9

Is there a similar Linux su command in Windows command line? If not, what about:

  • in PowerShell?
  • a workaround with a *.vbs script?;
  • a workaround with some of the sysinternals tools like "psexec.exe"?

Note: I am using a netcat remote shell connection, so I am not able to insert password when requested by command "runas".

Note2: "sudo" and "su" commands are different commands. "sudo" executes commands as another user. "su" changes the effective user.

Note3: Despite finding an answer to my specific issue, the answer to this question, as mentioned by @Ramhound, is "not possible".

jarnosz
f4d0
  • 1
    Possible duplicate of [Is there any 'sudo' command for Windows?](https://superuser.com/questions/42537/is-there-any-sudo-command-for-windows) – Ramhound Jul 31 '18 at 13:29
  • @Ramhound "sudo" and "su" commands are different commands. "sudo" executes commands as another user. "su" changes the effective user. People are trying to show me a workaround with "runas", which would be the "sudo" from Linux. But my main question is about "su", which would be to switch the user. – f4d0 Jul 31 '18 at 13:42
  • 3
    @f4d0 - If you cannot use `runas` then what you want is not possible. – Ramhound Jul 31 '18 at 13:46
  • 1
    If you want SU, use runas to start a command prompt as a different user. Every command in there is then run as that other user. – LPChip Jul 31 '18 at 13:56
  • @LPChip I am not using Windows directly. I am connected to Windows using a netcat reverse shell. I got to this shell through an exploit that took advantage of a vulnerability from a program executed by a different user than the one I want to log in as now. But this is already too far away from our discussion. "It's not possible" is an acceptable answer, I'll search for another solution. Thanks so much for your help. – f4d0 Jul 31 '18 at 14:02
  • 2
    How about the Sysinternals tool PsExec? You have already mentioned it in your question and it also supports passing the password through the command line. Have you already tried that? – Sandeep Jul 31 '18 at 14:14
  • @Sandeep just before I read your answer, I solved my issue with psexec.exe. I was able to execute locally a set of commands with user and password and get a shell with the desired user :) – f4d0 Jul 31 '18 at 14:23
  • Consider adding your own answer with thorough detail of what you did exactly to resolve to keep this post helpful to others that may be looking for a similar solution as you describe. – Vomit IT - Chunky Mess Style Aug 15 '18 at 13:58
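
For defenders reading this thread: `runas` and PsExec launches both show up in process-creation logs, and a password passed to PsExec on the command line is recorded there in clear text when command-line auditing is enabled. The following is an added example, not code from any poster; the log lines, account names and the `classify`/`scan` helpers are constructed for illustration, and it checks only runas's `/user:` and `/savecred` switches and PsExec's `-u`/`-p` options.

```python
import ntpath
import re

# Constructed CommandLine values as seen in process-creation logs (Security
# event 4688 or Sysmon event 1). Accounts, paths and the secret are made up.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\runas.exe /user:LAB\svc_backup "cmd.exe /c whoami"',
    r'"C:\Tools\PsExec.exe" -accepteula -u LAB\svc_backup -p "S3cret Example" cmd.exe',
    r'C:\Windows\System32\runas.exe /savecred /user:LAB\admin notepad.exe',
    r'psexec64 -u LAB\admin ipconfig',
    r'C:\Windows\System32\ipconfig.exe /all',
]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted string or a bare word


def classify(cmdline):
    """Return a finding dict for a runas/PsExec launch, else None."""
    tokens = [q or w for q, w in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    tool = ntpath.splitext(ntpath.basename(tokens[0]))[0].lower()
    args = tokens[1:]
    lower = [a.lower() for a in args]
    user, findings = None, []
    if tool == "runas":
        user = next((a[6:] for a in args if a.lower().startswith("/user:")), None)
        if "/savecred" in lower:
            findings.append("stored credential reused (/savecred)")
    elif tool in ("psexec", "psexec64"):
        if "-u" in lower[:-1]:
            user = args[lower.index("-u") + 1]
        if "-p" in lower[:-1]:
            # Heuristic: the token after -p is treated as the password.
            args[lower.index("-p") + 1] = "<redacted>"
            findings.append("password exposed on command line")
    else:
        return None
    if user:
        findings.insert(0, "process started as alternate user")
    redacted = " ".join(f'"{t}"' if " " in t else t for t in [tokens[0]] + args)
    return {"tool": tool, "user": user, "findings": findings, "redacted": redacted}


def scan(events):
    return [hit for hit in map(classify, events) if hit and hit["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["tool"], hit["user"], hit["findings"], hit["redacted"], sep=" | ")
```

The `redacted` field is what should be forwarded to tickets or chat, so the secret is not copied further than the original log.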

2 Answers

2

In Windows you have the runas command. Try this:

  1. Navigate to `c:\windows\system32`.

  2. Enter the following command: `runas /user:computer_name\account_name explorer.exe`

  • 2
    I need to use password as well... I am using a netcat session that does not allow me to insert the password. – f4d0 Jul 31 '18 at 13:07
  • @f4d0 runas can also allow you to set the password. – LPChip Jul 31 '18 at 13:08
  • @LPChip I cannot find out how! Can you please post an answer with that solution? – f4d0 Jul 31 '18 at 13:11
  • Doesn't it ask you for a password? – Lukas Germerott Jul 31 '18 at 13:13
  • 1
    @f4d0 see the answer in this question: https://stackoverflow.com/questions/10811209/how-to-supply-password-to-runas-command-when-executing-it-from-java – LPChip Jul 31 '18 at 13:14
  • 1
    @LukasGermerott yes it does, but because of the shell I am on, the execution finishes before I am able to insert the password. In other words, it does not stop to allow me to insert the password, it just flashes through it and finishes execution. – f4d0 Jul 31 '18 at 13:16
  • 1
    @LPChip echo with pipes or redirection with files doesn't work with "runas" command: https://blogs.msdn.microsoft.com/oldnewthing/20041129-00/?p=37183/ – f4d0 Jul 31 '18 at 13:17
  • @f4d0 that post is from 2004, while mine is from 2012. Have you actually tried it exactly like it was mentioned in that answer? – LPChip Jul 31 '18 at 13:19
  • @LPChip exactly no, because I am trying from the command line, not from Java execution. :) But taking out the Java stuff including character escape, yes, I am doing it like using a normal echo to pipe it to the next command. I am studying penetration testing, I do echoes at least 50 times a day :))) – f4d0 Jul 31 '18 at 13:24
  • there's a huge difference in doing `echo "stuff" | runas` vs `cmd /C echo "stuff" | runas` – LPChip Jul 31 '18 at 13:26
  • @LPChip I didn't know that there was a difference. Thanks for the attention. Anyway, I tried it, and it is still not working. I really appreciate your effort in trying to help me. – f4d0 Jul 31 '18 at 13:47
0

This one worked for me:

user@server C:\Windows\System32> runas /user:Administrator "dir C:\Users\Administrator"

So something like `runas /user:MyUser "command"`

DimiDak