Timelapse
Enumeration
As always, we run our nmap scan:
As we can see, we have SMB protocol available. We can try to access the shares using smbmap:
Note that we can see the name timelapse.htb; this is because I added the IP address to the /etc/hosts file.
As we can see, we have access to the Shares share. This share contains two folders, Dev and HelpDesk:
We have a zip file in the Dev folder and some docx files in the HelpDesk folder:
After downloading the files, we can see that the documents from the HelpDesk folder contain procedures for LAPS (Local Administrator Password Solution): how a random local administrator password is created and how to read it.
Use the --download PATH/TO/FILE option to download a file using smbmap.
PFX Password Cracking
What is interesting is that the zip file is protected by a password. We can use zip2john to get the hash and then john to recover the password:
We just have to provide the newly found password, and we get the pfx file out of the zip:
PFX files (Personal Information Exchange, the PKCS#12 container format) bundle a certificate with its public key and the matching private key, and are often used for encryption and for client certificate authentication.
The pfx file is also password-protected; this time we use pfx2john and crack the password again. After a few minutes, it was cracked:
We can now use it, as described on this website, to extract the certificate and the RSA private key.
Foothold
Now that we have the certificate and the private key, we can connect to the server using evil-winrm with SSL:
Don't forget the -S flag. If you omit it, you will get an error saying that you need to specify a user.
User.txt
Horizontal Privilege Escalation
When we get the shell through evil-winrm, we don't seem to have that many rights…
After a bit of roaming around the server, I didn't find much… But when I looked at the PowerShell history at C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, I found credentials for the user svc_deploy:
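The PSReadLine history file is also a place where defenders can catch credentials leaking into interactive shells. The script below is an added example written for this writeup (not part of the original post or of any tool it mentions): it scans a ConsoleHost_history.txt for common ways a secret ends up on the command line and redacts the secret before reporting. The history lines in SAMPLE_HISTORY are constructed for the demo, not taken from the box.

```python
import re
from pathlib import Path

# Constructed sample of a PSReadLine ConsoleHost_history.txt (not taken from the box).
SAMPLE_HISTORY = r"""whoami
cd C:\Users\legacyy\Desktop
$p = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -ScriptBlock { whoami }
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'Example-Pass1'
net user backup P@ss-example /add
Get-Service
"""

# Patterns that commonly carry a secret on the command line. A named group
# "secret" (where present) marks the part to redact in the report.
PATTERNS = [
    ("plaintext SecureString",
     re.compile(r"""ConvertTo-SecureString\s+(?P<q>['"])(?P<secret>.+?)(?P=q).*-AsPlainText""", re.I)),
    ("PSCredential object", re.compile(r"PSCredential", re.I)),
    ("-p/-Password argument",
     re.compile(r"""(?:^|\s)-(?:p|password)\s+(?P<q>['"]?)(?P<secret>[^'"\s]+)(?P=q)""", re.I)),
    ("net user with password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>(?!/)\S+)", re.I)),
]

def redact(line, match):
    """Return the line with the captured secret replaced by ***."""
    if match.groupdict().get("secret"):
        start, end = match.span("secret")
        return line[:start] + "***" + line[end:]
    return line

def scan_history(text):
    """Return (line_number, finding_label, redacted_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, redact(line, match)))
                break  # one finding per line is enough for triage
    return findings

def scan_file(path):
    """Scan an on-disk history file collected from a user's profile."""
    return scan_history(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    for lineno, label, line in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {line}")
```

Run it against every user's PSReadLine history on a host to find shells where a password was typed in the clear; the report never echoes the secret itself.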
Vertical Privilege Escalation
Now that we have credentials, we can connect with them via evil-winrm as svc_deploy.
As we can see, we have pretty much the same rights, but we are in the LAPS_Readers group. This means that we can read the randomly generated Administrator password.
There are a lot of techniques to get this password:
- We can use crackmapexec: crackmapexec ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --kdcHost 10.10.11.152 -M laps. But this didn't work.
- We can use other PowerShell tools listed on hacktricks or on viperone's blog.
- None of the above worked for me, so I searched for a command to dump the password using LAPS and found this one: Get-ADComputer -Filter 'ObjectClass -eq "computer"' -Property *. I piped it to Select-Object "ms-Mcs-AdmPwd" at the end so I only get the password:
- Finally, I found this Python script that dumped the password too:
Root.txt
Now that we have the Administrator password, we can connect with evil-winrm as before. And… Voilà: