{"id":7420,"date":"2020-08-23T18:16:26","date_gmt":"2020-08-23T18:16:26","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7420"},"modified":"2020-08-27T21:44:33","modified_gmt":"2020-08-27T21:44:33","slug":"certutil-one-more-gui-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/08\/23\/certutil-one-more-gui-lolbin\/","title":{"rendered":"certutil – one more GUI lolbin"},"content":{"rendered":"\n

Cerutil is a very complex tool and only careful review of all its options allows us to comprehend its rich functionality. Lots of its command line arguments are described online all over the place and as such, what I present below is not new. However, AFAICT it has not been covered in a context of lolbining and as such, perhaps deserves some attention.<\/p>\n\n\n\n

Project LOLBAS<\/a> describes at least two ways of downloading files via certutil. Here is the third one:<\/p>\n\n\n\n

certutil -URL https:\/\/www.google.com<\/pre>\n\n\n\n
This will launch a GUI window for a program called URL Retrieval Tool:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Once you hit Retrieve button you will get the ‘Failed’ status, but… the file that URL points to will be now downloaded into %APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\<hash> file (thx to @OsandaMalith<\/a> for pointing out a mistake in the path).<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Cerutil is a very complex tool and only careful review of all its options allows us to comprehend its rich functionality. Lots of its command line arguments are described online all over the place and as such, what I present … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7420"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7420"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7420\/revisions"}],"predecessor-version":[{"id":7430,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7420\/revisions\/7430"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}