Sniper

@VbScrub said:

FINALLY got the user flag on this thing.
Wow that was hard work.

I spent so long trying to switch from user I*** to user C**** and even though I’ve got the user flag now I still don’t actually have a full shell as C**** lol. I don’t understand how you guys have managed to launch one. I ended up writing my own program that impersonates the user and reads a file’s contents as them (so I could get the user flag). Trying to use this method to actually launch a new process just resulted in the new process still running as the I*** user though :confused:

I really don’t understand what’s going on. I can easily launch a new process that gets another reverse shell on a new port. Works fine. But as soon as I try to do that with alternate credentials, it seems to launch the process without error but I never get a connection back to my reverse shell listener.

EDIT: Figured out a way around it, not actually launching a new process but a new… “something” that I can connect to remotely after a bit of trickery with some ports. I’m not sure if that’s what everyone else did but I assume so.

I was in the same boat, but between the batman video from ippsec and "c# - PowerShell remoting from a Windows service - Stack Overflow", I was able to get shell from the non-user user to the other user.