3 box enum ?

C:\Users>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\Users

10/26/2018  11:37 PM    <DIR>          .
10/26/2018  11:37 PM    <DIR>          ..
10/26/2018  11:37 PM    <DIR>          Public

# no users?

C:\>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\

07/20/2020  02:36 AM    <DIR>          $Reconfig$
10/26/2018  11:35 PM    <JUNCTION>     Data [\??\Volume{ac55f613-7018-45c7-b1e9-7ddda60262fd}\]
09/29/2021  05:05 PM    <DIR>          inetput
10/26/2018  11:37 PM    <DIR>          Program Files
10/26/2018  11:38 PM    <DIR>          PROGRAMS
10/26/2018  11:37 PM    <DIR>          SystemData
10/26/2018  11:37 PM    <DIR>          Users
07/03/2020  10:35 PM    <DIR>          Windows
               0 File(s)              0 bytes
               8 Dir(s)     579,702,784 bytes free
			   
# data looks interesting.
C:\Data>dir
dir
 Volume in drive C is MainOS
 Volume Serial Number is 3C37-C677

 Directory of C:\Data

10/26/2018  11:37 PM    <DIR>          CrashDump
07/04/2020  12:22 AM                 0 FirstBoot.Complete
10/26/2018  11:37 PM    <DIR>          Logfiles
10/26/2018  11:37 PM    <DIR>          Programs
07/03/2020  11:22 PM    <DIR>          SharedData
07/03/2020  11:22 PM    <DIR>          SystemData
10/26/2018  11:38 PM    <DIR>          test
07/04/2020  07:28 PM    <DIR>          Users
10/26/2018  11:38 PM    <DIR>          Windows
               1 File(s)              0 bytes
               8 Dir(s)   4,692,525,056 bytes free

# both user.txt and root.txt contain PSAutomationCredentials?
C:\Data\Users\app>more user.txt
more user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS>
    </Props>
  </Obj>
</Objs>

C:\Data\Users\administrator>more root.txt
more root.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7</SS>
    </Props>
  </Obj>
</Objs>

PEAS.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
    PowerShellVersion    REG_SZ    5.1.17763.107

   [i] Maybe you find something interesting
Caption                       = C:
Caption                       = D:
Caption                       = U:

Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
U$           U:\                             Default share
ADMIN$       C:\windows                      Remote Admin
The command completed successfully

Windows IP Configuration
   Host Name . . . . . . . . . . . . : omni

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Defender Firewall
Remote admin mode                 = Disable

User accounts for \\
-------------------------------------------------------------------------------
Administrator            app                      DefaultAccount
DevToolsUser             Guest                    sshd
WDAGUtilityAccount

Looking inside C:\Data\Users\System\AppData\Local\Microsoft\Credentials\
C425A1CA2CB3B0DE9B75B8E57BD83681

C:\Data\Windows\System32\config\SAM
C:\Data\Windows\System32\config\SYSTEM
C:\Windows\system32\config\SAM
C:\Windows\system32\config\SYSTEM

Previous4 dump SAM SYSTEM Next2 :8080

Last updated 3 years ago

C:\Users>dir dir Volume in drive C is MainOS Volume Serial Number is 3C37-C677 Directory of C:\Users 10/26/2018 11:37 PM <DIR> . 10/26/2018 11:37 PM <DIR> .. 10/26/2018 11:37 PM <DIR> Public # no users? C:\>dir dir Volume in drive C is MainOS Volume Serial Number is 3C37-C677 Directory of C:\ 07/20/2020 02:36 AM <DIR> $Reconfig$ 10/26/2018 11:35 PM <JUNCTION> Data [\??\Volume{ac55f613-7018-45c7-b1e9-7ddda60262fd}\] 09/29/2021 05:05 PM <DIR> inetput 10/26/2018 11:37 PM <DIR> Program Files 10/26/2018 11:38 PM <DIR> PROGRAMS 10/26/2018 11:37 PM <DIR> SystemData 10/26/2018 11:37 PM <DIR> Users 07/03/2020 10:35 PM <DIR> Windows 0 File(s) 0 bytes 8 Dir(s) 579,702,784 bytes free # data looks interesting. C:\Data>dir dir Volume in drive C is MainOS Volume Serial Number is 3C37-C677 Directory of C:\Data 10/26/2018 11:37 PM <DIR> CrashDump 07/04/2020 12:22 AM 0 FirstBoot.Complete 10/26/2018 11:37 PM <DIR> Logfiles 10/26/2018 11:37 PM <DIR> Programs 07/03/2020 11:22 PM <DIR> SharedData 07/03/2020 11:22 PM <DIR> SystemData 10/26/2018 11:38 PM <DIR> test 07/04/2020 07:28 PM <DIR> Users 10/26/2018 11:38 PM <DIR> Windows 1 File(s) 0 bytes 8 Dir(s) 4,692,525,056 bytes free # both user.txt and root.txt contain PSAutomationCredentials? C:\Data\Users\app>more user.txt more user.txt <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <Obj RefId="0"> <TN RefId="0"> <T>System.Management.Automation.PSCredential</T> <T>System.Object</T> </TN> <ToString>System.Management.Automation.PSCredential</ToString> <Props> <S N="UserName">flag</S> <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e131d78fe272140835db3caa288536400000000020000000000106600000001000020000000ca1d29ad4939e04e514d26b9706a29aa403cc131a863dc57d7d69ef398e0731a000000000e8000000002000020000000eec9b13a75b6fd2ea6fd955909f9927dc2e77d41b19adde3951ff936d4a68ed750000000c6cb131e1a37a21b8eef7c34c053d034a3bf86efebefd8ff075f4e1f8cc00ec156fe26b4303047cee7764912eb6f85ee34a386293e78226a766a0e5d7b745a84b8f839dacee4fe6ffb6bb1cb53146c6340000000e3a43dfe678e3c6fc196e434106f1207e25c3b3b0ea37bd9e779cdd92bd44be23aaea507b6cf2b614c7c2e71d211990af0986d008a36c133c36f4da2f9406ae7</SS> </Props> </Obj> </Objs> C:\Data\Users\administrator>more root.txt more root.txt <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <Obj RefId="0"> <TN RefId="0"> <T>System.Management.Automation.PSCredential</T> <T>System.Object</T> </TN> <ToString>System.Management.Automation.PSCredential</ToString> <Props> <S N="UserName">flag</S> <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000011d9a9af9398c648be30a7dd764d1f3a000000000200000000001066000000010000200000004f4016524600b3914d83c0f88322cbed77ed3e3477dfdc9df1a2a5822021439b000000000e8000000002000020000000dd198d09b343e3b6fcb9900b77eb64372126aea207594bbe5bb76bf6ac5b57f4500000002e94c4a2d8f0079b37b33a75c6ca83efadabe077816aa2221ff887feb2aa08500f3cf8d8c5b445ba2815c5e9424926fca73fb4462a6a706406e3fc0d148b798c71052fc82db4c4be29ca8f78f0233464400000008537cfaacb6f689ea353aa5b44592cd4963acbf5c2418c31a49bb5c0e76fcc3692adc330a85e8d8d856b62f35d8692437c2f1b40ebbf5971cd260f738dada1a7</SS> </Props> </Obj> </Objs>

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion REG_SZ 5.1.17763.107 [i] Maybe you find something interesting Caption = C: Caption = D: Caption = U: Share name Resource Remark ------------------------------------------------------------------------------- C$ C:\ Default share IPC$ Remote IPC U$ U:\ Default share ADMIN$ C:\windows Remote Admin The command completed successfully Windows IP Configuration Host Name . . . . . . . . . . . . : omni Firewall status: ------------------------------------------------------------------- Profile = Standard Operational mode = Enable Exception mode = Enable Multicast/broadcast response mode = Enable Notification mode = Enable Group policy version = Windows Defender Firewall Remote admin mode = Disable User accounts for \\ ------------------------------------------------------------------------------- Administrator app DefaultAccount DevToolsUser Guest sshd WDAGUtilityAccount Looking inside C:\Data\Users\System\AppData\Local\Microsoft\Credentials\ C425A1CA2CB3B0DE9B75B8E57BD83681 C:\Data\Windows\System32\config\SAM C:\Data\Windows\System32\config\SYSTEM C:\Windows\system32\config\SAM C:\Windows\system32\config\SYSTEM