Read my writeup to Outdated machine on:
User 1: Found PDF on SMB share, From the PDF we know that we need to use
CVE-2022-30190 (folina), Sending mail with URL to folina to
firstname.lastname@example.org and we get a reverse shell as
User 2: By running
bloodhound we can see that we can use
AddKeyCredentialLink This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object’s (user or computer account) attribute
msDS-KeyCredentialLink and append it with alternate credentials in the form of certificates, Using that we get the user ```sflowers````.
wsus.outdated.htb with misconfiguration (Allow HTTP), Using
SharpWSUS we create an update with
PSExec.exe command that adds
sflowers to local administrators group.