Open myfirstCTFgithub opened 3 weeks ago
Could you run `set verbose true` and `setg loglevel 3` and then rerun the `debug` command and attach the output? 🤞
Looks like the `exploit` method assumes that the `check` method has run successfully - which it looks like you've bypassed
As far as I can see from the error message, either the RHOST is wrong or the target's SMB isn't accessible?
I tried this both against my localhost and a remote Windows computer, getting the same error. It is possible that's the case. When running `REG QUERY "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"` against the target computer, it shows `RestrictDriverInstallationToAdministrators REG_DWORD 0x0` and `NoWarningNoElevationOnInstall REG_DWORD 0x1`, with the spooler being active. This configuration should be exploitable, although other things could be playing into this, like the attacking machine not being on the domain that the target IP is on.
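For defenders auditing the same Point and Print policy key, the following added example (not part of the thread and not Metasploit code) parses captured `REG QUERY` output and flags the two values quoted in the comment above. The host names and sample outputs are constructed, and reporting an absent key as "not-configured" is an assumption of this example.

```python
import re

# Value names as quoted in the post above.
RESTRICT = "RestrictDriverInstallationToAdministrators"
NO_PROMPT = "NoWarningNoElevationOnInstall"

# Matches "<name> REG_DWORD 0x<hex>" whether the output is one value per line
# or flattened onto a single line, as it appears in the post.
_DWORD_RE = re.compile(r"(\w+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)")

def parse_reg_dwords(text):
    """Return {value_name: int} for every REG_DWORD value in `reg query` output."""
    return {name: int(raw, 16) for name, raw in _DWORD_RE.findall(text)}

def assess_point_and_print(text):
    """Return (status, findings) for captured PointAndPrint policy output."""
    values = parse_reg_dwords(text)
    if not values:
        # reg.exe prints an ERROR line when the key is absent; this example
        # reports that as "not-configured" rather than guessing a default.
        return "not-configured", []
    findings = []
    if values.get(RESTRICT) == 0:
        findings.append(f"{RESTRICT}=0x0: driver installation is not restricted to administrators")
    if values.get(NO_PROMPT) == 1:
        findings.append(f"{NO_PROMPT}=0x1: no warning or elevation prompt on driver install")
    return ("weak" if findings else "ok"), findings

# Constructed sample outputs (not captured from a real host).
KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
SAMPLES = {
    "host-a": f"\n{KEY}\n    {RESTRICT}    REG_DWORD    0x0\n    {NO_PROMPT}    REG_DWORD    0x1\n",
    "host-b": f"\n{KEY}\n    {RESTRICT}    REG_DWORD    0x1\n    {NO_PROMPT}    REG_DWORD    0x0\n",
    "host-c": "ERROR: The system was unable to find the specified registry key or value.\n",
    "host-d": f"{RESTRICT} REG_DWORD 0x0 {NO_PROMPT} REG_DWORD 0x1",  # flattened form
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        status, findings = assess_point_and_print(output)
        print(f"{host}: {status}")
        for item in findings:
            print(f"  - {item}")
```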
Operating system: installed via Kali apt repository on Kali Linux.
expected behavior: exploit runs and interacts with target machine
current: exploit crashes after running. I've also run this against remote Windows machines with the same result
version:
what I ran:
debug output:
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
```
[framework/ui/console]
ActiveModule=exploit/windows/dcerpc/cve_2021_1675_printnightmare

[windows/dcerpc/cve_2021_1675_printnightmare]
RHOSTS=127.0.0.1
AutoCheck=false
loglevel=3
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=WORKGROUP
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::ProtocolVersion=1,2,3
SMB::AlwaysEncrypt=true
KrbCacheMode=read-write
SMB::Auth=auto
SMB::Rhostname=
DomainControllerRhost=
SMB::Krb5Ccname=
SMB::KrbOfferedEncryptionTypes=AES256,AES128,RC4-HMAC,DES-CBC-MD5,DES3-CBC-SHA1
SRVHOST=10.0.2.16
SRVPORT=445
ListenerBindAddress=
ListenerBindPort=
ListenerComm=
SHARE=
FILE_NAME=
FOLDER_NAME=
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
ReconnectTimeout=10
ForceExploit=false
LHOST=10.0.2.16
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
```

Database Configuration
The database contains the following information:
```
Session Type: postgresql selected, no connection
```

History
The following commands were ran during the session and before this issue occurred:
```
49 search nightmare
50 use 0
51 options
52 RHOSTS=127.0.0.1
53 set !!
54 set RHOST 127.0.0.1
55 exploit
56 set AutoCheck false
57 exploit
58 set loglevel 3
59 exploit
60 debug
```

Framework Errors
The following framework errors occurred before the issue occurred:
```
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
```

Web Service Errors
The following web service errors occurred before the issue occurred:
```
msf-ws.log does not exist.
```

Framework Logs
The following framework logs were recorded before the issue occurred:
```
[04/22/2024 11:59:22] [d(0)] core: Negotiated SMB version: SMB3
D, [2024-04-22T11:59:22.591564 #1914] DEBUG -- : Adding disk share: Mqmf
[04/22/2024 11:59:22] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T11:59:22.595452 #1914] DEBUG -- : Removing share: Mqmf
[04/22/2024 11:59:22] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:23:18] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:24:42] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare) - NoMethodError undefined method `remove_share' for nil:NilClass
D, [2024-04-22T12:26:05.937894 #22830] DEBUG -- : Adding disk share: MUxf
[04/22/2024 12:26:05] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:26:05.945973 #22830] DEBUG -- : Removing share: MUxf
[04/22/2024 12:26:05] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 12:34:37] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:51] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:34:52] [w(0)] core: The following modules could not be loaded!
[04/22/2024 12:34:52] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 12:34:52] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 12:34:52] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/exchange_enum
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/host_id
[04/22/2024 12:36:03] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 12:36:03] [w(0)] core: Removing invalid module reference from cache: scanner/msmail/onprem_enum
D, [2024-04-22T12:37:04.039760 #1708] DEBUG -- : Adding disk share: GxDH
[04/22/2024 12:37:04] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T12:37:04.047152 #1708] DEBUG -- : Removing share: GxDH
[04/22/2024 12:37:04] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:01:33] [e(0)] core: Failed to connect to the database: No database YAML file
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[04/22/2024 13:01:35] [w(0)] core: The following modules could not be loaded!
[04/22/2024 13:01:35] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[04/22/2024 13:01:35] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[04/22/2024 13:01:35] [w(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
D, [2024-04-22T13:02:20.741106 #15061] DEBUG -- : Adding disk share: oZxm
[04/22/2024 13:02:20] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:02:20.745642 #15061] DEBUG -- : Removing share: oZxm
[04/22/2024 13:02:20] [w(0)] core: IOError: stream closed in another thread
[04/22/2024 13:09:07] [e(0)] core: Failed to connect to the database: No database YAML file
D, [2024-04-22T13:10:30.361328 #19252] DEBUG -- : Adding disk share: NEqHh
[04/22/2024 13:10:30] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:10:30.365273 #19252] DEBUG -- : Removing share: NEqHh
[04/22/2024 13:10:30] [w(0)] core: IOError: stream closed in another thread
D, [2024-04-22T13:13:53.544344 #19252] DEBUG -- : Adding disk share: jkvesC
[04/22/2024 13:13:53] [e(0)] core: Exploit failed (windows/dcerpc/cve_2021_1675_printnightmare): NoMethodError undefined method `call' for nil:NilClass - NoMethodError undefined method `call' for nil:NilClass
D, [2024-04-22T13:13:53.551007 #19252] DEBUG -- : Removing share: jkvesC
[04/22/2024 13:13:53] [w(0)] core: IOError: stream closed in another thread
```

Web Service Logs
The following web service logs were recorded before the issue occurred:
```
msf-ws.log does not exist.
```

Version/Install
The versions and install method of your Metasploit setup:
```
Framework: 6.4.5-dev
Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
OpenSSL: OpenSSL 3.1.4 24 Oct 2023
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```