Timelapse writeup by evyatar9

Read my writeup for Timelapse machine on


User 1: By enumerating the shares we found a zip file called winrm_backup.zip , By cracking the zip we found legacyy_dev_auth.pfx file (Client certificate authentication with WinRM), Using the pfx file we create a certificate and private key and we use them to login using evil-winrm as legacyy user.

User 2: By enumerating the PowerShell history we found the password of svc_deploy user.

Root: Extracting the password of Administrator user from LAPS Using pyLAPS.