# Runas

The `runas /netonly` command let us run a remote application just like it is running locally. Consider the following scenario: we get a non-admin credential from SMB info leak and we are looking for a way to get shell. Since the credential is non-admin, we can't do psexec. Instead, we can switch to a Windows VM, open up command prompt and run the following command to get shell:

```powershell
runas /netonly /user:<domain>\<username> cmd
```

Since the password cannot be supplied as an argument, the session must be interactive.

## Reference

{% embed url="<http://www.pseale.com/pretend-youre-on-the-domain-with-runas-netonly>" %}
Pretend You're On The Domain With Runas /NetOnly
{% endembed %}