Error opening SCM: 5 #10
Comments
I am actually having the same exact issue in a brand new DetectionLab environment in Azure. Everything works fine until that step and I get the same SCM: 5

Can you confirm that the high priv ticket was imported? (Use klist command)

Thanks for replying to this issue! I confirm that I have a ticket which I can find using
Using

I have just confirmed the same thing as well!
beacon> shell klist
Current LogonId is 0:0x363b460
Cached Tickets: (1)
#0> Client: Administrator @ WINDOMAIN.LOCAL
beacon> execute-assembly /Library/Tools/KrbRelayStuff/KrbRelayUp.exe krbscm
[+] Using ticket to connect to Service Manger

Same, having this error.

When using the tool from memory you have to specify --ServiceCommand since the default will be "{ToolPathOnDisk} system {DesktopSessionToSpawnCmdIn}" (i.e. C:\Tools\KrbRelayUp.exe system 1) and since it's not on disk the service will fail upon execution.

Wonder if you've had a look at the U2U escalation using user account? @Dec0ne

Not sure if the comment above was related to this issue (since the tool is on disk), but I tried with

@Dec0ne I've been using service command to execute a new instance of the beacon I dropped on disk, I also tried the new localgroup command you posted above and got the same result I posted previously.

Same, I've always used the sc command. We don't really use the spawn CMD thing because we don't drop files on disk as it could raise alerts easier.

Same here, the issue for me is arising when I run from memory.

Hi, I have exactly the same issue. When debugging the network traffic I recognized that the RPC bind request ends up with a bind_nak response and the error code "Invalid checksum", whose meaning is, according to the MS RPC documentation (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6f81bffe-8fce-498a-addf-94654a57b329), "This rejection code is used when an unrecoverable error is detected by the underlying security package." The ticket is in the cache, the user has local admin privilege. However, the SCMUACBypass part seems to fail for an unknown reason. Is anyone aware if there exists a specific (hardening) configuration that would prevent leveraging the ticket locally via SCMUACBypass? Any ideas would be very appreciated. Thanks.

When I run the tool I get the error:
Error opening SCM: 5
Do you have any idea what blocks this?
It looks like OpenSCManager fails:
KrbRelayUp/KrbRelayUp/KrbSCM.cs
Line 56 in 6564f0f
For reference, when running the same command as administrator it runs without any error.