A short but sweet blog post today. If you ever find yourself with local admin credentials on a server that manages VMs, such as vCenter or ESXi, think blue team. Years ago someone from work spoke about how they were able to get credentials from a virtual image by using a snapshot or a paused VM. That recollection inspired me to try a new technique that puts my relatively new forensic skills to use in an interesting attack.
Instead of relying on extracting registry files, assuming that is what he did, you could instead run Volatility on the snapshot data to extract the hashes from a target system. These hashes can then be used with any pass-the-hash technique to get a shell. I wish I could remember who used the technique and what exactly they did, but that was over 3 years ago and I am not as perfect at recollecting things as computers are. Also, I am by no means the first person to do this; I just happened to be inspired by my circumstances at the time to try something new. I figured this may be useful to other folks as well.
See short and sweet.
Assuming you are now logged in and you have successfully created a snapshot, identify the .vmss and .vmem files from the snapshot. You will need these two files to create a memory dump.
Make sure you have a copy of vmss2core.exe, which can be found on VMware's site.
Next, run one of the two following commands to create the memory dump. Use the -W8 flag if the guest is Windows 8, Server 2012, 2016, or 2019, and -W for everything else.
Next, you will need to run Volatility on the memory dump to extract the credentials. There are actually two versions of Volatility now. The newer Volatility, version three I think, is simpler; however, I had to be connected to the internet to use it because it needed to download symbols on the fly. Depending on your circumstances this may not be possible, so I will put both syntaxes here.
A few notes about this version if you aren't familiar with the tool. You will first have to identify the correct memory profile so that all the offsets line up correctly. Failure to do so will not result in passwords.
The first command identifies the profile, followed by credential extraction. Sometimes the profile takes some trial and error to get right, but if you have done good recon on your target you should be able to nail it on the first shot. After running the imageinfo command below, just select the one that matches the Windows version and build. The most recent version of Kali should come with the latest profiles.
Next, extract the credentials. This requires finding the SAM and SYSTEM hive offsets and using the hashdump module. Andrea Fortuna's awesome blog has a great write-up about this.
This tool is more straightforward to run; however, I found out the hard way that you need internet access for the profiles. So if you run an isolated lab, make sure to get the internet connection going.
You should now see a list of LM and NT hashes for local users.
I imagine a similar technique could be applied anywhere that houses virtual operating systems, such as anything in the cloud and VirtualBox. Also, realize that to do this you will need access to the virtual machine management solution. If you are struggling to gain access, try targeting the admins who may have access to the systems and use attacks such as SMB relay or phishing.
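From the blue-team side, the sequence above leaves a recognisable trail on the management platform: a snapshot taken with memory state, followed shortly by the same principal pulling the .vmem/.vmss files off the datastore. The script below is an added example (not from the original post, and not a real vCenter/ESXi log schema) that correlates those two steps over constructed audit lines; the pipe/semicolon log format, the action names CreateSnapshot and DatastoreDownload, and the 30-minute window are all assumptions made for the example.

```python
"""Correlate memory-snapshot creation with later .vmem/.vmss downloads.

Added detection example. The log format below is constructed for this
example (ts|user|action|key=value;key=value) and is NOT the real vCenter or
ESXi event schema; map the fields from whatever audit source you actually have.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample audit lines (hypothetical format, see module docstring).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z|svc_backup|CreateSnapshot|vm=DC01;memory=true
2023-05-01T10:03:22Z|svc_backup|DatastoreDownload|path=[ds1] DC01/DC01-Snapshot1.vmem
2023-05-01T10:03:40Z|svc_backup|DatastoreDownload|path=[ds1] DC01/DC01-Snapshot1.vmss
2023-05-01T11:00:00Z|ops_admin|CreateSnapshot|vm=WEB02;memory=false
2023-05-01T11:02:10Z|ops_admin|DatastoreDownload|path=[ds1] WEB02/WEB02.vmx
2023-05-01T13:00:00Z|ops_admin|CreateSnapshot|vm=APP03;memory=true
2023-05-01T15:30:00Z|ops_admin|DatastoreDownload|path=[ds1] APP03/APP03-Snapshot2.vmem
"""

# Files that carry guest RAM and therefore credential material.
MEMORY_EXT = re.compile(r"\.(vmem|vmss)$", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: dict


def parse_line(line: str) -> Event:
    """Parse one constructed audit line into an Event."""
    ts, user, action, detail = line.rstrip("\n").split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, fields)


def vm_from_path(path: str) -> str:
    """'[ds1] DC01/DC01-Snapshot1.vmem' -> 'DC01' (first folder after the datastore tag)."""
    rel = re.sub(r"^\[[^\]]+\]\s*", "", path)
    return rel.split("/", 1)[0]


def find_memory_exfil(events, window=timedelta(minutes=30)):
    """Return one alert per .vmem/.vmss download.

    Severity is 'high' when the same user took a memory-backed snapshot of the
    same VM within `window` before the download, otherwise 'medium' (a memory
    file leaving the datastore is worth a look even without the snapshot step).
    """
    snapshots = {}  # (user, vm) -> timestamps of memory=true snapshots
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "CreateSnapshot" and ev.detail.get("memory") == "true":
            snapshots.setdefault((ev.user, ev.detail["vm"]), []).append(ev.ts)
        elif ev.action == "DatastoreDownload":
            path = ev.detail.get("path", "")
            if not MEMORY_EXT.search(path):
                continue
            vm = vm_from_path(path)
            recent = [t for t in snapshots.get((ev.user, vm), [])
                      if timedelta(0) <= ev.ts - t <= window]
            alerts.append({
                "ts": ev.ts,
                "user": ev.user,
                "vm": vm,
                "file": path,
                "severity": "high" if recent else "medium",
                "snapshot_ts": max(recent) if recent else None,
            })
    return alerts


def analyze(log_text: str, window=timedelta(minutes=30)):
    """Parse a whole log and return the alerts it produces."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_memory_exfil(events, window)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['ts']} {a['user']} {a['vm']} {a['file']} "
              f"(snapshot at {a['snapshot_ts']})")
```

On the sample data this raises two high-severity alerts for DC01 (snapshot with memory, then .vmem and .vmss pulled within minutes by the same account) and a medium one for APP03, whose download falls outside the window. Tuning the window and requiring the same principal keeps routine backup tooling from drowning the signal; the medium-severity path exists because a memory file leaving the datastore is rare enough in most estates to review on its own.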
FuzzySecurity's Blog on the Topic (Volatility2 Only) - https://fuzzysecurity.com/tutorials/18.html