Official Timelapse Discussion

Hello world.

Defender is active on this box… WinPEAS is detected.

Have you encountered the same problem?

Use .bat instead of .exe

Thanks. I hadn’t even thought about it :wink:

Mine ran OK with a hint in its output.

Finally rooted, main hold up was issues with a snake not playing nice.
Found another way…yay…

I have a foothold in the box after setting up e—W–R- but the session is very unstable and it keeps asking me for P-- p------d, am I the only one having this issue? Also some security protections are blocking me from spawning a rev shell.
Either way I managed to run both WinPEAS and BloodHound.

Very good machine, Timelapse. Loads to learn.

Tips - Don’t get lost in the info available after recon. Most obvious of all vulnerabilities will help you get in and once you are in, find another user through past & that user can help with “root” problem. Happy to help if anyone needs a hand.

Thanks @ctrlzero

What are you guys using to crack? I’m using p** 2 J*** and several wordlists and it’s maxing my system as well as taking forever. Is there a dedicated Kali tool to split the pfx file?

Finally got root, had to go the manual enumeration route as I couldn’t get our favourite green vegetable script to bypass AMSI. Might have missed the important file while manually enumerating if it weren’t for some of the little hints on here. Very curious how some people were able to get the w******s.bat or .exe file to run past AMSI, tried so many different variants of it and AMSI bypass techniques. From a few chats with people on Discord and here it seems like AMSI just didn’t pick it up at all for some people…

Doesn’t work for me either, I am so stuck with in the with root and trying with some *********ec and getting errors… on domain…

Finally rooted.
Foothold: ask john
root: history will tell + name of the machine

In your initial enumeration before foothold you probably came across something else you haven’t used yet. Find a way to use that now.

#pwned
This is my first Windows/DC machine, thanks to @ctrlzero for this experience, I learned a lot of things like:

  • Do not give up. I lost perspective at the beginning and I forgot to properly enumerate SMB. Thanks @Laemboh for giving me the little push I needed.
  • I explored millions of tools to hack into Windows from my Kali: rpcclient, crackmapexec, BloodHound, winPEAS, Evil-WinRM, smbclient, Metasploit, also used john and SSL Converter to get my RSA from the cert. Many of these tools do not work on this machine though, due to AMSI and domain policies I guess. Others do not work at the beginning and we are able to use them later on.
  • I used Evil-WinRM so much here, that was a little like a downside but at least I master the tool now :slight_smile:
  • Also, why is the root flag not in the Administrator folder but in the other one instead? I lost like 10 min figuring it out.

I can say that timelapse.htb was a nice machine anyway, thanks

Woah so many spoilers in this!

This is my first Windows box on HTB and this one has me stumped. I was able to get the PW for the .z** file, and I made two files from one, but the .k** and the .p** files are empty and I’m not sure where to go from here. Should those 2 files be empty?

FINALLY got user, that was fun. Gonna go for root tonight!

How did you manage to run SharpHound? I keep getting Unable to connect to LDAP, verify your credentials using the latest x64 binary (1.0.3). And the .ps1 version is caught by Defender.

I used the Python version remotely.

I’m stuck, I have the .k** file and the possible user, but when I use e—W–R- I can’t stop it from asking for the p—w–d. I’ve searched and searched, I don’t know what to do anymore…

I’m stuck and am currently in need of a little guidance. I’ve logged in as the initial user on the domain, ran the popular script for esc and started trying to find a pathway from there… took a look into the past, found what appears to be a p******* for the s**_****** user, however I appear to be unable to log in as that user via w-rm, receiving generic errors on attempts via evil… which confuses me as I get a 'logon successful' via Metasploit enumeration (though I receive another error after login that closes the session). Am I on the right path or should I abandon w-rm login for this user and find another way?