Timelapse is a retired vulnerable machine running Windows; the goal is to obtain the user and root flags by using its vulnerabilities.
We start with an nmap network scan to identify the target machine.
Classic Scan

Full port scan

At the end of the port scan, we see that the target is an Active Directory machine with SMB sharing, and we detect the "timelapse.htb" domain. We add this domain to the /etc/hosts file and move on to SMB enumeration.
Crackmapexec smb

Crackmapexec reports the hostname DC01, and we add it to our /etc/hosts file.
Then we try the following commands, but we did not get any information:
crackmapexec smb
crackmapexec smb --users
crackmapexec smb --shares --users
crackmapexec smb -u '' --shares --users
crackmapexec smb -u '.' --shares --users
crackmapexec smb -u '' -p '' --shares --users

We didn't get much information from the enum4linux tool, so let's use smbclient.

With smbclient we saw the shares; it is always worth trying different tools here.
Then we connected to the Shares share and looked at the files in it. We downloaded the notable winrm_backup.zip file to our local machine to examine it.

The zip file we want to examine is password protected, so we try to crack it with john.

We found the password for the zip file as supremelegacy. We unzipped the file and found a pfx file.
(pfx files are encrypted files that hold digital certificates and are used for authentication. With one you can authenticate to a network, device, user account or specific files.)
We tried to extract the keys from the legacyy_dev_auth.pfx file, but it asked us for a password and gave an error when we left it empty. Let's crack the password of this file with john.

We found the password for the pfx file as thuglegacy.
Now we extract the key and the certificate from this pfx file.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt

Then we connect with evil-winrm
evil-winrm -i -S -k legacyy_dev_auth.key-enc -c legacyy_dev_auth.crt

Here we obtained our user flag, but we could not get access as Administrator: we got a permission denied error, so we continue with local enumeration.

We look at the PowerShell history file.

Here we detected svc_deploy and the password ‘E3R$Q62^12p7PLlC%KWaxuaV’
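The weakness in this step is that anything typed at an interactive PowerShell prompt, plaintext passwords included, stays on disk in the PSReadLine history file. As an added example (not part of the original writeup), this Python audit scans history text for such credentials so they can be found and rotated; the sample history, account name, script name and passwords are constructed, and the patterns are heuristics assumed for illustration.

```python
import re

# PSReadLine keeps per-user history at
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Heuristic patterns assumed for this example, not an exhaustive rule set.
SECRET_PATTERNS = [
    ("plaintext SecureString", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?(['\"])(?P<secret>.+?)\1.*-AsPlainText",
        re.I)),
    ("password argument", re.compile(
        r"(?:^|\s)-(?:p|pass|password)\s+(['\"])(?P<secret>.+?)\1", re.I)),
]
# Account name passed to a PSCredential constructor: tells us whose password to rotate.
ACCOUNT = re.compile(r"PSCredential\s*\(\s*(['\"])(?P<user>[^'\"]+)\1", re.I)


def mask(secret):
    """Keep the audit report itself free of the secret it flags."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_history(text):
    """Return (findings, accounts) for one history file's contents."""
    findings, accounts = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        acct = ACCOUNT.search(line)
        if acct:
            accounts.add(acct.group("user"))
        for label, rx in SECRET_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append((lineno, label, mask(m.group("secret"))))
    return findings, sorted(accounts)


# Constructed sample history; values are placeholders, not taken from the target.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck
$p = ConvertTo-SecureString 'Example-Passw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
Invoke-Command -ComputerName localhost -Credential $c -SessionOption $so -ScriptBlock {whoami}
.\deploy.ps1 -Password "AnotherExample1" -Target web01
Get-ChildItem -Path C:\Temp
"""

if __name__ == "__main__":
    hits, users = scan_history(SAMPLE_HISTORY)
    for lineno, label, masked in hits:
        print(f"line {lineno}: {label}: {masked}")
    print("accounts to rotate:", ", ".join(users))
```
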

Let’s connect with evil-winrm using this credential

Here we are connected, but we still cannot log in as the administrator user.
We continue with local enumeration.

Here *LAPS_Readers stands out.

LAPS manages the local account passwords of computers joined to Active Directory. The passwords are stored in Active Directory.
Let's understand how to do privilege escalation here.
Let's dump the passwords in LAPS with crackmapexec:
crackmapexec ldap -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' --kdcHost -M laps

](Qr9{{$2Vkn,8,t@i[g7+Rs is the password from the dump.
With it we connected as the administrator user.
We did not see root.txt under the Administrator folders; we found the root flag under the C:\Users\TRX\desktop directory.

Here we got the root flag.

