Windows Privilege Escalation – Runas (Stored Credentials)

Introduction

Runas is a Windows command-line tool that allows a user to run specific tools, programs or commands with different permissions than the user’s current logon provides.

If a user’s credentials have been saved in Windows Credential Manager, the Runas command can be run with the /savecred flag, which authenticates with the stored credentials and executes the command as that user without prompting for a password.

Identifying Stored Credentials

Cmdkey is a Windows command-line utility that is used to create, list, and delete stored user names and passwords or credentials.

The following command can be used to identify stored credentials:

cmdkey /list

They can also be viewed in the Windows Credential Manager (Control Panel > User Accounts > Credential Manager).

Automated scripts such as WinPEAS can also find stored credentials:

winpeas.exe quiet cmd windowscreds
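As an added audit example (not from the original post, and not part of WinPEAS), the following PowerShell turns the text output of cmdkey /list into objects so the stored credentials can be reviewed or exported, and checks the Lsa\DisableDomainCreds registry value, which corresponds to the policy "Network access: Do not allow storage of passwords and credentials for network authentication" and prevents these credentials from being saved in the first place. It assumes cmdkey prints "Target:", "Type:" and "User:" lines as on current Windows versions.

```powershell
# Added audit example: enumerate credentials saved in Windows Credential Manager
# for the current user and check whether the policy blocking domain credential
# storage is enforced. Assumes cmdkey /list prints Target/Type/User lines.

function Get-StoredCredentialEntry {
    # Parse cmdkey /list into one object per stored credential.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        switch -Regex ($line.Trim()) {
            '^Target:\s*(.+)$' {
                if ($current) { $entries += $current }
                $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
            }
            '^Type:\s*(.+)$' { if ($current) { $current.Type = $Matches[1] } }
            '^User:\s*(.+)$' { if ($current) { $current.User = $Matches[1] } }
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-DomainCredentialStoragePolicy {
    # DisableDomainCreds = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the
    # registry backing of "Do not allow storage of passwords and credentials for
    # network authentication".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($value -eq 1) { 'Storage of domain credentials is disabled by policy' }
    else { 'Storage of domain credentials is allowed (policy not set)' }
}

$stored = @(Get-StoredCredentialEntry)
# "Domain Password" entries are the ones runas /savecred can reuse; generic entries
# (application or web passwords) are listed as well so nothing is overlooked.
$stored | Sort-Object Type | Format-Table Target, Type, User -AutoSize

$reusable = @($stored | Where-Object { $_.Type -eq 'Domain Password' })
Write-Host ("{0} stored credential(s), {1} of type Domain Password" -f $stored.Count, $reusable.Count)
Write-Host (Get-DomainCredentialStoragePolicy)
```

Run it in the context of each interactive user to be audited, since Credential Manager is per user; an entry that is no longer needed can be removed with cmdkey /delete:<target> using the Target value shown in the table.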

Exploiting Saved Credentials

For this example, a reverse shell is executed using the Runas command in order to gain remote SYSTEM level access.

It can be generated using MSFvenom, with the following flags:

  • -p to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to
  • -f to specify the format, in this case exe

The shell.exe file is then transferred to the Windows victim machine using a Python web server on the attacking host and the Windows Certutil utility on the victim.

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

The following command can then be used to execute the reverse shell as the Administrator user (WORKGROUP\User stands for the account shown by cmdkey /list):

runas /savecred /user:WORKGROUP\User "Program to execute"

The Runas command executed the reverse shell as the Administrator user, granting remote SYSTEM level access to the machine.
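From the defender's side, each use of runas with saved or supplied credentials is recorded in the Security log as event 4648 ("A logon was attempted using explicit credentials"). The PowerShell below is an added detection example (not from the original post) that collects recent 4648 events, extracts the subject account, the account whose credentials were used and the calling process, and highlights cases where a user launched something as a different account, which is the pattern this post describes. It assumes the Security log is readable, i.e. the script is run from an elevated session; the Hours parameter is a hypothetical knob of this example.

```powershell
# Added detection example: list recent explicit-credential logons (Security 4648)
# and show where one account ran a process as another. Assumes elevated access to
# the Security log. The -Hours parameter is this example's own lookback window.

function Get-ExplicitCredentialLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Event data is easiest to read from the XML view: each <Data Name="..."> node
        # becomes a key in a hashtable.
        $xml = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $event.TimeCreated
            Subject    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            TargetUser = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            Server     = $data.TargetServerName
            Process    = $data.ProcessName
        }
    }
}

# Keep only events where the credentials used belong to a different account than
# the one that initiated the logon; same-account entries are routine noise.
Get-ExplicitCredentialLogon -Hours 24 |
    Where-Object { $_.Subject -ne $_.TargetUser } |
    Sort-Object Time -Descending |
    Format-Table Time, Subject, TargetUser, Server, Process -AutoSize
```

Scheduled tasks, service accounts and network share access also produce 4648 events, so the useful signal is a low-privileged interactive user appearing as Subject with a member of the local Administrators group as TargetUser; forwarding these events to a central log collector allows the same filter to be applied across the estate.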

Conclusion

Stored credentials have long been a common vulnerability and privilege escalation vector, and they are another reminder that trading security for convenience isn’t always the best idea.

Runas is just one way of exploiting this weakness, but it is one of the most common, and because it relies on a built-in Windows utility it needs no additional tooling on the target.