In this post, I would like to share a walkthrough of the Timelapse Machine from Hack the Box

This room will be considered as a Easy machine on Hack The box

What will you gain from the Timelapse machine?

For the user flag, you will need to abuse a vulnerability on asgaros-forum and use an exploit that is available on the internet. We also enumerate MySQL database and wp-login to escalate to user privileges access.

As for the root flag, you need to take advantage of the cron job where we can throw a reverse shell on the machine

Information Gathering on Timelapse Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the Nmap result, I notice that there is no port 80 and port 443 is open to the public. However, i am aware that port 45 which is assigned to smb is open

Let’s enumerate the smb service using smbclient -L <IP Address> command

Enumerate the smb service using smbclient

Based on my experience, i normally access the SMB sharename such as Shares which there could contain an interesting file stored.

We can use the tool such as smbclient by using the command smbclient \\\\<IP Address>\\<sharename> to access Shares

I notice that there are two directories such as Dev and HelpDesk

Inside Dev Directory, I notice that that we can download into our attacker’s machine

We can use the command get to download the file

There are a few more files that can be found inside the HelpDesk Directory

Let’s extract the file but sadly the file is been encrypted with a password.

Firstly, we need to change the zip file into the john file by using zip2john

We can obtain the password when we cracked using john

Finally, we can unzip the file

I found only one file that was stored inside the zip which is called legacyy_dev_auth.pfx

We can change the pfx file into john by using the tool

However, some people will use other tools such as crackpkcs12

Disclaimer: I managed to obtain the password during my first run test but i didn’t manage to obtain the password during the second run.

Next, we can obtain the cert and key by running the command shown above.

We can use that cert and keys to access the machine using evil-wirnm command such as evil-winrm -i <IP Address> -c <cert> -k <key> -p ” -u legacy -S

There is a user flag on the legacyy Desktop

We can read the user flag by running the command “type user.txt

Escalate to Root Privileges Access

Let’s see the console history and required to enter the password

From my understanding of the command above., we managed to retrieve a username and password

Let’s access the machine using the credentials that we found earlier.

Sadly, there’s no root flag on svc_deploy privileges access.

We can execute the command such as the following to retrieve the password

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

As a result, let’s access the machine using the administrator’s credentials.

Sadly, we still cannot retrieve the root flag even though we are accessing it as administrator.

Let’s see the listing of the user that assigned to the machine

I notice that TRX is another user that we can investigate

Finally, we sighted the root flag inside TRX’s Desktop directory

We can read the root flag by executing the “type root.txt” command


Happy Learning Guys!

Extra Information

We can use the command such as below so that we can unlock and read the write-up

Leave a Reply

Your email address will not be published. Required fields are marked *