Selcouth Cyber Security Services Private Limited

“Bin” There, Exfilled That

Data-Exfil + InfoSec + Red Teaming | acc3ssp0int | October 7, 2020


Hello everyone. Today, I want to share with you another data exfiltration possibility. Last time, we discussed how we can leverage the saved state of “temporary” files created by modern-day editors. You can read about it here; if you haven’t already, do check it out!

Just last night, I was going through my Downloads folder and sending some of the items to the bin. To my surprise, when I opened my Recycle Bin to empty it, I found quite a few files lying there. I stared at them for a good minute, and that is when it hit me: “What if I can read these files without having to restore them?” We have all seen this window when we double-click a file in the Recycle Bin.

This got me thinking. There’s only one thing that could come to our rescue: PowerShell!!

I quickly ran a Google search for the path of the Recycle Bin, and in a few seconds I found it to be C:\$Recycle.Bin. Looking at the folders inside it, the deleted content appears to be stored separately for each user, in folders identified by the user SID.

Once you reach here, you can find all types of files, ranging from text files to images, Word documents, Excel files and so on.

From here, we can simply use Get-Content *.txt to read all the text files and loot them for credentials, IP addresses, or any other data, if you’re lucky!

Looting from Word, Excel and PowerPoint is a little more complex, but doable. Let’s take MS Word as an example.

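# Start Word through COM (requires Microsoft Word to be installed)
$word = New-Object -ComObject Word.Application
$docPath = 'C:\$Recycle.Bin\<UserSID>\<docfilename>'
$doc = $word.Documents.Open($docPath)
# Text of a single paragraph; change the index to read other paragraphs
$FP = $doc.Paragraphs[1].Range.Text
# Close the document and quit Word so no WINWORD.EXE process is left running
$doc.Close(); $word.Quit()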

The snippet above does a simple task. It creates a COM object to drive MS Word, opens the file named in the $docPath variable and keeps the opened document in $doc, then stores the text of one paragraph in $FP. The paragraph index can be changed as desired to read other paragraphs.

The output would look something like this.

Similar objects can also be defined for Excel and PowerPoint. However, I won’t get into extracting content from Excel and PowerPoint, to keep this post short. There are already some amazing explanations available. (I have linked them below in References.)
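For the defending side, the per-user SID folders described above make this kind of read easy to spot once file-access auditing is enabled on C:\$Recycle.Bin. The following is an added example, not code from the original post: it assumes an audit SACL on the folder so that Security event 4663 is logged, and the function name Find-RecycleBinRead, the process allow-list and the sample records (with made-up SIDs) are constructed for illustration.

```powershell
# Added example: triage of file-read audit events under C:\$Recycle.Bin.
# Assumption: a SACL on the folder produces Security event 4663. The records
# below are constructed samples using that event's field names; SIDs are made up.
$alice = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$bob   = 'S-1-5-21-1111111111-2222222222-3333333333-1002'
$sampleEvents = @(
    # Owner browsing their own bin in Explorer: expected
    [pscustomobject]@{ SubjectUserSid = $alice; ProcessName = 'C:\Windows\explorer.exe'
        ObjectName = ('C:\$Recycle.Bin\{0}\$RA1B2C3.txt' -f $alice); AccessMask = '0x1' }
    # Owner's PowerShell reading deleted text files: unexpected process
    [pscustomobject]@{ SubjectUserSid = $alice
        ProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ObjectName = ('C:\$Recycle.Bin\{0}\$RA1B2C3.txt' -f $alice); AccessMask = '0x1' }
    # Word opening a document from another user's bin: cross-user and unexpected
    [pscustomobject]@{ SubjectUserSid = $bob
        ProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        ObjectName = ('C:\$Recycle.Bin\{0}\$RD4E5F6.docx' -f $alice); AccessMask = '0x1' }
    # DELETE access while emptying the bin: not a read, ignored
    [pscustomobject]@{ SubjectUserSid = $alice; ProcessName = 'C:\Windows\explorer.exe'
        ObjectName = ('C:\$Recycle.Bin\{0}\$RA1B2C3.txt' -f $alice); AccessMask = '0x10000' }
)

function Find-RecycleBinRead {
    param(
        [Parameter(ValueFromPipeline)] $Record,
        # Assumption: processes expected to read the bin; tune per environment
        [string[]] $AllowedProcess = @('explorer.exe')
    )
    process {
        # The folder name under $Recycle.Bin is the SID of the user who owns it
        $pattern = '^[A-Za-z]:\\\$Recycle\.Bin\\(S-1-[\d-]+)\\'
        $m = [regex]::Match($Record.ObjectName, $pattern, 'IgnoreCase')
        if (-not $m.Success) { return }
        if (-not ([int]$Record.AccessMask -band 0x1)) { return }   # 0x1 = ReadData
        $ownerSid = $m.Groups[1].Value
        $exe = Split-Path -Leaf $Record.ProcessName
        $reasons = @()
        if ($Record.SubjectUserSid -ne $ownerSid) { $reasons += 'cross-user read' }
        if ($AllowedProcess -notcontains $exe) { $reasons += "unexpected process $exe" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Process = $exe; Reader = $Record.SubjectUserSid
                Owner = $ownerSid; Object = $Record.ObjectName; Reasons = $reasons -join '; ' }
        }
    }
}

$sampleEvents | Find-RecycleBinRead | Format-List
```

On the sample data this reports the PowerShell read and the cross-user Word read, and stays silent for the two Explorer events.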

Thanks for Reading :D. Stay Home, Stay Safe!

Happy Red Teaming & Exfiltration everybody!


References

Reading content from Excel using PowerShell here

Reading content from Word using PowerShell here

Reading content from PowerPoint using PowerShell here

Reading content from PDF using PowerShell here

Written by: acc3ssp0int
