HackTheBox - Timelapse Writeup
Timelapse is an easy Hack The Box Windows machine that begins with accessing an open SMB share containing a password-protected ZIP file. The ZIP and the .pfx file it contains are cracked with John the Ripper, allowing extraction of a certificate and private key. These are used to authenticate via WinRM. Further enumeration reveals stored PowerShell history containing credentials for the svc_deploy user, who is a member of the LAPS_Readers group. This group can retrieve the local admin passwords managed by LAPS, which is leveraged to obtain the domain Administrator's credentials and gain full access to the machine.
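The final step of the chain hinges on who is allowed to read LAPS-managed passwords. The following audit script is an added example and not part of the writeup; it assumes the legacy LAPS AdmPwd.PS module and the ActiveDirectory RSAT module are installed, and the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added audit example (not from the writeup): enumerate who can read
# LAPS-managed local administrator passwords in the domain.
# Assumes the AdmPwd.PS (legacy LAPS) and ActiveDirectory modules are present.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# OU that holds the LAPS-managed computers (placeholder value).
$TargetOU = "OU=Servers,DC=example,DC=local"

# 1. Every principal holding the extended right to read ms-Mcs-AdmPwd
#    on computer objects under the OU. Each ObjectDN lists its holders.
Find-AdmPwdExtendedRights -Identity $TargetOU |
    Select-Object -ExpandProperty ExtendedRightHolders -Unique |
    Sort-Object

# 2. Expand the reader group recursively: nested members inherit the right,
#    so a flat listing understates who can actually pull the passwords.
$Readers = Get-ADGroupMember -Identity "LAPS_Readers" -Recursive
$Readers | Select-Object Name, objectClass, distinguishedName

# 3. Warn on service accounts among the readers. Their credentials are the
#    ones most likely to end up in scripts and shell history, as on this box.
$Readers |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -like 'svc_*' } |
    ForEach-Object {
        Write-Warning "Service account $($_.SamAccountName) can read LAPS passwords"
    }
```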
August 21, 2022
Tags: crackmapexec-smb, smbclient, zip2john, pfx-file, pfx2john, john, evil-winrm, powershell-history, ldap, ldapsearch, laps_readers-group