Have some problems with psexec.py

Hey, I have a problem with psexec.py. I am now working with the first machine, and when I enter the following command:
psexec.py [email protected]
I enter the password and get this:
Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file tdDuQHqv.exe
And then nothing happens. I have waited for about 15 minutes, but nothing.
Maybe someone can help me with this problem.

Comments

  • edited January 23

    I am also getting stuck at this point as well.
    I have run git clone.
    I have installed impacket.
    I have run the setup.py in the impacket folder and I am running the *exec.py script from the build folder. I even added the extra arguments for timestamps and debug mode but nothing extra/helpful is output to the console.

    Looks like some kind of timeout error is happening, or the explicitly stated tool doesn't actually work as intended, or the Starter instructions inaccurately point the user to use the psexec.py script giving them the impression it should work but in reality it won't and the user needs to figure that out...through dumb luck? Even though previous instructions are "vague" in that they say use impacket or some other tool.

    My best guess is that the intention was for us to "struggle"/"try harder", to use the available *exec* options till we got into the host. If this was the case, that failed epically. Muito Obrigado. Otherwise I'm lost on the intentionality behind this.

    I have gotten smbexec.py to work with the most "success" but the cli is buggy as hell and every few commands it breaks then makes it so you can't reconnect back to the server (see errors below).

    I have tried these without success:
    ./psexec.py
    ./wmiexec.py

    Limited success:
    ./smbexec.py

    Error/Output below

    $pwd:
    /tmp/impacket/build/scripts-3.9

    Get Root: PSEXEC

    python3 ./psexec.py 'ARCHETYPE/Administrator:[email protected]' -ts -debug

    Output:

    Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
    
    [2021-01-23 17:26:12] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
    [2021-01-23 17:26:12] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
    [2021-01-23 17:26:13] [*] Requesting shares on 10.10.10.27.....
    [2021-01-23 17:26:13] [*] Found writable share ADMIN$
    [2021-01-23 17:26:13] [*] Uploading file WKypLxDp.exe
    

    Hangs here ^

    Then spits out error after ~20min

    [2021-01-23 17:42:48] [-] Error uploading file WKypLxDp.exe, aborting.....
    [2021-01-23 17:42:48] [-] Error performing the installation, cleaning up: [Errno 32] Broken pipe
    [2021-01-23 17:42:48] [+] Exception
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 983, in non_polling_read
        received = self._sock.recv(bytes_left)
    TimeoutError: [Errno 110] Connection timed out
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1862, in storeFile
        written = self.write(treeId, fileId, data, writeOffset, len(data))
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1354, in write
        ans = self.recvSMB(packetID)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 434, in recvSMB
        data = self._NetBIOSSession.recv_packet(self._timeout)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
        data = self.__read(timeout)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 1001, in __read
        data = self.read_function(4, timeout)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 987, in non_polling_read
        raise NetBIOSError('Error occurs while reading from remote', ERRCLASS_OS, ex.errno)
    impacket.nmb.NetBIOSError: Error occurs while reading from remote(110)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/examples/serviceinstall.py", line 166, in install
        self.copy_file(self.__exeFile ,self.share,self.__binary_service_name)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/examples/serviceinstall.py", line 122, in copy_file
        self.connection.putFile(tree, pathname, fh.read)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 819, in putFile
        return self._SMBConnection.stor_file(shareName, pathName, callback)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1866, in storeFile
        self.close(treeId, fileId)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1267, in close
        packetID = self.sendSMB(packet)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 419, in sendSMB
        self._NetBIOSSession.send_packet(packet)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 911, in send_packet
        self._sock.sendall(p.rawData())
    BrokenPipeError: [Errno 32] Broken pipe
    

    Get Root: WMI

    python3 ./wmiexec.py 'ARCHETYPE/Administrator:[email protected]' -ts -debug

    Output:

    Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
    
    [2021-01-23 17:42:55] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
    [2021-01-23 17:42:55] [*] SMBv3.0 dialect used
    [2021-01-23 17:42:56] [+] Target system is 10.10.10.27 and isFDQN is False
    [2021-01-23 17:42:56] [+] StringBinding: \\\\ARCHETYPE[\\PIPE\\atsvc]
    [2021-01-23 17:42:56] [+] StringBinding: Archetype[49666]
    [2021-01-23 17:42:56] [+] StringBinding: 10.10.10.27[49666]
    [2021-01-23 17:42:56] [+] StringBinding chosen: ncacn_ip_tcp:10.10.10.27[49666]
    

    Hangs here ^

    Get Root: SMB

    python3 ./smbexec.py 'ARCHETYPE/Administrator:[email protected]' -ts -debug

    Output:

    Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
    
    [2021-01-23 17:57:51] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
    [2021-01-23 17:57:51] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
    [2021-01-23 17:57:52] [+] Executing %COMSPEC% /Q /c echo cd  ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
    Traceback (most recent call last):
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 151, in run
        self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName)
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 198, in __init__
        self.do_cd('')
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 230, in do_cd
        self.execute_remote('cd ' )
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 264, in execute_remote
        resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName,
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/dcerpc/v5/scmr.py", line 1260, in hRCreateServiceW
        return dce.request(createService)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
        raise exception
    impacket.dcerpc.v5.scmr.DCERPCSessionError: SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists.
    [2021-01-23 17:57:52] [-] SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists
    

    Also tried renaming the service name:

    Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
    
    [2021-01-23 18:01:41] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
    [2021-01-23 18:01:41] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
    [2021-01-23 18:01:42] [+] Executing %COMSPEC% /Q /c echo cd  ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 798, in getFile
        return self._SMBConnection.retr_file(shareName, pathName, callback)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1823, in retrieveFile
        fileId = self.create(treeId, path, FILE_READ_DATA, shareAccessMode, FILE_NON_DIRECTORY_FILE, mode, 0, createContexts=createContexts)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1223, in create
        if ans.isValidAnswer(STATUS_SUCCESS):
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
        raise smb3.SessionError(self['Status'], self)
    impacket.smb3.SessionError: SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 151, in run
        self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName)
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 198, in __init__
        self.do_cd('')
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 230, in do_cd
        self.execute_remote('cd ' )
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 274, in execute_remote
        self.get_output()
      File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 248, in get_output
        self.transferClient.getFile(self.__share, OUTPUT_FILENAME, output_callback)
      File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 802, in getFile
        raise SessionError(e.get_error_code(), e.get_error_packet())
    impacket.smbconnection.SessionError: SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
    [2021-01-23 18:01:43] [-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
    
  • same here

    tried all of the above ways, and they get stuck.

    I can get a reverse shell with the SQL way, but I cannot elevate to admin (not sure what command I can use; there's no Python installed to use any of the bash tricks).
