
Penetration Testing: Solving the Timelapse Challenge on HTB

Pacome Kemkeu Djoumessi


tags: Timelapse LAPS AD

Timelapse

The investigations I conducted through this challenge led me to split their results into three main chapters:

  • Information Gathering: the phase where I used various tools to collect as much information as possible about the target machine and decide which findings deserved further investigation.
  • Exploitation: this is where the action happened! Here I tried to establish access to the system by exploiting all the hints I could find.
  • Privilege Escalation: in this phase, after accessing the system, I found a way to elevate privileges to Administrator, since the account I obtained during the exploitation phase had low-level privileges.

1. Information Gathering

1.1. Scanning

I began by scanning the machine through all its ports, looking for different services running on it.

I also increased the level of detail to find out the versions of everything running, using the flags -sV -sC: -sV probes service versions and -sC runs the default scripts from the Nmap Scripting Engine.


Based on the results of the extended scan, we concluded that:

  • the host is an Active Directory domain controller for the domain timelapse.htb;
  • microsoft-ds (Microsoft Directory Services, i.e. SMB) is serving network shares on port 445, SMB version 3;
  • the Kerberos authentication service is on port 88;
  • the host is running Simple DNS Plus on port 53.

1.2. Enumeration

  • I decided to start by enumerating Kerberos, using kerbrute with a custom wordlist of usernames.

    I got the following results:


    Then, using the list of valid Active Directory accounts I had enumerated, I ran a password brute-force attack, which was unsuccessful after a few attempts. 😩

    I then decided to move on to another service.

  • SMB enumeration

    I tried enum4linux. It did not return much information, but it at least showed that I could log in anonymously.


    So, using smbmap, I logged in with a null user and a null password to enumerate the SMB shares.


    Among them I found the share named Shares with READ ONLY access. Read-only shares are generally set up to share resources on the domain with guest users, so I recursively downloaded all of its contents to my host using smbclient.
    Thanks to Hermann


2. Exploitation

  • Exploiting the HelpDesk directory

    The HelpDesk folder contains the LAPS installer and a few documents from its documentation.


    LAPS (Local Administrator Password Solution) is software that provides a simple way to manage local administrator passwords on domain-joined Windows servers and endpoints, ensuring that each password is unique and changed regularly. I did not find anything useful in this directory.

  • So I turned back to the zip file in the Dev folder.

    I first tried to unzip it, but it asked for a password that I had no idea of.


    Using fcrackzip with rockyou.txt as the wordlist, I cracked the archive and got the password as follows:


    I then unzipped the file with that password and found a .pfx file.


    A PFX file is a certificate bundle in PKCS#12 format; it contains the certificate, the intermediate authority certificate needed to establish trust in it, and the certificate's private key. Think of it as an archive that stores everything you need to deploy a certificate (source: sslmarket).

    PFX files are used to protect users, computers and networks: the certificate and key they carry authenticate access to system and network resources, keeping out malicious people, third parties without consent to access those resources, and malicious applications that would direct the system to access protected resources, data and code.

    The PFX file is always password protected because it contains a private key.
    At this point, I did not really know what to do with the file. So I went back to the Official Discussion to find some hints and, while scrolling, found the following:


    Well! Interesting


    So the first thing to do was to split the .pfx file.
    I searched for "split a pfx file" on Google and got the following as the first result:


    Source

    So, in order to use the .pfx file, I needed to extract its private key and certificate.

    I first tried to extract them with the previously found password, but it did not work 🥲


    Well, I had to crack its password too 😐

    I installed crackpkcs12 and used its dictionary attack mode with rockyou.txt as the dictionary to crack the .pfx file.

    I obtained the following after a couple of minutes.


    The password was thuglegacy.

    I went back to the process of retrieving its private key and got the following:


    To complete it I also needed the certificate, so I extracted it the same way as the private key.


    I also decrypted the private key (removed the passphrase from the extracted key) as follows:

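
The splitting described above, as an added example that is not part of the write-up: a POSIX shell script using OpenSSL (assumed to be the tool behind the screenshots) that builds a throw-away PKCS#12 bundle from a constructed self-signed key and certificate, then extracts the certificate and the private key and strips the passphrase from the key. The example.invalid subject and both passphrases are constructed. It also shows that a wrong passphrase is rejected at the PKCS#12 MAC check, which is the only protection the bundle has: an exported certificate is exactly as safe as the passphrase chosen at export time, and a weak one leaves the private key one wordlist away, as happened here.

```shell
#!/bin/sh
# Added example (not from the write-up): building a PKCS#12 (.pfx) bundle
# and splitting it back into its private key and certificate with OpenSSL.
# Everything here is constructed: throw-away key/cert, placeholder passwords.
set -eu

WORK=$(mktemp -d)

# Create a throw-away self-signed key/cert pair and wrap both in a PFX
# protected by the passphrase given as $1. Prints the path of the bundle.
make_pfx() {
    pass="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/bundle.pfx" -passout "pass:$pass"
    printf '%s\n' "$WORK/bundle.pfx"
}

# Split the PFX given as $1 with the passphrase $2: the leaf certificate goes
# to cert_out.pem, the private key (still passphrase-protected) to
# priv_enc.pem, and a passphrase-free copy to priv.pem ("decrypting" it).
# A wrong passphrase fails the PKCS#12 MAC check and the function returns 1.
split_pfx() {
    pfx="$1"; pass="$2"
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" \
        -out "$WORK/cert_out.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" \
        -passout "pass:$pass" -out "$WORK/priv_enc.pem" 2>/dev/null || return 1
    openssl pkey -in "$WORK/priv_enc.pem" -passin "pass:$pass" \
        -out "$WORK/priv.pem" 2>/dev/null
}

# Sanity check before using the pair anywhere: the public key derived from
# the extracted private key must equal the one inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/priv.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/cert_out.pem" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: build, split with the right passphrase, verify.
if [ "${1:-}" = "demo" ]; then
    pfx=$(make_pfx 'constructed-passphrase')
    split_pfx "$pfx" 'constructed-passphrase' && key_matches_cert \
        && echo "key and certificate match: $WORK"
fi
```

Run it as `sh split_pfx.sh demo`. The three files it leaves in the temporary directory are the ones a client such as Evil-WinRM consumes (certificate plus passphrase-free key); keep them with restrictive permissions, since the unencrypted key is the credential.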

    With this done, the next step was to use the backup's name as a hint and find out how to exploit that service.

    As a reminder, the backup's name was winrm_backup.zip.


    WinRM, Windows Remote Management, is based on HTTP and is Microsoft's implementation of the SOAP-based WS-Management standard. This means it is no longer an RPC protocol and can therefore pass through firewalls more easily.

    As for ports, on the target machine it runs over HTTPS on port 5986.


    Most search results on how to exploit WinRM referred to Evil-WinRM.

    Evil-WinRM can be used against any Windows server running the WinRM service, but of course only if you have the credentials and permissions to use it.

    It has many features, such as:

    • List remote machine services without privileges
    • Upload and download files
    • Load PowerShell scripts in memory
    • Load x64 payloads generated with the Donut technique
    • SSL and certificate support
    • Command history
    • WinRM command completion

    So I installed evil-winrm.


    Using it with the artifacts I had already collected (private key and certificate), I got access to the system and found the user flag.


    -S: use SSL for the connection
    -k: path to the private key
    -c: path to the public key certificate

    It only remained to get administrator privileges.

3. Privilege escalation

This was not an easy one. I tried a ton of things before I found this conversation in the chat and started googling WinPEAS.

The goal of WinPEAS is to search for possible privilege escalation paths in a Windows environment.

In order to gain Administrator privileges I proceeded as follows:

  • Downloaded WinPEAS

  • Uploaded and ran WinPEAS

    After running it there was a lot of information and I still did not know what to do.
    At least I could see all the user accounts and their privileges.

    So, back in the chat reading the comments, I got the following:

    Looking specifically for history, I found the file that stores the history of commands recently run in the PowerShell console, ConsoleHost_history.txt. This file is basically the equivalent of .bash_history on Linux.

    I downloaded it on my local machine for further investigations.

    When checking the contents of the file, I found that it stored a username, svc_deploy, and a password, E3R$Q62^12p7PLlC%KWaxuaV, that were passed as parameters for a connection.

    The other commands use the System.Management.Automation.PSCredential object: they initialize a new instance of the PSCredential class with that username and password and use it to connect to a remote machine.
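
As an added example that is not from the write-up, the check a defender would run over such history files: a POSIX shell script with a constructed ConsoleHost_history.txt (on a real host the file lives under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ in each user profile) and a grep-based scanner that flags entries carrying a literal secret, the pattern that leaked svc_deploy here. The db01 server name and both passwords are constructed placeholders; the svc_deploy account and the timelapse domain are the ones from this box.

```shell
#!/bin/sh
# Added example (not from the write-up): flag entries of a PowerShell
# ConsoleHost_history.txt that embed a secret in clear text, the kind of
# leak that gave up svc_deploy on this box. The history below is
# constructed; both passwords are placeholders.
set -eu

HIST=$(mktemp)
cat >"$HIST" <<'EOF'
Get-ChildItem C:\Users
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -UseSSL -SessionOption $so -ScriptBlock { whoami }
Get-Date
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'PLACEHOLDER_2' -Query 'SELECT 1'
EOF

# Print "line:entry" for each history entry that carries a literal secret:
#  - ConvertTo-SecureString ... -AsPlainText (the password is right there),
#  - a PSCredential built with a quoted literal as its second argument,
#  - a -Password/-pass/-pwd parameter followed by a quoted literal.
# Entries that pass a $variable instead are not flagged: the secret lives in
# another line, which the first pattern catches.
scan_history() {
    grep -n -i -E \
        "ConvertTo-SecureString.*-AsPlainText|PSCredential *\(.*, *[\"']|-(password|pass|pwd) +[\"']" \
        "$1" || true
}

# Number of flagged entries, usable as an alert threshold in a scheduled check.
count_findings() {
    scan_history "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report what the constructed history leaks.
if [ "${1:-}" = "demo" ]; then
    echo "$(count_findings "$HIST") entries leak a secret:"
    scan_history "$HIST"
fi
```

On the constructed history the scanner reports lines 3 and 7 and leaves line 4 alone, because the PSCredential there receives a variable. Mitigation on the Windows side is cheap: recent PSReadLine versions already skip saving commands that contain words such as password or asplaintext, and for sensitive sessions `Set-PSReadLineOption -HistorySaveStyle SaveNothing` disables the file altogether.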

    As a reminder, the centralized way to manage local administrator passwords here is the Local Administrator Password Solution (LAPS).

    Below is its architecture (image source):

    The principle of operation of LAPS is relatively simple. The client-side component on each computer generates a random password. The password is stored in Active Directory as an attribute of the computer object. Only domain administrators can see the value of that attribute. The client regularly generates a new password, as defined in the configuration, and updates Active Directory with the new password and its expiration time.

    Like most problems with Active Directory, these problems come from incorrect settings. Typically, users who are not members of the Domain Admins group, such as technical support staff, need local administrator access to systems. For this reason, the ability to read LAPS passwords for computer objects gets delegated to groups other than Domain Admins: it can cover all computer objects or only those in a specific organizational unit. Over time, this privilege often ends up granted to groups that should not have it. Also, if an account or group owns the computer object, it can change the permissions on that object to be able to view the password.

    There are therefore many cases where a regular domain user can read the LAPS password, either for only a few systems or for more than 50 in the domain.
    So if a user has the permission, reading this attribute is easy with the Get-AdmPwdPassword cmdlet.

  • After some research I found that it is possible to dump the local administrator passwords of the computers in the domain using the Kali LAPS dumper. Its source code is available here.

    So using svc_deploy as domain user and its password E3R$Q62^12p7PLlC%KWaxuaV, I tried to pull every LAPS password the account has access to read within the entire domain.

    As shown below, it dumped the computer name and the password for the local administrator account.

    $ sudo lapsdumper -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb -l 10.10.11.152
    [sudo] password for pacome:
    DC01$:9$]6kGXv6ogbJ7qkV5/B11a3

    I finally attempted an Administrator session and it worked 😭

    Got the root flag under the TRX user:

    4181af89d2e02dab32dfe97a85a0052d

    And here ended this challenge.


Resources