HackTheBox : Timelapse Walkthrough
Operating System : Windows
Difficulty : Easy
First, start reconnaissance by scanning all open ports on the target system with nmap.
Interesting services:
- kerberos : 88
- ldap : 389
- smb : 139,445
- winrm (ssl) : 5986
Next, use the Nmap tool to scan the details of the services and versions on all open ports. You will find that the LDAP service points to the domain: timelapse.htb.
Add the target machine’s IP address (10.10.11.152) and domain (timelapse.htb) to the /etc/hosts file.
Next, use the smbclient tool to enumerate the SMB service. You will discover a ‘Shares’ folder that stands out and is not part of the default shared folders.
Use the smbmap tool to check the permissions of the ‘Shares’ folder with the guest user, and you will find that it has read-only access.
Next, use the smbclient tool to connect to the SMB service at the ‘Shares’ folder. Upon further enumeration, you will find the winrm_backup.zip file in the dev directory. Then, download the winrm_backup.zip file to the attacker’s machine.
Use the unzip tool to extract the winrm_backup.zip file, and you will find that a password is required to open the file.
Next, proceed to crack the password of the winrm_backup.zip file. Start by using the zip2john tool to extract the hash from the password-protected ZIP file. Then, use this hash to crack the password using the dictionary attack technique.
The hash extracted from the winrm_backup.zip file:
Next, use the John the Ripper tool to crack the password using the rockyou.txt wordlist. You will find that the password is successfully cracked.
Use the obtained password to extract the contents of winrm_backup.zip, which will yield the legacyy_dev_auth.pfx file, a file used for authentication with the WinRM service.
Attempt to open the legacyy_dev_auth.pfx file, and you will find that a password is required to access the file.
Next, use the pfx2john tool to extract the hash from the password-protected PFX file. Then, use this hash to crack the password using the dictionary attack technique.
Next, use the John the Ripper tool to crack the password using the rockyou.txt wordlist. You will find that the password is successfully cracked.
Next, use the obtained password to open the legacyy_dev_auth.pfx file.
Inside the legacyy_dev_auth.pfx file, you will find the private key and certificate file used for authentication with the WinRM service.
Next, convert the data from the legacyy_dev_auth.pfx file into priv.pem and cert.crt using the OpenSSL command. If prompted for a password, use the same password that was used to open the legacyy_dev_auth.pfx file.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.pem
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
Next, copy the priv.pem file to a new file named private.key and use the Nano editor to modify the file, ensuring that it contains only the private key content.
Similarly, copy the cert.crt file to a new file named cert.cert and use the Nano editor to modify the file, ensuring that it contains only the certificate content.
Next, use the OpenSSL command to convert the private.key file so that it no longer requires a password for authentication (as the password would be repeatedly requested during the WinRM connection and usage). If prompted for a password, use the same password that was set when converting the legacyy_dev_auth.pfx file.
openssl rsa -in private.key -out priv-nopass.key
Next, use the Evil-WinRM (SSL) tool to connect to the target machine using the private key and certificate files.
evil-winrm -i timelapse.htb -S -k priv-nopass.key -c cert.crt
Read the user flag from the user.txt file.
Next, upload the winPEASx64.exe tool to the target machine to perform local enumeration and gather information for privilege escalation.
Execute the winPEASx64.exe on the target machine.
The results from using the winPEASx64.exe tool revealed the ConsoleHost_history.txt file, which appears to be of interest.
Upon viewing the contents of the ConsoleHost_history.txt file, you will find the credentials (username and password) for the user svc_deploy.
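The svc_deploy password was recovered from a PSReadLine history file. The following script, added here as an example and not part of the original walkthrough, is the check a defender would run across every profile on a host to find the same kind of leak; the history path is the standard PSReadLine location, and the regular expressions are an assumption, not an exhaustive list.

```powershell
# Added example (not from the walkthrough): find plaintext credentials left in PSReadLine
# command history, the kind of leak that exposed the svc_deploy password on this box.
# Run as an administrator so every profile under C:\Users can be read.
# The path is the standard PSReadLine history location; the regexes are assumptions.
$historyGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

# Patterns that commonly surround a password typed on the command line.
$patterns = @(
    'ConvertTo-SecureString\s.*-AsPlainText',                       # ConvertTo-SecureString 'x' -AsPlainText -Force
    'New-Object\s+System\.Management\.Automation\.PSCredential',   # PSCredential built inline
    '[-/](password|pw)\s*[:=]?\s*\S+',                              # -Password x, /password:x
    'net\s+user\s+\S+\s+\S+'                                        # net user <name> <password>
)

function Find-HistoryCredentials {
    param([string]$Glob = $historyGlob, [string[]]$Pattern = $patterns)

    Get-ChildItem -Path $Glob -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # C:\Users\<name>\... : the third path segment is the profile owner.
        $owner = ($file.FullName -split '\\')[2]
        Select-String -Path $file.FullName -Pattern $Pattern | ForEach-Object {
            [pscustomobject]@{
                User    = $owner
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
            }
        }
    }
}

Find-HistoryCredentials | Format-Table -AutoSize -Wrap
```

Any hit is a reason to rotate that credential and to clear or disable history for service accounts (Set-PSReadLineOption -HistorySaveStyle SaveNothing).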
Next, use the netexec tool to test access to the target machine using the credentials of the user svc_deploy. You will find that the connection is successful, and you have gained access to the target machine (Pwn3d!).
Next, use the Evil-WinRM tool along with the credentials (username and password) of the user svc_deploy to connect to the target machine. You will find that the connection to the target machine is successful.
Next, check the user’s permissions and groups. It was found that the user svc_deploy belongs to the LAPS_Readers group, which grants the right to read LAPS-managed passwords.
LAPS (Local Administrator Password Solution) is a tool developed by Microsoft to enhance the security of managing local administrator account passwords on Windows operating systems, particularly in environments with multiple machines, such as in organizations.
Reading the LAPS attribute ms-Mcs-AdmPwd on the computer object reveals the local Administrator password. (LAPS rotates this password automatically when it expires.)
Get-ADComputer -Identity 'dc01' -Properties 'ms-mcs-admpwd'
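The weakness here is not LAPS itself but who was delegated read access to ms-Mcs-AdmPwd. The script below, an added example that is not part of the original walkthrough, resolves the attribute's schema GUID and lists every principal whose ACE on the computer object allows reading it, which is how a group like LAPS_Readers would be spotted in an audit. It assumes the RSAT ActiveDirectory module on a domain-joined host and rights to read the object's security descriptor; the computer name dc01 is taken from the walkthrough.

```powershell
# Added example (not from the walkthrough): list every principal allowed to read the
# LAPS-managed password attribute (ms-Mcs-AdmPwd) on a computer object. An unexpected
# group here, such as LAPS_Readers on dc01, is the misconfiguration this box abuses.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and rights to read
# the object's security descriptor; 'dc01' is taken from the walkthrough.
param([string]$ComputerName = 'dc01')

Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param([string]$Name)

    # Resolve the attribute's schema GUID from the directory instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed.' }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    $dn  = (Get-ADComputer -Identity $Name).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the control-access
    # (extended) right on that attribute, or "all extended rights" (empty ObjectType).
    # GenericAll holders (e.g. Domain Admins) carry the ExtendedRight bit as well.
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($extended) -and
            ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $Name
                Principal = $_.IdentityReference.Value
                Scope     = if ($_.ObjectType -eq [guid]::Empty) { 'all extended rights' } else { 'ms-Mcs-AdmPwd' }
                Inherited = $_.IsInherited
            }
        } |
        Sort-Object Principal, Scope -Unique
}

Get-LapsPasswordReaders -Name $ComputerName | Format-Table -AutoSize
```

Inherited entries usually come from the OU where Set-AdmPwdReadPasswordPermission was run, so an over-broad group there exposes every computer beneath it, not just one.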
Next, use the netexec tool to test access to the target machine using the Administrator’s password. It was found that the connection was successful, and access to the target machine was achieved (Pwn3d!).
Next, use the Evil-WinRM tool to connect to the target machine with the Administrator account, and you will find that the connection is successful.
Next, search for the root flag (root.txt) and find it located in the Desktop directory of the user TRX.
Get-ChildItem -Path C:\ -Recurse -Filter "root.txt" -File -ErrorAction SilentlyContinue
Read the root flag from the root.txt file.