Saturday, 16 November 2019

Quick memory review - extracting secrets from Hikvision iVMS-4200

Last time I tried to use Sysinternals to check a few things in Windows 10. This time I tried to get some more details (read: passwords ;)) to use during lateral movement (if needed). Below you will find the details of this scenario. Here we go...

This time we will start here, with iVMS-4200 by Hikvision:



As you can see on the screen, I added two users: tester and anotherUser.

The scenario is pretty simple:
- you have a shell on the Windows machine
- you know the PID of the process you want to dump
- you dump that process and check the created dump to grab some passwords

We will start by creating the two mentioned users: tester and anotherUser. Once the process is running, the created profiles should be loaded into the memory of our program, iVMS-4200.

Assuming we are in some "corporate environment" (and cannot download any 'tools'), we will use a PowerShell command I found here:

cmd.exe> Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump PID c:\mini.dmp full

Replace PID with the numeric process ID of iVMS-4200 (tasklist or Get-Process will show it); the trailing word full asks for a full memory dump rather than a minimal one. MiniDump is an export of the built-in comsvcs.dll, so nothing has to be copied to the box, and the Powershell -c wrapper is optional: rundll32.exe can be called straight from cmd.exe. As an unprivileged user you can only dump processes running under your own account, which is what this scenario relies on, since the iVMS-4200 client was started by the same user; dumping processes owned by other users or SYSTEM needs SeDebugPrivilege, i.e. an elevated shell. Because this one-liner is a well-known LOLBin, expect AV/EDR to flag it.

The created file can be opened in WinDbg for review...

...but I'm not so sure you will be able to install it (on the client's box, as a not-yet-admin user) ;)

So, the next step is to somehow move the created mini.dmp file to the Kali machine.


When you are ready, the Linux console is your friend ;)


Now we can try the newly found passwords on other machines during our 'pentest'. ;)

Maybe you will find it useful.

See you next time!

Cheers
