3 box enum ?
C:\Users>dir
dir
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\Users
10/26/2018 11:37 PM <DIR> .
10/26/2018 11:37 PM <DIR> ..
10/26/2018 11:37 PM <DIR> Public
# no users?
C:\>dir
dir
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\
07/20/2020 02:36 AM <DIR> $Reconfig$
10/26/2018 11:35 PM <JUNCTION> Data [\??\Volume{ac55f613-7018-45c7-b1e9-7ddda60262fd}\]
09/29/2021 05:05 PM <DIR> inetput
10/26/2018 11:37 PM <DIR> Program Files
10/26/2018 11:38 PM <DIR> PROGRAMS
10/26/2018 11:37 PM <DIR> SystemData
10/26/2018 11:37 PM <DIR> Users
07/03/2020 10:35 PM <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 579,702,784 bytes free
# Data looks interesting.
C:\Data>dir
dir
Volume in drive C is MainOS
Volume Serial Number is 3C37-C677
Directory of C:\Data
10/26/2018 11:37 PM <DIR> CrashDump
07/04/2020 12:22 AM 0 FirstBoot.Complete
10/26/2018 11:37 PM <DIR> Logfiles
10/26/2018 11:37 PM <DIR> Programs
07/03/2020 11:22 PM <DIR> SharedData
07/03/2020 11:22 PM <DIR> SystemData
10/26/2018 11:38 PM <DIR> test
07/04/2020 07:28 PM <DIR> Users
10/26/2018 11:38 PM <DIR> Windows
1 File(s) 0 bytes
8 Dir(s) 4,692,525,056 bytes free
# both user.txt and root.txt contain exported PSCredential objects (System.Management.Automation.PSCredential)?
C:\Data\Users\app>more user.txt
more user.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">…</SS>
</Props>
</Obj>
</Objs>
C:\Data\Users\administrator>more root.txt
more root.txt
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">flag</S>
<SS N="Password">…</SS>
</Props>
</Obj>
</Objs>
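Both files are Export-Clixml output: the SS element holds a SecureString, which on Windows is protected with DPAPI and tied to the account that exported it. As an added example (not part of the original notes), the sketch below audits a CLIXML document for stored PSCredential objects without decrypting anything; find_pscredentials and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
PSCRED = "System.Management.Automation.PSCredential"
# Fixed prefix of a DPAPI blob in hex: version 1 + default provider GUID.
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed sample shaped like user.txt / root.txt. The Password value is
# only the DPAPI header, not a real encrypted blob.
SAMPLE = f"""<Objs Version="1.1.0.1" xmlns="{NS['ps']}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>{PSCRED}</T>
      <T>System.Object</T>
    </TN>
    <ToString>{PSCRED}</ToString>
    <Props>
      <S N="UserName">flag</S>
      <SS N="Password">{DPAPI_HEADER}</SS>
    </Props>
  </Obj>
</Objs>"""


def find_pscredentials(clixml_text):
    """Report each serialized PSCredential in a CLIXML document (no decryption)."""
    findings = []
    root = ET.fromstring(clixml_text)
    for obj in root.iter(f"{{{NS['ps']}}}Obj"):
        types = [t.text for t in obj.findall("ps:TN/ps:T", NS)]
        props = obj.find("ps:Props", NS)
        if PSCRED not in types or props is None:
            continue
        user = props.find("ps:S[@N='UserName']", NS)
        secret = props.find("ps:SS[@N='Password']", NS)
        blob = ((secret.text or "") if secret is not None else "").strip().lower()
        findings.append({
            "username": user.text if user is not None else None,
            "blob_bytes": len(blob) // 2,            # hex-encoded payload size
            "dpapi": blob.startswith(DPAPI_HEADER),  # bound to exporting account
        })
    return findings


if __name__ == "__main__":
    for finding in find_pscredentials(SAMPLE):
        print(finding)
```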
PEAS.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
PowerShellVersion REG_SZ 5.1.17763.107
[i] Maybe you find something interesting
Caption = C:
Caption = D:
Caption = U:
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
U$ U:\ Default share
ADMIN$ C:\windows Remote Admin
The command completed successfully
Windows IP Configuration
Host Name . . . . . . . . . . . . : omni
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Defender Firewall
Remote admin mode = Disable
User accounts for \\
-------------------------------------------------------------------------------
Administrator app DefaultAccount
DevToolsUser Guest sshd
WDAGUtilityAccount
Looking inside C:\Data\Users\System\AppData\Local\Microsoft\Credentials\
C425A1CA2CB3B0DE9B75B8E57BD83681
C:\Data\Windows\System32\config\SAM
C:\Data\Windows\System32\config\SYSTEM
C:\Windows\system32\config\SAM
C:\Windows\system32\config\SYSTEM