LOLBITS is a C# reverse shell that uses Microsoft’s Background Intelligent Transfer Service (BITS) to communicate with the Command and Control backend. The Command and Control backend is hidden behind an apparently harmless flask web application and it’s only accesible when the HTTP requests received by the app contain a valid authentication header.
It is composed of 3 main elements:
In order to deny proxies content inspection, all the relevant content sent between the agent and the C&C server is encrypted using RC4 with a preshared secret key. A high level diagram of the infrastructure behaviour would be as it’s shown in the following diagram:
To avoid that the Blue Team could reproduce some of the old requests and discover the C&C infrastructure, each authentication header is generated randomly and is valid only for one single cycle (a cycle is composed of a POST request followed by a GET request). Old authentication headers will be ignored and the harmless website will be displayed for those requests.
Also Read – GTFO : Search For Unix Binaries To Bypass System Security Restrictions
Getting Started
Prerequisites
For the C&C infrastructure is required a Windows Server 2012 or above with python 3.4+ and the following python dependencies:
pip install colorama
pip install flask
The C# agent has been successfully tested on Windows Server 2016, Windows Server 2019, Windows 8.1 and Windows 10. To compile it it’s required:
Setup
git clone https://github.com/Kudaes/LOLBITS.git
Also install .NET Framework and BITS features for IIS.
the
content
of the C&C folder of this repository to the physical directory where the new website is deployed. Let’s say that you have created the new website pointing to your directory C:\inetpub\wwwroot\bits
, then this should be that directory tree: I recommend to grant full access rights to Everyone for the website directory (C:\inetpub\wwwroot\bits
in the example) in order to avoid all kind of access
denied errors. At the end this is just a C&C server…
scriptProcessor
property for the web handler. For that, go back to the IIS Manager, click on the IIS server’s root and select FastCGI Settings (you should have configured this when following the tutorial referenced on the step 3). The value of the scriptProcessor
property should be “Full Path|Arguments”.According with the previous image, my scriptProcessor
property should have the value “c:\python3.4\python.exe|c:\python3.4\lib\site-packages\wfastcgi.py”.
Password
variable.Password
variable.password
variable. Url
variable. AuthPath
, ReadPath
and Payloads
pointing to the correponding folders in the website directory.baseReadPath
and baseWritePath
acording with your website directory tree.__payloads
that you set for Payloads
in myapp.py.Usage
To obtain the reverse shell just type in python lawlbin.py
on a cmd of the C&C server and execute the C# agent on the compromised host.
Since this project borns from the ashes of a previous and failed project, some of the old features have been kept. The old project was a shell where all the available commands would be executed using exclusively Living of The Land Binaries. Thats where the LOL of LOLBITS comes from, and thats why the following features run using exclusively LOLBINS (this could help to bypass AWS and some EDR filters):
Despite this features could be interesting in some environments (hmm downloading remote files without using Powershell? I like it!) I kept them just to reuse part of the old code for the C&C console. Below is a list with some features that im sure will be more usefull in a regular situation:
To get usage tips just type in help
or <somecommand> help
. In the future more features will be implemented, so stay tuned!
Welcome to atomicgen.io, a simple tool designed to create Atomic Red Team tests with ease.…
This Python script emulates the websocket server side of RevC2 by sending the type you…
Linux kernel 6.13-rc1 has been released by Linus Torvalds, marking the end of the two-week…
Scripting Interpreters are agreat method to achieve Command or Shellcode Execution, but one of many…
ScriptSentry finds misconfigured and dangerous logon scripts. ScriptSentry is a powerful tool designed to detect…
SilentLoad is a powerful exploitation tool designed to load drivers stealthily by directly setting up…