Outdated - HTB
(August 13, 2022, 09:02 PM)yumi Wrote:
Reply
nice machine
Reply
(August 13, 2022, 09:02 PM)yumi Wrote: let me see
Reply
(August 15, 2022, 07:51 PM)cocacolastic_boy Wrote:
(August 15, 2022, 06:46 PM)Duckfield Wrote: Been using both telnet and swaks and I cannot get a ping on my HTTP server. Is it the wrong approach?


Same, someone please explain how to do that


This machine is really weird. Two or three days ago I got a callback using swaks sending a simple link like http://10.10.xxx.xxx/test, but today it's not working.
Reply
nice work
(August 13, 2022, 07:02 PM)wayxoo Wrote: Host is up (0.067s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:06+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:05+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:06+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m42s, deviation: 0s, median: 6h59m42s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-08-14T02:01:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.38 seconds
Reply
😎
Reply
rooted
The intended PE is via WSUS; use a tool called SharpWSUS. Instructions are available on PayloadsAllTheThings.
There is a non-HTTPS WSUS server configured, and the UseWUServer bit is 1, so this is definitely exploitable.
SharpWSUS doesn't come pre-compiled, so you either need to compile it or use a PowerShell build which provides a gzip+base64 encoded string; this is the pre-compiled binary.
And the rest is pretty straightforward.
Reply
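Added example, not part of the thread and not code from SharpWSUS or PayloadsAllTheThings: a PowerShell audit that checks a client for the condition named in the post above (a WSUS server configured without HTTPS while UseWUServer is 1). The function names, the finding labels and the sample host name are assumptions made for this example; the registry paths are the standard Windows Update policy locations.

```powershell
# Added example: classify the Windows Update policy condition named in the post.
function Test-WsusPolicy {
    param(
        [string]$WUServer,       # WUServer policy value (update server URL)
        [int]$UseWUServer = 0    # AU\UseWUServer policy value (1 = use WUServer)
    )
    $finding = 'NotConfigured'
    $detail  = 'No WSUS server is set by policy.'
    if ($WUServer) {
        $uri = $null
        $ok  = [System.Uri]::TryCreate($WUServer, [System.UriKind]::Absolute, [ref]$uri)
        if (-not $ok) {
            $finding = 'Invalid'
            $detail  = "WUServer is not a valid URL: $WUServer"
        } elseif ($UseWUServer -ne 1) {
            $finding = 'Inactive'
            $detail  = 'WUServer is set but UseWUServer is not 1.'
        } elseif ($uri.Scheme -eq 'https') {
            $finding = 'OK'
            $detail  = 'Clients reach WSUS over TLS.'
        } else {
            $finding = 'Exposed'
            $detail  = 'UseWUServer is 1 and WUServer is not HTTPS; move WSUS to TLS.'
        }
    }
    [pscustomobject]@{
        WUServer    = $WUServer
        UseWUServer = $UseWUServer
        Finding     = $finding
        Detail      = $detail
    }
}

function Get-WsusPolicy {
    # Reads the live values from the Windows Update policy keys; a missing key or value counts as unset.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -Name WUServer -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -Name UseWUServer -ErrorAction SilentlyContinue
    $url = ''
    $use = 0
    if ($wu) { $url = [string]$wu.WUServer }
    if ($au) { $use = [int]$au.UseWUServer }
    Test-WsusPolicy -WUServer $url -UseWUServer $use
}

# Constructed sample values (placeholder host name), evaluated without touching the registry:
Test-WsusPolicy -WUServer 'http://wsus.example.internal:8530' -UseWUServer 1
Test-WsusPolicy -WUServer 'https://wsus.example.internal:8531' -UseWUServer 1
Test-WsusPolicy -WUServer 'http://wsus.example.internal:8530' -UseWUServer 0
```

Running `Get-WsusPolicy` on a domain-joined client evaluates the policy actually applied to that machine.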
thanks
Reply
Thanks
Reply
thank you guys for all your support
Reply

