HackTheBox : Timelapse

Timelapse

Timelapse is an interesting Windows box which involves accessing an publicly accessible SMB share containing a password protected zip file that can be cracked by using John. Extracting the zip file shows it contains a password protected PFX file which can be converted to a hash format readable by John, then be cracked. From the PFX file an SSL certificate and a private key can be extracted which is used to authenticate via WinRM. After authentication we discover a Powershell command history file containing svc_deploy user’s credentials. User enumeration shows that svc_deploy is part of a group named LAPS_Readers. The LAPS_Readers group has the ability to manage passwords in LAPS, which allows any user from this group to read the local passwords for machines in the domain so by abusing this trust we retrieve the password for Administrator and compromise the entire domain.

Reconnaissance

Nmap scan

Nmap scan

DNS — TCP/53

In this section, we will try to perform a reverse DNS lookup and a DNS zone transfer :

Reverse DNS Lookup

DNS Zone Transfer

SMB — TCP/445

Here, we will enumerate the SMB server using enum4linux-ng :

Scanning open ports

SMB Dialects and domain information

RPC requests are denied

One thing I do like with enum4linux-ng is that it runs rpcclient automatically against the target so that we do not have to do RPC enumeration manually.

Based on the output above, we know that the target allows SMB null or guest session. Let’s see if we can enumerate the shares.

Many tools can be used to reach that end. In my case, I will use NetExec :

Enumerating shares using a null session

As you can notice, NetExec returned some basic interesting information such as :

• The OS and its build version( Windows Server 2019 Build 17763)
• The OS’ architecture (x64)
• The hostname (DC01)
• The domain (timelapse.htb)
• SMB signing and SMBv1 state

However, we got a denied access during the share enumeration.

Let’s do the same enumeration by using the guest username :

Enumerating shares using a guest session

As you can see, it works perfectly ! This is because null and guest session are quite different. Feel free to check out this blog post if you want to learn more about that topic.

Well, let’s mount Shares on our Kali machine using the mount.cifs command :

Mounting Shares

Note : You could download the share content instead of mounting it.

Shares’ content

Password protected ZIP file

Cracking ZIP file’s password

Extracting ZIP content

A pfx file (Personal Information Exchange) is a password protected binary file that is used to store a certificate and its corresponding private key. It derives from the PKCS 12 (Public Key Cryptography Standard #12) archive file format certificate, and it stores multiple cryptographic objects within a single file :

• X.509 public key certificates
• X.509 private keys
• X.509 CRLs
• generic data

Among the other types of certificate formats, you have .pem, .cer, .crt.

Some of these formats can be converted to a pfx and used for code signing, while others can only be used for SSL/TLS.

Code signing consists of signing executables and scripts, ensuring the authenticity and integrity of the code.

That said, let’s take a look at the cryptographic objects in the pfx file. For that, we will use openssl :

openssl x509 -in legacyy_dev_auth.pfx -text -noout

Password protected .pf

It seems that the pfx file is protected with a password. Thus, we will need to crack the password if we want to access the cryptographic objects.

Here is how to do that :

Cracking pfx protected file

PFX’s cryptographic objects

We can see information such as the issuer, the subject, the public key, the signature algorithm used and its value, etc.

Note : This certificate is a self-signed certificate. In fact, if the issuer and subject fields are similar, we can then conclude that the certificate is self-signed.

Now you might ask yourself what can be done with this certificate ?

Well, were you aware that WinRM supported certificate-based authentication ?

Yessir, I am dead serious :)

Initial Access

Here, we’re going to authenticate to the target using our certificate.

WinRM certificate-based authentication leverages digital certificates to verify users’ identities, ensuring that only authorized users can access and manage remote systems.

Nonetheless, before authenticating to the target system, we will first need to extract the private key and the signed certificate from the pfx file. As a reminder, the pfx file stores both the signed certificate and its corresponding private key.

1/ Extract the private key

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key

Extracting the private key from pfx file

private key content

You will be prompted to enter the password for the pfx file and create a password of your choice for the private.key file.

2/ Extract the certificate

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.cer

Extracting the signed certificate from pfx file

certificate content

Now that we have the private key and the signed certificate, we can try to authenticate to the target using evil-winrm using the following options :

WinRM authentication succeeded

Here is a break of options used above :

• -S : enables ssl
• -k : specifies the private key
• -c : specifies the public key which is the self-signed certificate
• -i : specifies the remote host IP or hostname

Furthermore, you might notice that we were prompted to enter the private. key’s passphrase that we defined when extracting the private key from the pfx file. This can be tiresome especially if we regularly authenticate to the remote host. To get rid of this passphrase, we can use the following command :

openssl rsa -in private.key -out private_nopass.key

Removing the passphrase from the private key

Once done, let’s authenticate again using the private_nopass.key :

WinRM authentication with unprotected private key

As you can see, this time we are not prompted to enter the private key’s passphrase.

From here, you can retrieve the user flag located in the Desktop folder.

User flag

Well, let’s perform now some internal reconnaissance.

Internal Reconnaissance

Let’s first collect the domain information with sharphound, then visualize the different attack paths using bloodhound.

Python web server

Uploading SharpHound on the target host

Collecting domain data with SharpHound

Downloading the collected data on our machine

Find all Domain Admins

Shortest Paths to Domain Admins from Owned Principals

Unlikely, I found no exploitable attack path while using bloodhound. Hence, I decided to upload winpeas on the target system to see if I could enumerate other interesting information.

Downloading winpeas on the target host

Winpeas execution blocked

Unfortunately, Windows Defender Antivirus is preventing winpeas from running though I used the latest obfuscated version. I also tried to run the powershell version of winpeas in memory but it didn’t work properly. The lesson to learn here is that: though tools such as winpeas can be useful at times, it is always a great idea to not only rely on them and learn how to do some manual enumeration.

Back to old school

Here, we are going to enumerate legacyy’s privileges, the system information as well as the other domain users’ information.

Privileges enumeration

System information enumeration failed

Users enumeration

Administrator’s account information

TRX’s account information

svc_deploy’s account information

We can notice that svc_deploy is part of the LAPS_Readers group. Members of this group can read the local administrator’s password.

LAPS (Local Administrator Password Solution) is a windows feature that automatically manages and backs up the password of a local administrator account. One of the main benefits of using LAPS is that it protects against pass-the-hash and lateral movement attacks. Indeed, it sets a unique and strong password for each local administrator account in the domain.

That said, let’s check who else is part of the LAPS_Readers group :

LAPS_Readers group information

svc_deploy is the only member of this group. Let’s verify if there is an existing path between our compromised user (legacyy) and svc_deploy.

PathFinding : legacyy → svc_deploy

To exploit this path, we first need the DC01 machine’s password to DCSync with the domain control which is not feasible in our scenario.

Let’s check now if there is an exploitable existing path between svc_deploy and Domain Admins group.

PathFinding : svc_deploy → Domain Admins

Same situation as the previous graph.

Nonetheless, let’s keep on with our enumeration by taking a look at the command history. To find the history save path, we will use the Get-PSReadLineOption cmdlet :

History file not found

After googling, I found that there was another history file located at $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. Let’s take a look at it :

History file content

Awesome ! We found out a plaintext password and it seems to be svc_deploy’s password. We can verify that using netexec :

Password spraying

Well, we got a successful authentication as svc_deploy user. Furthermore, we can quickly check if we can authenticate using other protocols :

Checking authentication on other protocols

Authenticating to svc_deploy account

Now that we are authenticated as svc_deploy, we can read the local administrator’s password see that we are part of the LAPS_Readers group.

For that, we can use the following cmdlet :

Get-ADComputer -Identity '<active-directory-computer-name>' -property 'ms-mcs-admpwd'

Retrieving local administrator’s password

We could also get the password from our Linux machine by using LAPSDumper :

Installation

Dumping LAPS

Great ! Normally, we should be able to authenticate as the administrator using the password above. Let’s check that :

Password spraying

We got a successful authentication for the Administrator account.

Let’s use psexec and the administrator’s credentials to log into the target machine :

Psexec authentication failed

As you can see, we didn’t get a shell. This is probably because the antivirus is blocking our payload. In such a scenario, you can try different authentication methods such as smbexec, wmiexec or evil-winrm.

Authenticating as Administrator using evil-winrm

Root flag

Findings and Recommendations

1/ To get our initial access, we authenticated as a guest user to the SMB server and found out we had read permission over the Shares share. We then mounted the unprotected share on our local machine and successfully cracked the passwords of a zip and pfx files. After cracking the pfx file’s password, we extracted the SSL certificate and its corresponding private key that we then used to authenticate via WinRM. To fix that, we recommend to disable guest authentication and use a strong password policy.

2/ To compromise the domain controller, we first retrieved svc_deploy’s plaintext password which was insecurely stored in the local history file, then we authenticated to his account and read the local administrator’s password. After that, we authenticated as the administrator and got full control of the domain. To fix that, we recommend to avoid using plaintext passwords in command line as they can be read by anyone with an access to the command history file.

Wrapping Up

That’s it guys. Congrats on having made it so far 👏.

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.

Resources

https://www.advancedinstaller.com/what-is-pfx-certificate.html
https://medium.com/r3d-buck3t/certificate-based-authentication-over-winrm-13197265c790
https://stackoverflow.com/questions/2292495/what-is-the-difference-between-a-cer-pvk-and-pfx-file
https://sensepost.com/blog/2024/guest-vs-null-session-on-windows/
https://github.com/Flangvik/SharpCollection
https://exploit-notes.hdks.org/exploit/windows/privilege-escalation/
https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
https://exploit-notes.hdks.org/exploit/windows/active-directory/laps-pentesting/
https://github.com/n00py/LAPSDumper

Contact

GitHub : https://github.com/0liverFlow