In this post, I would like to share a walkthrough of the Timelapse machine from Hack The Box.
This room is rated as an Easy machine on Hack The Box.
What will you gain from the Timelapse machine?
For the user flag, you will need to abuse a vulnerability in asgaros-forum and use an exploit that is available on the internet. We also enumerate the MySQL database and wp-login to escalate to user-level access.
As for the root flag, you need to take advantage of a cron job through which we can throw a reverse shell on the machine.
Information Gathering on Timelapse Machine
Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn
From the Nmap result, I notice that neither port 80 nor port 443 is open to the public. However, I can see that port 445, which is assigned to SMB, is open.
Let’s enumerate the SMB service using the smbclient -L <IP Address> command
Enumerate the smb service using smbclient
Based on my experience, I normally access an SMB share name such as Shares, which may contain interesting files.
We can use a tool such as smbclient, with the command smbclient \\\\<IP Address>\\<sharename>, to access Shares
I notice that there are two directories such as Dev and HelpDesk
Inside the Dev directory, I notice winrm_backup.zip, which we can download to our attacker machine
We can use the command get to download the file
There are a few more files that can be found inside the HelpDesk directory
Let’s extract the file, but sadly the zip has been encrypted with a password.
Firstly, we need to convert the zip file into a john hash by using zip2john
We can obtain the password once we crack that hash using john
Finally, we can unzip the file
I found only one file stored inside the zip, which is called legacyy_dev_auth.pfx
We can convert the pfx file into a john hash by using the tool pfx2john.py
However, some people will use other tools such as crackpkcs12
Disclaimer: I managed to obtain the password during my first run test, but I didn’t manage to obtain the password during the second run.
Next, we can obtain the cert and key by running the command shown above.
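The steps above (crack the PFX password, then pull the certificate and key out of it) are normally shown only as a screenshot. The following is an added example, not code from the original post: a small POSIX shell script that splits a PKCS#12 file into the PEM certificate and PEM key that evil-winrm’s -c and -k options expect, and then verifies that the key really belongs to the certificate. It assumes openssl is on PATH; make_sample_pfx builds constructed test data that stands in for legacyy_dev_auth.pfx and is not the file from the box.

```shell
#!/bin/sh
# Added example, not from the original post: split a .pfx (PKCS#12) bundle
# into the PEM certificate and PEM private key that evil-winrm's -c/-k
# options take, and check that the two actually belong together.
# Assumes `openssl` is on PATH. make_sample_pfx builds constructed test data
# that stands in for legacyy_dev_auth.pfx; it is not the file from the box.

# make_sample_pfx DIR PASSWORD : write DIR/sample.pfx protected by PASSWORD
make_sample_pfx() {
    dir="$1"; pass="$2"
    # throwaway self-signed cert + key (constructed data)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
        -keyout "$dir/sample.key" -out "$dir/sample.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/sample.key" -in "$dir/sample.crt" \
        -out "$dir/sample.pfx" -passout "pass:$pass"
}

# pfx_split PFX PASSWORD OUTDIR : write OUTDIR/cert.pem and OUTDIR/key.pem;
# returns non-zero when the password is wrong, because openssl verifies the
# PKCS#12 MAC before unpacking anything
pfx_split() {
    pfx="$1"; pass="$2"; out="$3"
    mkdir -p "$out"
    # -clcerts -nokeys : only the end-entity certificate
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" \
        -out "$out/cert.pem" 2>/dev/null || return 1
    # -nocerts -nodes  : only the private key, written without a passphrase
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$out/key.pem" 2>/dev/null || return 1
    chmod 600 "$out/key.pem"   # an unencrypted key on disk must not be world-readable
}

# pfx_pair_matches CERT KEY : exit 0 when the key's public half equals the
# public key inside the certificate (a mismatched pair only fails later,
# during the TLS client-auth handshake, with a confusing error)
pfx_pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: sh pfx_split.sh legacyy_dev_auth.pfx '<cracked password>' outdir
# (no arguments: only define the functions)
if [ "$#" -ge 2 ]; then
    pfx_split "$1" "$2" "${3:-.}" || { echo "wrong password or unreadable pfx" >&2; exit 1; }
    pfx_pair_matches "${3:-.}/cert.pem" "${3:-.}/key.pem" && echo "cert.pem and key.pem match"
fi
```

If a PFX exported by an older Windows host fails to open under OpenSSL 3 with an "unsupported" algorithm error, it was encrypted with RC2-40-CBC and the two openssl pkcs12 -in calls need the extra -legacy flag; the MAC check still rejects a wrong password either way, which is why pfx_split returns non-zero rather than leaving half-written files behind.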
We can use that cert and key to access the machine with an evil-winrm command such as evil-winrm -i <IP Address> -c <cert> -k <key> -p '' -u legacyy -S
There is a user flag on the legacyy Desktop
We can read the user flag by running the command “type user.txt”
Escalate to Root Privileges Access
Let’s look at the console history, where a command that required entering a password was recorded
From my understanding of the command above, we managed to retrieve a username and password
Let’s access the machine using the credentials that we found earlier.
Sadly, there’s no root flag at svc_deploy’s level of access.
We can execute a command such as the following to retrieve the password
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
As a result, let’s access the machine using the administrator’s credentials.
Sadly, we still cannot retrieve the root flag even though we are accessing it as administrator.
Let’s see the list of users assigned to the machine
I notice that TRX is another user that we can investigate
Finally, we spotted the root flag inside TRX’s Desktop directory
We can read the root flag by executing the “type root.txt” command
Happy Learning Guys!
We can use a secretsdump.py command such as the one below so that we can unlock and read the write-up