Privilege Escalation Hash Type
#1
I am trying to learn about privilege escalation and at one point the tutorial says to try a registry search for passwords.

i.e. 

reg query HKCU /f password /t REG_SZ /s

and 

reg query HKLM /f password /t REG_SZ /s

I have some passwords that returned that seem to be encrypted, what encryption do they use?
Reply
#2
While you are on that learning trip, I think it wouldn't hurt to read this about "encrypted passwords":
https://www.techsolvency.com/passwords/d...ecrypting/
Reply
#3
Thanks for the article and mild rebuke. Actually I have been guilty of using the wrong terminology and my understanding is clearer now.

Although, in my question above I thought I asked a legitimate question.

If passwords are retrieved from the registry, are they stored as base64?
Reply
#4
Passwords from the registry can be everything. Which password are you talking about?
It can be Windows passwords (LM, NTLM), it can be application passwords (FTP, etc.), please be more specific about the one(s) you have found.
Reply
#5
Here is one of the results from the registry pull.

HKEY_CURRENT_USER\Software\pdfforge\PDFCreator\Settings\ApplicationSettings\Accounts\TimeServerAccounts\0
Password REG_SZ xxxxxxmCO6g=

(I x'd out half of the password)
Reply
#6
There is no generic answer to that, it depends on the software that put the info there. The password could be hashed, encrypted or simply encoded.
Reply
#7
The '=' at the end *might* be padding, often used by base64/32 encoding.
+1 you need to know how the software writes it.
Reply
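The distinction drawn in posts #6 and #7 (hashed, encrypted or simply encoded), as an added example that is not part of the thread: a Python helper, under the hypothetical name `triage`, that reports what the shape of a stored string is consistent with. All sample values are constructed, and the result is only a hint, because the software that wrote the value decides its format.

```python
import base64
import binascii
import hashlib
import string

PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def triage(value):
    """Return (kind, size) for a string found in a registry 'Password' value."""
    v = value.strip()
    # Hex strings of digest length (MD5/NT, SHA-1, SHA-256, SHA-512 sizes).
    if len(v) in (32, 40, 64, 128) and all(c in string.hexdigits for c in v):
        return ("hex-digest-sized", len(v) // 2)
    try:
        # validate=True rejects characters outside the base64 alphabet
        # and incorrect '=' padding instead of silently skipping them.
        raw = base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        return ("not-base64", len(v))
    if raw and all(b in PRINTABLE for b in raw):
        # Decodes to readable text: encoding only, no secrecy at all.
        return ("base64-text", len(raw))
    if raw and len(raw) % 8 == 0:
        # Whole 8/16-byte blocks: consistent with block-cipher output
        # or a raw digest. The key or algorithm lives in the application.
        return ("base64-binary-blocklike", len(raw))
    return ("base64-binary", len(raw))

# Constructed sample values (not taken from any real system).
SAMPLES = {
    "encoded": base64.b64encode(b"Winter2024!").decode(),
    # 8 binary bytes -> 12 characters with one '=', the same shape as
    # the value quoted in post #5.
    "opaque": base64.b64encode(bytes.fromhex("9c11e307d29823a8")).decode(),
    "hexdigest": hashlib.md5(b"example").hexdigest(),
    "plain": "P@ssw0rd!",
    # Caveat: a plaintext word made only of base64-alphabet characters,
    # with a length divisible by 4, also decodes without error.
    "ambiguous": "password",
}

if __name__ == "__main__":
    for name, val in SAMPLES.items():
        print(f"{name:10} {val:34} {triage(val)}")
```

A "base64-text" result means the value is recoverable by anyone who can read the key, so the finding for a defender is the storage itself; the other results still need the writing application's documentation or source to interpret.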
#8
Thanks for the info. I'll take a deeper look.
Reply