Unable to find accessible named pipe!



    Don't be confused, this is about MS17-010 and the error you'll sometimes see which states:  "Unable to find accessible named pipe!

    Since I came across this while working, I thought I'd document the steps of how I got here and how I worked to move past it.

    I'm on a network with a Windows 2008 Server and when I perform my port scan, I see:

    Hitting that port with a browser, I see an older version of ManageEngine Desktop Central:

    Firing up Metasploit, I go after it with this exploit:

    I execute:

    But when I check getuid, I see that I'm not NT AUTHORITY\SYSTEM.

    I attempt getsystem and I also run the privilege suggester -- still no luck.  The box is older and appears to possibly be unpatched based on the older version of Deskop Central.  I decide to port forward the SMB ports to scan for MS17-010:

    With the port forward setup, I scan:

    Excellent!  It's vulnerable to MS17-010.  Let's move back to Metasploit:

    I like the psexec exploit and I configure options:

    I execute:

    This error is puzzling because we have the named_pipes.txt file listed but the key word in this phrase is "accessible".  I'll be honest, I've come across boxes that just pop, boxes that are patched, and boxes such as this one.  In this latter form, I assume there's something that requires a username and password but I don't know exactly why.  But let's focus on the part of needing credentials.  We just need ANY credentials.  If you can get credentials on any account, we can move forward with this exploit.

    Jumping into a shell, if we call net users, we see:

    I uncover the password for this user and I add the credentials to the options:

    I execute:

    The execution is successful and when we call getuid, we are NT AUTHORITY\SYSTEM.

    UPDATE:  This is literally the most popular post almost every single day.  I didn't realize this was such a mystery but I guess it is.  I've seen posts that talk about how to fix this with Metasploit updates and such -- that is not the case but for a select few, I would imagine.  This could help better understand the situation:

    Similarly setup like the original image above but this time, we're setting VERBOSE to true.  When we execute:

    When it runs through all of the named pipes, it's getting "ACCESS DENIED".  There's no way around that without getting a user and pass like I've discussed above.  

    © 2020 sevenlayers.com