Transferring Files Into a Restrictive VDI Environment

In a recent penetration test I came across a novel technique to transfer files into restrictive VDI environments where all conventional ways of transferring files had been disabled. It's not rocket science but I thought it was interesting enough to warrant a brief write-up.

TLDR; Base64 encode the file -> Use something like AutoHotkey to type it over -> Base64 decode the file.

  1. Base64 encode the file. You can use any tool you want really to achieve this.
    certutil.exe -encode C:\hackerman.exe C:\test.txt

  2. Type the file across to the target host. If your host for the VDI connection is Windows you can use my AHK script.
    The script will type the file at C:\test.txt slowly if you press CTRL+J. The sleeps can be adjusted to type faster but I found that any quicker than what's configured below will result in dropped characters.

    ^j::
    SetKeyDelay, 1
    loop,read,C:\test.txt
    {
        Send,{raw}%a_loopReadLine%
        Sleep, 100
        SendInput,{enter}
        Sleep, 50
    }
    
  3. Base64 decode the file. You will be limited by what's available on the host but there's a good chance certutil will be there.
    certutil.exe -decode C:\test.txt C:\hackerman.exe

Show Comments