Read my writeup for Timelapse machine on
TL;DR
User 1: By enumerating the shares we found a zip file called winrm_backup.zip. By cracking the zip we found the legacyy_dev_auth.pfx file (client certificate authentication with WinRM). Using the pfx file we created a certificate and private key, and we used them to log in using evil-winrm as the legacyy user.
User 2: By enumerating the PowerShell history we found the password of the svc_deploy user.
Root: Extracting the password of the Administrator user from LAPS using pyLAPS.