Timelapse Machine Writeup
Timelapse is an easy windows machine that involves smb enumeration, password hash cracking, and exploitation of weak active directory configuration.
Recon
First, let’s start with nmap port scanning.
We can see port 445 (smb) is open so let’s check the shared folders that have anonymous
access.
We have access to Shares
folder, so Let’s try to list and download its content.
If we try to unzip winrm_backup.zip
, we can see that it’s password protected.
Let’s get password hash with zip2john
and crack it with hashcat
.
Now we can unzip the successfully.
Shell as legacyy
We gotlegacyy_dev_auth.pfx
, so let’s extract the embedded certificate and key files.
A PFX file indicates a certificate in PKCS#12 format; it contains the certificate, the intermediate authority certificate necessary for the trustworthiness of the certificate, and the private key to the certificate. Think of it as an archive that stores everything you need to deploy a certificate.
But we need a password to decrypt and extract the files.
Again we can use john
to crack the password hash.
Now let’s extract the crt
and key
files.
We can now login to the box using evil-winrm
tool with our key
and certificate
.
Shell as svc_deploy
Running WinPEAS, I found an interesting file called C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt
(which stores the powershell commands history), so let’s check it.
We can run the exact same commands to authenticate as svc_deploy
, replace whoami
command with a powershell cradle to download nc.exe
to the target machine so we can get a shell as svc_deploy
user.
Shell as root
If we run whoami /all
, we see that we are a member of LAPS_Readers
group.
LAPS allows you to manage the local Administrator password (which is randomized, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorized users using ACLs.
After some searching I tried to enumerate the active directory computer properties to look for ms-Mcs-AdmPwd
field (which contains clear-text password).
Now we can login to the box with Administrator
user and read root.txt
.