Hey, I have a problem with psexec.py. So, now I am working on the first machine, and when I enter the next command:
psexec.py administrator@10.10.10.27
I enter the password and get this:
Password:
Requesting shares on 10.10.10.27…
Found writable share ADMIN$
[*] Uploading file tdDuQHqv.exe
And then nothing happens. I have waited for about 15 minutes, but nothing.
Maybe someone can help me with this problem.
I am also getting stuck at this point as well.
I have run git clone. I have installed impacket. I have run the setup.py in the impacket folder and I am running the *exec.py script from the build folder. I even added the extra arguments for timestamps and debug mode, but nothing extra/helpful is output to the console.
Looks like some kind of timeout error is happening, or the explicitly stated tool doesn’t actually work as intended, or the Starter instructions inaccurately point the user to use the psexec.py script, giving them the impression it should work when in reality it won’t, and the user needs to figure that out…through dumb luck? Even though the previous instructions are “vague” in that they say use impacket or some other tool.
My best guess is that the intention was for us to “struggle”/“try harder”, to use the available *exec* options until we got into the host. If this was the case, that failed epically. Muito Obrigado. Otherwise I’m lost on the intentionality behind this.
I have gotten smbexec.py to work with the most “success”, but the cli is buggy as ■■■■ and every few commands it breaks, then makes it so you can’t reconnect back to the server (see errors below).
I have tried these without success:
./psexec.py
./wmiexec.py
Limited success:
./smbexec.py
Error/Output below
$pwd:
/tmp/impacket/build/scripts-3.9
Get Root: PSEXEC
python3 ./psexec.py 'ARCHETYPE/Administrator:MEGACORP_4dm1n!!@10.10.10.27' -ts -debug
Output:
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
[2021-01-23 17:26:12] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
[2021-01-23 17:26:12] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
[2021-01-23 17:26:13] [*] Requesting shares on 10.10.10.27.....
[2021-01-23 17:26:13] [*] Found writable share ADMIN$
[2021-01-23 17:26:13] [*] Uploading file WKypLxDp.exe
Hangs here ^
Then spits out an error after ~20 min
[2021-01-23 17:42:48] [-] Error uploading file WKypLxDp.exe, aborting.....
[2021-01-23 17:42:48] [-] Error performing the installation, cleaning up: [Errno 32] Broken pipe
[2021-01-23 17:42:48] [+] Exception
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 983, in non_polling_read
received = self._sock.recv(bytes_left)
TimeoutError: [Errno 110] Connection timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1862, in storeFile
written = self.write(treeId, fileId, data, writeOffset, len(data))
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1354, in write
ans = self.recvSMB(packetID)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 434, in recvSMB
data = self._NetBIOSSession.recv_packet(self._timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 914, in recv_packet
data = self.__read(timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 1001, in __read
data = self.read_function(4, timeout)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 987, in non_polling_read
raise NetBIOSError('Error occurs while reading from remote', ERRCLASS_OS, ex.errno)
impacket.nmb.NetBIOSError: Error occurs while reading from remote(110)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/examples/serviceinstall.py", line 166, in install
self.copy_file(self.__exeFile ,self.share,self.__binary_service_name)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/examples/serviceinstall.py", line 122, in copy_file
self.connection.putFile(tree, pathname, fh.read)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 819, in putFile
return self._SMBConnection.stor_file(shareName, pathName, callback)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1866, in storeFile
self.close(treeId, fileId)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1267, in close
packetID = self.sendSMB(packet)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 419, in sendSMB
self._NetBIOSSession.send_packet(packet)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/nmb.py", line 911, in send_packet
self._sock.sendall(p.rawData())
BrokenPipeError: [Errno 32] Broken pipe
Get Root: WMI
python3 ./wmiexec.py 'ARCHETYPE/Administrator:MEGACORP_4dm1n!!@10.10.10.27' -ts -debug
Output:
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
[2021-01-23 17:42:55] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
[2021-01-23 17:42:55] [*] SMBv3.0 dialect used
[2021-01-23 17:42:56] [+] Target system is 10.10.10.27 and isFDQN is False
[2021-01-23 17:42:56] [+] StringBinding: \\\\ARCHETYPE[\\PIPE\\atsvc]
[2021-01-23 17:42:56] [+] StringBinding: Archetype[49666]
[2021-01-23 17:42:56] [+] StringBinding: 10.10.10.27[49666]
[2021-01-23 17:42:56] [+] StringBinding chosen: ncacn_ip_tcp:10.10.10.27[49666]
Hangs here ^
Get Root: SMB
python3 ./smbexec.py 'ARCHETYPE/Administrator:MEGACORP_4dm1n!!@10.10.10.27' -ts -debug
Output:
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
[2021-01-23 17:57:51] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
[2021-01-23 17:57:51] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
[2021-01-23 17:57:52] [+] Executing %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Traceback (most recent call last):
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 151, in run
self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName)
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 198, in __init__
self.do_cd('')
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 230, in do_cd
self.execute_remote('cd ' )
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 264, in execute_remote
resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName,
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/dcerpc/v5/scmr.py", line 1260, in hRCreateServiceW
return dce.request(createService)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 878, in request
raise exception
impacket.dcerpc.v5.scmr.DCERPCSessionError: SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists.
[2021-01-23 17:57:52] [-] SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists
Also tried renaming the service name:
Impacket v0.9.23.dev1+20210111.162220.7100210f - Copyright 2020 SecureAuth Corporation
[2021-01-23 18:01:41] [+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket
[2021-01-23 18:01:41] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
[2021-01-23 18:01:42] [+] Executing %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 798, in getFile
return self._SMBConnection.retr_file(shareName, pathName, callback)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1823, in retrieveFile
fileId = self.create(treeId, path, FILE_READ_DATA, shareAccessMode, FILE_NON_DIRECTORY_FILE, mode, 0, createContexts=createContexts)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3.py", line 1223, in create
if ans.isValidAnswer(STATUS_SUCCESS):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smb3structs.py", line 454, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 151, in run
self.shell = RemoteShell(self.__share, rpctransport, self.__mode, self.__serviceName)
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 198, in __init__
self.do_cd('')
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 230, in do_cd
self.execute_remote('cd ' )
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 274, in execute_remote
self.get_output()
File "/tmp/impacket/build/scripts-3.9/./smbexec.py", line 248, in get_output
self.transferClient.getFile(self.__share, OUTPUT_FILENAME, output_callback)
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.23.dev1+20210111.162220.7100210f-py3.9.egg/impacket/smbconnection.py", line 802, in getFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
[2021-01-23 18:01:43] [-] SMB SessionError: STATUS_SHARING_VIOLATION(A file cannot be opened because the share access flags are incompatible.)
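As an added example (my own code, not part of this thread and not part of Impacket), here is a small Python triage script for the kind of `-ts -debug` transcripts quoted above. It reads the timestamped `[+]`/`[*]`/`[-]` lines, reports the stage after which the run paused longest (the hang point), and lists which of the error signatures seen in this thread the run ended with. The embedded sample transcripts are trimmed copies of the output posted above; the one-line meaning attached to each error code is my reading of the tracebacks, marked as an assumption, not text the tool prints.

```python
"""Triage an Impacket `-ts -debug` transcript: where did it stall, and which known error ended it?"""
import re
from datetime import datetime

# A timestamped Impacket line looks like "[2021-01-23 17:26:13] [*] Uploading file WKypLxDp.exe"
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] \[([+*-])\] (.*)$")

# Error signatures seen in this thread. The right-hand side is my reading of each
# traceback (an assumption for triage), not text that Impacket prints.
KNOWN_ERRORS = {
    "Errno 110": "socket read timed out: the server never answered the SMB write",
    "Errno 32": "broken pipe: the server dropped the connection while the client was still sending",
    "ERROR_SERVICE_EXISTS": "a service of that name is still registered from an earlier, aborted run",
    "STATUS_SHARING_VIOLATION": "the output file on the share is still held open by another process",
}


def parse_events(text):
    """Return [(datetime, level, message)] for every timestamped line; traceback lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return events


def longest_gap(events):
    """(message of the stage that preceded the longest pause, pause in seconds), or None if <2 events."""
    worst = None
    for (t0, _, msg), (t1, _, _) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if worst is None or gap > worst[1]:
            worst = (msg, gap)
    return worst


def known_errors(text):
    """Known error signatures in order of first appearance, traceback lines included."""
    seen = []
    for line in text.splitlines():
        for key in KNOWN_ERRORS:
            if key in line and key not in seen:
                seen.append(key)
    return seen


def diagnose(text, hang_threshold=60):
    """Summarise a transcript: the stage it stalled at (if any) and the errors it ended with."""
    events = parse_events(text)
    result = {"last_stage": events[-1][2] if events else None,
              "hung_after": None, "gap_seconds": 0.0,
              "errors": known_errors(text)}
    gap = longest_gap(events)
    if gap and gap[1] >= hang_threshold:
        result["hung_after"], result["gap_seconds"] = gap
    elif not result["errors"] and events:
        # No long pause and no error: the capture ends while the tool is still waiting on its last stage.
        result["hung_after"] = result["last_stage"]
    return result


# Constructed samples: trimmed copies of the three transcripts posted in this thread.
PSEXEC_SAMPLE = r"""
[2021-01-23 17:26:12] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
[2021-01-23 17:26:13] [*] Requesting shares on 10.10.10.27.....
[2021-01-23 17:26:13] [*] Found writable share ADMIN$
[2021-01-23 17:26:13] [*] Uploading file WKypLxDp.exe
[2021-01-23 17:42:48] [-] Error uploading file WKypLxDp.exe, aborting.....
[2021-01-23 17:42:48] [-] Error performing the installation, cleaning up: [Errno 32] Broken pipe
[2021-01-23 17:42:48] [+] Exception
Traceback (most recent call last):
TimeoutError: [Errno 110] Connection timed out
BrokenPipeError: [Errno 32] Broken pipe
"""

WMIEXEC_SAMPLE = r"""
[2021-01-23 17:42:55] [*] SMBv3.0 dialect used
[2021-01-23 17:42:56] [+] Target system is 10.10.10.27 and isFDQN is False
[2021-01-23 17:42:56] [+] StringBinding: \\\\ARCHETYPE[\\PIPE\\atsvc]
[2021-01-23 17:42:56] [+] StringBinding chosen: ncacn_ip_tcp:10.10.10.27[49666]
"""

SMBEXEC_SAMPLE = r"""
[2021-01-23 17:57:51] [+] StringBinding ncacn_np:10.10.10.27[\pipe\svcctl]
[2021-01-23 17:57:52] [+] Executing %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat
impacket.dcerpc.v5.scmr.DCERPCSessionError: SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists.
[2021-01-23 17:57:52] [-] SCMR SessionError: code: 0x431 - ERROR_SERVICE_EXISTS - The specified service already exists
"""

if __name__ == "__main__":
    for name, sample in [("psexec", PSEXEC_SAMPLE), ("wmiexec", WMIEXEC_SAMPLE), ("smbexec", SMBEXEC_SAMPLE)]:
        r = diagnose(sample)
        print(name, "| stalled after:", r["hung_after"], "| pause:", r["gap_seconds"], "s")
        for key in r["errors"]:
            print("   ", key, "->", KNOWN_ERRORS[key])
```

Run against the three transcripts it reports the psexec run pausing for 995 seconds after "Uploading file WKypLxDp.exe" before ending in Errno 32 and Errno 110, the wmiexec capture still waiting at its last StringBinding line with no error at all, and the smbexec run failing immediately with ERROR_SERVICE_EXISTS and no pause. To use it on a fresh run, pipe the tool's output into a file and pass the file's contents to `diagnose()`.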
Same here.
Tried all of the above ways, and they get stuck.
I can get a reverse shell with the SQL way, but I cannot elevate to admin (not sure what command I can use; there’s no Python installed to use any of the bash tricks).