Summary
Timelapse is an HTB Active Directory machine rated easy, but because its initial-compromise technique is unusual, I believe it should be categorised as Intermediate. By solving this lab I learned how an attacker can steal a CA certificate to perform lateral movement.
Table of Contents

Initial Access
- Nmap
- SMB-client
- OpenSSL
- WinRM

Privilege Escalation
- WinPEAS
- Credential Dumping
- Abusing LAPS

Initial Access
Let’s dive into Timelapse.
nmap -p- -sV 10.129.227.105

From the nmap scan, we can see that this is a Windows Server, more precisely a domain controller, since the DNS, LDAP, Kerberos and SMB ports are open. WinRM (Windows Remote Management) is also present on port 5986, which is WinRM over HTTPS.
SMBClient
smbclient -L 10.129.227.105

Let’s use smbclient to find out whether any shares allow anonymous login. Indeed, there is a share named “Shares”.
Now we connect to that share with smbclient and browse the directory for subfolders. We find winrm_backup.zip, which is password-protected, so we need to crack it.
In our scenario, we used fcrackzip to crack the winrm_backup file using the wordlist rockyou.txt.
fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt
Once we have cracked the password, we can use it to unzip the archive. Inside we find a .pfx file called legacyy_dev_auth.pfx. A PFX (PKCS#12) file is a container that bundles a certificate together with its private key.
unzip winrm_backup.zip
pfx2john legacyy_dev_auth.pfx > pfxhash
OpenSSL
Now we convert the pfx file into a crackable hash with pfx2john and crack it with John to recover the password that protects the private key. As you can see, the password is thuglegacy.
We open the certificate with openssl and can see that it was stored with the Microsoft Software Key Storage Provider. We can now extract the certificate and the private key.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
Once the private key is available, we can use it to log in to the box.
We use evil-winrm to log in with the PEM certificate and the PEM private key; certificate-based authentication takes the place of a password.
evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S -r timelapse
Privilege Escalation
Now we have a shell on the box. There is nothing of interest in the Documents folder, so let’s browse the Desktop to see if we can find any flags. Indeed, user.txt is on the desktop.
Now we will use updog to upload winPEASx64.exe on the server.
Let’s download updog. An alternative is Python’s http.server module, but in our scenario we are using updog.
WinPEAS.exe
Once installed, let’s run updog on port 80. As shown below, updog is now listening on port 80.
Then, on the target, we download winPEASx64.exe using wget (in PowerShell this is an alias for Invoke-WebRequest). Once the download is complete, we execute winPEASx64.exe.
Let’s read the ConsoleHost_history.txt file that winPEAS points us to and see what information we can extract from it.
Credential Dumping - LAPS
As we can see from the file, the username is svc_deploy and the password has been assigned to the variable $p. Now let’s verify which groups svc_deploy is a member of: it is a member of LAPS_Readers. LAPS stands for Local Administrator Password Solution. It sets a random local administrator password on every managed machine, so a hash captured on one host cannot be reused against the others in a pass-the-hash attack. However, it stores each password in Active Directory itself, as an attribute of the computer object, and only members of LAPS_Readers are allowed to read it.
Let’s list all users on the box with the command net users. We find the account svc_deploy, and checking its group membership confirms that it is in the LAPS_Readers group.
Now we can connect with evil-winrm using the username and password from ConsoleHost_history.txt. The local administrator password of DC01 is stored in the ‘ms-Mcs-AdmPwd’ attribute of its computer object.
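As an added example that is not part of the original write-up, here is a small Python scanner, written from a defender’s stance, for PSReadLine history files like the ConsoleHost_history.txt read above: it flags history lines that embed a literal credential and redacts the secret so the report can be shared. The sample history and the secret value are constructed for this example; the real file lives under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\.

```python
import re
from typing import List, NamedTuple

# Constructed sample of a PSReadLine history file (ConsoleHost_history.txt).
# Every line here is made up for this example; the secret is a placeholder.
SAMPLE_HISTORY = """\
whoami
ls env:
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-SECRET' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('timelapse\\svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-childitem
"""

# A literal value is a quoted string or a bare word that is neither a
# variable ($...) nor another switch (-...); variable references are not flagged.
LITERAL = r"(?P<secret>'[^']*'|\"[^\"]*\"|[^\s$-]\S*)"

# Each rule names what it detects; the 'secret' group marks the value to redact.
RULES = [
    ("ConvertTo-SecureString plaintext",
     re.compile(r"ConvertTo-SecureString\s+(?:-\w+\s+)*" + LITERAL, re.I)),
    ("explicit password argument",
     re.compile(r"(?:-p|-pass(?:word)?)\s+" + LITERAL, re.I)),
]

class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str   # the offending line with the secret replaced

def scan_history(text: str) -> List[Finding]:
    """Return one Finding per history line that embeds a literal credential.
    The secret is replaced with <REDACTED> so the report itself is safe to share."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                s, e = m.span("secret")
                findings.append(Finding(no, name, line[:s] + "<REDACTED>" + line[e:]))
                break  # one report per line is enough
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Run it over the history files of every profile on a host you are investigating; a hit on a service account like svc_deploy is exactly the exposure this box turns into a privilege escalation.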
evil-winrm -i 10.129.227.105 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
Get-ADComputer DC01 -property 'ms-mcs-admpwd'

Once we have the administrator password, we can use evil-winrm to connect to the box as administrator.
evil-winrm -i 10.129.227.105 -u administrator -p 'gU}0649&H)l8VrkJB1n95q0A' -S
And we are logged on. We can now browse to the Desktop directory to see if we can capture any flags. There you go: we can see root.txt.
Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. He can be contacted on LinkedIn.