Outdated Writeup by evyatar9

Read my writeup of the Outdated machine on:

TL;DR

User 1: Found a PDF on an SMB share. From the PDF we learn that we need to use CVE-2022-30190 (Follina). Sending a mail with a Follina URL to itsupport@outdated.htb gives us a reverse shell as btables.

User 2: Running BloodHound shows that we can use AddKeyCredentialLink. This technique allows an attacker to take over an AD user or computer account if the attacker can modify the target object's (user or computer account) msDS-KeyCredentialLink attribute and append alternate credentials to it in the form of certificates. Using that, we get the user `sflowers`.

Root: Found wsus.outdated.htb with a misconfiguration (Allow HTTP). Using SharpWSUS, we create an update with a PSExec.exe command that adds sflowers to the local administrators group.
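
On the defensive side of the User 2 step, a write to msDS-KeyCredentialLink shows up as Security event 5136 on a domain controller when directory service change auditing and a SACL on the object are in place. The following is an added example, not part of the writeup, that flags unexpected additions to that attribute. Assumptions: events are available as XML, the allow-listed service account name `svc-aadconnect` is hypothetical, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED = "%%14674"  # OperationType "Value Added" in event 5136
# Assumption: accounts expected to write key credentials (hypothetical name).
ALLOWED_WRITERS = {"svc-aadconnect"}

def parse_5136(xml_text):
    """Return the EventData fields of a 5136 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}

def suspicious_keycred_writes(events_xml):
    """Return (writer, target DN) for unexpected msDS-KeyCredentialLink additions."""
    hits = []
    for xml_text in events_xml:
        f = parse_5136(xml_text)
        if not f or f.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        if f.get("OperationType") != VALUE_ADDED:
            continue
        writer, target = f.get("SubjectUserName", ""), f.get("ObjectDN", "")
        # Assumption: a computer account writing to its own object is expected.
        self_write = writer.endswith("$") and target.lower().startswith(
            f"cn={writer[:-1].lower()},")
        if writer.lower() in ALLOWED_WRITERS or self_write:
            continue
        hits.append((writer, target))
    return hits

def _sample(event_id, writer, dn, attr, op):
    """Build a constructed event record holding only the fields used above."""
    data = {"SubjectUserName": writer, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{body}</EventData></Event>")

USER_DN = "CN=sflowers,CN=Users,DC=outdated,DC=htb"  # constructed DN
SAMPLE_EVENTS = [  # constructed events, not taken from the machine
    _sample(5136, "btables", USER_DN, "msDS-KeyCredentialLink", VALUE_ADDED),
    _sample(5136, "CLIENT$", "CN=CLIENT,CN=Computers,DC=outdated,DC=htb",
            "msDS-KeyCredentialLink", VALUE_ADDED),
    _sample(5136, "btables", USER_DN, "description", VALUE_ADDED),
    _sample(4662, "btables", USER_DN, "msDS-KeyCredentialLink", VALUE_ADDED),
]
if __name__ == "__main__":
    for writer, target in suspicious_keycred_writes(SAMPLE_EVENTS):
        print(f"ALERT: {writer} added a key credential to {target}")
```
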