Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crash in Password Policies and Print Logon Sessions and Enumerating Security Packages Credentials and more #327

Open
e4ch opened this issue Dec 22, 2022 · 0 comments
Open

Crash in Password Policies and Print Logon Sessions and Enumerating Security Packages Credentials and more #327

e4ch opened this issue Dec 22, 2022 · 0 comments

Comments

@e4ch
Copy link

e4ch commented Dec 22, 2022

If you are going to suggest something, please remove the following template.

Issue description

Running the x64 binary on a Win Server 2012R2 give the following error in the output:
[...]
� Check for a possible brute-force
[X] Exception: System.OverflowException: Negating the minimum value of a twos complement number is invalid.
at System.TimeSpan.op_UnaryNegation(TimeSpan t)
at winPEAS.Info.UserInfo.UserInfoHelper.GetPasswordPolicy()
Domain: Builtin
[...]
����������͹ Print Logon Sessions
[X] Exception: System.Runtime.InteropServices.COMException (0x80070006): The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at System.Runtime.InteropServices.Marshal.FreeHGlobal(IntPtr hglobal)
at winPEAS.Native.Classes.UNICODE_STRING.Dispose(Boolean disposing)
Method: WMI
[...]
����������͹ Enumerating Security Packages Credentials
[X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d535350000300000001000100620000000000000063000000000000005800000000000000580000000a000a00580000000000000063000000058a80a2060380250000000fee4655ce70a8b970020c1d3ded8e5ebc44004900530043004f0000

�����������������������������������͹ Browsers Information �������������������������������������

[...]
����������͹ Current IE tabs
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
Not Found

����������͹ Looking for GET credentials in IE history
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
[X] Exception: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Windows\system32\config\systemprofile\Favorites'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileSystemEnumerableIterator1.CommonInit() at System.IO.FileSystemEnumerableIterator1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
at System.IO.Directory.EnumerateFiles(String path, String searchPattern, SearchOption searchOption)
at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetIEHistFav()

����������͹ IE favorites
Not Found

[...]
����������͹ Recent files --limit 70--
[X] Exception: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileSystemEnumerableIterator1.CommonInit() at System.IO.FileSystemEnumerableIterator1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
at System.IO.Directory.EnumerateFiles(String path, String searchPattern, SearchOption searchOption)
at winPEAS.KnownFileCreds.KnownFileCredsInfo.GetRecentFiles()
Not Found

����������͹ Looking inside the Recycle Bin for creds files

[...]

Steps to reproduce the issue

  1. run the binary on Windows Server 2012R2 as mentioned user (I tried on the PEN-200 lab machine 10.11.1.13)

Which parameters did you use for executing the script and how did you execute it?

command line, no parameters

If winpeas, did you use a clean or obfuscated winpeas, and for which architecture?

clean, x64

Is there any AV / Threat protection in the system?

no

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

Windows Server 2012R2, English

Please, indicate the check that is failing and add a screenshot showing the problem

see log above instead and let me know if not reproducible

How did you expect it to work?

no crash

Additional details / screenshot

Please note that the running user is IIS APPPOOL\DEFAULTAPPPOOL (part of IIS with limited functionality).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@e4ch