Hunting other Files

  • https://github.com/SnaffCon/Snaffler

Manually Searching the File System for Credentials

  • Search for a specific file
    • Get-ChildItem -Path "C:\" -Filter "confidential.txt" -Recurse -File
  • Search for a specific string
    • Get-ChildItem -Path "C:\" -Recurse | Select-String -Pattern "ldapadmin"
  • Search File Contents for String
    • cd c:\Users\htb-student\Documents & findstr /SI /M "password" *.xml *.ini *.txt
    • findstr /si password *.xml *.ini *.txt *.config
    • findstr /spin "password" *.*
  • Search file contents using PowerShell
    • select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
  • Search file extensions using CMD
    • dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
    • where /R C:\ *.config
  • Search for File Extensions Using PowerShell
    • Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore

Sticky Notes Passwords

  • People often use the StickyNotes app on Windows workstations to save passwords and other information, not realizing it is a database file.
  • This file is located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite and is always worth searching for and examining.
  • Looking for StickyNotes DB File
    • C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
  • Loading the StickyNotes DB file
    • We can copy the three plum.sqlite* files down to our system and open them with a tool such as DB Browser for SQLite OR https://sqliteviewer.app/#/plum.sqlite/table/Note/ and view the Text column in the Note table with the query select Text from Note;.
  • Viewing Sticky Notes Data Using PowerShell
    • Use PSSQLite: https://github.com/RamblingCookieMonster/PSSQLite
    • Set-ExecutionPolicy Bypass -Scope Process
    • Import-Module .\PSSQLite.psd1
    • $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
    • Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap
    • OR
    • cat plum.sqlite
      • Strings output that you'll have to sift through manually
  • Viewing StickyNotes Data using Linux
    • Copy the files to Kali
    • strings plum.sqlite-wal
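
Why all three plum.sqlite* files matter, as an added example that is not part of the original notes: SQLite in WAL mode keeps recent writes in the -wal file until a checkpoint, so a copy of the main file alone can miss notes. The database below is constructed, with a simplified one-column Note table assumed for illustration; wal_copy_demo and read_notes are hypothetical helper names.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path


def read_notes(db_path):
    """Return the Text column of the Note table, as the page's query does."""
    conn = sqlite3.connect(str(db_path))
    try:
        return [row[0] for row in conn.execute("SELECT Text FROM Note")]
    finally:
        conn.close()


def wal_copy_demo():
    """Build a constructed WAL-mode database and compare two ways of copying it."""
    work = Path(tempfile.mkdtemp(prefix="plum_demo_"))
    live = work / "live" / "plum.sqlite"
    live.parent.mkdir()

    # isolation_level=None: autocommit, so each statement is its own transaction.
    app = sqlite3.connect(str(live), isolation_level=None)
    app.execute("PRAGMA journal_mode=WAL")
    app.execute("PRAGMA wal_autocheckpoint=0")       # keep new writes in the WAL
    app.execute("CREATE TABLE Note (Text TEXT)")     # simplified constructed schema
    app.execute("PRAGMA wal_checkpoint(TRUNCATE)")   # schema now lives in the main file
    app.execute("INSERT INTO Note VALUES ('constructed sample note')")

    # The writer is still open (like the running app), so the row exists only in -wal.
    main_only = work / "main_only"
    all_three = work / "all_three"
    main_only.mkdir()
    all_three.mkdir()
    shutil.copy(live, main_only / live.name)
    for src in live.parent.glob("plum.sqlite*"):
        shutil.copy(src, all_three / src.name)

    result = {
        "files_collected": sorted(p.name for p in all_three.iterdir()),
        "main_only": read_notes(main_only / live.name),
        "all_three": read_notes(all_three / live.name),
    }
    app.close()
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(wal_copy_demo())
```

The same behaviour explains why strings on plum.sqlite-wal can show note text that the main file does not yet contain.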

Other Files of Interest

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*