Skip to content

Latest commit

 

History

History
63 lines (39 loc) · 2.48 KB

LeakedCredentialsPowerShellHistory.md

File metadata and controls

63 lines (39 loc) · 2.48 KB

Leaked Credentials (PowerShell History)

Back to Main

Table of Contents

Description

PowerShell history records previously run commands, including any sensitive data such as passwords. Unauthorized access to this history could lead to credential leaks, and might to privilege escalation.

Lab Setup

⚠️ If you are using Windows 10 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.

Open a Powershell with local Administrator privileges and run the following command to change the passowrd of local Administrator:

net user Administrator Passw0rd!

Enumeration

To observe the leaked credentials, you should read the C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt PowerShell history file (It is recommended to open the TXT file from File Explorer):

C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Outcome:

Leaked-Creds-PS-History-Enumeration

Exploitation

Use these credentials to connect to a remote service or application. In this scenario, you can use these credentials to connect as local Administrator via RDP to the victim's machine.

Leaked-Creds-PS-History-Exploitation

Mitigation

To clear the PowerShell history file, you can delete the content of the file directly:

  1. Open PowerShell.

  2. Run the following command:

Clear-Content -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

References