WINDOWS PRIVILEGE ESCALATION [Miscellaneous Techniques]

Can someone please help me with “Using the techniques in this section, find the cleartext password for an account on the target host.”?


Hey there!

A hint: enumerate the box with PowerShell cmdlets, following the section’s examples.

Check for the local user descriptions

Hi, I finally found the answer with a PowerShell command get-something, no need to be admin to run it.

Didn’t we talk about "Sticky Notes"!

WinPeas → and check the results

+1

They say better late than never.

So, after enumerating C:\Users\<user>\AppData\Local\Packages\ I could not identify a single folder pertaining to sticky notes. Unlike the course’s example, there is no folder containing the keyword Sticky or Note in it. The bottom line is that I could not do that programmatically. However, if you open the sticky notes via the GUI (since you have an RDP session on), you can see the password written in plaintext right there.