Friday, January 31, 2014

Leveraging psexec locally to execute privileged commands

Gong Xi Fa Choy to all of you. Not really a good start to the year for me, as my daughter is sick, but I need to go to Jakarta next week to teach a Digital Forensics/Anti-Forensics class. Anyway, this is another trick for using Sysinternals tools in a hackish way.

Case Study

  1. In a social engineering campaign, you managed to pivot your way onto a Windows machine with low-privileged (guest) access.
  2. You have an admin-privileged username and password, but RDP is impossible or runas doesn't work.
  3. The ingress/egress firewall kicked in, so running psexec remotely is impossible.
  4. For Fun!!!!!
Suppose we backdoored a normal user with a bind shell on port 4444.



As you can see, adding a user is impossible because of the limited privilege. Let's assume we know the password of the user admin, which is admin123. Can we use the runas command?


It seems our runas command failed because our bind shell backdoor does not give us a real console stdin, so runas cannot read the password it prompts for.

All hope is lost? Nope, we can use psexec to get around this circumstance, since it takes the credentials as arguments instead of prompting for them. I would say "psexec is like sudo".


Why do I like psexec? I believe the Sysinternals tools are the "universal Windows backdoor."
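From the defender's side, the same trick leaves traces worth alerting on, whether psexec is run remotely or locally. The script below is an added example, not code from the original post. It parses constructed log lines in a simplified "EventID|Channel|Key=Value;..." form (an assumption of this example, not a real Windows export format) and flags two artifacts: a System Event ID 7045 record for the PSEXESVC service that PsExec installs on the machine it runs against, and a Security Event ID 4688 process-creation record whose command line runs psexec with credentials passed on the command line. The 4688 rule only works when process command-line auditing is enabled, and it redacts the password argument so that the finding does not store the secret that the raw audit record would otherwise expose in clear text.

```python
"""Detect local PsExec use from Windows event log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample records in the simplified format this example assumes.
# The password value is a made-up placeholder, not from any real system.
SAMPLE_EVENTS = [
    "7045|System|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe;StartType=demand start",
    "4688|Security|NewProcessName=C:\\Users\\guest\\psexec.exe;"
    "CommandLine=psexec.exe -accepteula -u admin -p S3cret! cmd.exe;SubjectUserName=guest",
    "4688|Security|NewProcessName=C:\\Windows\\System32\\runas.exe;"
    "CommandLine=runas /user:admin cmd.exe;SubjectUserName=guest",
    "7045|System|ServiceName=Spooler;ImagePath=%SystemRoot%\\System32\\spoolsv.exe;StartType=auto start",
    "4688|Security|NewProcessName=C:\\Windows\\System32\\notepad.exe;"
    "CommandLine=notepad.exe;SubjectUserName=guest",
]

PSEXEC_SERVICE = "PSEXESVC"                       # default service name PsExec installs
PSEXEC_EXE = re.compile(r"(^|\\)psexec(64)?\.exe$", re.IGNORECASE)
USER_ARG = re.compile(r"(?<!\S)-u\s", re.IGNORECASE)
PASSWORD_ARG = re.compile(r"(?<!\S)(-p)\s+\S+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def parse_event(line: str) -> dict:
    """Split 'EventID|Channel|k=v;k=v' into a dict (constructed format)."""
    event_id, channel, fields = line.split("|", 2)
    record = {"EventID": int(event_id), "Channel": channel}
    for pair in fields.split(";"):
        key, _, value = pair.partition("=")
        record[key.strip()] = value.strip()
    return record


def redact_password(command_line: str) -> str:
    """Mask the argument after -p so findings never carry the clear-text password."""
    return PASSWORD_ARG.sub(r"\1 *****", command_line)


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def detect(lines: list[str]) -> list[Finding]:
    """Run both rules over every line and return the findings in log order."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == 7045:
            # Rule 1: PsExec drops and registers PSEXESVC via the Service Control Manager,
            # on the local machine too when no remote computer is given.
            svc = ev.get("ServiceName", "")
            image = basename(ev.get("ImagePath", ""))
            if svc.upper() == PSEXEC_SERVICE or image.upper() == PSEXEC_SERVICE + ".EXE":
                findings.append(Finding("psexec_service_installed", 7045,
                                        f"service {svc} from {ev.get('ImagePath', '')}"))
        elif ev["EventID"] == 4688:
            # Rule 2: psexec launched with -u (credentials on the command line).
            proc = ev.get("NewProcessName", "")
            cmd = ev.get("CommandLine", "")
            first_token = cmd.split(" ", 1)[0]
            if PSEXEC_EXE.search(proc) or PSEXEC_EXE.search(first_token):
                rule = "psexec_explicit_credentials" if USER_ARG.search(cmd) else "psexec_execution"
                who = ev.get("SubjectUserName", "?")
                findings.append(Finding(rule, 4688, f"{who} ran: {redact_password(cmd)}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

Renaming the service (PsExec's -r option) defeats the name check in rule 1, so in practice pair it with a baseline of expected service installs and, for the remote case, with writes to ADMIN$; the 4688 rule still fires on the launching process regardless of the service name.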



