Timelapse is a Windows Active Directory machine. I have very little experience with Windows and AD, so this was a great learning experience for me. I learned about Evil-WinRM, Crackmapexec, and LAPS. In this box, we start with enumeration to gain access to an SMB share that gives us a password protected winrm backup zip file. After some cracking (and more cracking), we get access to a pfx file. From there, the file is broken into a public and private certificate, which we use to get access to the machine. Then, we upload and run WinPEAS, which shows us some PowerShell history. From there, we gain more credentials and learn that this account can view the LAPS password, which we use to elevate to Administrator privileges.
Initial Enumeration
We start off with nmap to begin our enumeration of the box.
nmap -sC -sV -oA nmap/timelapse 10.10.11.152

Our nmap scan gives us a lot of ports! Since SMB is pretty easy to enumerate, I decided to start with that.
smbclient -L 10.10.11.152
This showed me that there was a share called “Shares”, which I was able to access with:
smbclient //10.10.11.152/Shares

These files gave me major clues. First, I didn’t see any WinRM ports in my initial scan. According to HackTricks here, WinRM listens on port 5985 (HTTP) or 5986 (HTTPS), so I decided to run an all-ports scan. Secondly, LAPS, or Local Administrator Password Solution, is also on this box, and since it is in the name of our challenge (timeLAPSe), this is probably important for us at some point.

I tried to unzip the winrm_backup.zip file, but it was password protected. Luckily, John the Ripper can help us out here: zip2john turns the archive into a hash we can crack.
zip2john winrm_backup.zip > zip.txt
From there, we can crack the hash.
john --wordlist=/usr/share/wordlists/rockyou.txt zip.txt
Then we can view the password with john zip.txt --show, giving us a password of ‘supremelegacy’.

At this point, I got a little bit stuck and used the HackTheBox forums for a little nudge. A PFX file holds public and private certificates that can be used to log in with WinRM. A little bit of googling and I find this website, which gives me the commands to extract the certificates.


We go back to john and can use pfx2john to try and crack the hash, just like with the zip file.
pfx2john legacyy_dev_auth.pfx > pfx.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pfx.txt
john pfx.txt --show

With our new password, I can now extract the certificates.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
to get the private key, and
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem
to get the certificate.
I moved those new files into a new directory called “keys” to clean up where I was working.
Using Evil-WinRM to Gain Remote Access and the User Flag
From here, I knew about Evil-WinRM, but had never used or installed it before. There also weren’t a lot of examples of how to use the certificates, so there was some trial and error (other websites showed me how to extract different kinds of keys from the PFX file, which I also tried. For the sake of clarity, I didn’t include all of that, but needless to say, it took some attempts to get the correct certificates).
I went to the Evil-WinRM GitHub page to learn about the tool and to install it (I used gem install evil-winrm to install the tool).
Again, it took me a lot of trial and error to get the correct syntax with the right certificates.
evil-winrm -i 10.10.11.152 -S -c cert.pem -k key.pem
Since WinRM is running on port 5986, you have to use the -S flag to enable SSL. Otherwise, it will fail every time. The -c flag takes the public certificate and the -k flag takes the private key. Looking at the contents of the pem files made it obvious which one was which. I also learned that you can put in whatever username and password you want, whether they are real or not, and you will still get access with the certificates.

Now that I have access to the box, I was able to get the user flag!

Now, I want to upload winPEAS so that I can see what is happening on this machine and try to escalate my privileges. I use the command [intptr]::Size to determine that it is an x64 machine. Evil-WinRM has an upload and download feature built in that allows us to transfer files. So, I give that a try with upload winPEAS.bat.

I run the file with ./winPEAS.bat and see what we have. Note: I also uploaded the x64.exe version and tried to run it as well. The machine’s antivirus would not run that .exe file, but ran the .bat file just fine.
I go through the output and find this little bit stating that there is a file with PowerShell history.

I navigate to that file and take a look.

This is really interesting. We get a new username of svc_deploy and its password of “E3R$Q62^12p7PLlC%KWaxuaV”. I also decided to run that last command and take a look at our new user.
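The history file is the interesting part from a defender's side too: PowerShell saves every command typed in a console to ConsoleHost_history.txt, so a credential built inline with ConvertTo-SecureString ends up on disk in plaintext. As an added example (not from the original writeup), here is a small scanner that flags such lines in a history file; the sample history is constructed, and EXAMPLE_PASSWORD is a placeholder.

```python
"""Scan PowerShell console history for lines that embed plaintext credentials.

Added example, not part of the original writeup. The path below is the usual
PSReadLine history location on Windows; the sample lines are constructed.
"""
import re
from typing import List, Tuple

# Usual location, assumed here: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
HISTORY_FILE = r"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Patterns that commonly indicate a secret typed directly on the command line.
CREDENTIAL_PATTERNS = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"].*-AsPlainText", re.I)),
    ("pscredential-literal",
     re.compile(r"New-Object\s+System\.Management\.Automation\.PSCredential", re.I)),
    ("password-parameter", re.compile(r"-Password\s+['\"]?[^\s'\"]+", re.I)),
]


def scan_history(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, line) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                hits.append((number, name, line.rstrip()))
                break  # one finding per line is enough
    return hits


def redact(line: str) -> str:
    """Mask quoted values so a finding can be logged without copying the secret."""
    return re.sub(r"(['\"])[^'\"]+\1", r"\1***\1", line)


# Constructed sample history; the password is a placeholder, not a real value.
SAMPLE_HISTORY = [
    "whoami",
    "ipconfig /all",
    "$p = ConvertTo-SecureString 'EXAMPLE_PASSWORD' -AsPlainText -Force",
    "$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)",
    "invoke-command -computername localhost -credential $c -scriptblock {whoami}",
    "get-aduser -filter * -properties *",
]

if __name__ == "__main__":
    for number, name, line in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {name}: {redact(line)}")
```

Running the same scanner over a real history file (read it with open(...).read().splitlines()) is a quick way to audit a host for this class of leak after an incident.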

Escalation to Administrator
We discover that our svc_deploy user can read the LAPS password. I struggled a lot with finding the right commands to read this password. After a lot of research, I learned that I can use my new credentials with crackmapexec to get the password, thanks to this article here.
I run the command crackmapexec ldap -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps 10.10.11.152 and get the following output.

With our new password, we can log into the Administrator account using Evil-WinRM.
evil-winrm -i 10.10.11.152 -u Administrator -p 'zV6yq7c]5D,O[d-3F8ZgiWPy' -S

We successfully get Administrator-level access! We have to search a little bit for our flag and find it on the Desktop of the TRX user. Congratulations on pwning Timelapse!