In this post, I would like to share a walkthrough of the Timelapse machine from Hack The Box.


This room is rated as an Easy machine on Hack The Box.

What will you gain from the Timelapse machine?


For the user flag, you will need to abuse a vulnerability in asgaros-forum and use an exploit that is available on the internet. We also enumerate the MySQL database and wp-login to escalate to user-level access.


As for the root flag, you need to take advantage of a cron job through which we can throw a reverse shell on the machine.

Information Gathering on Timelapse Machine


Once we have started the VPN connection (the connection file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


From the Nmap result, I notice that neither port 80 nor port 443 is open to the public. However, I am aware that port 45, which is assigned to SMB, is open.


Let’s enumerate the SMB service using the smbclient -L <IP Address> command.

Enumerate the SMB service using smbclient


Based on my experience, I normally access an SMB share name such as Shares, which could contain an interesting stored file.


We can use a tool such as smbclient with the command smbclient \\\\<IP Address>\\<sharename> to access Shares.


I notice that there are two directories, Dev and HelpDesk.


Inside the Dev directory, I notice winrm_backup.zip, which we can download to our attacker machine.


We can use the get command to download the file.


A few more files can be found inside the HelpDesk directory.


Let’s extract the file, but sadly the archive is encrypted with a password.


Firstly, we need to convert the zip file into a john hash file by using zip2john.


We can obtain the password by cracking that hash with john.


Finally, we can unzip the file.


I found only one file stored inside the zip, called legacyy_dev_auth.pfx.


We can convert the pfx file into a john hash by using the tool pfx2john.py.


However, some people use other tools such as crackpkcs12.

Disclaimer: I managed to obtain the password during my first run, but I didn’t manage to obtain it during the second run.


Next, we can obtain the cert and key by running the command shown above.
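As an added example (not the author's own command), here is a small POSIX shell function that splits a PKCS#12 bundle such as legacyy_dev_auth.pfx into the PEM certificate and PEM private key that evil-winrm's -c and -k options expect. It assumes the .pfx path and the password recovered with john are passed as arguments, and it retries with OpenSSL's -legacy option, which OpenSSL 3 needs for the RC2/3DES ciphers that Windows-exported PFX files commonly use.

```shell
#!/bin/sh
# Added example: split a .pfx into certificate.pem and priv-key.pem.
# Assumed inputs: path to the .pfx, its password, optional output directory.
# Usage: split_pfx legacyy_dev_auth.pfx '<password>' [outdir]
split_pfx() {
    pfx="$1"
    pass="$2"
    outdir="${3:-.}"
    [ -f "$pfx" ] || { echo "no such file: $pfx" >&2; return 1; }
    mkdir -p "$outdir"

    # Windows-exported PFX files are often encrypted with RC2-40 or 3DES,
    # which OpenSSL 3 only accepts with -legacy; try plain first, then fall back.
    for extra in "" "-legacy"; do
        if openssl pkcs12 -in "$pfx" -passin "pass:$pass" $extra \
               -nocerts -nodes -out "$outdir/priv-key.pem" 2>/dev/null \
        && openssl pkcs12 -in "$pfx" -passin "pass:$pass" $extra \
               -nokeys -clcerts -out "$outdir/certificate.pem" 2>/dev/null; then
            chmod 600 "$outdir/priv-key.pem"   # the key file is a credential
            echo "wrote $outdir/priv-key.pem and $outdir/certificate.pem"
            return 0
        fi
    done
    echo "could not open $pfx (wrong password or unsupported cipher)" >&2
    return 1
}
```

The resulting files are what the evil-winrm command in the next step consumes; a wrong password fails the MAC check on the bundle, so the function returns non-zero instead of writing empty files.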


We can use that cert and key to access the machine with an evil-winrm command such as evil-winrm -i <IP Address> -c <cert> -k <key> -p '' -u legacyy -S


There is a user flag on legacyy’s Desktop.


We can read the user flag by running the command “type user.txt”.

Escalate to Root Privileges Access


Let’s look at the console history, where a password was entered.


From my understanding of the command above, we managed to retrieve a username and password.


Let’s access the machine using the credentials that we found earlier.


Sadly, there’s no root flag at the svc_deploy privilege level.


We can execute commands such as the following to retrieve the password:

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

As a result, let’s access the machine using the administrator’s credentials.


Sadly, we still cannot find the root flag even though we are accessing the machine as administrator.


Let’s list the users assigned to the machine.


I notice that TRX is another user that we can investigate.


Finally, we spot the root flag inside TRX’s Desktop directory.


We can read the root flag by executing the “type root.txt” command.


-THE END-


Happy Learning Guys!

Extra Information


We can use a secretsdump.py command such as the one below so that we can unlock and read the write-up.