search
Total OSCP GuidePayloads All The Things

Credential Hunting

hashtag
Find password files:

findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml

Sensitive IIS information such as credentials may be stored in a web.config file. For the default IIS website, this could be located at C:\inetpub\wwwroot\web.config, but there may be multiple versions of this file in different locations, which we can search for recursively

hashtag
Dictionary Files

If a password is saved to dictionary to avoid red underlines:

gc 'C:\Users\htb-student\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

interchange password for any keyword

hashtag
Unattended Installation Files

Check for unattend.xml

hashtag
PowerShell History File

Starting with Powershell 5.0 in Windows 10, PowerShell stores command history to the file:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

To check history path:

gc (Get-PSReadLineOption).HistorySavePath

To check all history files:

hashtag
Powershell creds

We can obtain cleartext passwords from encrypted.xml

hashtag
Check Sticky Notes

People sometimes save passwords in sticky notes: Located at

Open it using DB Browser for SQLitearrow-up-right And use commands such as select Text from Note;. Can also be opened using powershell

Can also use strings plum.sqlite-wal on linux.

hashtag
Files of Interest

PreviousUACNextWindows Post Enumeration

Last updated