Error 1053
masaki080 opened this issue · comments
I am running GoFetch in the following environment, but I can not execute service with error 1053.
The targets of attack are Windows 7 (32 and 64 bit) and 2018, etc., but all result in the same error.
Where is the problem?
Execution environment
The execution environment is the following two.
Both will result in the same error.
Windows7 SP1 64-bit
PowerShell3.0
.NET4.0
Windows7 SP1 32-bit
PowerShell3.0
.NET4.0
GoFetchLog
6/6/2019 1:38 PM GoFetch started on msl8-cl05
6/6/2019 1:38 PM Attack path loaded - Verifying path
6/6/2019 1:38 PM GoFetch in AdminTo
6/6/2019 1:38 PM CopyAndExecuteNext with targetComputer: MSL8-CL03 and targetUser: ******** and payload: test.bat
6/6/2019 1:38 PM Copy payload from C:\Users\********\Downloads\GoFetch\test.bat to \\MSL8-CL03\c$\GoFetch\test.bat
6/6/2019 1:38 PM Copied additional payload from C:\Users\********\Downloads\GoFetch\test.bat to \\MSL8-CL03\c$\GoFetch\test.bat
6/6/2019 1:38 PM Run Invoke-PsExec with command: cmd.exe /c C:\GoFetch\test.bat
6/6/2019 1:38 PM Invoke-PsExec additional payload command: cmd.exe /c C:\GoFetch\test.bat
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM CopyAndRunAdditionalPayload - Done on MSL8-CL03
6/6/2019 1:38 PM CopyAndExecuteNext - Done Invoke-PsExec on MSL8-CL03
6/6/2019 1:38 PM Waiting to GoFetchOutput.log file in \\MSL8-CL03\c$\GoFetch\GoFetchOutput.json
6/6/2019 1:38 PM |MSL8-CL03| - 6/6/2019 1:38 PM GoFetch started on msl8-cl03
6/6/2019 1:38 PM |MSL8-CL03| - 6/6/2019 1:38 PM Attack path loaded - Verifying path
6/6/2019 1:38 PM |MSL8-CL03| - 6/6/2019 1:38 PM Local GoFetchOutput.log file was created
6/6/2019 1:38 PM Prompt message: Something went wrong
Number of exceptions 0
6/6/2019 1:39 PM Local GoFetchOutput.log file was created
Event Viewer System Log
Log Name: System
Source: Service Control Manager
Date: 6/6/2019 1:38:52 PM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: msl8-cl03.*******.jp
Description:
The TestSVC service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-06-06T04:38:52.686945000Z" />
<EventRecordID>1565</EventRecordID>
<Correlation />
<Execution ProcessID="468" ThreadID="264" />
<Channel>System</Channel>
<Computer>msl8-cl03.*******.jp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">TestSVC</Data>
<Data Name="param2">%%1053</Data>
</EventData>
</Event>
--------------------------------------------------
Log Name: System
Source: Service Control Manager
Date: 6/6/2019 1:38:52 PM
Event ID: 7009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: msl8-cl03.*******.jp
Description:
A timeout was reached (30000 milliseconds) while waiting for the TestSVC service to connect.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7009</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2019-06-06T04:38:52.686945000Z" />
<EventRecordID>1564</EventRecordID>
<Correlation />
<Execution ProcessID="468" ThreadID="264" />
<Channel>System</Channel>
<Computer>msl8-cl03.*******.jp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">30000</Data>
<Data Name="param2">TestSVC</Data>
</EventData>
</Event>
The last command that was executed failed to validate the rest of the attack path. I copied the relevant code below - Any chance the attack path you're using is missing a node or data (i.e the last user expected to be found on the target)?
WriteLog 'Attack path loaded - Verifying path'
if ($pathOfAttack -eq $null -or $pathOfAttack.Length -eq 0 -or $pathOfAttack.path.Length -eq 0)
{
$exceptionMessage = "Invalid attack path"
$resultToReturn = '{"path" : [] ,"final" = [], "exceptions" : {0},"status": {"Type" : "Exception"}}' -f ($exceptionMessage)
Set-Content $pathToFileWithReturnedResult $resultToReturn
return
}
There is no path like the video below.
https://www.youtube.com/watch?v=5SpDAxUx7Uk&feature=youtu.be
HOST → USER → HOST → USER → HOST
The only path that will come out is the following path, so it was implemented with the following path.
USER → HOST(AdminTo)
How can I create an environment where video-like paths appear?
I don't think it's about listening here, though.
I will try again. Thank you very much.