HTB: Timelapse (OSCP Style)

rootsecdev
6 min read · Sep 4, 2022


This is a recently retired box that is running Active Directory services and is an excellent study box for the OSCP. So let’s get started.

Initial Enumeration:

Figure 1 — Initial Enumeration with NMAP

After looking over the initial enumeration this appears to be an Active Directory box. The TLS certificate served on port 5986 (WinRM over HTTPS) carries the common name dc01.timelapse.htb, which gives us both the host name and the domain name.

Next I add these names to my /etc/hosts file so that tools can resolve dc01.timelapse.htb and timelapse.htb to the target.

Figure 2 — Host Modification

Any time I have a Windows-based box, especially an Active Directory one, I like to enumerate SMB on port 445 first to see whether I can reach any files that give clues about initial access. (Important OSCP tip here: notice how I tried a null session first, then the Guest account.)

Figure 3 — SMB Enumeration as Guest

It looks like we have read access to a share called Shares. We will use smbclient to inspect what is in it, starting with the directory called Dev.

Figure 4 — Enumeration of Dev Directory

In the figure above we see that a file called winrm_backup.zip is the only file in the Dev directory. We will use the get command to download it to our Kali box.

Next we will enumerate the HelpDesk directory using the same methods.

Figure 5 — Enumeration of HelpDesk Directory

We see some documentation for Microsoft LAPS (Local Administrator Password Solution), which randomizes the local Administrator password on each managed computer and stores it in Active Directory, where only principals granted read access to the ms-Mcs-AdmPwd attribute can retrieve it. We will keep that in mind for later. There is no need to download these files since they are standard Microsoft documentation on how LAPS works.

Next we will try to extract the winrm_backup.zip file. On extraction we are prompted for a password: the archive is password protected.

Figure 6 — Password Protected Zip File

Since the zip file is password protected we can use zip2john to convert it into a hash format that John the Ripper can crack. zip2john ships with Kali Linux, so there is nothing to download or install.

Figure 7 — Extract Hash from Zip File

Now that the hash is in a file we run john against it with a wordlist. As shown below, the zip password is cracked.

Figure 8 — Password Hash Cracking with John
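The zip2john and john step above is fast because PKZIP's traditional encryption (ZipCrypto) lets a cracker reject almost every wrong password after decrypting only 12 bytes. The following is an added example, my own code rather than anything from the original write-up: it builds a ZipCrypto-protected archive in memory, then cracks it with a constructed wordlist using the same two checks john's PKZIP format relies on, the header check byte and then the full CRC-32. DEMO_PASSWORD, WORDLIST and the file contents are made up; the real archive's password is not used.

```python
"""Model of what zip2john + john do to a ZipCrypto-protected archive.

Added example, not code from the original write-up.  The last byte of the
12-byte encryption header must equal the high byte of the entry's CRC-32, so a
wrong password is rejected 255 times out of 256 almost for free; the 1 in 256
that survives is caught by the CRC-32 over the decrypted data.  Python's
zipfile performs both checks, so it doubles as the cracker here.
"""
import io
import os
import struct
import zipfile
import zlib
from typing import Iterable, Optional

# Reflected CRC-32 table (poly 0xEDB88320); ZipCrypto updates its keys with
# single CRC steps rather than a finalised CRC.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc: int, byte: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCrypto:
    """PKWARE traditional encryption (APPNOTE section 6.1), encrypt direction."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:          # the key schedule is just the password bytes
            self._update(b)

    def _update(self, byte: int) -> None:
        self.k0 = _crc_step(self.k0, byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)         # keys advance on the plaintext byte
        return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry with general-purpose flag bit 0 set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 11 filler bytes, then the CRC high byte: the cheap password check.
    header = os.urandom(11) + bytes([crc >> 24])
    enc = ZipCrypto(password).encrypt(header + data)
    fname = name.encode("ascii")
    dos_time, dos_date = 0x6000, 0x5524          # 12:00, 2022-09-04
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, dos_time,
                        dos_date, crc, len(enc), len(data), len(fname), 0)
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0,
                          dos_time, dos_date, crc, len(enc), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0)
    body = local + fname + enc
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central) + len(fname), len(body), 0)
    return body + central + fname + eocd


def crack_zip(archive: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Wordlist attack in the same order john uses: header byte, then CRC."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entry = zf.infolist()[0]
        if not entry.flag_bits & 0x1:
            raise ValueError("entry is not encrypted, nothing to crack")
        for candidate in wordlist:
            try:
                with zf.open(entry, pwd=candidate) as fh:
                    fh.read()            # full read forces the CRC-32 check
                return candidate
            except RuntimeError:         # header check byte did not match
                continue
            except zipfile.BadZipFile:   # survived the 1-byte check, bad CRC
                continue
    return None


DEMO_PASSWORD = b"backup2022!"   # made up; not the password from the box
WORDLIST = [b"password", b"123456", b"winrm", b"backup", b"backup2022!"]  # constructed


def demo() -> Optional[bytes]:
    archive = make_encrypted_zip("legacyy_dev_auth.pfx",
                                 b"not a real PKCS#12 blob, just demo bytes",
                                 DEMO_PASSWORD)
    return crack_zip(archive, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The same structure explains why a long random zip password still falls quickly to a good wordlist: the cost per candidate is a handful of CRC steps, not a full decryption, which is also why john reports such high guess rates on this format.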

Inside the archive is legacyy_dev_auth.pfx, a PKCS#12 bundle protected by its own password. We will use pfx2john to extract a crackable hash from it. pfx2john is also included with Kali Linux, so there is no need to download or install anything.

Figure 9 — Extracting Hash from PFX File

Now that we have the hash extracted we will use john again to crack the password with the rockyou.txt password file.

Figure 10 — PFX Password Cracking with John

Now that we have recovered the PFX password we need to convert the bundle to PEM, because evil-winrm expects the certificate and private key as PEM files. To convert the pfx file to a pem file we will use the following command:

openssl pkcs12 -in legacyy_dev_auth.pfx -out certificate.pem

Figure 11 — PFX to PEM Format

openssl first asks for the import password, which is the one we just cracked, and then for a pass phrase to protect the private key in the PEM output; I ended up reusing the cracked password for that (passing -nodes would write the key unencrypted and skip the prompt). Normally I would separate the certificate from the private key, but evil-winrm accepts the same combined PEM file for both its -c (certificate) and -k (private key) arguments, so that is not necessary here. The -S flag enables SSL, which is required because WinRM certificate authentication only works against the HTTPS listener on 5986. Next I issue the following command to get an initial shell (your IP may vary):

evil-winrm -i 10.129.204.197 -c certificate.pem -k certificate.pem -S

At this point we have an initial shell into the environment.

Figure 12 — Initial Shell with Evil-winrm

Privilege Escalation

Now we need to escalate our privileges on the box. Before reaching for automated enumeration scripts, we should enumerate manually, OSCP style.

Below we identify the account we are running as, the other accounts that exist on the box, and the privileges our current token holds.

Figure 13 — Initial Enumeration

Notice from above that we hold the right to add workstations to the domain (SeMachineAccountPrivilege), which by default lets an authenticated user join up to ten computer accounts. This may be useful if we need to elevate our privileges. Next we will look at listening network ports.

Figure 14 — Local Network Ports Listening

Since nothing in the figure above is listening locally that isn't already exposed externally, we move on to further enumeration. Let's enumerate the Windows version and the processor architecture. This matters for any payload or binary we run against this box.

Figure 15 — Processor Architecture Enumeration

Now that we know the version and processor architecture, we download the 64-bit winPEAS binary through PowerShell, hosting the file from our Kali box with Python's built-in HTTP server as shown below.

Figure 16 — Downloading Files with Powershell

When winPEAS runs we immediately see a few things worth noting. First, Microsoft LAPS is installed and enabled.

Figure 17 — Microsoft LAPS Enabled

Second, there is a PowerShell console host history file (ConsoleHost_history.txt, written by PSReadLine) that we will need to inspect.

Figure 18 — Powershell Console History File

The console host history file contains plaintext credentials for the account svc_deploy.

Figure 19 — Plaintext Credentials
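The history-file find above is common enough that it is worth automating the search, both when looting a box and when hunting for this kind of exposure on your own hosts. The following is an added example of mine, not code from the write-up: it scans PSReadLine history text for the command shapes that leak credentials (ConvertTo-SecureString with -AsPlainText, PSCredential construction, net user /add, bare -Password arguments) and pairs a plaintext password with the username it was wrapped into. SAMPLE_HISTORY is constructed for the example and the svc_deploy password in it is a placeholder, not the box's.

```python
"""Scan a PSReadLine ConsoleHost_history.txt for leaked credentials.

Added example, not code from the original write-up.  The history file is the
same one winPEAS flagged above; both Windows PowerShell 5.1 and PowerShell 7
write it to HISTORY_PATH for the interactive user.
"""
import re
from typing import List, Tuple

HISTORY_PATH = (r"C:\Users\<user>\AppData\Roaming\Microsoft\Windows"
                r"\PowerShell\PSReadLine\ConsoleHost_history.txt")

_QUOTED = re.compile(r"""(['"])(?P<v>.+?)\1""")
_PSCRED_USER = re.compile(r"""PSCredential\s*\(\s*(['"])(?P<v>[^'"]+)\1""", re.I)
_NET_USER_ADD = re.compile(r"\bnet\s+user\s+(?P<u>\S+)\s+(?P<p>\S+)\s+/add", re.I)
_PASSWORD_ARG = re.compile(r"""-Password\s+(['"]?)(?P<v>[^'"\s]+)\1""", re.I)


def scan_history(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, value) for every line that looks credential-bearing."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        # ConvertTo-SecureString ... -AsPlainText: the secret is the quoted string
        if "convertto-securestring" in low and "-asplaintext" in low:
            m = _QUOTED.search(line)
            if m:
                hits.append((no, "plaintext password", m.group("v")))
        m = _PSCRED_USER.search(line)
        if m:
            hits.append((no, "credential username", m.group("v")))
        m = _NET_USER_ADD.search(line)
        if m:
            hits.append((no, "local account created", f"{m.group('u')}:{m.group('p')}"))
        m = _PASSWORD_ARG.search(line)
        if m and not m.group("v").startswith("$"):   # skip variable references
            hits.append((no, "password argument", m.group("v")))
    return hits


def pair_credentials(text: str) -> List[Tuple[str, str]]:
    """Pair each plaintext secure-string password with the next PSCredential user."""
    pairs, pending = [], None
    for _, kind, value in scan_history(text):
        if kind == "plaintext password":
            pending = value
        elif kind == "credential username" and pending is not None:
            pairs.append((value, pending))
            pending = None
        elif kind == "local account created":
            user, password = value.split(":", 1)
            pairs.append((user, password))
    return pairs


# Constructed sample history; the password is a placeholder, not the box's.
SAMPLE_HISTORY = """\
whoami
Get-ADComputer -Filter * | Select-Object Name
$p = ConvertTo-SecureString 'Placeh0lder-Pa55!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\\svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -ScriptBlock { whoami }
net user helpdesk_tmp Tmp-Pass-123 /add
exit
"""

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(hit)
    print(pair_credentials(SAMPLE_HISTORY))
```

On the defensive side the same file is the artifact to collect, and PSReadLine's HistorySaveStyle can be set to SaveNothing on service accounts and jump hosts where interactive credential handling is expected.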

Next we will log in with the recovered credentials and enumerate the group memberships that our new user has.

Figure 20 — Svc_deploy Enumeration

We see that svc_deploy is a member of the LAPS_Readers group. That group has been delegated read access to the ms-Mcs-AdmPwd attribute, so with these credentials we can use crackmapexec's LDAP laps module to dump the LAPS-managed passwords from the domain.

Figure 21 — LAPS Password Extraction with Crackmapexec

The result is the LAPS-managed local Administrator password for DC01, which is the domain controller itself. We can now use evil-winrm to log in as Administrator.

Figure 22 — Administrator Login with Evil-Winrm

At this point we have done full privilege escalation up to the Administrator account and have owned the box.
