The Windows runas command is more-or-less the equivalent of sudo on *NIX systems, and its usage is similar: runas takes a /user: argument naming the account and then the command to run under that account.

$USERNAME may also be specified as $DOMAIN\$USERNAME for domain-joined machines.

$EXECUTABLE is treated normally (as if it were not prefixed by the runas command), so a full or relative path is only necessary when the executable is not already in the Windows PATH.

If credentials are saved for a particular user (use cmdkey /list to check), then the /savecred flag will apply them automatically!

Important

When using runas to start a reverse shell, whoami will always return the user who called the runas command, even if the shell is running under a different user's privileges. Thus, elevating privileges using runas is a blind attack... You won't know whether the privilege escalation actually worked until you try a command that requires more privileges!
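The following PowerShell script is an added example and is not part of the original note. It covers the two checks above from the administrator's side: it parses the output of cmdkey /list to show which stored credentials a /savecred invocation would silently pick up, and it asks the operating system for a process's token owner so that the account a process actually runs under can be confirmed without trusting whoami inside that process. The "Target:/Type:/User:" line layout of cmdkey output and the "Domain:interactive=" target prefix used for runas /savecred entries are assumptions about the tool's conventions and are marked as such in the comments.

```powershell
# Added example, not from the original note. Audits saved credentials that
# runas /savecred would use, and reports the real owner of a process.

function Get-SavedCredentialEntries {
    # Parses the text output of `cmdkey /list`. The "Target:/Type:/User:"
    # layout is an assumption about the tool's output; adjust the regexes
    # if your version prints something different.
    $raw = & cmdkey /list 2>&1
    $entries = @()
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Get-RunasApplicableCredentials {
    # runas /savecred stores its entry under a target of the form
    # "Domain:interactive=DOMAIN\user"; filtering on "interactive=" is an
    # assumption drawn from that convention. Anything listed here can be
    # used by anyone who can run commands as the current user.
    Get-SavedCredentialEntries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

function Get-ProcessOwner {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Asks the OS for the owner of the process token rather than asking the
    # process itself, so the answer does not depend on what whoami prints
    # inside a shell that was started through runas.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { throw "No process with id $ProcessId" }
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) {
        throw "GetOwner failed for process $ProcessId (code $($owner.ReturnValue))"
    }
    return "$($owner.Domain)\$($owner.User)"
}

# Usage: list the stored credentials a /savecred call would apply, then show
# the owner of this shell and of every cmd.exe on the machine.
Get-RunasApplicableCredentials | Format-Table Target, User
"This shell runs as: $(Get-ProcessOwner -ProcessId $PID)"
Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'" |
    ForEach-Object { "{0,6}  {1}" -f $_.ProcessId, (Get-ProcessOwner -ProcessId $_.ProcessId) }
```

Run it from the account whose credential store you want to audit, since cmdkey only lists entries for the current user. Get-ProcessOwner reads the token owner through WMI, which is why it reports the runas target account for a process even when a shell inside that process prints the caller's name; an empty list from Get-RunasApplicableCredentials means there is nothing for /savecred to apply.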