I was recently exploring methods of caching cleartext credentials on Windows systems for a pentest lab when I ran into an interesting tool, cmdkey.exe. Cmdkey is a built-in Windows tool that can cache domain user credentials for use on specific target machines. You can check out the documentation from Microsoft here: https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx.

While cmdkey didn’t quite suit my criteria for pentest labs, it had a few characteristics that piqued my interest:

- You can list and create credentials with cmdkey as a regular domain user
- It’s often used to perform administrative tasks on remote systems

Sounds like an opportunity to abuse this for privilege escalation to me! So, I decided to dig a little deeper and play out a possible scenario on an internal penetration test.

Scenario: You’ve established a beacon on a Domain User workstation which does not have local admin, or any elevated privileges on other systems. However, the user has a secondary account which they use for remote administration and they’ve cached the creds with cmdkey to make their lives easier.
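To see what that cache looks like from the defending side, here is an added Python helper (mine, not code from the original post) that parses the output of `cmdkey /list` and reports cached domain passwords stored for remote targets, together with the `cmdkey /delete` command that clears each one. The sample listing is constructed, and the parser assumes the Target/Type/User block layout that cmdkey prints.

```python
import re
from dataclasses import dataclass

# Constructed sample of `cmdkey /list` output; not captured from a real host.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:target=TERMSRV/fileserver01
    Type: Domain Password
    User: CORP\\jdoe-admin

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: jdoe

    Target: Domain:interactive=CORP\\jdoe
    Type: Domain Password
    User: CORP\\jdoe
"""

@dataclass
class CachedCred:
    target: str
    cred_type: str
    user: str

    def is_remote_domain_cred(self) -> bool:
        # A domain password stored for a named target can authenticate to that host.
        return self.cred_type == "Domain Password" and self.target.startswith("Domain:target=")

def parse_cmdkey_list(text: str) -> list[CachedCred]:
    """Parse the text printed by `cmdkey /list` into one CachedCred per stored entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):  # entries are blank-line separated
        fields = dict(re.findall(r"^\s*(Target|Type|User):\s*(.+?)\s*$", block, re.M))
        if "Target" in fields:
            entries.append(CachedCred(fields["Target"], fields.get("Type", ""), fields.get("User", "")))
    return entries

def audit(text: str) -> list[str]:
    """One finding per cached domain credential that targets a remote host, with the cleanup command."""
    findings = []
    for cred in parse_cmdkey_list(text):
        if cred.is_remote_domain_cred():
            host = cred.target.split("=", 1)[1]
            findings.append(f"{cred.user} cached for {host}; clear with: cmdkey /delete:{host}")
    return findings
```

On a Windows host, feed it the live store with `subprocess.run(["cmdkey", "/list"], capture_output=True, text=True).stdout`; generic (non-domain) entries and the interactive logon entry are parsed but not flagged.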