Windows CMD - DIR
C:\xxx> dir \\192.168.220.129\Finance\
Volume in drive \\192.168.220.129\Finance has no label.
Volume Serial Number is ABCD-EFAA
Directory of \\192.168.220.129\Finance
02/23/2022 11:35 AM <DIR> Contracts
0 File(s) 4,096 bytes
1 Dir(s) 15,207,469,056 bytes free

Windows CMD - Net Use
C:\xxx> net use n: \\192.168.220.129\Finance
The command completed successfully.

Windows CMD - Net Use with username and password to authenticate
C:\xxx> net use n: \\192.168.220.129\Finance /user:plaintext Password123
The command completed successfully.

Windows CMD - DIR - How many files the shared folder and its subdirectories contain.
C:\xxx> dir n: /a-d /s /b | find /c ":\"
29302

| Syntax | Description |
|---|---|
| dir | Application |
| n: | Directory or drive to search |
| /a-d | /a is the attribute and -d means not directories |
| /s | Displays files in a specified directory and all subdirectories |
| /b | Uses bare format (no heading information or summary) |

Windows CMD - Findstr
c:\xxx>findstr /s /i cred n:\*.*
n:\Contracts\private\secret.txt:file with all credentials
n:\Contracts\private\credentials.txt:admin:SecureCredentials!

Windows PowerShell
PS C:\xxx> Get-ChildItem \\192.168.220.129\Finance\
Directory: \\192.168.220.129\Finance
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/23/2022 3:27 PM Contracts

New-PSDrive
PS C:\xxx> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
N FileSystem \\192.168.220.129\Finance

Windows PowerShell - PSCredential Object
PS C:\xxx> $username = 'plaintext'
PS C:\xxx> $password = 'Password123'
PS C:\xxx> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\xxx> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\xxx> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
N FileSystem \\192.168.220.129\Finance

Windows PowerShell - GCI
PS C:\xxx> N:
PS N:\> (Get-ChildItem -File -Recurse | Measure-Object).Count
29302
PS C:\xxx> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Directory: N:\Contracts\private
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/23/2022 4:36 PM 25 credentials.txt

Windows PowerShell - Select-String
PS C:\xxx> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
N:\Contracts\private\secret.txt:1:file with all credentials
N:\Contracts\private\credentials.txt:1:admin:SecureCredentials!

Linux - Mount
Attacker@xxx[/xxx]$ sudo mkdir /mnt/Finance
Attacker@xxx[/xxx]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance

Linux - Mount with credentials
Attacker@xxx[/xxx]$ mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile

Credential File Structure
username=plaintext
password=Password123
domain=.

Linux - Find
Attacker@xxx[/xxx]$ find /mnt/Finance/ -name *cred*
/mnt/Finance/Contracts/private/credentials.txt
Attacker@xxx[/xxx]$ grep -rn /mnt/Finance/ -ie cred
/mnt/Finance/Contracts/private/credentials.txt:1:admin:SecureCredentials!
/mnt/Finance/Contracts/private/secret.txt:1:file with all credentials

Linux - Install Evolution
Attacker@xxx[/xxx]$ sudo apt-get install evolution
...SNIP...

Video: Connecting to IMAP and SMTP using Evolution

Linux - SQSH
Attacker@xxx[/xxx]$ sqsh -S 10.129.20.13 -U username -P Password123

Windows - SQLCMD
C:\xxx> sqlcmd -S 10.129.20.13 -U username -P Password123

Linux - MySQL
Attacker@xxx[/xxx]$ mysql -u username -pPassword123 -h 10.129.20.13

Windows - MySQL
C:\xxx> mysql.exe -u username -pPassword123 -h 10.129.20.13

Install dbeaver
AdrianoInghihwg@htb[/htb]$ sudo dpkg -i dbeaver-<version>.deb

Run dbeaver
AdrianoInghihwg@htb[/htb]$ dbeaver &

Video - Connecting to MSSQL DB using dbeaver
Video - Connecting to MySQL DB using dbeaver