Ever been able to drop a payload on a machine, but not execute it? I’ve had a few odd times on assessments and/or CTFs where I’ve been able to drop a payload onto a machine that I am targeting, but haven’t been able to trigger it. An example I can talk to is when I’ve created a custom executable, such as one generated from Veil, and use metasploit’s psexec to drop the payload on the machine (which I’ve already obtained hashes or clear-text credentials), but upon uploading the executable to the target machine, for some reason, I don’t get the callback. When this happens, as long as I can verify from the metasploit output (assuming that I used metasploit’s psexec) that uploading the binary was successful, I can use psexec_command to attempt to re-trigger the payload.
So, how do we do this? Here’s how I’ve made this work before:
First, we need to attempt to psexec into a machine with our custom executable. One thing to note, I prefer to use the C$ share when dropping a payload on a machine. There’s no real reason other than the command you provide to metasploit (later) is shorter. Once you’ve provided Metasploit’s psexec module with all the options it needs and execute it, you should see something similar to the following:
But what we sometimes don’t get is the all-important awesome sign of “Sending Stage…”. So.. how can we fix that?
Based off of the Metasploit log above, we can see that our custom executable was uploaded to the target machine as wdKedAbD.exe and it was dropped into the C$ share. We have all the information necessary to manually call our executable and attempt to trigger it via metasploit’s psexec_command. To do that, our configuration should look something like the following:
Note: You will need the double backslashes when setting your “Command” value.
The thing to note here is that we are calling the same executable that was uploaded in our original psexec attempt. This is what is allowing us to attempt to re-trigger the payload that was already uploaded to the machine. With all of our payload variables set, we can now run this single command against the same machine. The output upon executing our psexec_command module should look like the following:
We can see from this output that our payload was triggered, and the second stage was sent, and we opened a new meterpreter session. Success!
If anyone has any questions, feel free to ask here or on twitter @ChrisTruncer!