Timelapse Machine Writeup

1 minute read

Timelapse is an easy windows machine that involves smb enumeration, password hash cracking, and exploitation of weak active directory configuration.

Recon

First, let’s start with nmap port scanning.

nmap-results

We can see port 445 (smb) is open so let’s check the shared folders that have anonymous access.

We have access to Shares folder, so Let’s try to list and download its content.

If we try to unzip winrm_backup.zip, we can see that it’s password protected.

Let’s get password hash with zip2john and crack it with hashcat.

Now we can unzip the successfully.

Shell as legacyy

We gotlegacyy_dev_auth.pfx, so let’s extract the embedded certificate and key files.

A PFX file indicates a certificate in PKCS#12 format; it contains the certificate, the intermediate authority certificate necessary for the trustworthiness of the certificate, and the private key to the certificate. Think of it as an archive that stores everything you need to deploy a certificate.

But we need a password to decrypt and extract the files.

Again we can use john to crack the password hash.

Now let’s extract the crt and key files.

We can now login to the box using evil-winrm tool with our key and certificate.

Shell as svc_deploy

Running WinPEAS, I found an interesting file called C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt (which stores the powershell commands history), so let’s check it.

We can run the exact same commands to authenticate as svc_deploy, replace whoami command with a powershell cradle to download nc.exe to the target machine so we can get a shell as svc_deploy user.

Shell as root

If we run whoami /all, we see that we are a member of LAPS_Readers group.

laps-group

LAPS allows you to manage the local Administrator password (which is randomized, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorized users using ACLs.

After some searching I tried to enumerate the active directory computer properties to look for ms-Mcs-AdmPwd field (which contains clear-text password).

administrator-password

Now we can login to the box with Administrator user and read root.txt.

root.txt