Timelapse is a Windows machine running Active Directory with an open SMB share that contains a password-protected ZIP archive. The password can be cracked, revealing another password-protected file—this time a PFX, which can also be cracked. With access to the PFX, the certificate and private key can be extracted and used to make a connection via WinRM. After enumerating the system, credentials for another user can be found within ConsoleHost_history.txt
and then used to move laterally. This user is a member of the LAPS_Readers group which allows access to local admin passwords on the machine, resulting in a shell as Administrator
.
nmap
scan:
Notable open ports:
- 53 (DNS)
- 88 (Kerberos)
- 139, 445 (SMB)
- 464 (kpasswd)
- 389 (LDAP)
- 636 (LDAPS)
- 5986 (WinRM over SSL)
Active Directory:
- domain: timelapse.htb
- hostname: DC01
SMB allowed anonymous logon, so I listed the shares with crackmapexec
:
With read access on Shares
, I used smbclient
to view the share:
I downloaded both folders. HelpDesk
contained some documentation and an installer file for setting up LAPS, there wasn't any useful sensitive data, but it was an indication that LAPS was being used on the system. Dev
contained winrm_backup.zip
which required a password to access:
I used zip2john
to process the ZIP into a hash that JtR
could work with:
JtR
cracked the password:
I was then able to unzip the archive which contained legacyy_dev_auth.pfx
:
A PFX (Personal Information Exchange) file is used to store a variety of cryptographic data (e.g., private keys, public key certificates, etc.) and since legacyy_dev_auth.pfx
was located in a ZIP called winrm_backup.zip
, it could be assumed that the PFX was storing an SSL private key and certificate that could be used to login to the machine given that WinRM supports authentication using a PFX.
In order to use the PFX to authenticate, the private key and certificate must be extracted into PEM format which required a password:
I used pfx2john
to convert the PFX into a compatible hash for JtR
:
JtR
cracked the password:
Now that I had the password for the PFX , I was able to use openssl
to extract the private key and certificate into PEM format:
evil-winrm
made a connection using the certificate (legacyy_cert.pem
) and private key (legacyy_private_key.pem
) as the user legacyy
:
As part of the enumeration process, first I checked group membership for legacyy
as well as the user's privileges, but there wasn't anything too useful:
The C:\Users
directory showed a few additional users on the system: Administrator
, svc_deploy
, and TRX
:
Administrator
and TRX
were both members of Domain Admins:
Next, I checked ConsoleHost_history.txt
which is located in $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\
to see if it had anything interesting. ConsoleHost_history.txt
in PowerShell is similar to .bash_history
in Linux in that it's used to record command-line history on the machine. In this case, it contained credentials for svc_deploy
:
I used the credentials to get a shell as svc_deploy
:
Checking group membership for svc_deploy
showed that the user was a member of LAPS_Readers
:
LAPS (Local Administrator Password Solution) is used to manage local administrator passwords in an Active Directory environment. The main purpose of LAPS is to improve the security of local administrator passwords by generating a unique and complex password for the local administrator account on each computer at a configured frequency.
Members of the LAPS_Readers
group have the ability to read the password of the local administrator which is stored in the ms-mcs-admpwd
property:
Shell as Administrator
: