Nmap
Let’s scan the Ip address first, by using Nmap.
result
# Nmap 7.92 scan initiated Sun Apr 17 06:14:42 2022 as: nmap -sC -sV -p- -T4 -vv -oN nmap/timelapse_all 10.10.11.152Nmap scan report for 10.10.11.152Host is up, received echo-reply ttl 127 (0.055s latency).Scanned at 2022-04-17 06:14:43 +08 for 205sNot shown: 65517 filtered tcp ports (no-response)PORT STATE SERVICE REASON VERSION53/tcp open domain syn-ack ttl 127 Simple DNS Plus88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-04-17 06:16:37Z)135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)445/tcp open microsoft-ds? syn-ack ttl 127464/tcp open kpasswd5? syn-ack ttl 127593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0636/tcp open ldapssl? syn-ack ttl 1273268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)3269/tcp open globalcatLDAPssl? syn-ack ttl 1275986/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)| ssl-cert: Subject: commonName=dc01.timelapse.htb| Issuer: commonName=dc01.timelapse.htb| Public Key type: rsa| Public Key bits: 2048| Signature Algorithm: sha256WithRSAEncryption| Not valid before: 2021-10-25T14:05:29| Not valid after: 2022-10-25T14:25:29| MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3| SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652| -----BEGIN CERTIFICATE-----| MIIDCjCCAfKgAwIBAgIQLRY/feXALoZCPZtUeyiC4DANBgkqhkiG9w0BAQsFADAd| MRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwHhcNMjExMDI1MTQwNTI5WhcN| MjIxMDI1MTQyNTI5WjAdMRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwggEi| MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJdoIQMYt47skzf17SI7M8jubO| rD6sHg8yZw0YXKumOd5zofcSBPHfC1d/jtcHjGSsc5dQQ66qnlwdlOvifNW/KcaX| LqNmzjhwL49UGUw0MAMPAyi1hcYP6LG0dkU84zNuoNMprMpzya3+aU1u7YpQ6Dui| AzNKPa+6zJzPSMkg/TlUuSN4LjnSgIV6xKBc1qhVYDEyTUsHZUgkIYtN0+zvwpU5| isiwyp9M4RYZbxe0xecW39hfTvec++94VYkH4uO+ITtpmZ5OVvWOCpqagznTSXTg| FFuSYQTSjqYDwxPXHTK+/GAlq3uUWQYGdNeVMEZt+8EIEmyL4i4ToPkqjPF1AgMB| AAGjRjBEMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNV| HQ4EFgQUZ6PTTN1pEmDFD6YXfQ1tfTnXde0wDQYJKoZIhvcNAQELBQADggEBAL2Y| /57FBUBLqUKZKp+P0vtbUAD0+J7bg4m/1tAHcN6Cf89KwRSkRLdq++RWaQk9CKIU| 4g3M3stTWCnMf1CgXax+WeuTpzGmITLeVA6L8I2FaIgNdFVQGIG1nAn1UpYueR/H| NTIVjMPA93XR1JLsW601WV6eUI/q7t6e52sAADECjsnG1p37NjNbmTwHabrUVjBK| 6Luol+v2QtqP6nY4DRH+XSk6xDaxjfwd5qN7DvSpdoz09+2ffrFuQkxxs6Pp8bQE| 5GJ+aSfE+xua2vpYyyGxO0Or1J2YA1CXMijise2tp+m9JBQ1wJ2suUS2wGv1Tvyh| lrrndm32+d0YeP/wb8E=|_-----END CERTIFICATE-----|_http-title: Not Found|_http-server-header: Microsoft-HTTPAPI/2.0| tls-alpn:|_ http/1.1|_ssl-date: 2022-04-17T06:18:07+00:00; +7h59m59s from scanner time.9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.049674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC49696/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC64800/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPCService Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:| smb2-time:| date: 2022-04-17T06:17:30|_ start_date: N/A| smb2-security-mode:| 3.1.1:|_ Message signing enabled and required|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s| p2p-conficker:| Checking for Conficker.C or higher...| Check 1 (port 62878/tcp): CLEAN (Timeout)| Check 2 (port 32357/tcp): CLEAN (Timeout)| Check 3 (port 38085/udp): CLEAN (Timeout)| Check 4 (port 22941/udp): CLEAN (Timeout)|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Read data files from: /usr/bin/../share/nmapService detection performed. Please report any incorrect results at https://nmap.org/submit/ .# Nmap done at Sun Apr 17 06:18:08 2022 -- 1 IP address (1 host up) scanned in 206.29 seconds
Oh wow! this is an active directory machine and that’s a lot of open ports. We also get the hostname called timelapse.htb
, let’s add it to the /etc/hosts
file.
SMB
In the result of the Nmap scan. I saw that ports 139
and 445
are open and it’s a default for SMB (Server Message Block)
. Let’s check the windows version using a tool called CrackMapExec.
CrackMapExec: SMB
The version of Windows currently using is Windows 10.0 Build 17763 x64
. So, this is not a new version of Windows, at the time writing this blog Windows 11 is already out.
check windows version over smb using crackmapexec
SMBclient
Now, we already know that smb ports are open. Let’s try listing the shares by using smbclient
. Surprisingly, it doesn’t require authentication for it. I just press Enter
in the password prompt.
list all shares
JohntheRipper: zip2john
After checking the all shares. I finally found something that looks interesting. I found the winrm_backup.zip
file in \Shares\Dev\
. Let’s download it, into our attack machine with the get command
. Now, it’s time to unzip the file. However, it is protected by a password and I don’t know, what the password is. So, I’m gonna run zip2john
to crack the zip file with rockyou.txt
as a wordlist.
download zip file
cracked the zipfile
*.PFX file
Finally, the wait pay off. We’ve got the password and it’s time to crack it open. Well, it just contains one file called legacyy_dev_auth.pfx
. I never heard of the extensions called pfx
before, and with quick googling. It says:
Note
The .pfx
file, which is in a PKCS#12
format, contains the SSL certificate (public keys) and the corresponding private keys.
unzip the zipfile
JohntheRipper: pfx2john
The pfx
file it’s just a binary that compiles with public and private keys. Now, what we need is, to extract the keys from it. I manage found an article that shows us 'How to extract it'
. Here’s the article. First, we need to extract the private key by using openssl
. Unfortunately, its needed the password. I already try the password that we found earlier and it doesn’t work. Now, I’m gonna run the file against pfx2john
to produce the hash and crack it with john
.
openssl extract priv key
cracked the pfx file
Extracting the cert from *.PFX file
Nice! we finally managed to retrieve the pfx
file password. Let’s try to extract the keys one more time. Here’s an article for reference. Let me breaks down into three parts real quick.
- The first command is basically to extract the encrypted private key
- Run the next following command to extract the certificate/public key
- The final command, it’s just decrypted the private key
NOTE: you will be prompted to type the import password. Type the password you found earlier by using pfx2john
extract the priv/pub key
Evil-WinRM: legacyy
Based on the zip file name 'winrm_backup.zip'
. I guess this might be something to do with winrm
, and the Nmap scan result also shows us that port 5986
is open.
Let’s try connecting to it with Evil-WinRM
and make sure to enable ssl
with the -S
tag. I’m gonna use the keys we discovered with -c
for the public key and -k
for a private key. Finally, I’m in as a legacyy
user.
login as legacyy
Powershell History
So, I’ll try to run the winpeas
. Unfortunately, it doesn’t execute because the Anti-Virus
program managed to catch it and throws this error file contains a virus or potentially unwanted software
. Honestly, I am stuck on this machine. Then, I realized, I never check the powershell history
and I felt guilty because that file has always been ignored by me. To my surprise, I found something useful yet interesting in the powershell history
file.
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
found credentials in powershell history
Evil-WinRM: svc_deploy
Well, in the history
file contains svc_deploy
user credentials and lead us into port 5986
once again. Let’s connect to the machine as svc_deploy
user with the credentials we just found. Success!
login as svc_deploy
Group: LAPS_Readers
Let’s check this user “background” with the net user
command. Turns out, this user is part of LAPS_Readers
Global Group memberships. Honestly, I didn’t even know what it is, but it sounds cool :p with a quick search on the net. It says:
Summary
The Local Administrator Password Solution
(LAPS) provides management of local account passwords of domain-joined computers.
Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read them or request its reset.
net user svc_deploy
LDAPsearch
The excited part of it. We can read the password stored in Active Directory. The last time I checked, this is an AD machine. So, I manage to find an article that’s about credentials dumping. I already try used crackmapexec
and it just threw a bunch of errors at me. So, I end up using ldapsearch
. Let’s dump the administrator
credentials.
found credentials in ldap
Evil-WinRM: administrator
We successfully retrieve the administrator
credentials. Let’s try connect to evil-winrm
.
login as administrator
*CHEF KISS* Beautiful