HackTheBox Writeup — TimeLapse
Hello guys, I am Faisal Husaini. My username on HTB is "fa1sal". Also join me on Discord.
The IP of this box is 10.10.11.152.
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.152
Found multiple open ports; the interesting ones are the SMB ports (139 and 445).
Way to User
Since ports 139 and 445 were open, I started enumerating the SMB shares and found an open share named Shares.
Checking the Dev folder inside the share, there is a WinRM backup zip file, which I downloaded to my local system. In the HelpDesk folder, I found tools and documentation related to LAPS.
Unzipping the file requires a password, which at this point we don't have.
Successfully cracked the zip password using the fcrackzip tool and the rockyou.txt wordlist.
The zip file contained two files, mycerts.crt and legacyy_dev_auth.pfx. I used the pfx2john tool to convert the PFX file into a john-format hash.
Successfully cracked the PFX password with john and the rockyou.txt wordlist.
Created the key and crt files using openssl so that we can use them for the WinRM connection to the remote target.
Using the key and crt files with the evil-winrm tool and providing the username dev (found through guesswork), the connection succeeds.
Got the user flag from the user's home directory.
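The real weakness in the user path is credential material (a PFX bundle and its certificate) sitting in a zip on a readable share, with a password weak enough to fall to a wordlist. Below is an added example, not part of the original writeup, of the kind of audit a share owner or blue team can run over a share's directory tree: it flags loose key and certificate files, looks inside zip archives for the same file types, and reports whether the archive members are stored encrypted (ZIP general-purpose flag bit 0). The share layout it builds (a `Dev/winrm_backup.zip` holding `legacyy_dev_auth.pfx` and `mycerts.crt`, a harmless file under `HelpDesk/`) is constructed for the demo; the archive name and the `run_demo`, `audit_share` and `build_sample_share` helpers are my own assumptions.

```python
import tempfile
import zipfile
from pathlib import Path

# File types that usually carry private keys, certificates or stored credentials.
SENSITIVE_SUFFIXES = {".pfx", ".p12", ".pem", ".key", ".crt", ".ppk", ".kdbx"}


def audit_share(root):
    """Walk a share directory and return findings for exposed credential material.

    Each finding is a dict with the path relative to the share root, a description,
    and for zip archives whether every member is stored encrypted (ZIP general
    purpose flag bit 0). An encrypted archive is still reported: a password on the
    zip is not a control when the password can be guessed from a wordlist.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        if suffix in SENSITIVE_SUFFIXES:
            findings.append({"path": rel, "issue": "credential material on share", "encrypted": None})
        elif suffix == ".zip":
            try:
                with zipfile.ZipFile(path) as zf:
                    members = zf.infolist()
            except zipfile.BadZipFile:
                findings.append({"path": rel, "issue": "unreadable zip archive", "encrypted": None})
                continue
            hits = [m.filename for m in members
                    if Path(m.filename).suffix.lower() in SENSITIVE_SUFFIXES]
            if hits:
                findings.append({
                    "path": rel,
                    "issue": "archive contains credential material: " + ", ".join(hits),
                    "encrypted": all(m.flag_bits & 0x1 for m in members),
                })
    return findings


def build_sample_share(root):
    """Create a constructed share layout modelled on the one in the writeup.

    Dev/ holds a WinRM backup zip with a .pfx and a .crt; HelpDesk/ holds a
    harmless text file. Python's zipfile cannot write encrypted archives, so
    the sample zip is unencrypted (the one on the box was password-protected).
    """
    root = Path(root)
    (root / "Dev").mkdir(parents=True)
    (root / "HelpDesk").mkdir()
    (root / "HelpDesk" / "LAPS_notes.txt").write_text("constructed placeholder text\n")
    with zipfile.ZipFile(root / "Dev" / "winrm_backup.zip", "w") as zf:
        zf.writestr("legacyy_dev_auth.pfx", b"constructed-not-a-real-pfx")
        zf.writestr("mycerts.crt",
                    "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")


def run_demo():
    """Build the sample share in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return audit_share(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['path']}: {finding['issue']} (encrypted={finding['encrypted']})")
```

Point `audit_share` at a mounted share root to run it for real. The loose `.txt` under `HelpDesk/` produces no finding; the zip is reported once, naming both credential files it contains, with `encrypted=False`.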
Way to Root
Imported PowerView and SharpHound after bypassing AMSI.
Didn't get much from them, so I ran WinPEAS and found that LAPS is enabled.
With PowerView, I checked that the current user doesn't have permission to read the LAPS password.
Checking the PowerShell history, we find the connection details for the svc_deploy user, which include the password.
Used evil-winrm to connect to the machine as the svc_deploy user.
Retrieved the LAPS password through this user, since this user had the permission to read it.
Connected to the machine successfully as Administrator with the LAPS password we obtained.
Got the root flag.
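The pivot to svc_deploy came from a plaintext password left in the PSReadLine console history, a file every interactive PowerShell session appends to under the user's profile (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`). Below is an added example, not part of the original writeup, of a small hunt script a defender can run over collected history files: it flags the usual ways a credential ends up inline (`ConvertTo-SecureString ... -AsPlainText`, a `PSCredential` built from a quoted username, a `-Password` switch with a literal value) and redacts quoted literals so the report does not repeat the secret. The sample history is constructed to resemble the finding on this box; the password values are placeholders, and the rule names, `scan_history` and `redact` are my own.

```python
import re

# Default PSReadLine history file on Windows, one per user profile. It is written
# by the interactive console and is readable by anyone who can read the profile.
PSREADLINE_HISTORY = r"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Each rule is (name, pattern). The first matching rule per line is reported.
RULES = [
    # A password literal turned into a SecureString inline.
    ("plaintext-securestring", re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.I)),
    # A PSCredential built from a quoted username (usually with a SecureString variable).
    ("pscredential-literal", re.compile(r"PSCredential\s*\(\s*['\"]", re.I)),
    # Any -Password / -Pass switch followed by a value.
    ("password-switch", re.compile(r"(?<![\w-])-pass(?:word)?\s+\S+", re.I)),
]

QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")


def redact(line):
    """Replace quoted literals so the report does not repeat the secret it found."""
    return QUOTED.sub("'<redacted>'", line)


def scan_history(text):
    """Return a list of {line, rule, text} for history lines that embed credentials."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append({"line": number, "rule": name, "text": redact(line)})
                break
    return hits


# Constructed sample history modelled on the finding in the writeup. The password
# values are placeholders, not anything taken from the box.
SAMPLE_HISTORY = """\
whoami
Get-ChildItem C:\\Users
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'ExamplePassword-NotReal' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -UseSSL -SessionOption $so -ScriptBlock {whoami}
Invoke-Sqlcmd -ServerInstance db01 -Username app -Password 'AnotherPlaceholder'
Get-Date
"""


if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(f"line {hit['line']:>3}  {hit['rule']:<24} {hit['text']}")
```

Running it on the sample reports lines 4, 5 and 7 with the quoted values replaced by `'<redacted>'`; the session-option and `Invoke-Command` lines are not flagged because the credential there is passed as a variable. To read real files, feed the expanded `PSREADLINE_HISTORY` path for each profile to `scan_history`. The mitigation side is the same as the finding suggests: rotate any credential that appears, and keep service-account passwords out of interactive sessions (for example by using a credential store or `Get-Credential`) so they never land in the history file.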