
Having trouble booting from pxe

Open Alexsaurus-D opened this issue 7 months ago • 3 comments

I am trying to test this against a real machine. I am able to do all the steps to create the BCD as per the grab-bcd-smb.gif, though I do need to manually set the IP of the target with netsh interface ip set address "Ethernet" static 10.13.37.69 255.255.255.0 10.13.37.1. I note that the create-bcd.bat asks "Do you want to move the file to the SMB server on 10.13.37.1 (Y/[N])?" I assume this should read 10.13.37.100. The next step in the instructions says to "Start the TFTP server in exploit mode" with ./start-server.sh exploit <interface>, though this command doesn't exist and I believe it is meant to read ./start-server.sh pxe <interface>. My main question is how this is run relative to the prior command. Do I open a new terminal and run it, or am I meant to close the SMB server first? Am I meant to get the modified-bcd file from the SMB first? Where is that file stored on the attacking machine?

As it is I have tried both but it seems to fail with the target ending up with a blank blue screen and then shutting down.

Below is the log from the PXE server when I try to boot via PXE:

└─$ ./start-server.sh pxe eth0
[sudo] password for user:
Error: ipv4: Address already assigned.
[+] Info: Interface eth0 has IP address 10.13.37.100/24
[+] Info: Killing all dnsmasq processes...
dnsmasq: no process found
[+] Info: Starting dnsmasq...
dnsmasq: started, version 2.91 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 10.13.37.100 -- 10.13.37.101, lease time 1h
dnsmasq-tftp: TFTP root is /home/user/bitpixie/pxe-server
dnsmasq: no servers found in /etc/resolv.conf, will retry
dnsmasq: read /etc/hosts - 7 names
dnsmasq-dhcp: DHCPDISCOVER(eth0) b4:b6:86:da:c8:2e
dnsmasq-dhcp: DHCPOFFER(eth0) 10.13.37.101 b4:b6:86:da:c8:2e
dnsmasq-dhcp: DHCPREQUEST(eth0) 10.13.37.101 b4:b6:86:da:c8:2e
dnsmasq-dhcp: DHCPACK(eth0) 10.13.37.101 b4:b6:86:da:c8:2e
dnsmasq-tftp: error 8 User aborted the transfer received from 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: error 0 TFTP Aborted received from 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/Boot/BCD to 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/Boot/BCD to 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/Policies/SbcpFlightToken.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SecureBootPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/en-US/bootmgfw.efi.MUI not found for 10.13.37.101
dnsmasq-tftp: error 0 TFTP Aborted received from 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/FveTcg_2.log not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/fonts/segoe_slboot.ttf not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/fonts/segmono_boot.ttf not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/fonts/wgl4_boot.ttf not found for 10.13.37.101
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/fonts/wgl4_boot.ttf not found for 10.13.37.101

Alexsaurus-D, May 20 '25 22:05
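A small parser for the dnsmasq DHCP/TFTP log format posted above, added here as a diagnostic aid; it is not part of the bitpixie project or of this thread. It reports, per PXE client, the lease it got, which files were actually served, which requested files were absent from the TFTP root, and any aborted transfers, so the point at which a boot stalls can be read off instead of eyeballed. The TFTP root /srv/pxe and the short log excerpt are constructed for the example, in the same format as the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the posted dnsmasq log (not the full log).
SAMPLE_LOG = """\
dnsmasq-dhcp: DHCPDISCOVER(eth0) b4:b6:86:da:c8:2e
dnsmasq-dhcp: DHCPOFFER(eth0) 10.13.37.101 b4:b6:86:da:c8:2e
dnsmasq-dhcp: DHCPACK(eth0) 10.13.37.101 b4:b6:86:da:c8:2e
dnsmasq-tftp: error 8 User aborted the transfer received from 10.13.37.101
dnsmasq-tftp: sent /srv/pxe/bootmgfw.efi to 10.13.37.101
dnsmasq-tftp: sent /srv/pxe/Boot/BCD to 10.13.37.101
dnsmasq-tftp: file /srv/pxe/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: file /srv/pxe/EFI/Microsoft/Boot/SiPolicy.p7b not found for 10.13.37.101
dnsmasq-tftp: sent /srv/pxe/EFI/Microsoft/Boot/bootmgfw.efi to 10.13.37.101
"""

ACK = re.compile(r"dnsmasq-dhcp: DHCPACK\(\S+\) (\S+) (\S+)")
SENT = re.compile(r"dnsmasq-tftp: sent (\S+) to (\S+)")
MISSING = re.compile(r"dnsmasq-tftp: file (\S+) not found for (\S+)")
ABORT = re.compile(r"dnsmasq-tftp: error (\d+) (.*) received from (\S+)")


def summarize(log: str, tftp_root: str) -> dict:
    """Group the log by client IP: MAC from DHCPACK, files served, files missing, aborts."""
    clients: dict = {}

    def entry(ip):
        return clients.setdefault(ip, {"mac": None, "sent": [], "missing": Counter(), "aborts": []})

    for line in log.splitlines():
        if m := ACK.search(line):
            entry(m.group(1))["mac"] = m.group(2)
        elif m := SENT.search(line):
            entry(m.group(2))["sent"].append(m.group(1).removeprefix(tftp_root))
        elif m := MISSING.search(line):
            entry(m.group(2))["missing"][m.group(1).removeprefix(tftp_root)] += 1
        elif m := ABORT.search(line):
            entry(m.group(3))["aborts"].append(m.group(2))
    return clients


def boot_stage(client: dict) -> str:
    """Furthest fetch the client reached: PXE boot file only, the BCD, or the bootloader the BCD points at."""
    sent = client["sent"]
    if any(p.endswith("/EFI/Microsoft/Boot/bootmgfw.efi") for p in sent):
        return "bcd-referenced bootloader fetched"
    if any(p.endswith("/Boot/BCD") for p in sent):
        return "BCD fetched"
    return "only PXE boot file fetched" if sent else "nothing served"


if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG, "/srv/pxe").items():
        print(ip, c["mac"], boot_stage(c), "missing:", dict(c["missing"]), "aborts:", c["aborts"])
```

Pipe a real dnsmasq log into summarize() with your actual TFTP root (the posted log uses /home/user/bitpixie/pxe-server) to see the same breakdown.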

Ok, seems like I needed to hit Esc when I got the blue screen, which would put me at the GRUB menu to boot Alpine. After that boots I can log in as root and then run the exploit. My issue then is that it fails to find the VMK, with all the ones it "finds" having version mismatches.

Alexsaurus-D, May 21 '25 23:05

I've been trying to unlock my BitLocker for the past week after my Windows got locked when I installed Ubuntu on a 2nd SSD, which changed the start order via GRUB, thus changing my PCR7 hash. I have the same issue as you:

'version mismatch : 52 failed to find VMK adress : trying to find a new base'

I have read all the articles: https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/#step-3b-exploiting-the-linux-kernel (the article which inspired this repo), and tried another repo, https://github.com/martanne/bitpixie, which didn't work for me (ran into a Windows error when booting into Alpine OS, after the bootmgfw downgrade screen). I have read https://arxiv.org/pdf/2304.14717, linked on https://neodyme.io/en/blog/bitlocker_why_no_fix/#tpm-hardware-attacks, which describes a hardware attack on AMD Ryzen of the Zen 2/3 generation which is very advanced and seems effective for retrieving the VMK key directly (unfortunately I have a Zen 4 generation, so additional work is needed, and also you need to buy hardware equipment amounting to 100 euros).

For me, the issue is that the VMK is not loaded in memory even though it should be, because it exploits the vulnerability of Windows failing to wipe VMK keys after rebooting into PXE. I don't know why it doesn't work; maybe it has been patched. I see another person having the same issue as us, Yoyocraft: https://github.com/andigandhi/bitpixie/issues/21.

I have an issue understanding how rebooting into the PXE server should help, because in the article it says Windows forgets to wipe the VMK key in memory after a PXE boot, but that means the key should be there in the first place. Or, given the recovery screen, it means that the VMK key is not released because of the error written on the BitLocker screen. So why should this vulnerability help?

pdfour, May 23 '25 11:05

If the system is asking for BitLocker before loading into Windows, then my understanding is that it never loads the key into RAM and so there is no way for you to find it. On my test laptop the system loads into Windows by default, so the system should have the key in RAM. This implies that (if it is still vulnerable) when I have the laptop boot from IPv4 PXE Boot using the modified BCD with the old bootloader, it should load the VMK into RAM, then soft reboot to Alpine, where I can try and get the VMK out of RAM. I have checked the laptop and Secure Boot is still using the 2011 certificates, and so should accept the old vulnerable bootloader. I am concerned about the fact that I have to hit Esc to get it to GRUB.

Alexsaurus-D, May 26 '25 01:05