Windows IoT


After performing some basic enumeration and learning that the current user is an administrator, I wanted to take a look at the filesystem structure as this is my first engagement with a Windows IoT device.

PS C:\> ls
 
 
    Directory: C:\
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----        7/20/2020   2:36 AM                $Reconfig$                    
d----l       10/26/2018  11:35 PM                Data                          
d-----       10/26/2018  11:37 PM                Program Files                 
d-----       10/26/2018  11:38 PM                PROGRAMS                      
d-----       10/26/2018  11:37 PM                SystemData                    
d-r---       10/26/2018  11:37 PM                Users                         
d-----         7/3/2020  10:35 PM                Windows                       
-a----         2/3/2023   7:36 AM          43696 nc64.exe

The system root is certainly different. Just about the only directories that I recognize are C:\Windows, C:\Users and C:\Program Files. I checked them all. The C:\Windows directory contains the generic Windows system configuration data files with a bit of a twist. Both C:\Users and C:\Program Files were pretty much empty.

C:\$Reconfig$


PS C:\> cd '$Reconfig$' ; ls
 
 
    Directory: C:\$Reconfig$
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----        7/20/2020   2:36 AM             25 undolog.xml                   
 
 
PS C:\$Reconfig$> cat undolog.xml
cat undolog.xml
<ReconfigurationUndoLog/>

The directory, C:\$RECONFIG$, is typically a hidden folder used by the Windows operating system as a backup location for system files. This folder is used during the process of updating or reconfiguring the system, to ensure that a previous version of a system file is available in case of issues. The folder may contain backup copies of system files, drivers, or other important components.

In my case, it’s not helpful.

C:\SystemData


PS C:\> cd SystemData ; ls
 
 
    Directory: C:\SystemData
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----       10/26/2018  11:37 PM                Temp                          
 
 
PS C:\SystemData> cd Temp ; ls

The directory has a sub-directory, but it is empty.

C:\PROGRAMS


PS C:\> cd PROGRAMS ; ls
 
 
    Directory: C:\PROGRAMS
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----       10/26/2018  11:38 PM                PhoneProvisioner_OEM          
d-----       10/26/2018  11:38 PM                UpdateOS                      
 
 
PS C:\PROGRAMS> cd PhoneProvisioner_OEM ; ls
 
 
    Directory: C:\PROGRAMS\PhoneProvisioner_OEM
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----       10/26/2018  11:38 PM                OEM                           
 
 
PS C:\PROGRAMS\PhoneProvisioner_OEM> cd OEM ; ls
 
 
    Directory: C:\PROGRAMS\PhoneProvisioner_OEM\OEM
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       10/26/2018  11:38 PM            586 mxipcold_BSPProductName_001.pr
                                                 ovxml                         
 
 
PS C:\PROGRAMS\PhoneProvisioner_OEM\OEM> cat mxipcold_BSPProductName_001.provxml
<!--
            Copyright (c) Microsoft Corporation.  All rights reserved.
            -->
            <wap-provisioningdoc>
 
              <characteristic type="Registry">
                <!-- MS as OEM BSP Product name.  For internal use only-->
                <characteristic type="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Overrides\BSP">
                <parm name="Name" value="IOTCore.BSP.MSASOEM.MBMx64_1024x768.Production.en-us"  />
                </characteristic>
              </characteristic>
 
            </wap-provisioningdoc>
 
PS C:\PROGRAMS\PhoneProvisioner_OEM\OEM> cd ..\..\UpdateOS\ ; ls
 
 
    Directory: C:\PROGRAMS\UpdateOS
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----       10/26/2018  11:38 PM       70911215 UPDATEOS.wim

It seems that this directory contains a log file relevant to IoT as well as a Windows Imaging Format (WIM) file, which is mostly used for distributing and storing large amounts of data, including entire operating system installations, device drivers, and other system components.

It’s apparently fairly common to see in Windows IoT.
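The .provxml file printed above is a `wap-provisioningdoc` in which a `Registry` characteristic wraps a nested characteristic naming a registry key, with `parm` elements giving the value name and data. The Python parser below is an added example, not part of the original notes; it lists those registry settings so a provisioning file can be reviewed quickly. The names `registry_settings` and `SAMPLE_PROVXML` are illustrative, and the sample is the file content shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the provxml content printed in the listing above.
SAMPLE_PROVXML = r"""<!--
Copyright (c) Microsoft Corporation.  All rights reserved.
-->
<wap-provisioningdoc>
  <characteristic type="Registry">
    <!-- MS as OEM BSP Product name.  For internal use only-->
    <characteristic type="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\Overrides\BSP">
      <parm name="Name" value="IOTCore.BSP.MSASOEM.MBMx64_1024x768.Production.en-us" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def registry_settings(provxml_text):
    """Return (key, value_name, data) for each parm under a Registry characteristic."""
    root = ET.fromstring(provxml_text)
    if root.tag != "wap-provisioningdoc":
        raise ValueError("not a wap-provisioningdoc: root is <%s>" % root.tag)
    found = []
    for section in root.findall("characteristic"):
        if section.get("type", "").lower() != "registry":
            continue  # only the Registry section is reported here
        # Each nested characteristic carries the registry key in its type attribute.
        for key in section.findall("characteristic"):
            for parm in key.findall("parm"):
                found.append((key.get("type"), parm.get("name"), parm.get("value")))
    return found


if __name__ == "__main__":
    for key, name, data in registry_settings(SAMPLE_PROVXML):
        print("%s\n    %s = %s" % (key, name, data))
```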

C:\Data


PS C:\> cd Data ; ls
 
 
    Directory: C:\Data
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----       10/26/2018  11:37 PM                CrashDump                     
d-----       10/26/2018  11:37 PM                Logfiles                      
d-----       10/26/2018  11:37 PM                Programs                      
d-----         7/3/2020  11:22 PM                SharedData                    
d-----         7/3/2020  11:22 PM                SystemData                    
d-----       10/26/2018  11:38 PM                test                          
d-----         7/4/2020   7:28 PM                Users                         
d-----       10/26/2018  11:38 PM                Windows                       
-a----         7/4/2020  12:22 AM              0 FirstBoot.Complete            

The C:\Data directory appears to be another system root, so call it a junction.

PS C:\Data> cd Users ; ls
 
 
    Directory: C:\Data\Users
 
 
Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
d-----         7/4/2020   9:48 PM                administrator                 
d-----         7/4/2020   9:53 PM                app                           
d-----         7/3/2020  11:22 PM                DefaultAccount                
d-----         7/3/2020  11:22 PM                DevToolsUser                  
d-r---        8/21/2020   1:55 PM                Public                        
d-----         7/4/2020  10:29 PM                System                        

All the users are in the C:\Data\Users directory. I guess that the whole OS is nested with another?
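The trailing `l` in the `d----l` mode shown for Data in the C:\ listing is the reparse-point attribute, which is how a junction or mount point shows up in `ls` output. As an added example (not part of the original notes), this Python parser decodes the Mode column of a captured transcript, rejoins names that were wrapped onto a second line, and lists the reparse points. The names `parse_listing` and `reparse_points` are illustrative, and the sample rows are copied from the listings above.

```python
import re

# Column order of the six-character Mode field in the listings above.
MODE_FLAGS = ("directory", "archive", "read-only", "hidden", "system", "reparse-point")
ENTRY = re.compile(r"^([d-][a-][r-][h-][s-][l-])\s+(\S+\s+\S+ [AP]M)\s+(.*\S)\s*$")
HEADER = re.compile(r"^\s*Directory:\s*(.+?)\s*$", re.IGNORECASE)

# Constructed sample: rows copied from the root and OEM listings on this page.
SAMPLE = r"""
    Directory: C:\
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d----l       10/26/2018  11:35 PM                Data
d-r---       10/26/2018  11:37 PM                Users
-a----         2/3/2023   7:36 AM          43696 nc64.exe

    Directory: C:\PROGRAMS\PhoneProvisioner_OEM\OEM
-a----       10/26/2018  11:38 PM            586 mxipcold_BSPProductName_001.pr
                                                 ovxml
"""


def parse_listing(transcript):
    """Return one dict per entry: directory, name, length, decoded attributes."""
    entries, base, last = [], "", None
    for line in transcript.splitlines():
        header, entry = HEADER.match(line), ENTRY.match(line)
        if header:
            base, last = header.group(1), None
        elif entry:
            mode, rest = entry.group(1), entry.group(3)
            length = None
            if mode[0] != "d":              # only files carry a Length column
                size, rest = rest.split(None, 1)
                length = int(size)
            last = {"dir": base, "name": rest, "length": length,
                    "attrs": [n for c, n in zip(mode, MODE_FLAGS) if c != "-"]}
            entries.append(last)
        elif last and line.startswith(" " * 20) and line.strip():
            last["name"] += line.strip()    # long name wrapped onto the next line
        else:
            last = None                     # prompts, column headers, blank lines
    return entries

def reparse_points(entries):
    """Full paths of entries whose Mode carries the reparse-point flag."""
    return [e["dir"].rstrip("\\") + "\\" + e["name"] for e in entries
            if "reparse-point" in e["attrs"]]
```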