Comments (12)
Ok, finally looked into this a little bit, and think I have confirmed that MakeToken -> ShellCmd is a bug. The System.Diagnostics.Process namespace (used by ShellCmd) does not use the impersonated token as expected.
I'll have to do some thinking about how to handle this. Thanks again for the heads up @attl4s
from covenant.
@attl4s This is more of a workaround than a solution. But I've added ShellRunAs and ShellCmdRunAs tasks that accept Username and Password parameters, that will run a command as the specified user.
This is a built-in feature of the System.Diagnostics.Process class. For now, these tasks still won't use a previously impersonated token from the ImpersonateToken task.
from covenant.
Thanks @attl4s, thanks for the heads up. I might look into the CreateProcessAsUser api in medium integrity contexts: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
from covenant.
Hi @attl4s! I'm not really sure what's going on, I'm not able to reproduce either of those issues.
Can you re-test and verify you are still seeing these behaviors? If so, can you provide your OS version?
from covenant.
How curious
Here's where Covenant is running (git cloned today)
.NET Core SDK (reflecting any global.json):
 Version: 2.2.300
 Commit: 73efd5bd87

Runtime Environment:
 OS Name: debian
 OS Version: 9
 OS Platform: Linux
 RID: debian.9-x64
 Base Path: /usr/share/dotnet/sdk/2.2.300/

Host (useful for support):
 Version: 2.2.5
 Commit: 0a3c9209c0

.NET Core SDKs installed:
 2.2.300 [/usr/share/dotnet/sdk]

.NET Core runtimes installed:
 Microsoft.AspNetCore.All 2.2.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
 Microsoft.AspNetCore.App 2.2.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
 Microsoft.NETCore.App 2.2.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

The testing VM (Fileserver01) was a Microsoft Windows Server 2019 Standard with no GUI.
I have tried it again in another Microsoft Windows Server 2019 Standard (Sqlserver01) with graphical interface and there somehow it works.
For the shellcmd, I keep having the same problem on Sqlserver01
Later I will try on a Windows 10 machine to see if something changes.
Thank you!
from covenant.
Hi again Ryan!
Microsoft Windows 10 Enterprise (Evaluation)
- The LOGON32_LOGON_INTERACTIVE seems to work properly here as well.
- But Shellcmd fails for me again
I'm gonna keep digging to see if I can get something straight because this doesn't really make sense hahaha. It would be nice if a third person could test and post these things here.
Thank you
from covenant.
That's so strange. Which version of Windows 10 are you using? (i.e. build number)
from covenant.
Host Name: WS04
OS Name: Microsoft Windows 10 Enterprise Evaluation
OS Version: 10.0.18362 N/A Build 18362
OS Manufacturer: Microsoft Corporation
from covenant.
Ok, sorry it's taken so long, but I have now added a CreateProcessWithToken command that will start a new process using a previously impersonated token from the MakeToken, ImpersonateUser, or ImpersonateProcess commands.
I think CreateProcessWithToken + ShellRunAs + ShellCmdRunAs are going to have to be the solutions to this issue, there's no way to get the shell task to use an impersonated token without totally changing how it works.
Let me know if this solution is sufficient @attl4s!
from covenant.
AWESOME!
I'll take a look tomorrow and let you know. Thank you Ryan!!
from covenant.
Hi again!
I've been trying the new CreateProcessWithToken and these are the results:
Working like a charm in high integrity contexts:
Failing in medium integrity contexts:
AFAIK this is the intended behaviour of CreateProcessWithTokenW:
The process that calls CreateProcessWithTokenW must have the SE_IMPERSONATE_NAME privilege. If this function fails with ERROR_PRIVILEGE_NOT_HELD (1314), use the CreateProcessAsUser or CreateProcessWithLogonW function instead. Typically, the process that calls
So considering the situation, I think this is indeed the best solution.
Sum up:
- If you don't need shellcmd
  1.1. As almost every other task in Covenant is executed within the current process, MakeToken should work just fine.
- If you need shellcmd
  2.1. High integrity context?: use CreateProcessWithToken as if it was shellcmd (or ShellRunAs / ShellCmdRunAs).
  2.2. Medium integrity context?: use ShellRunAs / ShellCmdRunAs
Thanks again! If everything is OK, feel free to close this issue
from covenant.
Sounds like the perfect solution! I didn't notice the hToken within that call :P
from covenant.