Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Steal_token crashes agent #297

Closed
n8tr0n opened this issue Sep 3, 2020 · 5 comments · Fixed by #355
Closed

[BUG] Steal_token crashes agent #297

n8tr0n opened this issue Sep 3, 2020 · 5 comments · Fixed by #355
Labels
bug Something isn't working confirmed

Comments

@n8tr0n
Copy link

n8tr0n commented Sep 3, 2020
edited by Cx01N
Loading

Empire Version

  • Empire 3.3.4

OS Information (Linux flavor, Python version)

  • OS: Kali Linux
  • Python: 3.8.5

Describe the bug
After using credentials\mimikatz\pth and then steal_token, the agent dies.

To Reproduce

  1. Dump SAM
  2. usemodule credentials\mimikatz\pth
  3. steal_token
  4. Agent dies
  5. Expected behavior
  6. I expect to be able to utilize the token to access targets that they stolen token has access to

A clear and concise description of what you expected to happen.
I expect to be able to access targets in the context of the stolen token

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
@n8tr0n n8tr0n added the bug Something isn't working label Sep 3, 2020
@Cx01N Cx01N changed the title [BUG] [BUG] Steal_token crashes agent Sep 3, 2020
@Cx01N Cx01N added the confirmed label Sep 3, 2020
@Cx01N
Copy link
Member

Cx01N commented Sep 7, 2020

Steal_token (or Invoke-TokenManipulation) is having issues overall with newer Win 10 systems. It works on older builds, but I'm guessing that there will have to be some changes since it is crashing processes.

@mlgualtieri
Copy link

Also ran in to this today running an agent on a Windows Server 2016 VM, so it seems like this might not be limited to Win10.

Hubbl3 added a commit that referenced this issue Oct 15, 2020
@Hubbl3
fixes for #297
372405c
@Cx01N Cx01N linked a pull request Oct 16, 2020 that will close this issue
Token manipulation fixes #355
Merged
@mpgn
Copy link

mpgn commented Oct 17, 2020

Ran also on this issue with a Windows 10

@Hubbl3
Copy link

Hubbl3 commented Oct 17, 2020

There is now a pull request in that fixes this issue. There was a buffer size issue in the powershell code.

@mpgn
Copy link

mpgn commented Oct 20, 2020

@Hubbl3 just tested your PR, can confirm it's working perfectly 💯

Cx01N added a commit that referenced this issue Oct 22, 2020
@Hubbl3 @Cx01N
fixes for #297 (#355)
ab9a84c 
Co-authored-by: Anthony Rose <[email protected]>
@Hubbl3 Hubbl3 closed this as completed Oct 22, 2020
vinnybod pushed a commit that referenced this issue Mar 16, 2022
@Cx01N
Merge pull request #297 from BC-SECURITY/sponsors-dev
cde97c6 
4.1.1 Master Release
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working confirmed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Token manipulation fixes BC-SECURITY/Empire
5 participants
@n8tr0n @mpgn @Cx01N @mlgualtieri @Hubbl3