Pentesting: Runas – How to elevate the same command prompt from user to admin in Windows

The search that most likely brought you here is something to the effect of: how to elevate the same command prompt from user to admin in Windows. For me, it was surprisingly annoying and I wasted a lot more time than I thought I would tracking down a solution to this particular problem.

It’s a deceptively simple task, and the short answer to your question is: depending on the scenario, you can’t – but there are ways around it. As the title alludes, this is unfortunately not a post about how to elevate your privileges in the same command prompt legitimately, but how to do so in a pentesting scenario. (Although if you are a legit admin, you can set things up so you can do it with psexec.)

Scenario

You are pentesting something and you can get command line access to a server as a user. You have administrative credentials, but you only have access to your one user shell and you want to elevate to administrator/system.

How to Do It

Fortunately, it’s pretty straightforward. The first thing you have to do is get a meterpreter shell running on the computer. You may run into AV, and if that’s the case you’ll need to obfuscate your meterpreter somehow. Fortunately this is pretty easy to do; something like Veil will do the trick, but really any non-Metasploit crypto/obfuscation typically works. All the AV vendors have signatures for the built-in Metasploit stuff, so it tends to be fairly ineffective.

Once you have your meterpreter session running you can use a module called post/windows/manage/run_as. The options will look something like this:

Name      Current Setting                  Required  Description
----      ---------------                  --------  -----------
CMD       <YOUR_METERPRETER_PAYLOAD>       yes       Command to execute
CMDOUT    false                            yes       Retrieve command output
DOMAIN    workgroup                        yes       Domain to login with
PASSWORD  <ADMIN_PASSWORD>                 yes       Password to login with
SESSION   <YOUR_USER_METERPRETER_SESSION>  yes       The session to run this module on.
USER      <ADMIN_USERNAME>                 yes       Username to login with

Where CMD could be anything you want to run as the administrator, but I typically just rerun my meterpreter payload to upgrade it to admin level and go from there.
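From the defender's side, the pivot described above leaves a distinctive trace: Windows writes Security event 4648 ("A logon was attempted using explicit credentials") whenever a process starts a logon with another account's username and password, which is what runas.exe, psexec and a run_as-style post module all do. The following is an added example, not code from the original post or from Metasploit, that scans 4648 records for exactly this pattern: a low-privilege subject account supplying credentials for an administrative account, or an explicit-credential logon started by an unexpected binary rather than runas.exe. The privileged-account set, the expected-process set and the JSON-lines sample records are constructed for the example; the field names follow the 4648 event schema.

```python
"""Flag Windows Security event 4648 records that look like a user-to-admin pivot.

Added example (not from the original post). Field names follow the 4648
event schema; PRIVILEGED_ACCOUNTS, EXPECTED_PROCESSES and SAMPLE_EVENTS are
constructed for this example, not real data.
"""
import json
from dataclasses import dataclass

# Constructed: accounts treated as privileged (in practice, derive from AD group membership).
PRIVILEGED_ACCOUNTS = {"administrator", "da_jsmith", "svc_backup"}

# Constructed: binaries expected to initiate explicit-credential logons.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\runas.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample records in JSON-lines form, one Security event per line.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "Computer": "srv01", "TargetUserName": "jdoe", "LogonType": 3}
{"EventID": 4648, "Computer": "srv01", "SubjectUserName": "jdoe", "SubjectDomainName": "WORKGROUP", "TargetUserName": "Administrator", "TargetDomainName": "WORKGROUP", "TargetServerName": "localhost", "ProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 4648, "Computer": "ws07", "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP", "TargetUserName": "helpdesk1", "TargetDomainName": "CORP", "TargetServerName": "localhost", "ProcessName": "C:\\Windows\\System32\\runas.exe"}
{"EventID": 4648, "Computer": "ws07", "SubjectUserName": "da_jsmith", "SubjectDomainName": "CORP", "TargetUserName": "Administrator", "TargetDomainName": "CORP", "TargetServerName": "localhost", "ProcessName": "C:\\Windows\\System32\\runas.exe"}
{"EventID": 4648, "Computer": "srv01", "SubjectUserName": "jdoe", "SubjectDomainName": "WORKGROUP", "TargetUserName": "jdoe", "TargetDomainName": "WORKGROUP", "TargetServerName": "localhost", "ProcessName": "C:\\Windows\\System32\\cmd.exe"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    subject: str
    target: str
    process: str
    reasons: tuple


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(event):
    """Return the reasons a 4648 event looks like a privilege pivot (empty tuple if benign)."""
    if event.get("EventID") != 4648:
        return ()
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    process = event.get("ProcessName", "").lower()
    reasons = []
    # The post's scenario: a non-admin subject supplies admin credentials.
    if target in PRIVILEGED_ACCOUNTS and subject not in PRIVILEGED_ACCOUNTS:
        reasons.append("unprivileged subject supplied privileged credentials")
    # Explicit-credential logons normally come from runas.exe or a service host,
    # not from an arbitrary binary such as a freshly dropped payload.
    if process and process not in EXPECTED_PROCESSES:
        reasons.append("unexpected process initiated explicit-credential logon")
    return tuple(reasons)


def scan(text):
    """Run assess() over every event and collect a Finding for each suspicious one."""
    findings = []
    for event in parse_events(text):
        reasons = assess(event)
        if reasons:
            findings.append(Finding(
                host=event.get("Computer", "?"),
                subject=event.get("SubjectUserName", "?"),
                target=event.get("TargetUserName", "?"),
                process=event.get("ProcessName", "?"),
                reasons=reasons,
            ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.subject} -> {f.target} via {f.process}: {'; '.join(f.reasons)}")
```

On the sample data the scan reports two findings: the jdoe-to-Administrator logon started from a binary in a temp directory (both reasons fire), and a same-account logon started from cmd.exe (unexpected process only). The helpdesk self-runas and the domain admin using runas.exe are left alone. In a real deployment the 4648 would be correlated with the matching 4624 (logon type 2 for runas, type 9 for /netonly) and with a process-creation event for the new child, and the privileged-account list would come from group membership rather than a hard-coded set.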
