https://tryhackme.com/room/windowsprivesc20

Task 3 - Harvesting Passwords from Usual Spots

username: thm-unpriv
password: Password321

Unattended Windows Installations

Interesting files which might store Unattended Windows Credentials

C:\Unattend.xml
C:\Windows\Panther\Unattend.
C:\Windows\Panther\Unattend\Unattend.
C:\Windows\system32\sysprep.
C:\Windows\system32\sysprep\sysprep.xml

PowerShell History

Viewing PowerShell history from cmd.exe prompt

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Saved Windows Credentials

List saved credentials

cmdkey /list

If we can't view the credentials themselves, we can still run programs as the other user with runas and the /savecred option. This should work for any program, not just cmd.exe.

runas /savecred /user:admin cmd.exe

IIS Configuration

Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config. Depending on the installed version of IIS, we can find web.config in one of the following locations:

C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

A quick example:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
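
To check a host for the exposures covered above from the defender's side, this PowerShell sketch (an added example, not part of the original notes or the room) reports which of the fully listed files exist, which line numbers match a credential pattern, and whether broad groups can read them. The function name Get-CredentialExposure, the regex patterns and the English-language group names in $broad are assumptions.

```powershell
# Added audit example. Reports line numbers only, never the matched secret.
function Get-CredentialExposure {
    $webCfg = 'connectionString\s*=.*(password|pwd)\s*='        # assumed pattern
    $history = Join-Path $env:USERPROFILE `
        'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    $checks = @(
        @{ Path = 'C:\Unattend.xml';                         Pattern = '<Password>' }
        @{ Path = 'C:\Windows\system32\sysprep\sysprep.xml'; Pattern = '<Password>' }
        @{ Path = 'C:\inetpub\wwwroot\web.config';           Pattern = $webCfg }
        @{ Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
           Pattern = $webCfg }
        @{ Path = $history; Pattern = 'password|/user:|-Credential' }  # assumed pattern
    )
    # Principals treated as "any local user can read" (assumed, English names).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $read  = [System.Security.AccessControl.FileSystemRights]::Read

    foreach ($c in $checks) {
        if (-not (Test-Path -LiteralPath $c.Path -PathType Leaf)) { continue }

        # Lines that look like stored credentials (case-insensitive by default).
        $hits = @(Select-String -LiteralPath $c.Path -Pattern $c.Pattern)

        # Allow rules that grant read access to a broad group.
        $readers = @((Get-Acl -LiteralPath $c.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $broad -and
            (($_.FileSystemRights -band $read) -eq $read)
        } | ForEach-Object { $_.IdentityReference.Value })

        [pscustomobject]@{
            Path          = $c.Path
            MatchingLines = ($hits.LineNumber -join ',')
            BroadReaders  = ($readers -join ',')
        }
    }

    # Saved credentials usable with runas /savecred: count entries only.
    $saved = @(cmdkey /list | Select-String -SimpleMatch 'Target:')
    [pscustomobject]@{
        Path          = 'cmdkey /list'
        MatchingLines = "$($saved.Count) saved entries"
        BroadReaders  = ''
    }
}

Get-CredentialExposure | Format-Table -AutoSize -Wrap
```

Any row with matching lines is a candidate for cleanup: delete leftover answer files, move connection-string secrets out of web.config, clear the history file, and remove stale entries with cmdkey /delete.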

Retrieve Credentials from Software: PuTTY