[Win 10] Permission denied error #1376
Comments
the answer is here #1371 |
@doomedraven you mean update CAPEv2 again? |
No, it's due to the problem of running agent.py with proper permissions. It looks like the latest Win10 broke something and you have to research how to run it properly, or it could be the case that you didn't properly disable MS Defender. |
@doomedraven could the problem not be Windows 10, since both of us have had the same issue running as admin or SYSTEM, but the agent itself? |
I'll see if adding the agent to the HKLM registry key changes something. Edit: the agent is now running as a service and from the HKLM registry |
@RoemIko so when I run just as administrator I get a lot of permission denied errors. However, this last one I ran as SYSTEM I got a permission denied but also got an error for modules.packages.exe |
I don't have that problem; I only receive a permission denied in the folder that the CAPE agent creates, where the .ini file is located, even if I run the agent as the SYSTEM account, which is the highest account within Windows. Both Windows Defender and Windows Firewall are turned off. |
I have done the following on the Windows host:
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v pizzatime /t REG_SZ /d "C:\tmp\agent.pyw"
|
What about Windows Defender? |
That one is also disabled @doomedraven |
What Win10 build? Latest? |
I'm running version 22H2, OS build 19045.2006 [image] <https://user-images.githubusercontent.com/45184251/219416944-6b5cdfb7-2e74-4d02-8377-49b922ef172a.png> |
This one should be working just fine, weird |
I still haven't found a solution to this. However, quick question for you @RoemIko: how did you set up Sysmon? Did you install it on your Windows snapshot, or do the exe and xml just sit in the bin folder? EDIT: I got Sysmon working, now back to trying to get this permission denied working |
I believe I found where the issue stems from, but I do not know how to fix it. 2023-02-16 12:49:35,320 [modules.auxiliary.permissions] WARNING: 'Modify admin' call was unable to complete in 15 seconds These errors make me think that permissions.py is not working correctly. EDIT: Also, if you look at the properties of the TMP directory that CAPE is creating, SYSTEM does not have full control over the folder. With this in mind, it points me towards permissions.py even more. Edit2: permissions.py uses icacls to make it Administrator, not SYSTEM... |
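The diagnosis in the comment above (the directory that the permissions module ACLs with icacls ends up with Full control for Administrators but not for SYSTEM, which is what the agent runs as) can be checked from inside the guest without reading the module. The script below is an added example for this thread, not CAPEv2 code and not part of permissions.py: it parses the output of `icacls <dir>` into per-identity rights, reports which of the accounts the agent might run as lack the (F) right, and prints the icacls grant that would add it. The directory `C:\tmp\analyzer`, the embedded icacls output, and the English well-known names `BUILTIN\Administrators` and `NT AUTHORITY\SYSTEM` are assumptions (localized Windows builds name these accounts differently). Re-granting the agent's own account is the narrower fix compared with turning the permissions auxiliary off, since the module exists to keep ransomware samples from touching the analyzer directory.

```python
"""Check whether the account the CAPE agent runs as holds Full control on the
analyzer directory, using the output of `icacls <dir>`.

Added example for this thread, not CAPEv2 code and not part of
permissions.py. The directory name, the account names and the embedded
icacls output are assumptions for illustration.
"""
import re
import subprocess
import sys

# Assumed analyzer directory inside the guest.
ANALYZER_DIR = r"C:\tmp\analyzer"

# Accounts the agent is run as in this thread: Administrators, then SYSTEM.
# English well-known names; localized builds of Windows use other names.
REQUIRED_IDENTITIES = ("BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM")

# Constructed `icacls C:\tmp\analyzer` output for the state described in the
# thread: Administrators were granted (F) but SYSTEM has no entry at all.
# icacls prints the path only on the first line; later ACEs are indented.
SAMPLE_ICACLS_OUTPUT = r"""C:\tmp\analyzer BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(OI)(CI)(RX)
                Everyone:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

_PAREN_TOKEN = re.compile(r"\(([^)]*)\)")


def parse_icacls(output: str, path: str) -> dict:
    """Map each identity in icacls output to the set of its rights tokens.

    An ACE line looks like `NT AUTHORITY\\SYSTEM:(OI)(CI)(F)`; the first line
    is prefixed with `path`. Identities never contain ':', so splitting on
    the first ':' after the path is safe even for names with spaces.
    """
    aces = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        identity, sep, rights = line.partition(":")
        if not sep:
            continue
        tokens = set(_PAREN_TOKEN.findall(rights))
        aces.setdefault(identity.strip(), set()).update(tokens)
    return aces


def has_full_control(aces: dict, identity: str) -> bool:
    """True if `identity` has an ACE carrying the (F) Full control right."""
    return "F" in aces.get(identity, set())


def grant_command(path: str, identity: str) -> str:
    """icacls command granting `identity` Full control, inherited by children."""
    return f'icacls "{path}" /grant "{identity}:(OI)(CI)F"'


def missing_full_control(path: str, identities=REQUIRED_IDENTITIES, output=None) -> list:
    """Return the identities from `identities` that lack (F) on `path`.

    When `output` is None, icacls is run on the live directory (Windows only);
    pass captured output to analyse it offline.
    """
    if output is None:
        output = subprocess.run(
            ["icacls", path], capture_output=True, text=True, check=True
        ).stdout
    aces = parse_icacls(output, path)
    return [ident for ident in identities if not has_full_control(aces, ident)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ANALYZER_DIR
    # Off Windows there is no icacls, so fall back to the constructed sample.
    captured = None if sys.platform == "win32" else SAMPLE_ICACLS_OUTPUT
    for ident in missing_full_control(target, output=captured):
        print(f"{ident} lacks Full control on {target}; fix with:")
        print("  " + grant_command(target, ident))
```

Run it in the guest as `python check_acl.py C:\path\to\analyzer` (the filename is arbitrary); on the sample output it reports only `NT AUTHORITY\SYSTEM` as missing and prints the matching `icacls ... /grant` line. Inherited ACEs show an extra `(I)` token, which the check ignores, since what matters is whether `(F)` is present for the agent's account.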
@C0WB0Y-Ducky what happens if you alter the icacls to SYSTEM? |
@RoemIko I have not tried yet. I went to the auxiliary.conf and turned off permissions, re-running now, so I'll let you know if that was a workaround. |
@RoemIko I got farther by just turning the permissions auxiliary off than I have yet, so in my book that's a win. |
Ah, so there is a bug in permissions.py :) |
Yeah, I got a couple of access denied for disguise. Edit: To be honest, I have no idea where to start on the icacls thing to change. I don't write in Python much. |
@doomedraven I have tried it too and can confirm it works now. Setting permissions to no makes the sandbox work properly |
Cool, thanks for the heads up, no idea what permissions.py does 🤣 |
If y'all ever fix whatever permissions.py does, please comment in here XD |
@cccs-kevin I see that you are the author of that aux module, any tip for them? https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/auxiliary/permissions.py |
Hey all, this auxiliary module was migrated over from a Cuckoo PR cuckoosandbox/cuckoo#3136 and the sole focus of this aux module was to prevent ransomware from having the permissions required to encrypt the Python and Cuckoo+CAPE analysis directory. Looks like the permissions are handled differently for these directories https://github.com/kevoreilly/CAPEv2/blob/master/analyzer/windows/modules/auxiliary/permissions.py#L29 with CAPE, so I'll revise the module. PR coming soon |
Thanks Kevin |
do |
Expected Behavior
Expect the agent to work correctly with the right permissions.
Current Behavior
Whenever I upload a sample it fails because of permissions.
Failure Information (for bugs)
Steps to Reproduce
Context
CAPE is running on Ubuntu 22.04 with KVM machinery, which has a Windows 10 64-bit device with Python 3.10 32-bit running; Python has been added to PATH, the host is isolated and there is communication. The agent is running with highest privileges from a scheduled task. Whenever I upload a sample it seems to fail at a certain point. I have tried many ways to get the agent running as admin, which I assume it is. I have set the C:/ drive to be accessible for anyone.
I have connected to the VM and see the directories being made, but it seems to fail the moment it tries to read the PID.ini file in /dll/.
The firewall has been shut off and Windows Defender has also been turned off.
Any tips or ideas would be appreciated
Failure Logs
Logs from the web interface