Pacome Kemkeu Djoumessi
Timelapse
LAPS
AD
The investigations I conducted through this challenge led me to separate their results into three main chapters:
I began by scanning all of the machine's ports, looking for the services running on it.
I then increased the level of detail to find the versions of everything running, using the flags -sV -sC. -sC adds the default scripts from the Nmap Scripting Engine to the scan.
Based on the results of the extended scan, we concluded that:
I decided to start by enumerating Kerberos, using kerbrute and a custom wordlist of usernames.
I got the following results:
Then, using this list of usernames, I conducted a brute-force attack on the enumerated valid Active Directory accounts, which proved unsuccessful after a few attempts. 😩
I then decided to move on to another service.
SMB enumeration
I tried enum4linux. I did not get much information, but at least I found that I could log in anonymously.
So, using smbmap, I logged in with a null user and null password to enumerate the SMB shares.
Among them I found the share Shares with READ ONLY access. Read-only shares are generally set up to share resources on the domain with guest users, so I recursively downloaded all of its contents to my host using smbclient.
Thanks to Hermann
Exploiting Helpdesk directory
The HelpDesk folder contains the LAPS software and a few documents about it.
LAPS (Local Administrator Password Solution) is a software that provides a simple way to manage local administrator passwords on domain-joined Windows servers and endpoints, ensuring that each password is unique and is changed regularly. I did not find anything useful in this directory.
So I turned back to the zip file in the Dev folder.
I first tried to unzip it, but it asked for a password that I had no idea about.
Using fcrackzip and rockyou.txt as the wordlist, I cracked the file and got the password as follows:
I then unzipped the file with the password and found a PFX file.
A PFX file is a certificate bundle in PKCS#12 format: it contains the certificate, the intermediate authority certificate needed to establish the trustworthiness of the certificate, and the private key of the certificate. Think of it as an archive that stores everything you need to deploy a certificate (source: sslmarket).
PFX files are used to protect users, computers and networks: the certificate and key let a system authenticate whoever is accessing system and network resources, keeping out malicious people, third parties accessing without consent, and malicious applications that try to reach protected resources and data.
A PFX file is always password protected because it contains a private key.
At this point, I did not really know what to do with the file. So I went back to the Official Discussion to find some hints and, while scrolling, found the following:
Well! Interesting…
So the first thing to do was to split the PFX file.
I searched for "split a pfx file" on Google and got the following as the first result:
So in order to use the PFX file, I needed to extract its private key and certificate.
I first tried to extract those with the previously found password, but it did not work 🥲
Well, I had to crack its password too 😐
I installed Crackpkcs12 and used its dictionary attack mode with rockyou.txt as the dictionary to crack the PFX file.
I obtained the following after a couple of minutes.
The password was thuglegacy.
I went back to retrieving its private key and got the following:
To complete it I also needed the certificate, so I extracted it the same way as the private key.
I also decrypted the private key as follows:
With this completed, the next step was to use the backup name and find out how to exploit its service.
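The PFX split described above (private key out, certificate out, then the key decrypted), reproduced as an added example on a throwaway PKCS#12 file generated locally; these are not the author's own commands, the file names and password are constructed, and it assumes openssl is installed. It also adds the check a practitioner should do afterwards: that the extracted key and certificate actually belong together.

```shell
#!/bin/sh
# Added example, not from the write-up: build a throwaway PFX, split it the way
# the write-up does, then confirm the key and certificate match.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-pfx-password'   # stands in for the recovered PFX password

# Constructed input: a self-signed certificate and key bundled as a PFX.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed.example' \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
        -out "$WORK/legacy.pfx" -passout "pass:$PFX_PASS"
}

# Split a PFX into its pieces: encrypted key, client certificate, decrypted key.
split_pfx() {
    pfx=$1; pass=$2; outdir=$3
    # Private key only (-nocerts); it is written wrapped with its own passphrase.
    openssl pkcs12 -in "$pfx" -nocerts -out "$outdir/enc.key" \
        -passin "pass:$pass" -passout "pass:$pass"
    # Client certificate only (-clcerts -nokeys).
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$outdir/cert.pem" \
        -passin "pass:$pass"
    # Strip the passphrase so a client can load the key directly.
    openssl rsa -in "$outdir/enc.key" -out "$outdir/dec.key" \
        -passin "pass:$pass" 2>/dev/null
}

# Returns 0 when the key and certificate carry the same public key,
# i.e. the two extracted pieces really belong to one identity.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

make_test_pfx
split_pfx "$WORK/legacy.pfx" "$PFX_PASS" "$WORK"
key_matches_cert "$WORK/dec.key" "$WORK/cert.pem" && echo "key and certificate match"
```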
As a reminder, the backup name was winrm_backup.zip.
WinRM, Windows Remote Management, is based on HTTP and is Microsoft's implementation of the SOAP-based WS-Management standard. This means it is no longer an RPC protocol and can therefore pass through firewalls more easily.
As for ports, it runs over HTTPS on port 5986 on the current target machine.
Most search results for how to exploit WinRM referred to using Evil-WinRM.
Evil-WinRM can be used against any Windows server running the WinRM service, though of course only if you have the credentials and permissions to use it.
It has many features, such as:
So I installed evil-winrm.
Using it with the artifacts I had already collected (private key and certificate), I gained access to the system and found the user flag.
-S: use SSL for the connection
-k: private key
-c: public key (certificate)
All that remained was to get administrator privileges.
Well, this was not an easy one. I tried a ton of things before I found this conversation in the chat and started googling WinPEAS.
The goal of WinPEAS is to search for possible privilege escalation paths in the Windows environment.
In order to gain Administrator privileges I proceeded as follows:
Downloaded winpeas
Uploaded and ran winpeas
After running it there was so much information that I still did not know what to do.
At least I could find all the user accounts and their privileges.
So back in the chat reading the comments, I got the following:
Looking especially for history, I found the file that stores the history of commands recently run in the PowerShell console, ConsoleHost_history.txt. This file is basically the equivalent of .bash_history on Linux.
I downloaded it to my local machine for further investigation.
When checking the contents of the file, I found that it stored a username, svc_deploy, and a password, E3R$Q62^12p7PLlC%KWaxuaV, that were set as parameters for a potential connection.
The other commands use a System.Management.Automation.PSCredential object, which initializes a new instance of the PSCredential class with the username and password and uses it to connect to a remote machine.
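What made svc_deploy recoverable here was a secret typed into the console and kept by the history file. The following added example (not from the write-up) scans a ConsoleHost_history.txt for that pattern from a defender's side: lines that hand PowerShell a secret in clear text, and the account names passed to PSCredential, reported without echoing the secret itself. The history content and the account name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the write-up: find clear-text credentials left in a
# PowerShell history file. The history below is constructed, not captured.
set -e

HISTORY=$(mktemp)
trap 'rm -f "$HISTORY"' EXIT
cat > "$HISTORY" <<'EOF'
Get-ChildItem C:\Users\
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'ExamplePassw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Get-Date
EOF

# Lines that embed a secret as typed: ConvertTo-SecureString ... -AsPlainText,
# or a -Password argument given as a quoted literal rather than a variable.
# Case-insensitive because PowerShell is; "|| true" keeps set -e quiet on no match.
find_plaintext_creds() {
    grep -inE "ConvertTo-SecureString.*-AsPlainText|-Password[[:space:]]+['\"]" "$1" || true
}

# Number of offending lines, usable as an alert threshold when sweeping many hosts.
count_plaintext_creds() {
    find_plaintext_creds "$1" | wc -l | tr -d ' '
}

# Account names handed to PSCredential, so the exposed identity can be rotated
# without printing the password again.
credential_usernames() {
    grep -ioE "PSCredential[[:space:]]*\([[:space:]]*['\"][^'\"]+['\"]" "$1" \
        | sed -E "s/.*['\"]([^'\"]+)['\"]$/\1/"
}

echo "clear-text credential lines: $(count_plaintext_creds "$HISTORY")"
echo "accounts to rotate: $(credential_usernames "$HISTORY")"
```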
As a reminder, the centralized way to manage usernames, passwords and credentials here is the Local Administrator Password Solution (LAPS).
Its architecture is shown below:
The principle of operation of LAPS is relatively simple. The client-side component on each computer generates a random password. The password is stored in Active Directory, in an attribute of the computer object. Only domain administrators can see the value of the attribute. The client periodically creates a new password, as defined in the configuration, and updates Active Directory with the new password and its expiration.
Like most problems with Active Directory, these problems are due to incorrect settings. Typically, users who are not part of the domain administrators group need local administrator access to systems, such as technical support staff. For this reason, the ability to read LAPS passwords for computer objects gets delegated to groups other than the domain administrators group. It can be all IT objects or only the objects of a specific organizational unit. Over time, this privilege is often granted to groups to which it should not have been granted. Also, if an account or group owns the computer object, it can change the permissions on that object to be able to view the password.
There are therefore many cases where a regular domain user can read the LAPS password, whether for only a few systems or for more than 50 in the domain.
So if a user has the permissions, it is easy to read this attribute using the Get-AdmPwdPassword cmdlet.
After some research I found that it is possible to dump the local administrator account passwords of computers in the domain using the Kali LAPS dumper. Its source code is available here.
So using svc_deploy as the domain user and its password E3R$Q62^12p7PLlC%KWaxuaV, I tried to pull every LAPS password the account had access to read within the entire domain.
As shown below, it dumped the computer name and the password for the local administrator account.
$ sudo lapsdumper -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb -l 10.10.11.152
[sudo] password for pacome:
DC01$:9$]6kGXv6ogbJ7qkV5/B11a3
I finally attempted an admin session and it worked 😭
I got the root flag under the TRX user:
4181af89d2e02dab32dfe97a85a0052d
And that is where this challenge ended.