Hi Pentester,
Maybe after you compromise a system and obtain the Windows administrator account password, you get stuck trying to run a command on behalf of the admin account while you are still in a lower-privilege account shell.
You want to run a command with higher privilege with the help of run-as. Here are some methods of doing run-as for post-exploitation.
Powershell
You can use the PowerShell command sequence below to run a command as whatever account you specify, in this case administrator.
$pass = convertTo-SecureString 'YOUR_PASSWORD_HERE' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("administrator",$pass)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
Invoke-RunAs
We can also use the PowerShell script provided by FuzzySecurity, which you can download from GitHub: https://github.com/FuzzySecurity/PowerShell-Suite.git
The suite contains a script called Invoke-RunAs; sample usage is shown below.
Start cmd with a local account.
C:\PS> Invoke-Runas -User administrator -Password YOUR_PASSWORD_HERE -Binary C:\Windows\System32\cmd.exe -LogonType 0x1
Start cmd with remote credentials. Equivalent to "/netonly" in runas.
C:\PS> Invoke-Runas -User administrator -Password YOUR_PASSWORD_HERE -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2
Metasploit Run-As
msf5 post(windows/manage/run_as) > show options
Module options (post/windows/manage/run_as):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
CMD                        yes       Command to execute
CMDOUT    false            yes       Retrieve command output
DOMAIN                     yes       Domain to login with
PASSWORD                   yes       Password to login with
SESSION                    yes       The session to run this module on.
USER                       yes       Username to login with
As shown above, there are three ways to do run-as for post-exploitation that can help you run commands as another user whose credentials you obtained during a penetration test.
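From the defender's side, every method above leaves the same footprint in the Windows Security log: event 4648 (a logon was attempted using explicit credentials) for any process that supplies another account's password, and a 4624 logon with LogonType 9 (NewCredentials) for the /netonly style used by -LogonType 0x2. The script below is an added example, not part of the original post or of any of the tools it mentions; it assumes an elevated prompt on the host being checked, that Logon auditing is enabled, and that the $Hours look-back window is chosen by the reader.

```powershell
# Added detection example (not from the original post): list explicit-credential
# use on this host so a blue team can spot a low-privilege session spawning
# processes as administrator. Run from an elevated PowerShell prompt.
$Hours = 24                                   # look-back window (assumption)
$since = (Get-Date).AddHours(-$Hours)

# Pull one named field out of an event's EventData XML
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4648: written by runas, CreateProcessWithLogonW and Invoke-Command -Credential
$explicit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Caller     = Get-EventField $_ 'SubjectUserName'   # account that supplied the creds
            TargetUser = Get-EventField $_ 'TargetUserName'    # account the creds belong to
            Process    = Get-EventField $_ 'ProcessName'
            Server     = Get-EventField $_ 'TargetServerName'  # localhost vs. a remote target
        }
    }

# 4624 with LogonType 9: NewCredentials logon, the mark of /netonly (LogonType 0x2 above)
$netonly = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '9' } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Caller     = Get-EventField $_ 'SubjectUserName'
            TargetUser = Get-EventField $_ 'TargetUserName'
            Process    = Get-EventField $_ 'ProcessName'
        }
    }

# Rows where the caller and the target account differ are the ones worth triaging;
# a user account obtaining 'administrator' is exactly the run-as pattern described above.
$explicit | Where-Object { $_.Caller -ne $_.TargetUser } | Sort-Object Time | Format-Table -AutoSize
$netonly  | Sort-Object Time | Format-Table -AutoSize
```

Routine 4648 events from scheduled tasks and services also appear, so baseline the normal Caller/TargetUser pairs on a host before alerting on the remainder.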