Sensitive Files to Grab in Windows

Luke Stephens (@hakluke)
2 min read · Feb 15, 2018

Scenario time — you’ve just found that you are able to access an entire Windows file system via a directory traversal vuln in a webapp. You don’t have command execution, and your plan is to pull down any potentially sensitive data from files alone. Which files should you check?

I was inspired to write this post after reading this tweet from @egyp7:

The article is just a set of answers provided by the Twitter community, mixed with a few of my own, and some from a great Windows post-exploitation article by mubix which you can download here, organised into a nice list. Get in touch if you think some are missing!

Note: %windir% can usually be replaced with C:\windows

%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (the digit may be 5, 6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
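For the defending side of the same scenario, here is an added example (not part of hakluke's post) of a log check: it decodes each request target the way a careless file handler would (repeated percent-decoding, backslashes folded to slashes, lexical `..` resolution) and flags requests whose resolved path ends in one of the files listed above. The access-log lines are constructed samples, and the function and regex names are mine.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Files from the list above as lower-case suffixes; iis[567] covers iis5/6/7.log.
SENSITIVE_RE = re.compile(
    r"(repair/(sam|system|software|security)|system32/config/regback/sam"
    r"|debug/netsetup\.log|iis[567]\.log|system32/logfiles/httperr/httperr1\.log"
    r"|sysprep\.inf|sysprep/sysprep\.xml|panther/unattended\.xml)$")

def full_decode(value: str) -> str:
    # Percent-decode until stable (catches %252e double encoding), then fold
    # backslashes to slashes and lower-case, since Windows paths ignore case.
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/").lower()

def resolve(path: str) -> str:
    # Lexically apply '.' and '..' the way a naive path join + open() would.
    out = []
    for seg in path.split("/"):
        if seg == ".." and out:
            out.pop()
        elif seg not in ("", ".", ".."):
            out.append(seg)
    return "/".join(out)

def classify(target: str) -> dict:
    # Inspect the URL path and every query-string value of one request target.
    parts = urlsplit(target)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    verdict = {"traversal": False, "sensitive": None}
    for cand in [parts.path] + values:
        decoded = full_decode(cand)
        if "../" in decoded or decoded.endswith(".."):
            verdict["traversal"] = True
        m = SENSITIVE_RE.search(resolve(decoded))
        if m and verdict["sensitive"] is None:
            verdict["sensitive"] = m.group(1)
    return verdict

LOG_LINES = [  # constructed sample access-log entries: method and request target
    "GET /download?file=..%2F..%2Fwindows%2Frepair%2Fsam",
    "GET /static/..%252F..%252Fwindows%252Fpanther%252Funattended.xml",
    "GET /download?file=reports/2018/q1.pdf",
    "GET /download?file=..\\..\\..\\sysprep\\sysprep.inf",
]
def scan(lines):
    # (line, verdict) for entries that show traversal or target a listed file.
    return [(ln, v) for ln in lines for v in [classify(ln.split(" ", 1)[1])]
            if v["traversal"] or v["sensitive"]]
```

A hit with `sensitive` set is worth more than a bare traversal flag: it tells you which file the request was trying to reach, which is what decides whether credential material (SAM, sysprep answers, NetSetup.log) may have left the box.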
