PRIMARY CATEGORY → WINDOWS PRIVESC
Theory
Abuse
Imagine we managed to access the remote system by exploiting an existing flaw in the web application that let us send a reverse shell back to our TCP listener.
Once we are in, the first thing to do is check the privileges associated with the current access token, since we have a shell as the service account running the web application, which is likely to hold SeImpersonatePrivilege:
whoami /priv
But this time there is no luck 💀
The current user does not hold any sensitive privilege and is not a member of any interesting group.
So we keep searching throughout the system for anything that can help us escalate privileges, until we find an XML file that contains a PSCredential object.
This file appears to be the result of running the Export-CLIXML cmdlet, which exports a PSCredential object to an XML file
Therefore, whenever we deal with an XML file resulting from a PowerShell CLI-XML operation, we can proceed as follows in order to obtain the plain password from the PSCredential object.
Importing the PSCredential object from the CLI-XML file into a PS variable:
$cred = Import-CLIXML '<XML_FILE>'
Extracting the plain password from the PSCredential object:
$cred.GetNetworkCredential().password
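Two things a defender should know about this technique, and an audit script that follows from them. On Windows, Export-CliXml protects the SecureString inside a PSCredential with DPAPI under the exporting user's key, so Import-CliXml only yields the plaintext to that same account on that same host; in the scenario above that means the file was written by the very service account we are running as. The mitigation is therefore not to leave such exports lying around in locations the service account can read, and to rotate any credential found in one. The script below is an added example, not part of the original notes: it walks a directory tree, flags CLI-XML files that carry a serialized PSCredential by matching the type name Export-CliXml writes into the file, and reports owner and readers so the files can be removed and the accounts rotated. It never deserializes the files, so it never decrypts anything. The `$Root` and `$Report` defaults and the 5 MB size cap are assumptions.

```powershell
# Added example (not part of the original page): audit a directory tree for
# CLI-XML files that contain a serialized PSCredential.
# Assumptions: $Root and $Report defaults, and the 5 MB size cap, are arbitrary.
param(
    [string]$Root   = 'C:\',
    [string]$Report = (Join-Path $env:TEMP 'clixml-credential-audit.csv')
)

# Export-CliXml records the full .NET type name of the exported object, so a
# plain-text match is enough to flag candidates without importing (and thus
# without decrypting) anything.
$marker = 'System.Management.Automation.PSCredential'

$hits = @(
    Get-ChildItem -Path $Root -Recurse -File -Include '*.xml', '*.clixml' -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 5MB } |
        ForEach-Object {
            try {
                if (Select-String -Path $_.FullName -Pattern $marker -SimpleMatch -Quiet) {
                    $acl = Get-Acl -Path $_.FullName
                    # Every identity with an Allow ACE on the file. A long list here means
                    # the export is readable by more than the account that created it.
                    $readers = $acl.Access |
                        Where-Object { $_.AccessControlType -eq 'Allow' } |
                        Select-Object -ExpandProperty IdentityReference -Unique |
                        ForEach-Object { $_.Value }
                    [pscustomobject]@{
                        Path          = $_.FullName
                        Owner         = $acl.Owner
                        LastWriteTime = $_.LastWriteTime
                        Readers       = ($readers -join ';')
                    }
                }
            } catch {
                # Unreadable file or inaccessible ACL: skip it, the scan is best-effort.
            }
        }
)

$hits | Export-Csv -Path $Report -NoTypeInformation
$hits | Format-Table -AutoSize
Write-Host "Found $($hits.Count) CLI-XML file(s) containing a PSCredential; report written to $Report"
```

Run it from an elevated shell when auditing a whole host so the ACL and file reads succeed everywhere; every path it reports should be treated as a stored credential, deleted once the dependent automation has been moved to a managed service account or a secrets store, and the credential itself rotated.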