• 0xD@infosec.pub
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    7 months ago

    You need Administrative permissions for psexec. It uploads a file to the target computer’s \admin$ share (just C:\Windows) and starts a service to execute it. Services run as SYSTEM so that’s why you get those privileges.

    (Hah, I forgot your message while typing mine and just copied you :)

    Edit: fixed c$ to admin$

    • elvith@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      7 months ago

      I found a blog post outlining exactly that. If you use it locally, it will install and start a service temporarily. That service runs as SYSTEM and invokes your command. To succeed, you need to be a local administrator.

      If you try the same remote, it tries to access \\remote-server-ip\$admin and installs the service with that. To succeed your current account on your local machine must exist on the remote machine and must be an administrator there.

      So in short: It only works, if you’ve already the privilege to do so and the tool itself is not (ab)using a privilege escalation or something like that. Any hacker and virus may do the very same and doesn’t need psexec - it’s just easier for them to use that tool.

      • 0xD@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        7 months ago

        Thank you for clearing it up!

        And regarding your assessment: Exactly!