# Introduction
Windows hosts can store credentials in Credential Manager using a built-in utility called [[https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey|cmdkey]]. On its own, cmdkey is rather useless to an adversary: it can only list which credentials are stored (target, type and user name), not reveal the secrets themselves.
```cmd
cmdkey /list
```
![[res/List Stored Credentials.png]]
The real deal is another built-in utility called [[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)|Runas]]. It allows one user to execute a binary with the permissions of another and, what is essential here, it can do so using credentials that are already stored (the documented switch is `/savecred`). The caller doesn't even need to know what the credentials are: so long as a user has their credentials stored, they can be used to execute programmes as that user.
```cmd
runas /savecred /user:<user> <path to programme>
```
![[res/Runas Admin.png]]
![[res/Runas Admin Shell Returned.png]]
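From the defender's side, the same two utilities give you the audit and the detection. The PowerShell below is an added example and not part of the original note: it parses a constructed `cmdkey /list` listing into objects, picks out the entries saved for interactive logon (the `Domain:interactive=` targets, which are the ones `runas /savecred` reuses), and flags process command lines that invoke `runas` with `/savecred`. The function names, the sample listing and the sample command lines are all my own constructions; the `Target:`/`Type:`/`User:` layout is what `cmdkey /list` prints.

```powershell
# Added example (not from the original note). Parses constructed `cmdkey /list`
# output to audit which accounts have cached credentials on a host, and flags
# process command lines (e.g. Event ID 4688 / Sysmon 1) that use runas /savecred.

function ConvertFrom-CmdkeyList {
    # Turn the "Target: / Type: / User:" blocks printed by cmdkey /list into objects.
    param([string[]]$Lines)
    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        }
        elseif ($current -and $t -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $t -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Find-RunasUsableCredential {
    # Credentials saved for interactive logon are the ones runas /savecred can reuse.
    param([object[]]$Entries)
    return $Entries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

function Test-SavedCredRunas {
    # Flag a process command line that runs runas with the /savecred switch.
    param([string]$CommandLine)
    return [bool]($CommandLine -match '(?i)\brunas(\.exe)?\b.*/savecred\b')
}

# Constructed sample in the format cmdkey /list prints (not captured from a real host).
$sampleCmdkey = @'
Currently stored credentials:

    Target: Domain:interactive=CORP\svc-backup
    Type: Domain Password
    User: CORP\svc-backup

    Target: LegacyGeneric:target=files.example.internal
    Type: Generic
    User: alice
'@ -split "`r?`n"

$stored = ConvertFrom-CmdkeyList -Lines $sampleCmdkey
"Stored credentials on this host:"
$stored | Format-Table -AutoSize

"Entries reusable through runas /savecred:"
Find-RunasUsableCredential -Entries $stored | Format-Table -AutoSize

# Constructed process command lines, as a SIEM might hand them over.
$sampleCommandLines = @(
    'runas /savecred /user:CORP\svc-backup "C:\Windows\System32\cmd.exe"',
    'C:\Windows\System32\runas.exe /user:CORP\alice notepad.exe',
    'cmdkey /list'
)
foreach ($cl in $sampleCommandLines) {
    if (Test-SavedCredRunas -CommandLine $cl) { "ALERT  $cl" } else { "ok     $cl" }
}
```

Run it as a normal script; on a live host replace `$sampleCmdkey` with `cmdkey /list` (split the same way) to audit the real vault, and feed `Test-SavedCredRunas` from your process-creation telemetry. The first sample command line is the only one that alerts; the second uses runas without saved credentials and the third is just the listing command.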