Results 1 to 6 of 6

Thread: Run as Admin

  1. #1
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default Run as Admin

    Does anyone know any secure apps that allow standard (non admin) users the ability to run applications with escalated permissions.
    In other words, I'm a domain admin and I would like to link users to a file share and give them the ability to install a specific application (via batch).

    I have a script that triggers UAC, but you still need escalated permissions to run it.
    There are apps like "RunAsRob" that do this, but they are limited in their functionality and I would need the app to work with network shares. Ideally I'd like a free app that does this.

    Anyway, the app would encrypt the local admin password I type into it so then I can call that encrypted password from a batch script and it would execute the batch with the credentials I provided in the encrypted file.

  2. #2
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default

    This is pretty terrible, but I completely forgot c++ syntax lol. I think I'm on to something using powershell though. There are some functions that allow me to encrypt passwords and read the encrypted content from a file so that would work for my use; I'm just trying to figure it all out.

    Currently I have a function that returns the builtin\admin account, then I use that account to parse the password. I don't think there is a way to extract or use the stored cached password from the machine itself (I would imagine this could be used as a huge vulnerability if someone used it maliciously)...

    I'll share my work if I get it sorted out, but if anyone else has any thoughts or would like to share something they might find useful, I would appreciate it!

  3. #3
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default

    Well I got it working the way I wanted. I'll share the results.
    This script generates the hashed password and the AES key
    When it prompts for credentials you can use a local account or a network account
    The hash and AES key will export to the same path where this script is run from


    CreatePWHash.ps1

    #Clear Screen
    CLS

    # Prompt you to enter the username and password
    $credObject = Get-Credential

    # The credObject now holds the password in a ‘securestring’ format
    $passwordSecureString = $credObject.password

    #Path where the script is running from
    $path = Split-Path $script:MyInvocation.MyCommand.Path

    # Define a location to store the AESKey
    $AESKeyFilePath = $path + "\aeskey.txt"

    # Define a location to store the file that hosts the encrypted password
    $credentialFilePath = $path + "\credpassword.txt"

    # Generate a random AES Encryption Key.
    $AESKey = New-Object Byte[] 32
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)

    # Store the AESKey into a file. This file should be protected! (e.g. ACL on the file to allow only select people to read)
    Set-Content $AESKeyFilePath $AESKey # Any existing AES Key file will be overwritten
    $password = $passwordSecureString | ConvertFrom-SecureString -Key $AESKey
    Add-Content $credentialFilePath $password


    Now in a new powershell script this is where you will type the account info and import the keys you exported above to run the session

    escalate.ps1

    CLS

    #-----------------------------------------
    #Authenticate Admin Account using encrypted password
    #-----------------------------------------

    function Run-SoftwareEscalated
    {
    Try
    {
    $path = Split-Path $script:MyInvocation.MyCommand.Path
    $AESKeyFilePath = $path + "\aeskey.txt"
    $SecurePwdFilePath = $path + "\credpassword.txt"
    $userUPN = "some\account"

    #use key and password to create local secure password
    $AESKey = Get-Content -Path $AESKeyFilePath
    $pwdTxt = Get-Content -Path $SecurePwdFilePath
    $securePass = $pwdTxt | ConvertTo-SecureString -Key $AESKey

    #create a new psCredential object with required username and password
    $adminCreds = New-Object System.Management.Automation.PSCredential($userUPN, $securePass)

    #Run our installer
    $script = $path + "\install.bat"
    Start-Process -FilePath $script -Credential $adminCreds -ArgumentList "-noprofile -command &{Start-Process $script -verb runas}" -WorkingDirectory $path
    }
    Catch
    {
    Write-Warning -Message "$($_.Exception.Message)"
    }
    }

    Run-SoftwareEscalated


    As you can see (for my use) I have it run a batch script with the escalated permissions. You can essentially call any kind of file you want from the batch script (needs to be install.bat or whatever you name it above), and it will run it in the admin context.

    Now to create a simple launcher for users, I creates a small batch called "Setup.bat" that has this line of code

    PowerShell -NoProfile -ExecutionPolicy Unrestricted -file "%~dp0escalate.ps1"


    And finally, my install.bat file has my traditional "stuff", but the header of my install file has this:


    ::==================================
    ::-- This will run as admin --
    ::==================================
    @echo off

    ::Check for permissions
    OPENFILES > nul

    ::If error flag set, we do not have admin.
    IF ERRORLEVEL 1 ( goto UACPrompt ) else ( goto gotAdmin )

    :UACPrompt
    echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
    echo UAC.ShellExecute "%~dp0install.bat", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    "%temp%\getadmin.vbs"
    del "%temp%\getadmin.vbs"
    exit /B

    :gotAdmin
    if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
    pushd "%CD%"
    pushd "%~dp0"

    ::==================================
    ::-- End of main ADMIN script --
    ::==================================
    ::Write your code to do stuff here


    Hope you find this helpful. It took me a while to get this working the way I want, but it will save me A LOT of time.
    I took 1 additional step and used a tool to convert bat to exe. The tool I used is here: http://www.f2ko.de/en/b2e.php or here: https://www.portablefreeware.com/index.php?id=1660
    Basically you point to the batch script and you can embed all the files listed in here into this and then it exports a executable. The user would double click on it and everything will run like it's supposed to.

  4. #4
    Senior Member Ancient Order's Avatar
    Join Date
    Aug 2015
    Location
    Paris, Fr.
    Posts
    256

    Default

    One things i hesitate to understand: this originally needs an admin password? I can't use it to hack admin rights from my PC at work?

  5. #5
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default

    Well....
    When you create the initial password hash using the credentials, as long as you type in a users credentials with escalated permissions (such as a domain admin), then yes; you can use that to technically install anything at your disposal.
    This script is obviously more useful for network admins, sys engineers, etc; and not your typical user behind a desk, because if someone gets their hands on this, then of course they can use it maliciously or even unknowingly mess something up.

    This tool isn't used to bruteforce or hack anyone's password. This is solely shared for use with someone that wants to create a tool to help automate tasks for standard users at work.

    Does that make sense?

  6. #6
    Senior Member Ancient Order's Avatar
    Join Date
    Aug 2015
    Location
    Paris, Fr.
    Posts
    256

    Default

    Clear now thank you!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •