Outdated - [HTB]

Marmeus

Introduction

Outdated is a medium-difficulty Windows machine from HackTheBox. The attacker sends a phishing email that exploits the Follina vulnerability to obtain RCE on the machine, then uses the "Shadow Credentials" technique to move laterally within the domain, and finally abuses WSUS to become an administrator.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

Then we continue with a deeper scan of every open port to gather more information about each service.

It seems that the machine is a Domain Controller with several domain names. Add them to your /etc/hosts file.

Then, with the following script, it is possible to check the share permissions.

Inside the "Shares" share, there is a PDF.

The contents of the file are the following.

Email staff

Exploitation

The text talks about sending links to IT support so they can monitor internal platforms. Interestingly, it also mentions CVEs that must be patched; the first, CVE-2022-30190, a.k.a. Follina, uses a Word document's external link to invoke the Microsoft Support Diagnostics Tool (MSDT) and achieve code execution.
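From the defender's side, the document-level artifact of this chain is easy to check for: a Follina-style .docx carries an OLE object relationship with TargetMode="External" whose target is an http(s) (or mhtml-wrapped) URL, and the HTML fetched from it is what carries the ms-msdt: URI. The following scanner is an added example and not part of this writeup or John Hammond's script; it builds two constructed minimal packages in memory (one with an external OLE object, one with an ordinary hyperlink) and reports which one shows the indicator. The hostnames in the sample targets are made up.

```python
"""Scan a .docx package for external OLE object relationships that point at a
remote URL, the first stage of the Follina (CVE-2022-30190) chain.
Added example; the sample documents are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# A remote target: a plain http(s) URL or an mhtml: wrapper around one.
REMOTE_TARGET = re.compile(r"^(?:mhtml:)?https?://", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Yield (part_name, rel_type, target) for every relationship in any *.rels
    part whose TargetMode is External, i.e. content fetched from outside the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def follina_indicators(docx_bytes):
    """Return (part_name, target) for each external OLE object relationship with a
    remote target. Ordinary documents embed OLE objects inside the package, so an
    OLE object fetched over HTTP is the indicator worth alerting on; hyperlinks
    with external targets are normal and are not reported."""
    return [
        (part, target)
        for part, rel_type, target in external_relationships(docx_bytes)
        if rel_type == OLE_REL_TYPE and REMOTE_TARGET.match(target)
    ]


def build_sample_docx(rel_type, target):
    """Construct a minimal, otherwise empty .docx with one external relationship
    of the given type, so the scanner can be exercised offline (constructed data)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{rel_type}" Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the hostnames do not exist.
    suspicious = build_sample_docx(OLE_REL_TYPE, "http://attacker.example/page.html")
    benign = build_sample_docx(HYPERLINK_REL_TYPE, "https://intranet.example/handbook")
    print("suspicious document:", follina_indicators(suspicious))
    print("benign document:", follina_indicators(benign))
```

Running the same scanner over a mail gateway's attachment quarantine gives a cheap triage signal that does not depend on the remote HTML still being online.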

The easiest way to exploit this vulnerability is with John Hammond's script.

However, because this script downloads nc64.exe from the Internet, you need to modify it so the file is downloaded from your attacking machine instead.

Then, execute the script as follows:

Finally, send an email to the IT support with a link to your local machine so the exploit can be executed.

After around 3 minutes, a reverse shell as "btables" is obtained.

Privilege Escalation 1

To enumerate the domain, you can use SharpHound to collect the domain data and then smbserver to exfiltrate it.

Because there is no direct path to the domain administrator, the pathfinding option can be used to find a path that allows us to become the user "sflowers".

Shadow Credentials

This can be achieved by abusing a technique named "Shadow Credentials", which requires a compiled version of Whisker. Thanks to PowerShark, it can be obtained with the following command:

After that, run the following commands to become sflowers:

Finally, access the machine through WinRM as sflowers.

Privilege Escalation 2

Continuing the enumeration of the machine with WinPEAS, the WSUS privilege escalation technique appears.

The exploit referenced on HackTricks is for MitM attacks, which don't work in this scenario. However, there is an alternative named SharpWSUS, which also requires compilation and can be obtained with the following commands.

You also need PsExec to execute the payload as NT AUTHORITY\SYSTEM.

Furthermore, you need to create a reverse shell with msfvenom that will be executed during the update.

Finally, upload everything to the machine.

To perform the privilege escalation, execute the following commands, as shown on PayloadsAllTheThings.

Then, create the update.

After that, execute the approve command that appears after creating the update.

Finally, wait a few minutes to obtain a reverse shell as nt authority\system.
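Two configuration facts decide how exposed a WSUS deployment is to the techniques above: whether clients pull updates over plain HTTP (the HackTricks MitM scenario) and who holds WSUS administration rights on the server (what SharpWSUS needs in order to publish and approve an update; WSUS only deploys Microsoft-signed binaries, which is why PsExec is paired with the msfvenom payload). The first is visible on any client in the WindowsUpdate policy keys. The checker below is an added example, not part of this writeup, SharpWSUS or PayloadsAllTheThings; it parses the output format of reg query (the value names WUServer, WUStatusServer and UseWUServer are the real policy values) and the registry dump it runs on is constructed, with a made-up server name.

```python
"""Parse 'reg query ... /s' output for the WindowsUpdate policy keys and flag a
WSUS client that is configured to fetch updates over plain HTTP.
Added example; the registry dump below is constructed."""
import re
from urllib.parse import urlparse

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Constructed output of: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.corp.example:8530
    WUStatusServer    REG_SZ    http://wsus.corp.example:8530

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    NoAutoUpdate    REG_DWORD    0x0
"""

# "    Name    REG_TYPE    data" lines as printed by reg query
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def assess_wsus_client(keys):
    """Return a list of findings for the WSUS client configuration.
    Nothing is reported when UseWUServer is off, because the client then talks
    to Microsoft Update directly and no intranet WSUS server is involved."""
    findings = []
    au = keys.get(AU_KEY, {})
    wu = keys.get(WU_KEY, {})
    use_wsus = au.get("UseWUServer", ("REG_DWORD", "0x0"))[1]
    if int(use_wsus, 16) != 1:
        return findings
    for name in ("WUServer", "WUStatusServer"):
        if name not in wu:
            findings.append(f"{name} is not set although UseWUServer=1")
            continue
        url = urlparse(wu[name][1])
        if url.scheme.lower() != "https":
            findings.append(
                f"{name} uses {url.scheme}: update metadata and binaries from "
                f"{url.netloc} can be altered in transit; switch WSUS to HTTPS")
    return findings


if __name__ == "__main__":
    for finding in assess_wsus_client(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("FINDING:", finding)
```

Moving WSUS to HTTPS closes the in-transit variant; the SharpWSUS path is a permissions problem, so the complementary server-side check is reviewing membership of the WSUS Administrators group and the approval history for updates that were published locally rather than synchronised from Microsoft.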