“Bin” There, Exfilled That

Hello everyone. Today, I want to share with you another data exfiltration possibility. Last time, we discussed how we can leverage the saved state of “temporary” files created by modern-day editors. You can read about it here; if you haven’t already, do check it out!

Just last night, I was going through my downloads folder and sending some of the items to the bin. To my surprise, when I opened my recycle bin to empty it, I found quite a few files lying there. As I stared at them for a good minute, it hit me: “What if I can read these files without having to restore them?” We have all seen this window when we double-click a file in the recycle bin.

This got me thinking. There’s only one thing that could come to our rescue. PowerShell!!

I quickly scrolled through a Google search for the path of the Recycle Bin, and in a few seconds I found it to be C:\$Recycle.Bin. Looking at the folders inside, it appears that deleted content is stored separately for each user, in folders identified by the user’s SID.

Once you reach here, you can find all types of files, ranging from text files to images, Word documents, Excel and so on.

Going forward, we can simply use Get-Content *.txt to read all the text files and loot them for any kind of credentials, IP addresses, or any other data if you’re lucky!

Looting from Word, Excel and PowerPoint is a little more complex, but doable. Let’s take the example of MS-Word.

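# Start Word through COM automation
$word = New-Object -ComObject Word.Application
# Single quotes keep PowerShell from expanding $Recycle as a variable
$docPath = 'C:\$Recycle.Bin\<UserSID>\<docfilename>'
$doc = $word.Documents.Open($docPath)
# Text of the selected paragraph; change the index to read others
$FP = $doc.Paragraphs[1].Range.Text

The snippet above does a simple task. It defines a COM object to access MS-Word, opens the file specified in the $docPath variable and keeps the opened document in the $doc variable. The paragraph text is read into $FP, and the paragraph index can be changed as desired.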

The output would look something like this.

Similar objects can also be defined for Excel and PowerPoint. However, I won’t be getting into the extraction of content from Excel and PowerPoint, to spare the length of this post. There are some amazing explanations already available. (I have linked them down in References.)
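On the defensive side, reads like the ones above show up in PowerShell Script Block Logging (Event ID 4104) as script text that references C:\$Recycle.Bin. The following is an added example, not code from the original post; the function name Find-RecycleBinRead, the SID and the sample script blocks are constructed for illustration.

```powershell
# Added example, not from the original post. Sample script blocks are constructed.
function Find-RecycleBinRead {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    # Recycle Bin root on any drive; captures the per-user SID folder when present.
    $binPath = '(?i)[a-z]:\\\$Recycle\.Bin(?:\\(?<sid>S-1-[0-9-]+))?'
    # Readers shown in the post: Get-Content (and aliases) and Office COM Open() calls.
    $readers = '(?i)\b(?:Get-Content|gc|cat|type)\b|\.(?:Documents|Workbooks|Presentations)\.Open\('

    $path = [regex]::Match($ScriptBlockText, $binPath)
    if (-not $path.Success) { return }

    # A path with no reader is still reported: an interactive session logs each
    # command as its own script block, so the read may sit in a neighbouring event.
    $severity = if ($ScriptBlockText -match $readers) { 'High' } else { 'Review' }
    $sid = if ($path.Groups['sid'].Success) { $path.Groups['sid'].Value } else { $null }

    [pscustomobject]@{ Severity = $severity; TargetSid = $sid; ScriptText = $ScriptBlockText }
}

# Constructed script-block texts (the SID is a made-up placeholder).
$samples = @(
    'Get-Content C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\*.txt'
    '$doc = $word.Documents.Open(''C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\draft.docx'')'
    'Set-Location C:\$Recycle.Bin'
    'Get-Content C:\Users\alice\notes.txt'
)
$samples | ForEach-Object { Find-RecycleBinRead -ScriptBlockText $_ } |
    Format-Table Severity, TargetSid, ScriptText -AutoSize

# On a live host with Script Block Logging enabled, read Event ID 4104 instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Find-RecycleBinRead -ScriptBlockText $_.Properties[2].Value }
```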

Thanks for Reading :D. Stay Home, Stay Safe!

Happy Red Teaming & Exfiltration everybody!

References

Reading content from Excel using PowerShell here

Reading content from Word using PowerShell here

Reading content from PowerPoint using PowerShell here

Reading content from PDF using PowerShell here
