help!! run-as please

Hi Pentester,

After you compromise a system and obtain the Windows administrator account password, you might get stuck trying to run a command on behalf of the admin account while you are still in a lower-privilege account shell.

You want to run a command with higher privilege with the help of run-as. Here are some methods of doing run-as for post-exploitation.

PowerShell

You can use the PowerShell command sequence below to run a command as the account you choose, in this case administrator.

# Build a PSCredential object from the known password
$pass = ConvertTo-SecureString 'YOUR_PASSWORD_HERE' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("administrator", $pass)
# Run the script block on the host ARKHAM under that credential
Invoke-Command -ComputerName ARKHAM -ScriptBlock { whoami } -Credential $cred

Invoke-RunAs

We can also use the PowerShell script provided by FuzzySecurity, which you can download from GitHub: https://github.com/FuzzySecurity/PowerShell-Suite.git

The suite includes the Invoke-Runas script, which you can run as in the samples below.

Start cmd with a local account.
C:\PS> Invoke-Runas -User administrator -Password YOUR_PASSWORD_HERE -Binary C:\Windows\System32\cmd.exe -LogonType 0x1

Start cmd with remote credentials. Equivalent to "/netonly" in runas.
C:\PS> Invoke-Runas -User administrator -Password YOUR_PASSWORD_HERE -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2

Metasploit Run-As

msf5 post(windows/manage/run_as) > show options 

Module options (post/windows/manage/run_as):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       Command to execute
   CMDOUT    false            yes       Retrieve command output
   DOMAIN                     yes       Domain to login with
   PASSWORD                   yes       Password to login with
   SESSION                    yes       The session to run this module on.
   USER                       yes       Username to login with

As shown above, there are 3 ways to do run-as for post-exploitation that can help you run a command as another user whose credentials you obtained during a penetration test.
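Seen from the defender's side, explicit-credential logons like the ones above are recorded in the Windows Security log when logon auditing is enabled: event 4648 (a logon was attempted using explicit credentials) and, for the "/netonly" case, event 4624 with logon type 9 (NewCredentials). The triage sketch below is an added example, not part of the original post; the event records, the user and host names other than ARKHAM and administrator, and the noise filter on machine accounts are assumptions made for illustration.

```python
# Field names follow Windows Security events 4648 and 4624; every host, user
# and value below is constructed for illustration.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4648, "SubjectUserName": "alfred", "TargetUserName": "administrator",
     "TargetServerName": "ARKHAM", "ProcessName": PS},
    {"EventID": 4624, "LogonType": 9, "SubjectUserName": "alfred",
     "TargetUserName": "alfred", "TargetOutboundUserName": "administrator",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # Noise: a service start-up logged by the machine account.
    {"EventID": 4648, "SubjectUserName": "WS01$", "TargetUserName": "svc_backup",
     "TargetServerName": "localhost", "ProcessName": r"C:\Windows\System32\services.exe"},
    # Noise: an ordinary console logon.
    {"EventID": 4624, "LogonType": 2, "SubjectUserName": "WS01$",
     "TargetUserName": "alfred", "ProcessName": r"C:\Windows\System32\svchost.exe"},
]


def find_runas_activity(events):
    """Return (rule, caller, account_used, process) for run-as style logons."""
    findings = []
    for ev in events:
        subject = ev.get("SubjectUserName", "")
        target = ev.get("TargetUserName", "")
        process = ev.get("ProcessName", "")
        if ev.get("EventID") == 4648:
            # 4648: a logon was attempted using explicit credentials.
            # Assumption: skip machine accounts and self-logons to cut noise.
            if subject.endswith("$") or subject.lower() == target.lower():
                continue
            findings.append(("explicit-credentials", subject, target, process))
        elif ev.get("EventID") == 4624 and ev.get("LogonType") == 9:
            # Logon type 9 (NewCredentials) is what "runas /netonly" produces;
            # the account used on the network is in TargetOutboundUserName.
            used = ev.get("TargetOutboundUserName") or target
            findings.append(("netonly-logon", subject, used, process))
    return findings


if __name__ == "__main__":
    for finding in find_runas_activity(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same fields can be exported from the Security log and fed to the function as dictionaries; the machine-account filter should be tuned to the environment's own baseline.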
