To solve this machine, we begin by enumerating open ports using nmap, finding ports 54476 open. From SMB, we find a password-protected WinRM backup archive. After extracting the contents of the archive, we get an encrypted PKCS#12 file. After extracting the public and private keys, we are able to get a shell on the machine as legacyy and read user.txt. From enumeration, we are able to find credentials for the svc_deploy user. After we get a shell on the machine as svc_deploy, we are able to use a group we are a part of to get Administrator's password. Getting a shell as Administrator, we are able to read
Like all machines, we begin by enumerating open ports using nmap. From our scans, we find ports
```
$ sudo nmap -v -p- --min-rate 3000 $RHOST
[...]
$ sudo nmap -v -sV -A -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49698,54476 -oA enum/nmap/tcp-scripts 10.129.119.174
# Nmap 7.92 scan initiated Mon Mar 28 10:40:46 2022 as: nmap -v -sV -A -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49698,54476 -oA enum/nmap/tcp-scripts 10.129.119.174
Nmap scan report for 10.129.119.174
Host is up (0.051s latency).

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2022-03-28 23:40:51Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2022-03-28T23:42:25+00:00; +7h59m58s from scanner time.
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_http-title: Not Found
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49698/tcp open  msrpc             Microsoft Windows RPC
54476/tcp open  msrpc             Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-03-28T23:41:45
|_  start_date: N/A
|_clock-skew: mean: 7h59m57s, deviation: 0s, median: 7h59m57s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   48.95 ms 10.10.14.1
2   49.19 ms 10.129.119.174

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 28 10:42:28 2022 -- 1 IP address (1 host up) scanned in 101.78 seconds
```
Since SMB is exposed on the machine, we begin enumerating it using tools like smbclient. From our enumeration, we determine anonymous access is disabled, whereas “guest” is allowed to read from the “Shares” share.
Listing out the files and directories the “Shares” share contains, we see there are several files on the share.
To quickly extract the files from the server, we use the
Next, since RPC (port 135) is also exposed on the server, we connect to it anonymously and attempt to use it to gather additional information; however, nearly every query is denied, so there is not much useful information we can get.
```
$ rpcclient -U "" -N $RHOST
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydominfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 		0:36 (0x0:0x24)
rpcclient $> getdompwinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaenumsid
result was NT_STATUS_ACCESS_DENIED
rpcclient $> createus khaotic
command not found: createus
rpcclient $> createdomuser khaotic
result was NT_STATUS_ACCESS_DENIED
rpcclient $> create
createdomalias   createdomgroup   createdomuser    createprinteric  createsecret     createtrustdom
rpcclient $> lookupname
lookupnames        lookupnames4       lookupnames_level
rpcclient $> lookupnames administrator
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumalsgroups builtin
result was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareem
netshareadd          netsharedel          netshareenum         netshareenumall      netsharegetinfo      netsharesetdfsflags  netsharesetinfo
rpcclient $> netshareen
netshareenum     netshareenumall
rpcclient $> netshareenu
netshareenum     netshareenumall
rpcclient $> netshareenum
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenumall
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> netsharegetinfo Shares
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispi
querydispinfo   querydispinfo2  querydispinfo3
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> exit
```
Lastly, since LDAP is also available, we attempt to query information from it. Unfortunately, it appears that unauthenticated access is not allowed.
Since we found a backup archive in our enumeration, we attempt to extract it; however, we are prompted for a password. To recover the password, we use the zip2john utility to get a hash that we can crack using
Once we have the hash, we can use john to crack it and get the password of the zip archive.
Using the password, we extract the contents of winrm_backup.zip, and get a file named
Since “.pfx” is an unusual file extension, we do some research and learn that it is a PKCS#12 formatted file that contains public and private keys. From the article, we learn we will need the password used to protect the file. Fortunately, there is a pfx2john utility that gives us a crackable hash, just as zip2john did for the archive. After cracking the hash, we have the password used to protect the file.
With the password now known, we follow the rest of the guide to extract the private and public keys. We then convert the private key into PEM format.
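As an added illustration (not the author's commands), the following Python, using the `cryptography` library, builds a constructed password-protected PKCS#12 bundle and then performs the step described above: it unlocks the bundle and splits it into a PEM private key and a PEM certificate. The subject name and password are placeholders; the wrong-password path shows that the bundle's integrity check fails outright, so the only thing protecting the private key at rest is the strength of that one password.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def build_sample_pfx(password: bytes) -> bytes:
    """Constructed stand-in for a .pfx: fresh RSA key + self-signed cert (placeholder CN)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample_dev_auth")])
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    # Key and certificate are bundled under a single password-derived key.
    return pkcs12.serialize_key_and_certificates(
        b"sample_dev_auth", key, cert, None,
        serialization.BestAvailableEncryption(password),
    )


def pfx_to_pem(pfx: bytes, password: bytes) -> tuple[bytes, bytes]:
    """Split a PKCS#12 bundle into (private_key_pem, certificate_pem); ValueError on a bad password."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx, password)
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,  # "BEGIN RSA PRIVATE KEY"
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def unlock_result(pfx: bytes, password: bytes) -> str:
    """'ok' if the password opens the bundle, otherwise 'wrong-password'."""
    try:
        pfx_to_pem(pfx, password)
        return "ok"
    except ValueError:
        return "wrong-password"
```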
As the archive was named winrm_backup, we assume the keys are to be used to connect to the machine via WinRM. As the “.pfx” file was named legacyy_dev_auth, we assume the user to authenticate as is named legacyy. With this information, we should be able to use evil-winrm to get a session on the machine. For this, we use port 5986, as it is the SSL port for WinRM. We get a shell on the machine as legacyy, and can now read
Since we have a shell on the machine as legacyy, we begin enumerating the machine to find a path for privilege escalation. To begin, we upload WinPEAS to the machine and execute it. From the results, we find that legacyy's PowerShell history is available.
Looking at the contents of the file, we find a set of credentials for the
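Added example, not part of the original write-up: a small audit script that scans a PSReadLine history file (ConsoleHost_history.txt) for the kind of credential material found here, so an administrator can find such leaks before an attacker does. The sample history, account names and secret are constructed placeholders; the shape (plaintext SecureString, PSCredential, Invoke-Command over WinRM) is the typical one, not the machine's actual history.

```python
import re

# Constructed sample of a PSReadLine history file (ConsoleHost_history.txt).
# Account names and the secret are placeholders, not values from the machine;
# the shape (plaintext SecureString -> PSCredential -> Invoke-Command over
# WinRM) is the typical one such a leak takes.
SAMPLE_HISTORY = """\
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'REPLACE_ME_Secret123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('domain\\svc_account', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Get-ChildItem C:\\Users
"""

# (rule name, pattern). Named groups let the report redact the secret.
RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I)),
    ("pscredential-from-literal",
     re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    ("cert-validation-disabled",
     re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]


def scan_history(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, detail) for each line that matches a rule.
    The secret's value is never echoed; only its length is reported."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            g = m.groupdict()
            if g.get("secret"):
                detail = f"secret redacted ({len(g['secret'])} chars)"
            elif g.get("user"):
                detail = f"user={g['user']}"
            else:
                detail = m.group(0)
            findings.append((no, name, detail))
    return findings


if __name__ == "__main__":
    for no, name, detail in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {name}: {detail}")
```

Run against a real profile's history file the same way; a hit on `plaintext-securestring` means the secret must be rotated, not just the history cleared.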
Using the same method as in the history, we verify that the credentials are valid by running the whoami command. With this, we are told we executed the command as
Using the same method, we get a reverse shell on the machine.
Looking at the user's group information, we see the user is a part of a domain group named “LAPS_Readers”. This suggests svc_deploy is able to read the administrator's password, which is managed by LAPS.
Using PowerShell, we are able to exploit this privilege to extract the Administrator's password. With the password, we are able to use evil-winrm to get a shell on the machine as Administrator, and read
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!