diff --git a/Vulnlab/Retro2.md b/Vulnlab/Retro2.md
new file mode 100644
index 0000000..5b6825f
--- /dev/null
+++ b/Vulnlab/Retro2.md
@@ -0,0 +1,141 @@
+# Vulnlab - Retro2
+
+```bash
+PORT STATE SERVICE
+53/tcp open domain
+135/tcp open msrpc
+139/tcp open netbios-ssn
+445/tcp open microsoft-ds
+593/tcp open http-rpc-epmap
+3268/tcp open globalcatLDAP
+3389/tcp open ms-wbt-server
+5722/tcp open msdfsr
+49154/tcp open unknown
+49156/tcp open unknown
+49173/tcp open unknown
+```
+
+
+Enumerating smb shares will null authentication
+
+
+
+We have `public` , which has two directories `DB` and `Temp`
+
+
+
+Temp directory has `staff.accdb` which is a microsoft access database file
+
+
+
+At the same time enumerating domain users by brute forcing their SIDs with `lookupsid.py` from impacket with guest account being enabled
+
+
+
+We could try AS-REP roasting on these accounts but first let's focus on the access database file that we have retrieved from the smb share
+
+
+
+On opening this file on microsoft access, it will prompt us for password, with `office2john` we can get the hash of the access db file
+
+
+
+The hash can be cracked with john with the rockyou.txt wordlist
+
+
+
+With the password we can now access the file and retrieve the password of `ldapreader`
+
+
+
+Enumerating the shares with this user again to see if there's any write access that we have
+
+
+
+Enumerating the domain with bloodhound with `python-bloodhound`
+
+
+
+From bloodhound, it didn't showed any path leading to other domain users, however there's a group `PRE Windows 2000 Compatible Access` indicating that there might be a computer account assigned as pre windows 2000 account which means the password will be the same as the machine account in lowercase with the `$` symbol
+
+
+
+Verifying this through nxc
+
+
+
+The status `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT ` shows that the password is correct but this has not been used so the password needs to be changed
+
+
+
+The password can be changed with `kpasswd` but prior to that, `/etc/kr5.conf` needs to modified to add retro2.vl as domain realm
+
+```bash
+[libdefaults]
+ default_realm = RETRO2.VL
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ rdns = false
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+
+[realms]
+ RETRO2.VL = {
+ kdc = BLN01.RETRO2.VL
+ admin_server = BLN01.RETRO2.VL
+
+ }
+```
+
+
+
+Checking the bloodhound again for FS02
+
+
+
+For abusing this, we can use `net rpc` to change the password of `ADMWS01` and add ldapreader to `Services` group through ADMWS01 using net rpc
+
+
+
+```bash
+net rpc password "ADMWS01$" -U "retro2.vl"/"fs02$" -S 10.10.90.65
+```
+
+Adding the user into services group
+
+
+
+We can verify if the user has been added to services group
+
+
+
+On attempting to login through xfreerdp, it's going to show an error, tls connection failed due to how old the system was
+
+
+
+Specifying `/tls-seclevel:0` we'll be able to login
+
+```bash
+xfreerdp /u:ldapreader /p:password /v:10.10.90.65 /tls-seclevel:0
+```
+
+
+
+# References
+
+- https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+- https://medium.com/@offsecdeer/finding-weak-ad-computer-passwords-e3dc1ed220df
+- https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
+- https://www.thehacker.recipes/ad/movement/dacl/addmember
+- https://github.com/asbru-cm/asbru-cm/issues/688
+
+
+```
+ldapreader:ppYaVcB5R
+fs02:fs02
+```
+