
I have a Windows machine I'm trying to compromise and I've managed to gain access to an SMB share as a guest user. Currently, I've uploaded a bind_tcp payload to the share and I'd like to execute it remotely. I am able to obtain a meterpreter shell when I manually log into the machine as guest and execute it.

So far, I've tried smbmap, smbexec, and crackmapexec with no luck using the -x option. I've also tried psexec_command, but I get an issue where it tries to clean up files in the Windows directory. Since I am not an admin, the command cannot continue as expected.

What could be some other possible methods to successfully execute this payload remotely?

I feel like it's also important to note that I can connect and list the share using smbclient, but I am not aware of any execution functions.

zxtshadow

1 Answer


You have different methods:

Here is a list of tools with corresponding examples of how to use them:

From a Linux machine:

  • WMI / Impacket's wmiexec.py or crackmapexec -x 'bind_tcp_payload' --exec-method wmi-exec
  • SMB / Impacket's smbexec.py or crackmapexec -x 'bind_tcp_payload' --exec-method smb-exec
  • Winexe / winexe
  • Scheduling a task / crackmapexec -x 'bind_tcp_payload' --exec-method atexec
  • Creating a service / Impacket's psexec.py

From a Windows machine:

  • Using Kerberos auth / runas
  • Creating a service / PsExec.exe or powershell
  • WMI / wmic
  • perhaps WinRM

You can try some of these tools, like creating a service manually, to better understand at which step it does not work.

A nice overview of all of this can be found in this blog series (1, 2, 3). Detailed explanations of crackmapexec can be found here.

secf00tprint
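The four execution paths the answer lists (service creation, scheduled tasks, WMI, and the SMB administrative shares) each leave a distinct footprint in the Windows event logs, and all of them rely on local administrator rights on the target, so they are typically seen under privileged accounts. As an added example that is not part of this thread, the Python below runs simple detection rules over constructed event records: the event IDs (System 7045 service install, Security 4698 scheduled task created, 4688 process creation, 5145 network share access) are real Windows IDs, while the sample records, field names and rule names are constructed for illustration and simplified relative to the real log schema.

```python
"""Toy detector for the remote-execution footprints discussed above.

Added example, not code from the thread.  Event records below are
constructed; field names are simplified versions of the Windows log fields.
"""
import ntpath
from typing import Dict, Iterable, List, Optional, Tuple

SYSTEM32 = "c:\\windows\\system32\\"
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")

# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Service-based remote exec: a new service whose binary sits outside System32.
    {"log": "System", "id": "7045", "host": "WS01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Task-scheduler based remote exec: task action runs a foreign executable.
    {"log": "Security", "id": "4698", "host": "WS01",
     "subject_user": "CORP\\svc-admin", "task_name": "\\updtask",
     "task_content": "cmd.exe /c C:\\share\\payload.exe"},
    # WMI-based remote exec: cmd.exe spawned by the WMI provider host.
    {"log": "Security", "id": "4688", "host": "WS01",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /Q /c whoami"},
    # SMB: a binary written into the ADMIN$ share from the network.
    {"log": "Security", "id": "5145", "host": "WS01",
     "share_name": r"\\*\ADMIN$", "relative_target": "PSEXESVC.exe",
     "source_addr": "10.0.0.5"},
    # Benign controls: built-in service under System32, explorer launching notepad.
    {"log": "System", "id": "7045", "host": "WS01",
     "service_name": "wuauserv",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"log": "Security", "id": "4688", "host": "WS01",
     "parent_image": r"C:\Windows\explorer.exe",
     "new_process": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def _norm_path(p: str) -> str:
    """Lower-case a Windows path and expand %SystemRoot% so prefixes compare."""
    return p.lower().replace("%systemroot%", "c:\\windows")


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the event matches a remote-exec footprint, else None."""
    eid = ev.get("id")
    if eid == "7045":
        # New service whose image lives outside System32.
        if not _norm_path(ev.get("image_path", "")).startswith(SYSTEM32):
            return "service_install_outside_system32"
    elif eid == "4698":
        # Scheduled task whose action runs an .exe from a non-Windows path.
        for tok in ev.get("task_content", "").split():
            t = _norm_path(tok)
            if t.endswith(".exe") and "\\" in t and not t.startswith("c:\\windows\\"):
                return "scheduled_task_runs_foreign_exe"
    elif eid == "4688":
        # Shell spawned by WmiPrvSE.exe, the WMI provider host.
        parent = ntpath.basename(_norm_path(ev.get("parent_image", "")))
        child = ntpath.basename(_norm_path(ev.get("new_process", "")))
        if parent == "wmiprvse.exe" and child in ("cmd.exe", "powershell.exe"):
            return "wmi_spawned_shell"
    elif eid == "5145":
        # Access to an administrative share over the network.
        if ev.get("share_name", "").upper().endswith(ADMIN_SHARES):
            return "admin_share_access"
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, event id, rule) for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev.get("host", "?"), ev["id"], rule))
    return hits


if __name__ == "__main__":
    for host, eid, rule in detect(SAMPLE_EVENTS):
        print(f"{host} event {eid}: {rule}")
```

The rules are deliberately narrow (path prefix, parent process name, share suffix) so that the two benign control records produce no hits; in a real pipeline the same checks would be applied to parsed EVTX or forwarded events and tuned with an allow-list of known software installers and management tooling.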