winfsp / sshfs-win

SSHFS For Windows
https://winfsp.dev

Running batch files from mounted sshfs with elevated permissions. Forensics collection. #228

Open nand0san opened 4 years ago

nand0san commented 4 years ago

Hello! This tool is amazing. I'm trying to elevate the use for forensics automation, but when I mount in my Win 10 a remote unit that is in a Linux server with SSHFS configured, for acquiring data in the Windows 10, the remote batch scripts, now mounted in let's say N:, can't be run in elevated permissions mode.

Because I can't alter the forensics artifacts in Win 10 (just install the sshfs and winfsp in a specific folder, to remove it later) and can't use VPN because it is a production working machine and it is not allowed to isolate it.

The idea is to use remote tools in batch files without copying it to the win10.

-------- WIN 10: ------------
installed: sshfs-win-3.5.20160-x64.msi.msi winfsp-1.7.20172.msi
SET PATH=C:\Users\nando\Desktop\forensics\bin

Command (not administrator cmd):
sshfs.exe -cmd -f root@172.0.0.2:/root/forensics -p 22022 N: -o subtype=sshfs,create_file_umask=0111,create_dir_umask=0000,umask=0000,uid=-1,gid=-1,StrictHostKeyChecking=no

-------- The Linux server is an alpine container with sshfs: ---------
80b487514c59:~# sshfs --version
SSHFS version 3.7.0
FUSE library version 3.9.1
using FUSE kernel interface version 7.31
fusermount3 version: 3.9.1

/etc/fuse.conf ---------> user_allow_other (uncommented)

The units seem well mounted; I can write and read from the non-administrator cmd and from the Explorer. I can create dirs and files from cmd in N:

cmd win 10:
N:>mkdir test_with_dirs ------------> it's working
dir N:\ > newfile.txt ------------> it's working

On the Linux side:
-rw-r--r-- 1 root root  564 Sep 10 08:28 newfile.txt
drwxr-xr-x 2 root root 4096 Sep 10 08:24 test_with_dirs

But, when executing a batch file, for example acquiring memory, I need admin permissions, and if I open an elevated admin cmd, the system can't find the unit in this cmd window.

Is there any idea of how this can be done?

Thank you very much!

nand0san commented 4 years ago

Answering myself with one option, but not the desired solution.

Open admin cmd. Run the connection command: the unit is mounted, but only visible for admin users.

This means that the Windows Explorer can't see the new mounted unit and all the work must be scripted. The work with the Explorer is lost.

billziss-gh commented 4 years ago

When a drive (such as N:) is created on Windows, it goes by default into a local namespace that is only accessible from the account that created the drive. So user A can create a drive N: that points to one file system and user B can create a drive N: that points to a different file system. The drive namespace is also different when creating a drive from the same account, but elevated. (For example, if you create a drive in an elevated command prompt it is not visible to your non-elevated Explorer.)

It is possible to create global drives that are visible to everyone. This happens when you create a drive while running in the context of the SYSTEM (LocalSystem) account, i.e. the Windows service context. This is how SSHFS-Win works by default (e.g. when you use net use): in its regular configuration it is launched and managed by a service called the WinFsp Launcher, which runs SSHFS-Win in the service context.

An alternative would be to use a utility called psexec, which allows you to run arbitrary commands (including a full command prompt) in the SYSTEM context: PsExec
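An added example, not code from this issue or from the sshfs-win project, that makes the namespace behaviour described above observable: it reports the calling token and whether N: resolves in that context, and optionally mounts through net use so the WinFsp Launcher creates the drive as SYSTEM (hence globally). It assumes sshfs-win's documented UNC form \\sshfs\USER@HOST!PORT\PATH and that root's home is /root, so the issue's /root/forensics becomes \forensics.

```powershell
# Added example (not from the issue or the sshfs-win project): show which
# security context is asking for the drive, whether N: resolves in *this*
# context, and mount through net use so the WinFsp Launcher (SYSTEM) creates
# a global drive. Host, port and path are the values from the issue above.
param(
    [string]$DriveLetter = 'N',
    [switch]$Mount,
    # Assumed sshfs-win UNC form: \\sshfs\USER@HOST!PORT\PATH, path relative
    # to the remote user's home (root -> /root, so /root/forensics is \forensics)
    [string]$Unc = '\\sshfs\root@172.0.0.2!22022\forensics'
)

Add-Type -Namespace Win32 -Name Dos -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DosDeviceTarget([string]$Letter) {
    # QueryDosDevice looks in the caller's own (per-logon) DosDevices
    # directory first, then in the global one. A drive created by another
    # logon, or by a non-elevated token of the same user, is not found here.
    $sb = New-Object System.Text.StringBuilder 1024
    $n = [Win32.Dos]::QueryDosDevice("${Letter}:", $sb, 1024)
    if ($n -eq 0) { return $null }
    $sb.ToString()
}

$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Context : $who, elevated=$(Test-Elevated)"
$target = Get-DosDeviceTarget $DriveLetter
if ($target) {
    "${DriveLetter}: resolves in this context -> $target"
} else {
    "${DriveLetter}: is not visible from this context (local drive of another token?)"
    if ($Mount) {
        # net use hands the mount to the WinFsp Launcher service, which runs
        # sshfs-win in the SYSTEM context, so the resulting drive is global
        # and visible to both the elevated cmd and the non-elevated Explorer.
        net use "${DriveLetter}:" $Unc
        "after net use -> $(Get-DosDeviceTarget $DriveLetter)"
    }
}
```

Run it once from the non-elevated prompt and once from the elevated one after a plain sshfs.exe mount to see the drive appear in only one of them; with -Mount, the net use path goes through the launcher and the drive resolves from both.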

mez0ru commented 2 years ago

I have this problem too. I cannot do anything under the administrator account or with elevated privileges; only the local account can see and read/write to the sshd drive. It seems to be a problem with the sshfs drives. Is there a solution to this issue? I can't do anything productive because of this issue; nothing works unless a program does not require any admin privileges. Tried everything, I even mounted the sshd drive as root user, still cannot access it from any other account than the one that mounted the drive. I hope you make a config to allow other users to access the drive as well.