
[!] Unhandled Rubeus exception: #44

Closed
Wolchara000 opened this issue Apr 13, 2020 · 2 comments

@Wolchara000

Good day.
Trying to run Rubeus monitor. On all systems (Win10 and Win7) the same issue. Tried as local Admin, Domain admin, User... Same. Tried disabling UAC.

```
PS C:\> .\Rubeus.exe monitor

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: TGT Monitoring
[*] Monitoring every 60 seconds for new TGTs


[!] Unhandled Rubeus exception:

System.Exception: Could not elevate to system
   в Rubeus.LSA.GetLsaHandle()
   в Rubeus.LSA.EnumerateTickets(Boolean extractTicketData, LUID targetLuid, String targetService, String targetUser, String targetServer, Boolean includeComputerAccounts, Boolean silent)
   в Rubeus.Harvest.HarvestTicketGrantingTickets()
   в Rubeus.Commands.Monitor.Execute(Dictionary`2 arguments)
   в Rubeus.Domain.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
   в Rubeus.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
PS C:\>
```

@HarmJ0y
Member

HarmJ0y commented Apr 14, 2020

So it's failing at the Helpers.GetSystem() call (https://github.com/GhostPack/Rubeus/blob/master/Rubeus/lib/Helpers.cs#L82-L134). For some reason the token duplication method to elevate to SYSTEM is failing. This can occasionally happen in some situations where SeDebugPrivilege is removed from local administrators, but without the system to experiment with it's hard to tell.

Can you try to elevate to SYSTEM manually (i.e. with PSEXEC) and try running the same Rubeus command while running from that context?
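An added audit script, not code from Rubeus or from either participant, for the one condition the maintainer names above: it reports who holds SeDebugPrivilege ("Debug programs") in the effective local policy, whether the local Administrators group (S-1-5-32-544) is among them, and whether the current token actually carries the right. The function names are my own; it assumes an elevated PowerShell prompt, since secedit.exe needs administrative rights to export policy.

```powershell
# Added example (not from Rubeus or this thread): audit the SeDebugPrivilege
# assignment that the maintainer names as a known cause of "Could not elevate
# to system". Run from an elevated PowerShell prompt.

function Get-DebugPrivilegeAssignment {
    # Export only the user-rights area of the effective local policy to a temp INI file.
    $export = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $export)) { throw "secedit export failed; is this prompt elevated?" }

        # The [Privilege Rights] section holds lines such as:
        #   SeDebugPrivilege = *S-1-5-32-544
        # A missing line means nobody on this machine is granted the right.
        $line = Get-Content $export | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' }
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }

        # Resolve *SID entries to account names for the report; keep the raw text on failure.
        $names = foreach ($h in $holders) {
            if ($h.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $h }
            } else { $h }
        }

        [pscustomobject]@{
            Holders            = @($names)
            AdministratorsHold = [bool]($holders -contains '*S-1-5-32-544')
        }
    } finally {
        Remove-Item $export -ErrorAction SilentlyContinue
    }
}

function Test-CurrentTokenDebugPrivilege {
    # whoami /priv lists the privileges present in the current token, one per line.
    # Its state column is localized, so only presence is checked; a right granted by
    # policy shows up in a token only after a fresh logon.
    [bool]((& whoami.exe /priv) -match '^SeDebugPrivilege\b')
}

$policy = Get-DebugPrivilegeAssignment
"Debug programs is assigned to: $($policy.Holders -join ', ')"
"Administrators hold SeDebugPrivilege by policy: $($policy.AdministratorsHold)"
"Current token carries SeDebugPrivilege: $(Test-CurrentTokenDebugPrivilege)"
```

If the policy grants the right but the current token lacks it, the session predates the assignment and a new logon is needed before the comparison is meaningful.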

@Wolchara000
Author

Ok. Done.
From "nt authority\system" it works fine.
Strange. I used a clean Win 10 distribution + a clean DC 2012R2 with a domain as the test environment. On both systems it didn't get into monitor mode.

```
C:\>whoami
nt authority\system

C:\>Rubeus.exe monitor

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: TGT Monitoring
[*] Monitoring every 60 seconds for new TGTs

[*] 15.04.2020 9:39:06 UTC - Found new TGT:

  User                  :  ivanov@THUNTER.LOCAL
  StartTime             :  15.04.2020 10:44:00
  EndTime               :  15.04.2020 20:44:00
  RenewTill             :  22.04.2020 10:44:00
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  Base64EncodedTicket   :

    doIFLDCCBSigAwIBBaEDAgEWooIEMDCCBCxhggQoMIIEJKADAgEFoQ8bDVRIVU5URVIuTE9DQUyiIjAgoAMCAQKhGTAXGwZrcmJ0
```

HarmJ0y closed this as completed May 11, 2020