Gong Xi Fa Choy to all of you. Not really a good start to the year for me; my daughter is sick. But I need to go to Jakarta next week to teach a Digital Forensics/Anti-Forensics class. Okay, anyway, this is another trick to use Sysinternals tools in a hackish way.
Case Study
- In a social engineering campaign, you managed to pivot your way into a Windows machine with low-privileged (guest) access.
- You have an admin-privileged username and password, but RDP is impossible or runas doesn't work.
- Ingress/egress firewall rules kicked in, so running psexec remotely is impossible.
- For fun!!!!!
Suppose we backdoored a normal user with a bind shell on port 4444.
As you can see, adding a user is impossible due to limited privileges. Let's assume we know the password of user admin, which is admin123. Can we use the runas command?
It seems our runas command failed because our bindshell backdoor is an interactive shell that can't feed the password prompt: runas reads the password from the console, not from stdin or a command-line argument.
All hope is lost? Nope, we can use psexec to get around this. I would say "psexec is like sudo".
Why do I like psexec? I believe Sysinternals tools are the "universal Windows backdoor."
This idea came from a Stack Overflow thread: http://stackoverflow.com/questions/12456675/single-line-command-for-run-as-different-user-in-window-7-that-contain-password
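From the defender's side, this trick is noisy: PsExec installs its PSEXESVC service on the host even when run locally, and the command line carries the credentials in clear (the -u/-p switches) for any process-creation logging to pick up. The PowerShell below is an added example, not code from the original post; the hostname, lookback window and the assumption that command-line auditing (4688) or Sysmon is enabled are mine.

```powershell
# Added example: hunt for local PsExec use on a Windows host.
# Signal 1: PSEXESVC service install (System log, Event ID 7045).
# Signal 2: process creation whose command line holds psexec with -u/-p
#           (Security 4688 with command-line auditing, or Sysmon Event ID 1).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host
    [int]$HoursBack = 24                         # assumption: lookback window
)

$since = (Get-Date).AddHours(-$HoursBack)

# 1. Service installs named PSEXESVC. A renamed service (psexec -r) will not
#    match the name, but its ImagePath still ends in PSEXESVC.exe by default.
$svc = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated,
        @{ n = 'Detail'; e = { (($_.Message -split "`n")[0..3]) -join ' ' } }

# 2. Process creation events mentioning psexec together with -u and -p.
$proc = @()
$proc += Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue
$proc += Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
    } -ErrorAction SilentlyContinue

$hits = $proc | Where-Object {
        $_.Message -match '(?i)psexec' -and
        $_.Message -match '(?i)\s-u\s' -and
        $_.Message -match '(?i)\s-p\s'
    } | Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = {
            (($_.Message -split "`n") | Where-Object { $_ -match 'Command|Process' }) -join ' '
        } }

"PSEXESVC service installs since $since : $(@($svc).Count)"
$svc  | Format-Table -AutoSize
"psexec -u/-p process creations since $since : $(@($hits).Count)"
$hits | Format-Table -AutoSize
```

Both queries read event logs only, so the script can run from a SOC workstation against a remote host with the right event-log permissions; no hits is expected on a clean box, and a 7045 PSEXESVC entry with no matching remote logon is the signature of the local use described above.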