HackTheBox Writeup — TimeLapse

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.11.152

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.11.152

Found multiple open ports, interesting ones being the SMB ports

Way to User

Since we had port 139 and 445 open, I started enumerating the SMB shares and found there is an open share by the name Shares

Checking the Dev folder inside the share, there is a backup zip file for winrm which I downloaded to my local system. On the other hand, on the HelpDesk folder, I found tools related to LAPS.

Unzipping the file requires password, which at the moment we dont have and dont know as well

Successfully cracking the password of the zip file using fcrackzip tool and rockyou.txt wordlist

The zip file contained two files, mycerts.crt and legacyy_dev_auth.pfx, I used pfx2john tool to convert the file into a john format hash

Successfully cracked the password through john tool and rockyou.txt wordlist

Creating the key and crt file using openssl so that we can use them further for winrm connection to the remote target

Using the Key and CRT file with evil-winrm tool and providing the user dev through guesswork and finding the connection successful

Getting the user flag on the home directory of the user

Way to Root

Importing PowerView and SharpHound after bypassing AMSI

Didnt got anything much from it so used WinPEAS and found that LAPS is Enabled

From PowerView, I checked that the current user doesnt have the permissions to get the LAPS Password

Checking the Powershell history, we can find connection details of svc_deploy user which contains the password too

Using evil-winrm to connect with the user svc_deploy user on the machine

Getting the LAPS password through this user as this user had the permissions

Connecting to the machine successfully with Administrator user with the LAPS Password we got

Getting the root flag

References

--

--

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover