Comments (10)
Hmm, that's interesting. Perhaps some kind of incompatibility between the bundled version of PowerUp and the OS version. In your manual testing what version of PowerUp are you using (PowerSploit dev or master branch?). Also, what version of Windows is the RAT running on?
from caldera.
The target is a Windows 10 machine if that helps. I was using the PowerSploit master branch for the manual test. How can I find out what version RAT I'm using? If it's any help it's the CraterMainWin8+.exe file and I downloaded it about a month ago.
I'm dumb. Found the issue, I forgot that when I ran the PowerUp script I ran it from a PowerShell console which I ran as administrator. When run under normal privileges it gives the same output as Caldera does. I'm guessing that I have to find a way to enable services to be restarted by non-admin users.
Ah cool. The easiest way I've found to let non-admins restart services without mucking around in group policy is to use subinacl. https://support.microsoft.com/en-us/help/325349/how-to-grant-users-rights-to-manage-services-in-windows-server-2003
After installing subinacl.exe you'll probably want something like this:
C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe /service <service name> /grant="<domain name>\Domain Users"=PTO
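An added example (not code from the Caldera project, PowerSploit, or any of the commenters above) that does the same grant with the built-in sc.exe instead of subinacl, and first shows what a service's DACL actually allows so you can see why an unprivileged PowerUp run reports nothing. The service name VulnSvc and the trustee alias DU (Domain Users) are placeholders; the inspection functions work from any account, the grant needs an elevated shell.

```powershell
# Added example (not Caldera or PowerSploit code): read a service's DACL via
# sc.exe sdshow, report which trustees can start/stop or reconfigure it, and
# widen it with sc.exe sdset the way the subinacl "PTO" grant above does.
# 'VulnSvc' is a placeholder service name; the grant step must run elevated.

# SDDL two-letter access codes that matter for service abuse.
$ServiceRightCodes = @{
    'DC' = 'ChangeConfig'    # SERVICE_CHANGE_CONFIG: can rewrite binPath
    'RP' = 'Start'           # SERVICE_START          (subinacl 'T')
    'WP' = 'Stop'            # SERVICE_STOP           (subinacl 'O')
    'DT' = 'PauseContinue'   # SERVICE_PAUSE_CONTINUE (subinacl 'P')
    'WD' = 'WriteDac'        # can rewrite this DACL itself
    'WO' = 'WriteOwner'
    'GA' = 'GenericAll'
    'GW' = 'GenericWrite'    # maps to ChangeConfig for services
    'GX' = 'GenericExecute'  # maps to Start/Stop/PauseContinue for services
}
# The same rights when sdshow emits a hex access mask instead of letter codes.
$ServiceRightBits = @{
    0x2 = 'ChangeConfig'; 0x10 = 'Start'; 0x20 = 'Stop'; 0x40 = 'PauseContinue'
    0x40000 = 'WriteDac'; 0x80000 = 'WriteOwner'
}
# Common SDDL SID aliases, for readable output.
$WellKnownSids = @{
    'AU' = 'Authenticated Users'; 'BU' = 'BUILTIN\Users'; 'DU' = 'Domain Users'
    'IU' = 'Interactive'; 'WD' = 'Everyone'; 'SY' = 'SYSTEM'; 'SU' = 'Service logon'
    'BA' = 'BUILTIN\Administrators'; 'SO' = 'Server Operators'
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    $out = ((& sc.exe sdshow $Name) -join '').Trim()
    if ($LASTEXITCODE -ne 0 -or $out -notlike '*D:*') { throw "sc sdshow $Name failed: $out" }
    return $out
}

function Get-ServiceDaclRights {
    param([Parameter(Mandatory)][string]$Name)
    $sddl = Get-ServiceSddl -Name $Name
    # The DACL is the run of "(...)" ACEs after "D:" and its optional flags (P, AI, ...).
    $dacl = [regex]::Match($sddl, 'D:[A-Z]*((?:\([^)]*\))+)').Groups[1].Value
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')    # type;flags;rights;objguid;inhguid;sid
        if ($f.Length -lt 6) { continue }
        $type, $rightsStr, $sid = $f[0], $f[2], $f[5]
        $rights = @()
        if ($rightsStr -like '0x*') {
            $mask = [Convert]::ToInt64($rightsStr.Substring(2), 16)
            foreach ($bit in $ServiceRightBits.Keys) {
                if ($mask -band $bit) { $rights += $ServiceRightBits[$bit] }
            }
        } else {
            for ($i = 0; $i + 1 -lt $rightsStr.Length; $i += 2) {
                $code = $rightsStr.Substring($i, 2)
                if ($ServiceRightCodes.ContainsKey($code)) { $rights += $ServiceRightCodes[$code] }
            }
        }
        $allow   = ($type -eq 'A')                  # 'A' = allow, 'D' = deny
        $all     = ($rights -contains 'GenericAll')
        $trustee = if ($WellKnownSids.ContainsKey($sid)) { $WellKnownSids[$sid] } else { $sid }
        $startStop = ($rights -contains 'GenericExecute') -or (($rights -contains 'Start') -and ($rights -contains 'Stop'))
        $reconfig  = ($rights -contains 'GenericWrite') -or ($rights -contains 'ChangeConfig')
        $dacWrite  = ($rights -contains 'WriteDac') -or ($rights -contains 'WriteOwner')
        [pscustomobject]@{
            Service        = $Name
            AceType        = $type
            Trustee        = $trustee
            Rights         = ($rights -join ',')
            CanStartStop   = $allow -and ($all -or $startStop)
            CanReconfig    = $allow -and ($all -or $reconfig)
            CanRewriteDacl = $allow -and ($all -or $dacWrite)
        }
    }
}

function Grant-ServiceStartStop {
    # Equivalent of: subinacl /service <name> /grant="<domain>\Domain Users"=PTO
    # Appends an allow ACE with Start (RP), Stop (WP) and PauseContinue (DT) for
    # $Trustee, given as an SDDL alias (DU, BU, AU, ...) or an S-1-5-... SID.
    param([Parameter(Mandatory)][string]$Name, [string]$Trustee = 'DU')
    $sddl = Get-ServiceSddl -Name $Name
    $ace  = "(A;;RPWPDT;;;$Trustee)"
    if ($sddl -like "*$ace*") { return $sddl }            # already granted
    # Insert at the end of the DACL, i.e. before the SACL ("S:") when one follows.
    $sIdx = $sddl.IndexOf('S:', $sddl.IndexOf('D:'))
    $new  = if ($sIdx -ge 0) { $sddl.Insert($sIdx, $ace) } else { $sddl + $ace }
    & sc.exe sdset $Name $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed (not elevated?)" }
    return (Get-ServiceSddl -Name $Name)
}

function Test-IsElevated {
    # DACL checks from an elevated console answer the wrong question: every
    # service looks restartable to BUILTIN\Administrators.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage:
#   if (Test-IsElevated) { Write-Warning 'Inspect from the unprivileged account, not an admin console' }
#   Get-ServiceDaclRights -Name 'VulnSvc' | Format-Table Trustee, Rights, CanStartStop, CanReconfig
#   Grant-ServiceStartStop -Name 'VulnSvc' -Trustee 'DU'   # elevated
#   Restart-Service VulnSvc                                # then, as the non-admin user
```

Two points worth keeping in mind when reading the output. The default service DACL already gives interactive users query rights (CCLCSWLOCRRC), which is why only the start/stop/pause bits need adding for a restart to succeed; and PowerUp's Invoke-ServiceAbuse rewrites binPath and then stops and starts the service, so the account you are testing with needs an ACE with CanReconfig as well as CanStartStop on the target service, not just one of them.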
Thank you that worked wonderfully! The service is restartable and I gain administrator privileges. But now I have a new issue, get_creds doesn't work. Here is the output of the step: https://pastebin.com/kfkr4nEz
This was working before and I haven't changed anything (I tried on another machine which I haven't touched) so I'm at a loss as to what could cause this. Any ideas? Also should I open a new issue?
Does it fail on the machine with the abusable service if you run an operation without the privesc steps? My understanding of your issue is that (on the same machine)
- get_creds succeeds when launched by a RAT running as SYSTEM after bootstrapping as SYSTEM account in operation setup
- get_creds fails when launched by a RAT running as SYSTEM that was created via powerup / service abuse
Not sure what could cause that, though I honestly haven't done that much testing on Windows 10 in a while. Could you verify 1 & 2 above, open a new issue, and close this one with a link to the new one? New issue just to make it easier for others to find when they run into the same problem.
On second look this doesn't seem to be an issue with Caldera, looks like the latest Windows update broke Mimikatz: EmpireProject/Empire#1147
Good find!
Looks like updating to the version of Invoke-ReflectivePEInjection in the Empire dev branch should fix this. You can probably paste the newest version into invoke-reflectivepe-ps1 in the script editor in the Caldera web UI.
@dm-mitre, if this works, we'll want to include the updated script in the repo.
@hf-mitre I opened a new issue related to Mimikatz, let me know if you can assist.
Closing this one as we figured out the initial problem. #38, #47 still open to track the needed updates to mimikatz and powersploit.