I was hoping the predefined Unattended Access Password would show up in BulletPassView as well. Excellent, now I can get back into the Options page and look at the Security part of the menu. Surprisingly, it gave me back a password in plaintext. I of course did not know the password and on a whim I downloaded BulletPassView from nirsoft and ran that. It turns out the OptionsPasswordAES reg key is meant to keep unauthorized people out of the menu where you can change settings. I imported the registry keys and was promptly locked out of the menu to change the options. I played around with the settings and menus for a while. I setup a new Windows 10 VM and installed TeamViewer 7 on it. A quick google search shows TeamViewer kindly offers all old version for download still which can be found here. The first thing I did was try to find the installer for the exact same version from the TeamViewer registry keys which happened to be version 7. In the end we were unable to compromise the client in time but the TeamViewer registry keys really stuck with me and thus begins this rabbit hole. This lead me to believe there was a shared key across all TeamViewer which would backup the claim by the reg keys there is AES involved. msi so all the TeamViewer installs in the organization can have the same password. I could however import the registry settings or deploy them in a. I quickly looked up to see what I could do with this and I found out it’s not much. I noted in the backup there were things like OptionsPasswordAES or SecurityPasswordAES. We came across a backup of TeamViewer registry keys. We were able to find a few open shares and connect to them. Even the network admin did not have local admin on any windows machines nor did they have RDP rights anywhere either. After finally cracking one we quickly found out this place was very locked down. They were unaware of mimt6 and that’s how we started getting some hashes rolling in. They fixed absolutely everything from the report last year. I was on-site at a client and these guys were good. TeamViewer also lets you copy data or schedule tasks to run through their Service, which runs as NT AUTHORITY\SYSTEM, so a low privilege user can immediately go to SYSTEM with a. If you do not have RDP rights to machine but TeamViewer is installed, you can use TeamViewer to remote in. If the password is reused anywhere, privilege escalation is possible. This was a crazy ride and I learned a ton along the way. Oh man where to even begin with this one.
0 kommentar(er)
