HackTheBox-Timelapse

Timelapse was an easy rated windows machine which involved enumerating SMB shares from where we’ll find a pfx certificate which was password protected, on cracking will reveal that it belongs to legacyy user which can be used on WinRM over SSL running on port 5986 , having a shell we can escalate to svc_deploy user by finding the credentials from Powershell console history file, this user belongs to LAPS_READERS group which has the permissions to read LAPS password to become Administrator.

NMAP

PORT      STATE SERVICE       VERSION              
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-27 03:07:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after: 2022-10-25T14:25:29
| MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-03-27T03:10:27+00:00; +7h59m59s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
64463/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cg
i-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/27%Time=623F6471%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-03-27T03:09:54
|_ start_date: N/A

From the nmap results we have port 88 open which is kerberos that runs on a Domain Controller, so we are looking at Active Directory here and we also have the domain name as well which is dc01.timelapse.htb , let's add this in our /etc/hosts file

PORT 389 (LDAP)

Checking for null authentication on LDAP but it failed as it needs valid credentials

PORT 139/445 (SMB)

Having smb service running, we can check what shares this machine has using smbclient

Checking the Shares we have two folders here

In Dev folder we have winrm_backup.zip so let's download that

And in HelpDesk we have 3 document files regarding LAPS and an installer file for LAPS

LAPS here is Local Administrator Password Solution which randomizes local administrator’s password in the ad domain in each hosts, so that the administrator account’s password isn’t the same across the domain

When unzipping the archive from smb share it asks for a password

Using fcrackzip we can brutefroce the password for this zip archive

fcrackzip -u -D -p /opt/SecLists/Passwords/rockyou.txt ./winrm_backup.zip

Here the parameters are:

  • -u, It will try to decompress the first file by calling unzip with the guessed password
  • -D, This will use dictionary mode, fcrackzip will read passwords from a file which must contain one password per line
  • -p, this is for specifying either a string or the wordlist

Foothold

After unzipping the archive we’ll get a pfx (legacyy_dev_auth.pfx) file and it's a SSL certificate that contains both public and private keys which can be used for authentication that is protected by a password

I tried to read the certificate with openssl and provided the same password that we got for the archive but it failed

We can try to crack the password hash for this pfx file by running pfx2john to get the hash then running johntheripper to crack it

And now we should be able to read the certificate

Reading the certificate we can see a user name Legacyy, this can be verified if it's actually a username on the machine by running kebrute to see if the user exists

Since port 5986 is open which is WinRM over SSL, we need to use a certificate to authenticate to winrm, evill-winrm doesn't have the option to use pfx certificate but it does have an option for public and private key.

And doing this, it worked

In C:\Users we see user svc_deploy and TRX

Privilege Escalation (svc_deploy)

As this is a AD box, we can try running bloodhound to enumerate the domain for potential paths for privilege escalation and other mis-configurations in the domain

But after uploading it and importing, it was blocked by AV, I tried it through IEX as well but it still didn't worked

Downloading sharphound.exe from here https://github.com/BloodHoundAD/SharpHound and running it worked

On uploading the json files to bloodhound we can see a group named LAPS_READERS that can read LAPS password on the domain controller

And svc_deploy is a member of that group so we need to first get to this user in order to read LAPS

So moving on I tried looking into the powershell history file and found the credentials for svc_deploy user

more .\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

The history file shows us the password for svc_deploy being used used with PS-Credential object, we can just use the same commands to execute commands as svc_deploy or just get a shell through winrm

We already have found that this user is in LAPS_READER so now we just need to read the LAPS password to get administrator account

Privilege Escalation (Administrator)

I tried looking into ways to read LAPS password and since we can’t import scripts I tried running sharplaps.exe but it was caught by AV

https://github.com/swisskyrepo/SharpLAPS/

So then I went through this article which explained how we can read LAPS and it showed it through crackmapexec

https://www.hackingarticles.in/credential-dumpinglaps/

One thing to note that crackmapexec requires lsassy a python library in order to use cme's modules which wasn't on my distro so I had to install it

And after this the module for LAPS worked and we got the password

cme ldap 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps

Alternatively we can get the clear text password through AD-Module which already comes installed with LAPS, we can check if it's available through

Get-Module -Name ActiveDirectory -ListAvailable

Then import it with Import-Module -Name ActiveDirectory

Also I came across this post as well in configuring LAPS

https://adsecurity.org/?p=3164

So checking in which attribute we can find the clear text LAPS password

Get-ADComputer -Identity "dc01" -Properties "ms-mcs-AdmPwd"

Being an Administrator on domain controller we can dump SAM and NTDS.dit file

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store