Linux Mount VHD / VHDX
Here's the situation -- you're on a network and you find a Network Attached Storage device with a share protected using a weak password. You brute force the password and once you log in, you find a WindowsImageBackup directory which houses the data from a Windows Server Backup. When we view the contents, we're interested in the files with the VHD or VHDX extension. VHDX is essentially the same as VHD but the size limit on VHDX was increased to 2TB. That's neither here nor there, what we really want is inside the file.
We could copy the file over to our machine but depending on the location of the file with respect to your attacking system, that could be a problem. What we really want to do is to mount that file in its current location and access what's inside.
My Kali box is already set up so in this example, I'm using Ubuntu 18 but the steps are the same regardless of whether it's Kali or not.
Starting from the top, we find our share:
When we traverse into the directory, we find two VHDX files. The larger of the two (23GB) is the one we want:
Before we can access the file, we need to perform a few steps. First, we're going to install the libguestfs tools which allow us to access virtual disk images:
This second install might already exist on your system but if not, we'll need the CIFS utils which we'll use to access SMB/CIFS shares:
Next, we'll need to create a directory for the share, a directory for the VHD, and we'll need to issue mount commands for both:
The second mount command for the VHD is long-winded. Truncating for the sake of not creating a very long screenshot:
When it's finished, we should see data in both the /share and /vhd directory. We're interested in /vhd because that's where our backup data exists:
When we list the contents of the directory, we see the data and we can traverse through the directories without issue. Here are all of the commands I used:
sudo apt-get install libguestfs-tools
sudo apt-get install cifs-utils
sudo mkdir /share
sudo mkdir /vhd
sudo mount -t cifs -o user=admin,rw,iocharset=utf8,file_mode=0777,noperm "//192.168.86.219/Public" /share
sudo guestmount --add "/share/WindowsImageBackup/homeServer/Backup 2019-06-27 121342/b094c9f5-e4dd-11e8-80b3-806e6f6e6963.vhdx" \
  --inspector --ro /vhd -v
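
The steps above pick the image by its file extension. As an added example (not part of the original post), the following shell functions check the on-disk signature first and only then call guestmount read-only with the same flags used above; the function names `image_format` and `mount_image_ro` are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a file really is a VHD/VHDX image before mounting it.
# Function names are hypothetical; the guestmount flags are the ones used on this page.

# Print "vhdx", "vhd" or "unknown" for the file given as $1.
image_format() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || { echo unknown; return 0; }
    # VHDX: the file type identifier at offset 0 begins with ASCII "vhdxfile".
    head8=$(head -c 8 "$f" | tr -d '\0')
    if [ "$head8" = "vhdxfile" ]; then
        echo vhdx
        return 0
    fi
    # VHD: a 512-byte footer at the end of the file begins with "conectix";
    # dynamic and differencing disks also keep a copy of it at offset 0.
    foot8=$(tail -c 512 "$f" | head -c 8 | tr -d '\0')
    if [ "$head8" = "conectix" ] || [ "$foot8" = "conectix" ]; then
        echo vhd
        return 0
    fi
    echo unknown
}

# Mount image $1 read-only on directory $2; refuse anything without a valid signature.
mount_image_ro() {
    image=$1
    mountpoint=$2
    fmt=$(image_format "$image")
    if [ "$fmt" = "unknown" ]; then
        echo "refusing to mount: $image has no VHD or VHDX signature" >&2
        return 1
    fi
    echo "detected $fmt image: $image" >&2
    # Quoting matters here: backup paths like the one above contain spaces.
    sudo guestmount --add "$image" --inspector --ro "$mountpoint"
}
```

When finished, `sudo guestunmount /vhd` followed by `sudo umount /share` releases both mounts.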