TimeLapse – Hack The Box

HTB TimeLapse is a great learning box for anyone new to Windows and Active Directory pentesting. I found the initial access (user flag) fairly easy, while the root flag was a bit tricky for me because of my limited Windows privilege escalation skills. Overall it is a fun machine.

Enumeration

As always, I started with an Nmap scan.

The Nmap discovery led me to SMB enumeration on port 445. There are plenty of SMB enumeration tools available in Kali.

Anonymous login was enabled on the SMB service, so enumerating SMB was fairly easy with smbclient or smbmap in Kali:

smbclient -L //10.10.11.152/ -N

After some enumeration, the Shares share had an interesting zip file called winrm_backup.zip. WinRM is the Windows Remote Management protocol, which offers functionality similar to SSH, so the backup might be useful for initial access to the machine. I downloaded the zip with smbclient's get command:

smbclient //10.10.11.152/Shares -N
cd Dev
get winrm_backup.zip

The backup zip file was password protected, so I used fcrackzip with the rockyou wordlist to crack it and got the password supremelegacy:

sudo fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip

The zip contained a file called legacyy_dev_auth.pfx. After some research I found that a .pfx file bundles the SSL certificate (public key) with the corresponding private key, and WinRM supports certificate-based (passwordless) authentication, so the certificate and private key from the .pfx could give us initial access over WinRM. However, the .pfx itself was protected with a password, so it had to be brute-forced before the key and certificate could be extracted.

Using a tool called crackpkcs12, we got the password thuglegacy:

crackpkcs12 -d /usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx

For certificate-based WinRM login we have to export the certificate and private key from the .pfx file with openssl, supplying the .pfx password.

After extracting the certificate and key, we can finally attempt to get a WinRM PowerShell session.

We got the initial shell as the user legacyy and can read the user flag on this user's Desktop.

ROOT flag

As the user legacyy we don't have many permissions, so for privilege escalation enumeration we can use WinPEAS.

I shared WinPEAS from my Kali box using Python 3's http.server module; running it gave us a lot of information,

including a PowerShell history file, similar to bash history on Linux.

The history file contained a remote PSSession setup with the password and credentials of the user svc_deploy. We can reuse the same PSSession method to execute commands as the user svc_deploy:

*Evil-WinRM* PS C:\Users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)

and can use

Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -UseSSL -SessionOption $so -ScriptBlock {whoami}

to execute commands as the svc_deploy user.
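Because the svc_deploy credentials leaked through a PowerShell history file, a defender can audit such history files (PSReadLine's ConsoleHost_history.txt) for credentials typed in plaintext and for session options that disable TLS validation. The following Python example is added here and is not part of the original writeup; the history content it scans is constructed, with a placeholder standing in for any real password.

```python
import re

# Constructed sample of a PowerShell history file; the password is a placeholder.
SAMPLE_HISTORY = """\
whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Get-ChildItem Env:
"""

# Detection rules (name, regex). PowerShell is case-insensitive, so re.I is used.
RULES = [
    ("secure-string-from-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1.*-AsPlainText", re.I)),
    ("pscredential-object",
     re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    ("tls-validation-disabled",
     re.compile(r"-Skip(CA|CN|Revocation)Check", re.I)),
]


def scan_history(text):
    """Return (line_number, rule_name, detail) findings for a history file.
    Secret values are never copied into the report, only their length."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            groups = m.groupdict()
            if groups.get("secret"):
                detail = "secret redacted (%d chars)" % len(groups["secret"])
            elif groups.get("user"):
                detail = "user=" + groups["user"]
            else:
                detail = m.group(0)
            findings.append((n, name, detail))
    return findings


def redact_history(text):
    """Return the history with plaintext secrets replaced, safe for sharing."""
    rx = RULES[0][1]
    return "\n".join(
        rx.sub(lambda m: m.group(0).replace(m.group("secret"), "<REDACTED>"), line)
        for line in text.splitlines()
    )
```

Running scan_history over a real ConsoleHost_history.txt (typically under each user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine) is a quick check for the same mistake that exposed svc_deploy here.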

We found the current user's group memberships with the net user svc_deploy command.

This user is a member of the LAPS Reader group, so we can retrieve the LAPS-managed local administrator password.

We got the Administrator password with the command:

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

I used that password with evil-winrm to get a PowerShell session as the admin user,

and finally, with an administrator PowerShell session, we can grab the root flag.