> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/password-reuse/trick-0384.md).

# Password Reuse for WinRM Access

***

A password for the user `raven` was found in plaintext inside a backup file (`website-backup-27–07–23-old.zip`) located in `C:\inetpub\wwwroot`. This file path was discovered using the `xp_dirtree` procedure via MSSQL.

`xp_dirtree` is an undocumented extended stored procedure available in SQL Server that can be used to list the directory structure of a specified folder. By default, it returns a listing of subdirectories. However, it can also be used to list files within directories. The basic syntax is `xp_dirtree 'directory_name', depth, 1`, where the third parameter `1` indicates that files should also be listed. For instance, to list directories and files in the `C:\inetpub\wwwroot` path, a query like the following could be used:

```sql
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1
```

The recovered password was then used to authenticate to the server via WinRM. Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol, used for remote management of Windows systems. Impacket's `winrm.py` script can be used to execute commands over WinRM. The command structure typically involves specifying the target, credentials, and the command to execute. The `-r http` flag is used for connections over unencrypted HTTP, which is common when WinRM is configured without SSL/TLS.

The command used was:

```bash
impacket-winrm dc01.manager.htb -r http -u raven -p 'FoundPassword' -cmd whoami
```
