Decryption
Now that I have a valid PowerShell session as the app user, I will be able to decrypt the PSCredential objects in the home directory of the app user.
iot-admin.xml
PS C:\Data\Users\app> $cred = Import-CliXml -Path .\iot-admin.xml; $cred.GetNetworkCredential() | format-list *
UserName : administrator
Password : _1nt3rn37ofTh1nGz
Domain : omni- I can use the PowerShell’s Import-CliXml cmdlet to parse objects from an xml file and
- then use the GetNetworkCredential() method to decrypt the securestring password hash with the current authenticated session credential
- Line them up
The administrator user password extracted;
_1nt3rn37ofTh1nGz
user.txt
ps c:\Data\Users\app> $cred = Import-CliXml -Path .\user.txt; $cred.GetNetworkCredential() | format-list *
username : flag
password : 7cfd50f6bc34db3204898f1505ad9d70
domain : I can do the same for the user.txt file as the file content is XML despite of the TXT extension.