runAs tool using Psexec #6

Th3LionH3ad · 2020-05-07T15:10:24Z

hello, i tried to understand how to use runAs with psexec but i always get:
"Starting cmd on X ...n X...ing to Y...
cmd exited on Y with error code 0.

and i didnt get the shell.

i'm using command:

JetBrains.runAs.exe -p:[PASS] -u:[DOMAIN][USER] PsExec.exe [Destination IP] cmd

thanks.

NikolayPianikov · 2020-05-17T19:07:16Z

@Th3LionH3ad could you add '-l:debug` and attach the output?

Th3LionH3ad · 2020-05-19T13:25:12Z

hello nikolay, DEBUG: JetBrains RunAs x64 1.0.0.061 DEBUG: main::Run starting DEBUG: Runner::Create a job DEBUG: Runner::Configure all child processes associated with the job to terminate when the parent is terminated DEBUG: Job::SetInformation DEBUG: Runner::Assign the current process to the job DEBUG: Job::AssignProcessToJob DEBUG: ProcessesSelector::SelectProcesses DEBUG: ProcessesSelector::SelectProcesses push Process DEBUG: ::GetStdHandle(STD_OUTPUT_HANDLE) DEBUG: ::GetStdHandle(STD_ERROR_HANDLE) DEBUG: SecurityManager::GetTokenInformation - Get the required buffer size. DEBUG: SecurityManager::GetTokenInformation - Get the token information from the access token. DEBUG: ProcessTracker::InitializeConsoleRedirection DEBUG: Environment::CreateForCurrentProcess DEBUG: SET "=::=::\" (from API results) DEBUG: SET "=C:=C:\Test" (from API results) DEBUG: SET "=ExitCode=FFFE795D" (from API results) DEBUG: SET "=F:=F:\" (from API results) DEBUG: SET "ALLUSERSPROFILE=C:\ProgramData" (from API results) DEBUG: SET "APPDATA=C:\Users\Administrator\AppData\Roaming" (from API results) DEBUG: SET "CommonProgramFiles=C:\Program Files\Common Files" (from API results) DEBUG: SET "CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files" (from API results) DEBUG: SET "CommonProgramW6432=C:\Program Files\Common Files" (from API results) DEBUG: SET "COMPUTERNAME=SA-Computer" (from API results) DEBUG: SET "ComSpec=C:\windows\system32\cmd.exe" (from API results) DEBUG: SET "DriverData=C:\Windows\System32\Drivers\DriverData" (from API results) DEBUG: SET "FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer" (from API results) DEBUG: SET "FPS_BROWSER_USER_PROFILE_STRING=Default" (from API results) DEBUG: SET "HOMEDRIVE=C:" (from API results) DEBUG: SET "HOMEPATH=\Users\Administrator" (from API results) DEBUG: SET "LOCALAPPDATA=C:\Users\Administrator\AppData\Local" (from API results) DEBUG: SET "LOGONSERVER=\\SA-Computer" (from API results) DEBUG: SET "NUMBER_OF_PROCESSORS=4" (from API results) DEBUG: SET "OneDrive=C:\Users\Administrator\OneDrive" (from API results) DEBUG: SET "OS=Windows_NT" (from API results) DEBUG: SET "Path=C:\windows\system32;C:\windows;C:\windows\System32\Wbem;" (from API results) DEBUG: SET "PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC" (from API results) DEBUG: SET "PROCESSOR_ARCHITECTURE=AMD64" (from API results) DEBUG: SET "PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel" (from API results) DEBUG: SET "PROCESSOR_LEVEL=6" (from API results) DEBUG: SET "PROCESSOR_REVISION=3a09" (from API results) DEBUG: SET "PROG27B48B2C051=1" (from API results) DEBUG: SET "PROG27B48B2C056=1" (from API results) DEBUG: SET "ProgramData=C:\ProgramData" (from API results) DEBUG: SET "ProgramFiles=C:\Program Files" (from API results) DEBUG: SET "ProgramFiles(x86)=C:\Program Files (x86)" (from API results) DEBUG: SET "ProgramW6432=C:\Program Files" (from API results) DEBUG: SET "PROMPT=$P$G" (from API results) DEBUG: SET "PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\windows\system32\WindowsPowerShell\v1.0\Modules" (from API results) DEBUG: SET "PUBLIC=C:\Users\Public" (from API results) DEBUG: SET "SESSIONNAME=Console" (from API results) DEBUG: SET "SystemDrive=C:" (from API results) DEBUG: SET "SystemRoot=C:\windows" (from API results) DEBUG: SET "TEMP=C:\Users\ADMINI~1\AppData\Local\Temp" (from API results) DEBUG: SET "TMP=C:\Users\ADMINI~1\AppData\Local\Temp" (from API results) DEBUG: SET "USERDOMAIN=SA-Computer" (from API results) DEBUG: SET "USERDOMAIN_ROAMINGPROFILE=SA-Computer" (from API results) DEBUG: SET "USERNAME=Administrator" (from API results) DEBUG: SET "USERPROFILE=C:\Users\Administrator" (from API results) DEBUG: SET "windir=C:\windows" (from API results) DEBUG: Environment::Override DEBUG: Environment::Copy environment variables from base environment DEBUG: SET "=::=::\" (set value) DEBUG: SET "=C:=C:\Test" (set value) DEBUG: SET "=ExitCode=FFFE795D" (set value) DEBUG: SET "=F:=F:\" (set value) DEBUG: SET "ALLUSERSPROFILE=C:\ProgramData" (set value) DEBUG: SET "APPDATA=C:\Users\Administrator\AppData\Roaming" (set value) DEBUG: SET "CommonProgramFiles=C:\Program Files\Common Files" (set value) DEBUG: SET "CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files" (set value) DEBUG: SET "CommonProgramW6432=C:\Program Files\Common Files" (set value) DEBUG: SET "COMPUTERNAME=SA-Computer" (set value) DEBUG: SET "ComSpec=C:\windows\system32\cmd.exe" (set value) DEBUG: SET "DriverData=C:\Windows\System32\Drivers\DriverData" (set value) DEBUG: SET "FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer" (set value) DEBUG: SET "FPS_BROWSER_USER_PROFILE_STRING=Default" (set value) DEBUG: SET "HOMEDRIVE=C:" (set value) DEBUG: SET "HOMEPATH=\Users\Administrator" (set value) DEBUG: SET "LOCALAPPDATA=C:\Users\Administrator\AppData\Local" (set value) DEBUG: SET "LOGONSERVER=\\SA-Computer" (set value) DEBUG: SET "NUMBER_OF_PROCESSORS=4" (set value) DEBUG: SET "OneDrive=C:\Users\Administrator\OneDrive" (set value) DEBUG: SET "OS=Windows_NT" (set value) DEBUG: SET "Path=C:\windows\system32;C:\windows;C:\windows\System32\Wbem;" (set value) DEBUG: SET "PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC" (set value) DEBUG: SET "PROCESSOR_ARCHITECTURE=AMD64" (set value) DEBUG: SET "PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel" (set value) DEBUG: SET "PROCESSOR_LEVEL=6" (set value) DEBUG: SET "PROCESSOR_REVISION=3a09" (set value) DEBUG: SET "PROG27B48B2C051=1" (set value) DEBUG: SET "PROG27B48B2C056=1" (set value) DEBUG: SET "ProgramData=C:\ProgramData" (set value) DEBUG: SET "ProgramFiles=C:\Program Files" (set value) DEBUG: SET "ProgramFiles(x86)=C:\Program Files (x86)" (set value) DEBUG: SET "ProgramW6432=C:\Program Files" (set value) DEBUG: SET "PROMPT=$P$G" (set value) DEBUG: SET "PSModulePath=C:\Program Files\WindowsPowerShell\Modules;C:\windows\system32\WindowsPowerShell\v1.0\Modules" (set value) DEBUG: SET "PUBLIC=C:\Users\Public" (set value) DEBUG: SET "SESSIONNAME=Console" (set value) DEBUG: SET "SystemDrive=C:" (set value) DEBUG: SET "SystemRoot=C:\windows" (set value) DEBUG: SET "TEMP=C:\Users\ADMINI~1\AppData\Local\Temp" (set value) DEBUG: SET "TMP=C:\Users\ADMINI~1\AppData\Local\Temp" (set value) DEBUG: SET "USERDOMAIN=SA-Computer" (set value) DEBUG: SET "USERDOMAIN_ROAMINGPROFILE=SA-Computer" (set value) DEBUG: SET "USERNAME=Administrator" (set value) DEBUG: SET "USERPROFILE=C:\Users\Administrator" (set value) DEBUG: SET "windir=C:\windows" (set value) DEBUG: Environment::Override environment variables from source environment DEBUG: Environment::CreateFormList DEBUG: Environment::Apply DEBUG: ::CreateProcess DEBUG: Runner::Run failed DEBUG: Runner::Run error code: 3 DEBUG: Runner::Run error description: The system cannot find the file specified. DEBUG: Runner::Run finished DEBUG: main::Run finished DEBUG: main::Create resultsJetBrains RunAs x64 1.0.0.061 Copyright (C) 2017 JetBrains. All rights reserved. Runs a process under the specified windows user account. Argument(s): -l:debug psexec \\10.10.0.100 cmd Settings: user_name: domain: working_directory: C:\Test exit_code_base: -100000 integrity_level: auto inheritance_mode: auto show_mode: hide self_testing: 0 executable: psexec command_line_args: \\10.10.0.100 cmd Error code: -100003

…

NikolayPianikov · 2020-10-08T08:20:03Z

@Th3LionH3ad Try using a full path for you executable

BiatuAutMiahn · 2023-02-07T21:52:26Z

Also I dont believe your going to have much luck running psexec with RunAs if you are attempting to run psexec on remote host with credentials supplied to RunAs. I think you would have more luck running psexec with the -c (copy) command to pass RunAs to the target and tell it to run cmd.exe as your user. ie; psexec.exe \\[target] -u[user] -p[pass] -c -f JetBrains.runAs.exe -p:[PASS] -u:[DOMAIN]\[USER] cmd.exe

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

runAs tool using Psexec #6

runAs tool using Psexec #6

Th3LionH3ad commented May 7, 2020

NikolayPianikov commented May 17, 2020

Th3LionH3ad commented May 19, 2020 via email

NikolayPianikov commented Oct 8, 2020

BiatuAutMiahn commented Feb 7, 2023 •

edited

Loading

runAs tool using Psexec #6

runAs tool using Psexec #6

Comments

Th3LionH3ad commented May 7, 2020

NikolayPianikov commented May 17, 2020

Th3LionH3ad commented May 19, 2020 via email

NikolayPianikov commented Oct 8, 2020

BiatuAutMiahn commented Feb 7, 2023 • edited Loading

BiatuAutMiahn commented Feb 7, 2023 •

edited

Loading