Transferring Files into a Restrictive VDI Environment
In a recent penetration test I came across a novel technique to transfer files into restrictive VDI environments where all conventional ways of transferring files had been disabled. It's not rocket science but I thought it was interesting enough to warrant a brief write-up.
TL;DR: Base64 encode the file -> Use something like AutoHotkey to type it over -> Base64 decode the file.
- Base64 encode the file. You can use any tool you like for this.
    certutil.exe -encode C:\hackerman.exe C:\test.txt
- Type the file across to the target host. If your host for the VDI connection is Windows you can use my AHK script.
  The script will type the file at C:\test.txt slowly if you press CTRL+J. The sleeps can be adjusted to type faster but I found that any quicker than what's configured below will result in dropped characters.
    ; CTRL+J starts typing the file
    ^j::
    SetKeyDelay, 1
    ; Read C:\test.txt one line at a time
    Loop, Read, C:\test.txt
    {
        ; Type the line literally, then press Enter
        Send, {Raw}%A_LoopReadLine%
        Sleep, 100
        SendInput, {Enter}
        Sleep, 50
    }
    return
- Base64 decode the file. You will be limited by what's available on the host but there's a good chance certutil will be there.
    certutil.exe -decode C:\test.txt C:\hackerman.exe
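From the defender's side, the encode and decode steps above both leave a certutil process-creation record. The following is an added example, not part of the original write-up: a small classifier over process-creation events, assuming Sysmon-style fields (Image, CommandLine, OriginalFileName); the sample events and the extension list are constructed for illustration.

```python
import ntpath
import re
import shlex

VERBS = {"encode", "decode"}          # the two certutil verbs used on this page
RISKY_EXT = {".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js"}

def is_certutil(event):
    """Match on image name or PE OriginalFileName, so a renamed copy still hits."""
    names = (ntpath.basename(event.get("Image", "")), event.get("OriginalFileName", ""))
    return any(n.lower() == "certutil.exe" for n in names)

def tokenize(command_line):
    """Split a Windows command line, keeping backslashes and dropping quotes."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:                # unbalanced quote: fall back to whitespace
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def classify(event):
    """Return a finding dict for certutil -encode/-decode, else None."""
    if not is_certutil(event):
        return None
    verb, paths = None, []
    for arg in tokenize(event.get("CommandLine", ""))[1:]:
        switch = re.fullmatch(r"[-/](\w+)", arg)   # certutil accepts - or /
        if switch is None:
            paths.append(arg)
        elif switch.group(1).lower() in VERBS:
            verb = switch.group(1).lower()
    if verb is None:
        return None
    output = paths[1] if len(paths) > 1 else None
    ext = ntpath.splitext(output)[1].lower() if output else ""
    severity = "high" if verb == "decode" and ext in RISKY_EXT else "medium"
    return {"verb": verb, "output": output, "severity": severity}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\test.txt C:\hackerman.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -encode C:\hackerman.exe C:\test.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\test.txt SHA256"},
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r'cu.exe /DECODE "C:\Users\a b\in.txt" "C:\Users\a b\out.dll"'},
]
```

Decoding to an executable extension is rated higher than encoding because it is the step that materialises a binary on the VDI host.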