Comments (10)

unkempthenry avatar unkempthenry commented on May 20, 2024

Hmm, that's interesting. Perhaps some kind of incompatibility between the bundled version of PowerUp and the OS version. In your manual testing what version of PowerUp are you using (PowerSploit dev or master branch? ). Also, what version of windows is the RAT running on?

from caldera.

trallgorm avatar trallgorm commented on May 20, 2024

The target is a Windows 10 machine if that helps. I was using the PowerSploit master branch for the manual test. How can I find out what version RAT I'm using? If it's any help it's the CraterMainWin8+.exe file and I downloaded it about a month ago.

trallgorm avatar trallgorm commented on May 20, 2024

I'm dumb. Found the issue, I forgot that when I ran the PowerUp script I ran it from a PowerShell console which I ran as administrator. When run under normal privileges it gives the same output as Caldera does. I'm guessing that I have to find a way to enable services to be restarted by non-admin users.

unkempthenry avatar unkempthenry commented on May 20, 2024

Ah cool. The easiest way I've found to let non-admins restart services without mucking around in group policy is to use subinacl. https://support.microsoft.com/en-us/help/325349/how-to-grant-users-rights-to-manage-services-in-windows-server-2003

After installing subinacl.exe you'll probably want something like this:

"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /service <service name> /grant="<domain name>\Domain Users"=PTO
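For readers who do not want to install the Windows Resource Kit, the same grant can be made and verified with tools already on the box. The following is an added example, not code from the CALDERA project or from anyone in this thread; it assumes PowerShell 5.1 or later on Windows, and that `sc.exe sdshow`/`sdset` are run from an elevated prompt. The `PTO` letters in the subinacl command above map to SERVICE_PAUSE_CONTINUE (0x40), SERVICE_START (0x10) and SERVICE_STOP (0x20); in SDDL those same rights are written `DT`, `RP` and `WP`. The sample SDDL string below is constructed by hand to resemble a default service descriptor.

```powershell
# Added example (not from the CALDERA thread or project).
# Parses a service security descriptor (SDDL, as printed by 'sc.exe sdshow')
# and reports which principals hold the start/stop/pause rights a non-admin
# needs to restart a service, then grants those rights with 'sc.exe sdset'.

$SERVICE_START          = 0x0010   # SDDL 'RP'
$SERVICE_STOP           = 0x0020   # SDDL 'WP'
$SERVICE_PAUSE_CONTINUE = 0x0040   # SDDL 'DT'
$RestartMask = $SERVICE_START -bor $SERVICE_STOP -bor $SERVICE_PAUSE_CONTINUE

function Get-ServiceRestartGrants {
    # Returns one object per access-allowed ACE with the restart-relevant bits decoded.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        [pscustomobject]@{
            Sid        = $sid.Value
            Name       = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value })
            CanStart   = [bool]($ace.AccessMask -band $SERVICE_START)
            CanStop    = [bool]($ace.AccessMask -band $SERVICE_STOP)
            CanRestart = (($ace.AccessMask -band $RestartMask) -eq $RestartMask)
        }
    }
}

function Grant-ServiceRestart {
    # Appends an allow ACE (start/stop/pause-continue) for $Account to the
    # service's DACL via sc.exe sdset; equivalent to subinacl's /grant=...=PTO.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account      # e.g. 'CORP\Domain Users' (hypothetical)
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
               Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sddl = & sc.exe sdshow $ServiceName |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -match '^D:' } |
                Select-Object -First 1
    if (-not $sddl) { throw "sc.exe sdshow returned no descriptor for '$ServiceName' (run elevated?)" }

    $ace = "(A;;RPWPDT;;;$sid)"
    # Keep the new ACE inside the DACL: insert it before the SACL ('S:') if one is present.
    if ($sddl -match '^(D:.*?)(S:.*)$') { $newSddl = $Matches[1] + $ace + $Matches[2] }
    else                                 { $newSddl = $sddl + $ace }

    & sc.exe sdset $ServiceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
    Get-ServiceRestartGrants -Sddl $newSddl | Where-Object Sid -eq $sid
}

# Constructed sample: roughly what 'sc.exe sdshow' prints for a default service.
# SYSTEM (SY) and Administrators (BA) can start/stop; Interactive (IU) and
# Service (SU) users can only query.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
              'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-ServiceRestartGrants -Sddl $SampleSddl | Format-Table -AutoSize

# On a lab host (elevated), the actual grant would be:
# Grant-ServiceRestart -ServiceName 'VulnSvc' -Account 'CORP\Domain Users'   # hypothetical names
```

Run `Get-ServiceRestartGrants` against the real `sc.exe sdshow <service>` output before and after the grant to confirm the ACE landed where PowerUp's service checks will see it. Note that this deliberately creates the condition PowerUp flags as abusable (a non-admin who can restart a service whose binary or configuration they can also modify); apply it only to the lab target, and remove the ACE afterwards with `sc.exe sdset` using the original descriptor.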

trallgorm avatar trallgorm commented on May 20, 2024

Thank you that worked wonderfully! The service is restartable and I gain administrator privileges. But now I have a new issue, get_creds doesn't work. Here is the output of the step: https://pastebin.com/kfkr4nEz

This was working before and I haven't changed anything (I tried on another machine which I haven't touched) so I'm at a loss as to what could cause this. Any ideas? Also should I open a new issue?

unkempthenry avatar unkempthenry commented on May 20, 2024

Does it fail on the machine with the abusable service if you run an operation without the privesc steps? My understanding of your issue is that (on the same machine)

  1. get_creds succeeds when launched by a RAT running as SYSTEM after bootstrapping as SYSTEM account in operation setup
  2. get_creds fails when launched by a RAT running as SYSTEM that was created via powerup / service abuse

Not sure what could cause that, though I honestly haven't done that much testing on Windows 10 in a while. Could you verify 1 & 2 above, open a new issue, and close this one with a link to the new one? New issue just to make it easier for others to find when they run into the same problem.

trallgorm avatar trallgorm commented on May 20, 2024

On second look this doesn't seem to be an issue with Caldera, looks like the latest Windows update broke Mimikatz: EmpireProject/Empire#1147

unkempthenry avatar unkempthenry commented on May 20, 2024

Good find!

Looks like updating to the version of Invoke-ReflectivePEInjection in the Empire dev branch should fix this. You can probably paste the newest version into invoke-reflectivepe-ps1 in the script editor in the caldera web ui.

@dm-mitre, if this works, we'll want to include the updated script in the repo.

trallgorm avatar trallgorm commented on May 20, 2024

@hf-mitre I opened a new issue related to Mimikatz, let me know if you can assist.

unkempthenry avatar unkempthenry commented on May 20, 2024

Closing this one as we figured out the initial problem. #38, #47 still open to track the needed updates to mimikatz and powersploit.