Creds Hunting

Application Configuration Files

  • Searching for Files
    • Applications often store passwords in cleartext in their configuration files
    • findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
    • Look in C:\inetpub\wwwroot\web.config (IIS web application configuration)

Dictionary Files

  • Chrome Dictionary Files
    • Example: sensitive information such as passwords may be typed into an email client or a browser-based application that underlines any word it doesn't recognise; the user may add those words to their custom dictionary to avoid the distracting red underline.
    • gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

Unattended Installation Files

  • Unattended installation files may define auto-logon settings or additional accounts to be created as part of the installation. Passwords in unattend.xml are stored in plaintext or base64 encoded.

PowerShell History File

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  • Find the PowerShell history save path
    • (Get-PSReadLineOption).HistorySavePath
  • Read the PowerShell history file
    • gc (Get-PSReadLineOption).HistorySavePath
  • Retrieve the contents of all PowerShell history files readable by the current user
    • foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

PowerShell Credentials

  • PowerShell credentials are often stored on disk for automation tasks
  • These credentials are protected with DPAPI, which typically means they can only be decrypted by the same user on the same computer on which they were created.
  • Example: the script Connect-VC.ps1, which a sysadmin created to connect to a vCenter server easily.
    # Connect-VC.ps1
    # Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
    $encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
    $decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
    Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword
    
  • Decrypting PowerShell Credentials
    • If we have gained command execution in the context of the above user or can abuse DPAPI, then we can recover the cleartext credentials from the exported XML file (pass.xml above). The example below assumes the former.
      PS C:\htb> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
      PS C:\htb> $credential.GetNetworkCredential().username
      bob

      PS C:\htb> $credential.GetNetworkCredential().password
      Str0ng3ncryptedP@ss!
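As an added example (not from the original notes), the PowerShell below exports a constructed sample PSCredential the way Connect-VC.ps1 expects, checks that the file holds a DPAPI blob rather than the plaintext, and shows the safer consumption pattern; the account name, password and scratch path are assumed sample values, and Connect-VIServer (PowerCLI) is only referenced in a comment.

```powershell
# Added example (not part of the original notes): what Export-Clixml writes for a
# PSCredential, and a safer way to consume it than the Connect-VC.ps1 pattern.
# The account name, password and scratch path are constructed sample values.

function Test-ClixmlCredentialProtection {
    param([string]$Path = (Join-Path $env:TEMP 'demo-cred.xml'))  # assumed scratch path

    # Constructed sample credential; never paste a real secret here.
    $secure = ConvertTo-SecureString 'S4mpleOnly!' -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential('svc_demo', $secure)

    # Export-Clixml serialises the SecureString through DPAPI under the
    # current user and machine, which is the boundary the notes describe.
    $cred | Export-Clixml -Path $Path
    $raw = Get-Content -Path $Path -Raw

    # The Password element is a hex DPAPI blob, not the plaintext. A DPAPI blob
    # begins with version 01000000 followed by the provider GUID
    # d08c9ddf-0115-d111-8c7a-00c04fc297eb written as little-endian bytes.
    $m    = [regex]::Match($raw, '<SS N="Password">([0-9a-fA-F]+)</SS>')
    $blob = $m.Groups[1].Value.ToLower()
    $result = [pscustomobject]@{
        UserNameInClear = $raw -match '<S N="UserName">svc_demo</S>'   # expected: True
        PasswordInClear = $raw -match 'S4mpleOnly!'                    # expected: False
        IsDpapiBlob     = $blob.StartsWith('01000000d08c9ddf0115d1118c7a00c04fc297eb')
        BlobLengthBytes = $blob.Length / 2
    }
    Remove-Item -Path $Path -ErrorAction SilentlyContinue
    return $result
}

# Safer consumer than Connect-VC.ps1: hand the PSCredential object itself to
# the cmdlet instead of calling GetNetworkCredential().Password, so the
# plaintext never lands in a variable, a transcript or a PSReadLine history
# line. Connect-VIServer is PowerCLI and is shown here as a comment only.
#   $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
#   Connect-VIServer -Server 'VC-01' -Credential $credential

Test-ClixmlCredentialProtection | Format-List
```

Run it on a Windows host as any user; Export-Clixml of a SecureString is Windows DPAPI only, and the same file imported under a different account or machine will fail to decrypt, which is the protection boundary the notes rely on.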