Timelapse, HackTheBox Walk-Through

In this post, we walk through the hacking steps of a HackTheBox machine, “Timelapse.” This machine is Windows-based, and HTB users rate its difficulty as easy. The box runs Active Directory services. We think a step-by-step solution of this machine is helpful for pen-testers. So let’s start.

NMAP

Nmap results are shown below. Lots of ports are open.

After finishing a full scan with nmap, the machine appears to be an Active Directory box. The common name “dc01.timelapse.htb” is discovered on port 5986, so I modify my “/etc/hosts” file by adding this commonName.

ENUMERATION

When we have a Windows-based box, especially an Active Directory one, I first enumerate SMB on port 445 to check whether I have access to any files that might give me clues for initial access.

SMB-Enumeration

It looks like we have read access to the “Shares” directory. I used smbmap to list what is in the “Shares” directory. In the figure above, we see a file called “winrm_backup.zip” in the “Dev” directory, and in the “HelpDesk” directory an executable and some documentation files about “Microsoft LAPS,” a tool used to rotate Microsoft administrative passwords. We will note that for later. We will use the get command to download them to our Kali box.

Local Administrator Password Solution (LAPS) is a method of managing the passwords for the local administrator accounts via the domain. Without LAPS, it is very challenging for a support team to keep unique local admin passwords for each system. This leads to shared credentials, which means that when an attacker gets elevated privileges on a system, they can dump the shared credential and use it to get access to other systems. LAPS also rotates administrator passwords, changing them periodically, so that if they are captured by an attacker, they become invalid after some period of time.

https://bit.ly/3UAcmPX (microsoft site)

There is no need to download the files in the “HelpDesk” directory because they are standard Microsoft files on how Microsoft LAPS works. If you don’t know anything about it, you should download them to understand how it works.

Next, we will try to extract the “winrm_backup.zip” file. When trying to extract files, we are met with a password prompt. The zip file appears to be password protected.

Since the zip file is password protected, we can use “fcrackzip” with a wordlist to crack the password of the zip file. As shown below, we are successful at breaking the password with a wordlist.

After getting the password from the cracking tool, we unzip the file and extract the “legacyy_dev_auth.pfx” file, as shown in the figure below.

A PFX file indicates a certificate in PKCS#12 format; it contains the certificate, the intermediate authority certificate necessary for its trustworthiness, and the private key to the certificate. Think of it as an archive that stores everything you need to deploy a certificate.

When we try to open the pfx file, we will see that it requires a password to open it.

So we need to crack the password again for this file. First, we use “pfx2john”, which is natively installed on Kali Linux, to extract the hash from the pfx file. Then we use “john” with a wordlist to crack the password. The result is shown in the figure below.

INITIAL ACCESS

The pfx file in PKCS#12 format contains the SSL certificate (public keys) and the corresponding private keys. Sometimes, you might have to import the certificate and private keys separately in an unencrypted plain text format to use them on another system. You can visit the web page below to learn how to extract “.crt” and “.key” files from the pfx file.

https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

As explained on the web page above, we can extract the key and certificate with the password. Extracting the key prompts for the import password, “thuglegacy,” and then for a password for the output pem file, for which we use the same password, “thuglegacy.”
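The two extractions described above can be rehearsed on a bundle you build yourself. This is an added example, not code from the original post or the IBM page: it creates a throwaway PFX, splits it into “key” and “cert”, and confirms both hold the same public key. The pass phrase, the CN and the file names src.key, src.crt and sample.pfx are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. PASS, the CN and the src.*/sample.pfx names are constructed.
PASS='constructed-demo-pass'

# Build a throwaway self-signed certificate and bundle it as PKCS#12.
make_sample_pfx() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.example" \
    -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
    -out "$1/sample.pfx" -passout "pass:$PASS"
}

# Private key first (re-encrypted via -passout), then the client certificate.
split_pfx() {  # $1 = pfx file, $2 = output directory
  openssl pkcs12 -in "$1" -nocerts -out "$2/key" \
    -passin "pass:$PASS" -passout "pass:$PASS" 2>/dev/null &&
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert" \
    -passin "pass:$PASS" 2>/dev/null
}

# The extracted key stays pass-phrase protected on disk.
key_is_encrypted() {  # $1 = key file
  grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# A key and a certificate belong together when they yield the same public key.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the whole sequence in a scratch directory and clean up afterwards.
demo() {
  d=$(mktemp -d) || return 1
  make_sample_pfx "$d" && split_pfx "$d/sample.pfx" "$d" &&
    key_is_encrypted "$d/key" && key_matches_cert "$d/key" "$d/cert" &&
    echo "key and cert extracted and matched"
  rc=$?
  rm -rf "$d"
  return $rc
}

demo
```
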

Now we have two files, “key” and “cert.” We use these files to authenticate over SSL with “evil-winrm.” (evil-winrm is the best tool for connecting to WinRM from a Linux host.) We will use the following to connect to the timelapse.htb machine:

evil-winrm -i timelapse.htb -S -k key -c cert
-S: enable SSL
-c: public key, certificate
-k: private key
-i: host to connect

At this point, we have initial access to the environment.

PRIVILEGE ESCALATION

Now we need to escalate our privileges. After basic enumeration, I didn’t find anything to use for privilege escalation. There is nothing special about the user ‘legacy’. The user is in the “Remote Management Users” group, but I know that without this group, we wouldn’t be able to connect over WinRM.

Later, I decided to look for the PowerShell console host history file. The default location for this file is “$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt”. You can get the location by running “Get-PSReadlineOption” and looking at the options. So, we use the command “(Get-PSReadlineOption).HistorySavePath” to get the path and read the PowerShell history file for any information.

You can see in the above figure that there is some helpful information. There is a username and a plaintext password for the user. After getting this information, we can connect to the host with them via “evil-winrm.”

evil-winrm -i timelapse.htb -S -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV'
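The history file that exposed this password can be audited for the same mistake. This is an added example, not part of the original post: it scans a collected ConsoleHost_history.txt for entries that usually mean a secret was typed at the prompt and reports line numbers only. The sample history lines, the account svc_example and the pattern list are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example. The history lines and svc_example are constructed sample data.

# Write a constructed ConsoleHost_history.txt to the given path.
write_sample_history() {  # $1 = output file
  cat > "$1" <<'EOF'
whoami
net user svc_example /domain
$p = ConvertTo-SecureString 'EXAMPLE-PLACEHOLDER' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
Invoke-Command -ComputerName localhost -Credential $c -ScriptBlock { whoami }
net user svc_example EXAMPLE-PLACEHOLDER /add
$env:DB_PASSWORD = 'EXAMPLE-PLACEHOLDER'
Get-ChildItem C:\Temp
EOF
}

# Patterns that usually mean a secret was typed at the prompt:
# plaintext SecureString conversion, credential objects, "net user <name> <password>"
# (but not "net user <name> /switch"), and password-like assignments.
PATTERNS='-AsPlainText|PSCredential|net[[:space:]]+user[[:space:]]+[^[:space:]/]+[[:space:]]+[^[:space:]/]+|(password|passwd|pwd)[[:space:]]*[=:]'

# Print only the line numbers of risky entries, so the secrets themselves
# are not copied into the audit output.
scan_history() {  # $1 = history file
  grep -E -i -n -e "$PATTERNS" "$1" | cut -d: -f1
}

# Number of risky entries in the file.
count_findings() {  # $1 = history file
  scan_history "$1" | wc -l | tr -d ' '
}

f=$(mktemp) && write_sample_history "$f" &&
  echo "risky history lines: $(scan_history "$f" | tr '\n' ' ')"
rm -f "$f"
```

On the Windows side, `Set-PSReadLineOption -HistorySaveStyle SaveNothing` stops PSReadLine from writing history to disk on hosts where administrators type secrets.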

We see that the user svc_deploy is a member of the LAPS_Readers group. Since we have LAPS membership, we can read any LAPS passwords from the domain.

ROOT SHELL

With LAPS, the DC manages the local administrator passwords for computers on the domain. It is common to create a group of users and permit them to read these passwords, allowing the trusted administrators access to all the local admin passwords. To read the LAPS password, I use a PowerShell command that I got from the “PayloadsAllTheThings” page. The page link is: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#reading-laps-password

PowerShell script:
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { $_.properties}

  • Since we have LAPS membership, we can use “crackmapexec” and the laps module to get the LAPS password from the domain. The command is: crackmapexec ldap 10.10.11.152 -d timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --module laps
  • I also found a Python script for getting a LAPS password; you can easily find this tool with a Google search. Here is the Python tool address: https://github.com/n00py/LAPSDumper.git

We can see that the local Administrator password of DC01$ is shown in the above figure. We can now use “evil-winrm” again to log in as an administrator.

At last, we pwned the box. We hope this post helps sharpen your pentesting skills. Please share your comments.

Omer Faruk Kerman