Methodology
  • πŸ˜ƒWelcome
    • Bullet Proof Strategy
    • πŸ‘οΈEnumeration
      • πŸ‘οΈβ€πŸ—¨οΈπŸ‘πŸ—¨ Enumeration Cheatsheet
      • SNMP Enumeration
      • IRC Enumeration
      • LDAP Enumeration
      • RPC Enumeration
      • DNS Enumeration
      • Rsync Enumeration
      • IDENT Enumeration
      • SMB Enumeration
        • Copy of SMBPass Change
      • Web Enumeration
        • Methodology
        • Enumerating Patterns Trick
      • Kerberos Enumeration
    • πŸ‘ΊExploitation
      • Passwords Attacks
        • Decrypting VNC passwords
        • Decrypting Jenkins passwords
        • MongoDB Decryption
      • Web Applications
        • My little cheatsheet
        • Login Portal Strat
        • SQL injection
        • Local File Inclusion
        • WebDav
        • Wordpress
        • phpmyadmin
        • Bypassing Proxies
        • Node.Js Command Injection
        • Weak Cookies and Parameters
        • PHP Web Shells
        • Code Injection
        • Werkzeug
        • Collection of Vulnerable Apps
          • RaspAP 2.5 Authenticated RCE
          • ZenPhoto 1.4.1.4 RCE
          • Sonatype Nexus 3.21.1
          • Argus Surveillance DVR 4.0
          • SmarterMail + .Net Remote
          • H2 Web Console
          • Exhibitor for Zookeper (Exhibitor Web)
          • Subrion 4.2.1
          • RestStack API 3100
          • Kibana 5.6.15 < 6.6.1
          • Authenticated NodeBB Plugin Emoji 3.2.1
        • Discovering Hidden Parameters
        • πŸ•΄οΈJenkins
      • Vulnerable Services
        • Authenticated MSSQL Shell
        • Authenticated PostgresSQL
        • Authenticated MongoDB
        • ClamAV - Milter 0.91.2
        • Unreal Tournament 99
        • MS17-10 Eternal Blue
        • REDIS Exploitation
        • OpenSMTPD < 6.6.2
        • James Adminitrator Remoting 2.3.2
      • Client Side Attacks
        • .ODT File Macros
      • Evil-WinRM
      • Methodology
      • Reversing
        • .net binaries
      • Enumerating Firewall
    • πŸ‘½Privilege Escalation
      • Windows
        • Enumeration
        • Enumerate Permissions on Folders and Binaries
          • Insecure File Permissions
          • Modifiable Binary Path
          • Unquoted Service Path
        • Meterpreter Session Injection /Migration
        • ⏲️Scheduled Apps (CronJobs)
        • πŸ₯”Impersonation Attacks
        • πŸ—’οΈDLL Hijacking
        • Passwords
          • Runas
            • Runas but Powershell
          • Autologon Credentials
        • AlwaysInstallElevated
        • Windows XP SP0/SP1
        • W10 Version 1803
        • Windows Vista x86 SP1
        • πŸ‘»SMB Ghost
        • Local Service / Network Service Users
        • Dangerous Privileges
          • SeLoadDriver Privilege
          • SeRestore Privilege
          • πŸ₯”SeImpersonatePrivilege
          • SeBackUp Privilege
        • Bypassing AV
        • Port Forwarding to access Internal services
        • Start Up Apps
        • Other Users
        • Resources
        • M16-032
        • Upgrading Powershell to Meterpreter
      • Linux
        • Enumerating SUID binaries
          • Find SUID
          • CP SUID
          • dosbox SUID
          • start-stop-daemon SUID
          • gcore SUID
        • Fail2Ban Group
        • Upgrading TTY Shells
        • Git Repository
        • Escaping RBASH
        • Docker
        • Init, Init.d , systemd
        • Shared Objects .so Hijacking
        • Sudo Version - CVE 2021-4034
        • Tar Wilcard Injection
        • Tips to become root
        • Python based applications escalation
        • Internal Services
          • mySQL
            • MySQL User Defined Function
        • Writable Passwd
        • Exiftool Priv Esc
        • Glusterd + Docker Container Breakout
        • choom
        • Slack
      • File Transfer Methods
        • Windows
        • Linux
      • Pivoting
    • πŸ’€Elevated Post Exploitation
    • 🟦Active Directory
      • Attack Vectors
        • LLMNR Poisoning
        • ASREPRoast
        • Spraying
          • SMBPass Change
        • Building Userbase
        • NTLM Relay Attack
        • IPv6 Takeover
      • Post Exploitation - Enumeration
        • Bloodhound
        • Enumeration - Powerview
      • Exploitation
        • Kerberoasting
        • GMSA Password Read
        • Account Operators
        • WriteDACL over DCSync
        • GenericWrite GPO
        • PS-Remoting
        • LAPS Password Read
        • Abusing ACLs
          • GenericWrite/GenericAll/AllExtendedRights over Users
        • Groups.xml
        • Azure AD Sync Dump
        • AD Recycle Bin Group
        • Get-ChangesAll
        • WriteOwner Over Domain Admins
        • Allowed to Delegate To:
        • Force Change Password
      • Resources
    • 😎Walkthroughs
      • πŸͺ¨Proving Grounds
      • πŸ“—Hack The Box
        • Windows
        • Linux
    • Cert Pictures :)
    • 🐍Python Lessons
      • Jenkins Script Groovy Console Exploit in Python
      • Kerbrute Automation
    • 🐚Bash Lessons
    • C# Programming
      • Process Injection Code
Powered by GitBook
On this page
  • Searching the Registry Passwords
  • Saved Creds
  • Searching for Configuration Files
  • SAM
  1. Welcome
  2. Privilege Escalation
  3. Windows

Passwords

PreviousDLL HijackingNextRunas

Last updated 2 years ago

  • Try different authentication methods if we find them as well as juggle the password for every single user just in case we can do some lateral movement .

  • Try psexec because maybe we find a password for our current user but turns out that user reused his password to set up an administrator account

  • try RDP

  • try runas

  • try the powesrshell run as variation

  • try winexe -U "user%pass" //<ip> cmd.exe

Searching the Registry Passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Saved Creds

Windows has a runas command which allows users to run commands with the privileges of other users. This usually requires the knowledge of the other user’s password. However, Windows also allows users to save their credentials to the system, and these saved credentials can be used to bypass this requirement.

To verify these are correct we can run the command cmdkey /list and if it doesnt show anything we need to run the savedcred.bat to restore them and rerun the command.

runas /savedcred /user:<nameo f the credentiasl> C:\path\to\nc.exe or reverse.exe

Searching for Configuration Files

dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt

We should run this in directories where we think these will be, such as unusual folders because then it will become super overloaded with info.

Look at Unattended.xml

SAM

SAM/SYSTEM locations

If we are able to read them we can secretsdump.py

or use

C:\Windows\System32\config

C:\Windows\Repair

C:\Windows\System32\config\RegBack

πŸ˜ƒ
πŸ‘½
GitHub - CiscoCXSecurity/creddump7GitHub
Logo