We covered Living Off The Land Binaries that are frequently used in red team engagements. Living Off The Land Binaries are applications and executable that come pre-installed with the operating system. An example is bitsadmin.exe in Windows operating system and ping in Linux. The LOLBAS project contains all binaries that are categorized as living off the land and GTFO bins is its equivalent for Linux operating systems. This was part of the solution walkthrough of TryHackMe Living Off the Land.
The Complete Practical Web Application Penetration Testing Course
Highlights
Living Off the Land is a trending term in the red team community. The name is taken from real-life, living by eating the available food on the land. Similarly, adversaries and malware creators take advantage of a target computer’s built-in tools and utilities.
The following are some categories that Living Off the Land encompasses:
- Reconnaissance
- Files operations
- Arbitrary code execution
- Lateral movement
- Security product bypass
Another example is LOLBAS which stands for Living Off the Land Binaries And Scripts and whose goal is to gather and document the Microsoft-signed and built-in tools used as Living Off the Land techniques, including binaries, scripts, and libraries.
Additional resources
- GTFOBins – The Linux version of the LOLBAS project.
- Astaroth: Banking Trojan – A real-life malware analysis where they showcase using the Living Off the Land technique used by Malware.
Room Answers
Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?
Pktmon.exe
Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?T1127.001
Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?
Execute
Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?
enc_thm_0YmFiOG_file.txt
Use the certutil.exe tool to decode the encoded flag file from question #1. In order to decode the file, we use -decode option as follow:
C:\Users\thm> certutil -decode Encoded_file payload.txt
THM{ea4e2b9f362320d098635d4bab8a568e}
Replicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?
THM{23005dc4369a0eef728aa39ff8cc3be2}
Video Walkthrough
