Timelapse - [HTB]

Marmeus

Introduction

Timelapse is an easy Windows machine where the attacker has to use a certificate and some RID enumeration to access the machine as the user "legacyy". Then, looking at the PowerShell history, they will find credentials for a user who can read LAPS passwords. Finally, using crackmapexec, the attacker can obtain the DC's password and, with it, the root flag.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

Then, we continue with a deeper scan of every open port, getting more information about each service.

Thanks to Nmap, it was possible to obtain the machine's domain name, dc01.timelapse.htb.

Looking at the SMB service without credentials, there is a share named Shares.

Enumerating the share, there is a file named winrm_backup.zip alongside LAPS documentation.

The backup file is password protected. Nonetheless, it can be cracked pretty easily with john.

Inside the zip file, there is a Windows certificate.

This certificate is also password protected. However, once again, it can be cracked with john.

Moreover, by RID brute-forcing, it can be discovered that "legacyy" is a legitimate user on the AD domain.

Exploitation

Because the only service that accepts encrypted connections is WinRM over HTTPS, which evil-winrm supports with client certificates, we need to convert the Windows certificate into a private key and a certificate in PEM format. After that, you will obtain the user flag.

Privilege Escalation

Looking at legacyy's PowerShell console history, we can find credentials used to access the machine through WinRM as the user "svc_deploy".
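As an added defender-side example that is not part of the original writeup, the script below scans a PSReadLine history file (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`) for the pattern that leaks credentials the way svc_deploy's did here: a literal password passed to `ConvertTo-SecureString -AsPlainText` and then wrapped in a `PSCredential`. The sample history and its password are constructed, and the function and regex names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a PSReadLine ConsoleHost_history.txt; the account name
# mirrors the writeup, the password is a made-up placeholder.
SAMPLE_HISTORY = """\
whoami
$p = ConvertTo-SecureString 'Example-Pass-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -scriptblock { whoami }
Get-ChildItem C:\\Users
"""

# $var = ConvertTo-SecureString '<literal>' -AsPlainText ...  (secret in clear)
SECURESTRING_RE = re.compile(
    r"""^\s*\$(?P<var>\w+)\s*=\s*ConvertTo-SecureString\s+(['"])(?P<secret>[^'"]+)\2\s+-AsPlainText""",
    re.IGNORECASE)
# New-Object ...PSCredential ('<user>', $var)  -> ties a user name to that secret
PSCRED_RE = re.compile(
    r"""PSCredential\s*\(\s*(['"])(?P<user>[^'"]+)\1\s*,\s*\$(?P<var>\w+)\s*\)""",
    re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    kind: str
    user: Optional[str]
    secret_preview: str  # redacted so the report itself does not leak the secret

def redact(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"

def scan_history(text: str) -> List[Finding]:
    """Return one Finding per line that exposes a plaintext secret."""
    findings: List[Finding] = []
    secure_vars = {}  # lowercase variable name -> plaintext secret seen earlier
    for n, line in enumerate(text.splitlines(), 1):
        m = SECURESTRING_RE.match(line)
        if m:
            secure_vars[m["var"].lower()] = m["secret"]
            findings.append(Finding(n, "plaintext-securestring", None, redact(m["secret"])))
            continue
        m = PSCRED_RE.search(line)
        if m and m["var"].lower() in secure_vars:
            secret = secure_vars[m["var"].lower()]
            findings.append(Finding(n, "pscredential-from-plaintext", m["user"], redact(secret)))
    return findings
```

Run it over each user's history file on a host; a finding of kind `pscredential-from-plaintext` tells you which account's password is sitting in clear text on disk and should be rotated.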

Enumerating this user, you can see that it is a member of the "LAPS_Readers" group.

Hence, with crackmapexec you can retrieve the LAPS passwords, obtaining DC01's password.

Note: this password changes every time the machine is reset.

Finally, we can obtain the root flag by accessing the machine as Administrator.