# Timelapse

**Date**: 30/05/2022

**Difficulty**: EASY

**CTF**: <https://app.hackthebox.com/machines/Timelapse>

***

First of all, let’s test the connectivity with the target machine:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-db8266a473c4552e94e8b2bdcc230690326ee095%2Ftimelapse0.png?alt=media" alt=""><figcaption></figcaption></figure>

ttl = 127 may indicate that the target machine is a Windows machine.

Let’s launch an nmap scan to detect the open TCP ports on the machine:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-bdb902ac54844fa0516e2a1e63dfa17ce23f97c6%2Ftimelapse1.png?alt=media" alt=""><figcaption></figcaption></figure>

Wow, the nmap scan reported a lot of open TCP ports… let’s launch a detailed scan on all these ports:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-919ded3e53227bfc6db803e772d5e85a5e3b8355%2Ftimelapse2.png?alt=media" alt=""><figcaption></figcaption></figure>

Interesting, we have Kerberos on port 88, LDAP, HTTP… and other services.

The details of the HTTP service catch my eye. The SSL certificate contains `dc01.timelapse.htb`. timelapse.htb sounds like a domain and dc01 like DomainController01 (the computer name, maybe?). Also, the LDAP service details show the domain timelapse.htb0.

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-9e9a56a526e7eb9f3042712918b7a86f40578af3%2Ftimelapse3.png?alt=media" alt=""><figcaption></figcaption></figure>

Let’s add the timelapse.htb domain to /etc/hosts and take a look at the webpage:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-c4bdfd99b1cf169ec56bc5f28808b3b8c02e8de3%2Ftimelapse4.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-953f3e0b9f4b11d75b23bb774149cc754ef72076%2Ftimelapse5.png?alt=media" alt=""><figcaption></figcaption></figure>

Nothing useful there…

Let’s take a look at ports 135 and 445 (SMB):

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-03eb6a8a9c990f5e82c3d17c8eac572dc1cbd0e3%2Ftimelapse6.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-df38133eb5fc55abb638c749158ed629786f1613%2Ftimelapse7.png?alt=media" alt=""><figcaption></figcaption></figure>

Mmm… we have READ permissions on IPC$ and Shares. Let’s take a look inside:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-aa832b0bb89c8bce0a0288cf8a03da555c49f348%2Ftimelapse8.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-0f046ddbf5fd2fa66a80159483a03a608c0b6f00%2Ftimelapse9.png?alt=media" alt=""><figcaption></figcaption></figure>

Let’s download that zip file to see the content later:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-476a4d3b756f33d879e3085114c9783d38917d4a%2Ftimelapse10.png?alt=media" alt=""><figcaption></figcaption></figure>

Let’s see the content of the other folder also:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-425d3d68d4168f318709310313bf15636a314ab5%2Ftimelapse11.png?alt=media" alt=""><figcaption></figcaption></figure>

Mmmm… let’s download everything:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-fc18985d5dbde365127a71658ddba225d59c0818%2Ftimelapse12.png?alt=media" alt=""><figcaption></figcaption></figure>

Let’s enumerate IPC$ just in case:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-3426c477bbfda5fe195c8e3b160dac918a4ae025%2Ftimelapse13.png?alt=media" alt=""><figcaption></figcaption></figure>

I’m not sure if any of these files will be useful, but I’ll keep the list.

Let’s see what was inside the compressed file:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-04b4f85bf2cae48c83b525d44b9c6eaec2798866%2Ftimelapse14.png?alt=media" alt=""><figcaption></figcaption></figure>

Mmm… the zip is password protected. Maybe we can crack it with John, but before doing that, let’s take a look at the other files:

The .docx files describe the use of a tool called Local Administrator Password Solution (LAPS) that can manage the domain passwords. There is also an .msi installer. Maybe it is an application installed on the target machine.

Let’s see if we can crack the password of the zip file:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-c919f583090a6ea9b700949d709ac39d28d7a927%2Ftimelapse15.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-9a698abff31627c381f6fcf0ee24f22122e8ef2e%2Ftimelapse16.png?alt=media" alt=""><figcaption></figcaption></figure>

It was very fast! John cracked the zip password successfully. Let’s unzip it:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-c5ea5ca0fd0209f1b68b06c2b976b97fe3460c1a%2Ftimelapse17.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-26409a843f1f9a769c56857bff1180fd836df347%2Ftimelapse18.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-fb6e53638cde547117f39ae6808fd7587a9f947e%2Ftimelapse19.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-cf7407a86ce2e711085f1aed5e7100ceb5a25f56%2Ftimelapse20.png?alt=media" alt=""><figcaption></figcaption></figure>

Okay, so I don’t really know what to do with this file and its password… let’s do a bit of research. In [this page](https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file) and [this one](https://stackoverflow.com/questions/40399690/enter-pem-pass-phrase-when-converting-pkcs12-certificate-into-pem) it’s explained how to extract the keys and certificates from the PFX file.

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-6f4237c11412d73d4993cb567e871f7f0eb551d3%2Ftimelapse21.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-a6b2898a26debbc1641022443b48ca2025e0ddb6%2Ftimelapse22.png?alt=media" alt=""><figcaption></figcaption></figure>

Now, let’s see what we can do with this certificate and key… First of all we have to clean the certificate and key files:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-cc9fabd38e33e5ffc2f89589a0f6597cd3cd0116%2Ftimelapse23.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-b0072cd6c947f2563d599cb2fd69a774d09b26ad%2Ftimelapse24.png?alt=media" alt=""><figcaption></figcaption></figure>
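The extraction and cleaning steps above, as an added example that is not part of the original writeup: a POSIX shell script that builds a throwaway self-signed certificate, bundles it into a PFX protected by a constructed password, extracts the private key and certificate with openssl in the way the linked pages describe, strips the `Bag Attributes` header lines that openssl prepends (which some tools reject), and checks that the extracted key actually matches the certificate before it is used anywhere. The work directory, the subject `CN=sample.example` and the password are all constructed for the demo; nothing here touches a real host.

```bash
#!/bin/sh
# Added example, not from the writeup: PFX -> cleaned PEM key and certificate.
set -eu

WORK=$(mktemp -d)
PFX_PASS='constructed-pfx-pass'   # stands in for the password recovered from the zip

# 1. Constructed input: a self-signed certificate and key bundled into a PFX.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=sample.example' \
    -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
    -out "$WORK/sample.pfx" -passout "pass:$PFX_PASS"
}

# 2. Extract the private key (unencrypted, -nodes) and the client certificate.
extract_pfx() {
  pfx=$1; pass=$2
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" -out "$WORK/raw.key"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$WORK/raw.crt"
}

# 3. "Clean" a file: keep only the PEM block, dropping the Bag Attributes,
#    subject/issuer and Key Attributes lines openssl writes before it.
clean_pem() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# 4. Sanity check: the public key derived from the key must equal the
#    public key embedded in the certificate (compared by SHA-256 digest).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform PEM | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

run_demo() {
  make_sample_pfx
  extract_pfx "$WORK/sample.pfx" "$PFX_PASS"
  clean_pem "$WORK/raw.key" > "$WORK/clean.key"
  clean_pem "$WORK/raw.crt" > "$WORK/clean.crt"
  if key_matches_cert "$WORK/clean.key" "$WORK/clean.crt"; then
    echo "key and certificate match"
  else
    echo "MISMATCH: key does not belong to this certificate" >&2
    return 1
  fi
  # Show which identity the certificate carries; a PFX with its private key
  # left on a readable share is a credential for exactly this subject.
  openssl x509 -in "$WORK/clean.crt" -noout -subject -enddate
}

run_demo
```

Running the script prints the match result and the certificate subject and expiry. The `-subject`/`-enddate` line is the part worth keeping from a defender's side: it identifies whose certificate was exposed and for how long it remains usable, which is what you need when deciding to revoke it and rotate the PFX password.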

Apparently we can use the certificate and key to connect to the target machine via SSL using evil-winrm:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-51eceb882e18cb9f8bb9ae18f099b841effac1c9%2Ftimelapse25.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-17951897fa71c13afa6832a416f8c2581c7405ec%2Ftimelapse26.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-8a2b19757a9100961f138f123dd01d2f37f7e21a%2Ftimelapse27.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-48accdc7d89d1d2cd306c88ccafb78eeb201c5a5%2Ftimelapse28.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-c4e54dca4b8b75f9cc6f63e18b1b1591bb600bee%2Ftimelapse29.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-7f35b1101ce24d4f905593a88a0a79af1c6be918%2Ftimelapse30.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-4610e89ade3311be633ce2477c003acc62716222%2Ftimelapse31.png?alt=media" alt=""><figcaption></figcaption></figure>

Let’s try with an obfuscated version of winPEAS:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-63851985fda903cc409a26759280ee51e66398c8%2Ftimelapse32.png?alt=media" alt=""><figcaption></figcaption></figure>

Being unable to use winPEAS, let’s enumerate the machine manually:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-0c6f23b7c5cb2a9502aca173a431e50720916c5e%2Ftimelapse33.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-38aaa5810e966879871127fd4664f70cbb86eaf2%2Ftimelapse34.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-fec7ec1117c8b09b843839c53bb464c8690cc8a7%2Ftimelapse35.png?alt=media" alt=""><figcaption></figcaption></figure>

```powershell
# Commands found during manual enumeration (the svc_deploy password is redacted).
whoami
ipconfig /all
netstat -ano | select-string LIST
# Session options that skip certificate validation for the local WinRM endpoint
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
# Build a credential object for the svc_deploy account
$p = ConvertTo-SecureString 'E#################V' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
# Run a command over WinRM (HTTPS, port 5986) as svc_deploy
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```

Let’s execute the same commands:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-3bcf4bc85856ec0955df4f0f8f150a29ca0f2240%2Ftimelapse36.png?alt=media" alt=""><figcaption></figcaption></figure>

Now we can execute commands as svc\_deploy user… Let’s check the privs of svc\_deploy user:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-88dbbba3c728b117d44be0f83d081d2b66903d5b%2Ftimelapse37.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-eac792039ec7d41209809131ca9f26bf610400b8%2Ftimelapse38.png?alt=media" alt=""><figcaption></figcaption></figure>

This user is a member of the LAPS\_Readers group…

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-369542c237cde1f7af2b08f2b14da583553499be%2Ftimelapse39.png?alt=media" alt=""><figcaption></figcaption></figure>

We can see the admin password of DC01!

With these credentials, let’s try to log in as Administrator using evil-winrm:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-49a527018def9855fa87b191af28f20c4f283f4e%2Ftimelapse40.png?alt=media" alt=""><figcaption></figcaption></figure>

And after some navigation we found the root flag:

<figure><img src="https://3648139271-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDU2KcTfFp1xEzUDMyoAe%2Fuploads%2Fgit-blob-25d7cb5b4442ed3382a1ee7805a345c839db9eae%2Ftimelapse41.png?alt=media" alt=""><figcaption></figcaption></figure>
