Tuesday, November 15, 2022

Timelapse HackTheBox Walkthrough – Hacking Articles


Abstract

Timelapse is an HTB Active Directory machine. It is a straightforward machine, but because the concept behind the initial compromise is unusual, I believe it should be classified as Intermediate. By solving this lab I learned how an attacker can steal a CA certificate to perform lateral movement.

Table of Contents

Initial Access

  • Nmap
  • SMB-client
  • Openssl
  • Winrm

Privilege Escalation

  • WinPeas
  • Credential Dumping
  • Abusing LAPS

Initial Access

Let’s dive into the box.

nmap -p- -sV 10.129.227.105

From the nmap scan we can see that this is a Windows Server, more precisely a domain controller, since the DNS, LDAP, Kerberos and SMB ports are open. The WinRM (Windows Remote Management) port 5986 is also present.

SMBClient

smbclient -L 10.129.227.105

Let’s use smbclient to find out whether any shares are available for anonymous login. Indeed, there is a share named “Shares”.

Now we connect to that share with smbclient and browse the directory to find other subfolders. The winrm_backup.zip file is password-protected, so we need to crack it.

In our scenario we used fcrackzip to crack winrm_backup.zip with the rockyou.txt wordlist.

fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt

Once we have cracked the password, we can use it to unzip the file. Once extracted, we find a .pfx file called legacyy_dev_auth.pfx. PFX (PKCS#12) files are digital certificate containers that hold both the SSL certificate and its private key.

unzip winrm_backup.zip
pfx2john legacyy_dev_auth.pfx >pfxhash

Openssl

Now we convert the pfx file into a hash and crack that hash with John to get at the private key and the PEM key. As you can see, the password is thuglegacy.

We open the certificate with openssl and, as we can see, it is a Microsoft Software Key Storage Provider certificate. We can extract the certificate and the private key.

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificates.pem

Once the private key is available, we can use it to log into the box.

We will use evil-winrm to log in with both the PEM certificate and the PEM private key. Instead of a password, we can log in with the keys as well.

evil-winrm -i 10.129.227.105 -c certificates.pem -k priv-key.pem -S -r timelapse

Privilege Escalation

Now we have a shell on the box. There seems to be nothing in the Documents library, so let’s browse the Desktop to see if we can find any flags. Indeed, there is a user.txt flag on the desktop.

Now we will use updog to upload winPEASx64.exe to the server.

Let’s download updog. An alternative is Python’s SimpleHTTPServer, but in our scenario we are using updog.

WinPeas.exe

Once installed, let’s run updog on port 80. As shown below, updog is now listening on port 80.

Then, on the server, we download winPEASx64.exe with the wget command. Once the download is complete, let’s execute winPEASx64.exe.

Let’s read the ConsoleHost_History.txt file and see what information we can extract from it.

Credential Dumping - LAPS

As we can see from the file, the username is svc_deploy and the password has been assigned to the variable p. Now let’s verify which group the user svc_deploy is a member of. It is a member of the LAPS_Readers group. LAPS stands for Local Administrator Password Solution. It randomises the local administrator password on every machine so that a pass-the-hash attack cannot be carried across machines. However, it stores the password in Active Directory itself, and only members of LAPS_Readers can read it.

Let’s check all users available on the box with the command net users. We found a user account named svc_deploy. Let’s check which group it is placed in. It is in the LAPS_Readers group.

Now we can try to connect with evil-winrm using the username and password from the ConsoleHost_History.txt file. The local administrator password is stored in the ‘ms-Mcs-AdmPwd’ attribute.
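The credential above was found because PowerShell keeps every interactive command in ConsoleHost_History.txt. As an added example (not part of the original walkthrough), this Python script scans that history for plaintext secrets so an administrator can catch such leaks before an attacker does; the sample history and its values are constructed placeholders, not the box’s real file.

```python
r"""Audit PSReadLine history (ConsoleHost_History.txt) for plaintext credentials.

PowerShell writes every interactive command to
%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_History.txt,
so a secret typed once stays readable to anyone who can read the profile."""
import re

# Constructed sample in the shape of the history described above; the
# values are placeholders, not the box's real credentials.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Password123-constructed' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backupsvc 'Summer2022-constructed' /add
get-aduser -filter * -properties DisplayName
"""

# Each pattern captures the literal secret in group 1.
PATTERNS = [
    ("ConvertTo-SecureString with a plaintext literal",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"].*-AsPlainText", re.I)),
    ("-Password / -p followed by a quoted literal",
     re.compile(r"-p(?:assword)?\s+['\"]([^'\"]+)['\"]", re.I)),
    ("net user <name> <password>",
     re.compile(r"\bnet\s+user\s+\S+\s+['\"]?([^'\"\s/]+)", re.I)),
]


def redact(secret: str) -> str:
    """Keep two characters so the finding is recognisable, mask the rest."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_history(text: str) -> list:
    """One finding per history line with a plaintext secret; only the redacted value is kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "reason": reason,
                                 "secret": redact(match.group(1))})
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"line {finding['line']}: {finding['reason']} -> {finding['secret']}")
```

Run it against each user's history file on a host to list the lines that should be purged and the credentials that should be rotated.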

evil-winrm -i 10.129.227.105 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
Get-ADComputer DC01 -property 'ms-mcs-admpwd'
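The Get-ADComputer read above is exactly what LAPS auditing records: once auditing is enabled on ms-Mcs-AdmPwd, every read of the attribute produces Security event 4662 whose Properties field carries the attribute’s schemaIDGUID. As an added example (not from the original walkthrough), this Python detection flags reads by accounts outside an expected-reader list and mass reads by a single account; the 4662 records are constructed, flattened to key=value form, and the GUID is a placeholder since the real value is generated per forest.

```python
"""Flag reads of the LAPS attribute ms-Mcs-AdmPwd that fall outside the expected pattern.
Each audited read of the attribute is logged as Security event 4662 (AccessMask 0x10)."""
import re

# Placeholder: ms-Mcs-AdmPwd's schemaIDGUID is generated when the LAPS schema
# extension is installed, so it differs per forest; substitute your own.
ADMPWD_GUID = "{00000000-0000-0000-0000-000000000000}"
EXPECTED_READERS = {"TIMELAPSE\\svc_deploy"}  # LAPS_Readers members known to need the password
MASS_READ_THRESHOLD = 3  # distinct computers one account may read before we alert

# Constructed 4662 records flattened to key=value form (as a SIEM forwarder might emit them).
SAMPLE_EVENTS = """\
4662 SubjectDomainName=TIMELAPSE SubjectUserName=svc_deploy ObjectName="CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb" Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10
4662 SubjectDomainName=TIMELAPSE SubjectUserName=svc_deploy ObjectName="CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb" Properties={11111111-1111-1111-1111-111111111111} AccessMask=0x10
4662 SubjectDomainName=TIMELAPSE SubjectUserName=legacyy ObjectName="CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb" Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10
4662 SubjectDomainName=TIMELAPSE SubjectUserName=svc_deploy ObjectName="CN=WS01,OU=Workstations,DC=timelapse,DC=htb" Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10
4662 SubjectDomainName=TIMELAPSE SubjectUserName=svc_deploy ObjectName="CN=WS02,OU=Workstations,DC=timelapse,DC=htb" Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10
"""


def parse_event(line: str) -> dict:
    """Split one flattened record into fields; quoted values may contain spaces."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}


def admpwd_reads(text: str) -> list:
    """(account, computer) for every read (AccessMask 0x10) of ms-Mcs-AdmPwd."""
    reads = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("Properties") != ADMPWD_GUID or ev.get("AccessMask") != "0x10":
            continue  # a different attribute, or not a read
        account = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        computer = ev["ObjectName"].split(",")[0][3:]  # "CN=DC01,..." -> "DC01"
        reads.append((account, computer))
    return reads


def analyse(text: str) -> list:
    """Alerts for reads by unexpected accounts and for mass reads by expected ones."""
    alerts, per_account = [], {}
    for account, computer in admpwd_reads(text):
        if account not in EXPECTED_READERS:
            alerts.append(f"unexpected reader {account} read the LAPS password of {computer}")
        per_account.setdefault(account, set()).add(computer)
    for account, computers in per_account.items():
        if len(computers) >= MASS_READ_THRESHOLD:
            alerts.append(f"{account} read LAPS passwords of {len(computers)} computers: "
                          + ", ".join(sorted(computers)))
    return alerts
```

A compromised LAPS_Readers member still looks legitimate on a single read, which is why the mass-read threshold matters alongside the allow list.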

Once we have the administrator password, we can use evil-winrm to connect to the box.

evil-winrm -i 10.129.227.105 -u administrator -p 'gU}0649&H)l8VrkJB1n95q0A' -S

And we are logged on. We can now browse to the Desktop directory to see if we can grab any flags. There you go: we can see root.txt.

Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. He can be contacted on LinkedIn.
