Leaked Credentials (PowerShell History)
December 4, 2024 ยท View on GitHub
Table of Contents
Description
PowerShell history records previously run commands, including any sensitive data such as passwords. Unauthorized access to this history could lead to credential leaks, and might to privilege escalation.
Lab Setup
:warning: If you are using Windows 10 to proceed with this scenario, the local Administrator account needs to be enabled. I have created a PowerShell script named EnableLocalAdmin.ps1, designed to enable the local Administrator account and set a password. Please run this script with elevated privileges.
Open a Powershell with local Administrator privileges and run the following command to change the passowrd of local Administrator:
net user Administrator Passw0rd!
Enumeration
To observe the leaked credentials, you should read the C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt PowerShell history file (It is recommended to open the TXT file from File Explorer):
C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Outcome:

Exploitation
Use these credentials to connect to a remote service or application. In this scenario, you can use these credentials to connect as local Administrator via RDP to the victim's machine.

Mitigation
To clear the PowerShell history file, you can delete the content of the file directly:
-
Open PowerShell.
-
Run the following command:
Clear-Content -Path "C:\Users\<User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"