The HTB TimeLapse machine is a great learning box for those who are new to Windows and Active Directory pentesting. I found the initial access (user flag) easier; the root flag was a bit tricky for me because of my lack of Windows privilege escalation skills. Overall it's a fun machine.
Enumeration
As always, starting with an Nmap scan.
The Nmap discovery led me to SMB enumeration on port 445; there are plenty of SMB enumeration tools available in Kali.
Anonymous login was enabled on the SMB service, so enumerating SMB was fairly easy using smbclient or smbmap in Kali:
smbclient -L //10.10.11.152/ -N
After some enumeration, the Shares share had an interesting zip file called winrm_backup.zip in its Dev directory. WinRM is the Windows Remote Management protocol, offering functionality similar to SSH, so it may be useful for initial access to the machine. I downloaded the zip with the smbclient get command:
smbclient //10.10.11.152/Shares -N
cd Dev
get winrm_backup.zip
The backup zip was password protected, so I used fcrackzip with the rockyou wordlist to crack it and got the password supremelegacy:
sudo fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip
The zip contained a file called legacyy_dev_auth.pfx. After some research I found that a .pfx contains the SSL certificate (public key) and the corresponding private key, and it can be used for passwordless certificate authentication to WinRM. So we can try to get initial access via WinRM using the certificate and private key from the .pfx file, but the .pfx itself was encrypted with a password, so that password had to be brute forced as well.
Using a tool called crackpkcs12 we got the password thuglegacy:
crackpkcs12 -d /usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx
For certificate-based WinRM login we have to export the certificate and the private key from the .pfx file using openssl, supplying the pfx password.
After extracting the keys we can finally attempt to get a WinRM PowerShell session.
We got the initial shell as the user legacyy and can get the user flag from this user's Desktop.
ROOT flag
As the user legacyy we don't have many permissions, so for privilege escalation enumeration we can try winPEAS.
Serving winPEAS from my Kali with the python3 http.server module and running it gave us a lot of information,
including a PowerShell history file (like bash history on Linux).
The history file contained a remote PSSession command with the password and credentials of the user svc_deploy. We can reuse the same PSSession method to execute commands as svc_deploy:
*Evil-WinRM* PS C:\Users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
and then use
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
to execute commands as the svc_deploy user.
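The privilege escalation here hinged on a plaintext password left in a PowerShell history file. As an added example from the defender's side (not part of the original writeup), this small Python scanner flags lines in a ConsoleHost_history.txt that embed a secret (ConvertTo-SecureString -AsPlainText, an inline PSCredential password, or a net user password change) and reports them with the secret masked. The rules and the sample history are constructed for this example; the enumeration-style net user svc_deploy line from the writeup is deliberately included and must not trigger.

```python
import re
from typing import List, NamedTuple

# On Windows the file is normally found at:
#   %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str  # offending line with the secret replaced by <redacted>


# Each rule's regex has a named group "secret". Constructed for this example;
# extend for your own environment.
RULES = {
    "plaintext SecureString": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1(?=.*-AsPlainText)", re.I),
    "inline PSCredential password": re.compile(
        r"PSCredential\s*\(\s*['\"][^'\"]+['\"]\s*,\s*(['\"])(?P<secret>[^'\"]+)\1", re.I),
    "net user password set": re.compile(
        r"\bnet\s+user\s+\S+\s+(?P<secret>[^/\s]+)(?=\s*(?:/add|$))", re.I),
}


def scan_history(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, with the secret masked."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:
                red = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append(Finding(n, rule, red))
    return findings


# Constructed sample history modelled on the commands seen in this box.
SAMPLE_HISTORY = """whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Example-Secret-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
$p2 = Read-Host -AsSecureString
net user svc_deploy
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Run against the real history file with `scan_history(open(path, encoding="utf-8", errors="replace").read())`; any hit is a credential that should be rotated, and clearing the history alone is not enough.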
We checked the current user's group memberships with the net user svc_deploy command;
this user is a member of the LAPS Reader group, so we can retrieve the LAPS-managed local Administrator passwords.
We got the Administrator password with the command
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
Used that password with evil-winrm to get an Administrator PowerShell,
and finally we have the admin PowerShell, so we can grab the root flag.