Error 1053

[masaki080]

I am running GoFetch in the following environment, but I can not execute service with error 1053.

The targets of attack are Windows 7 (32 and 64 bit) and 2018, etc., but all result in the same error.

Where is the problem?

Execution environment

The execution environment is the following two.
Both will result in the same error.

Windows7 SP1 64-bit
PowerShell3.0
.NET4.0

Windows7 SP1 32-bit
PowerShell3.0
.NET4.0

GoFetchLog

6/6/2019 1:38 PM GoFetch started on msl8-cl05
6/6/2019 1:38 PM Attack path loaded - Verifying path
6/6/2019 1:38 PM GoFetch in AdminTo
6/6/2019 1:38 PM CopyAndExecuteNext with targetComputer: MSL8-CL03 and targetUser: ******** and payload: test.bat
6/6/2019 1:38 PM Copy payload from C:\Users\********\Downloads\GoFetch\test.bat to \\MSL8-CL03\c$\GoFetch\test.bat
6/6/2019 1:38 PM Copied additional payload from C:\Users\********\Downloads\GoFetch\test.bat to \\MSL8-CL03\c$\GoFetch\test.bat
6/6/2019 1:38 PM Run Invoke-PsExec with command: cmd.exe /c C:\GoFetch\test.bat
6/6/2019 1:38 PM Invoke-PsExec additional payload command: cmd.exe /c C:\GoFetch\test.bat
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM PsExec: {0}
6/6/2019 1:38 PM CopyAndRunAdditionalPayload - Done on MSL8-CL03
6/6/2019 1:38 PM CopyAndExecuteNext - Done Invoke-PsExec on MSL8-CL03 
6/6/2019 1:38 PM Waiting to GoFetchOutput.log file in \\MSL8-CL03\c$\GoFetch\GoFetchOutput.json
6/6/2019 1:38 PM  |MSL8-CL03| - 6/6/2019 1:38 PM GoFetch started on msl8-cl03
6/6/2019 1:38 PM  |MSL8-CL03| - 6/6/2019 1:38 PM Attack path loaded - Verifying path
6/6/2019 1:38 PM  |MSL8-CL03| - 6/6/2019 1:38 PM Local GoFetchOutput.log file was created
6/6/2019 1:38 PM Prompt message: Something went wrong 
Number of exceptions 0
6/6/2019 1:39 PM Local GoFetchOutput.log file was created

Event Viewer System Log

Log Name:      System
Source:        Service Control Manager
Date:          6/6/2019 1:38:52 PM
Event ID:      7000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      msl8-cl03.*******.jp
Description:
The TestSVC service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-06T04:38:52.686945000Z" />
    <EventRecordID>1565</EventRecordID>
    <Correlation />
    <Execution ProcessID="468" ThreadID="264" />
    <Channel>System</Channel>
    <Computer>msl8-cl03.*******.jp</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">TestSVC</Data>
    <Data Name="param2">%%1053</Data>
  </EventData>
</Event>
--------------------------------------------------
Log Name:      System
Source:        Service Control Manager
Date:          6/6/2019 1:38:52 PM
Event ID:      7009
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      msl8-cl03.*******.jp
Description:
A timeout was reached (30000 milliseconds) while waiting for the TestSVC service to connect.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7009</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2019-06-06T04:38:52.686945000Z" />
    <EventRecordID>1564</EventRecordID>
    <Correlation />
    <Execution ProcessID="468" ThreadID="264" />
    <Channel>System</Channel>
    <Computer>msl8-cl03.*******.jp</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">30000</Data>
    <Data Name="param2">TestSVC</Data>
  </EventData>
</Event>

[talmaor]

The last command that was executed failed to validate the rest of the attack path. I copied the relevant code below - Any chance the attack path you're using is missing a node or data (i.e the last user expected to be found on the target)?

WriteLog 'Attack path loaded - Verifying path'
            if ($pathOfAttack -eq $null -or $pathOfAttack.Length -eq 0 -or $pathOfAttack.path.Length -eq 0)
            {
				$exceptionMessage = "Invalid attack path"
				$resultToReturn = '{"path" : [] ,"final" = [], "exceptions" : {0},"status": {"Type" : "Exception"}}' -f ($exceptionMessage)
				Set-Content $pathToFileWithReturnedResult $resultToReturn
				return
            }

[masaki080]

There is no path like the video below.

https://www.youtube.com/watch?v=5SpDAxUx7Uk&feature=youtu.be

HOST → USER → HOST → USER → HOST

The only path that will come out is the following path, so it was implemented with the following path.

USER → HOST（AdminTo）

How can I create an environment where video-like paths appear?
I don't think it's about listening here, though.

I will try again. Thank you very much.