CTF-Writeups/Vulnlab/Retro2.md
2024-10-07 22:21:10 +03:00

Vulnlab - Retro2

PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
3389/tcp  open  ms-wbt-server
5722/tcp  open  msdfsr
49154/tcp open  unknown
49156/tcp open  unknown
49173/tcp open  unknown

Enumerating SMB shares with null authentication

We have the share public, which has two directories: DB and Temp

The Temp directory holds staff.accdb, which is a Microsoft Access database file

At the same time, since the guest account is enabled, we can enumerate domain users by brute-forcing their SIDs with lookupsid.py from Impacket

We could try AS-REP roasting on these accounts, but first let's focus on the Access database file retrieved from the SMB share

Opening this file in Microsoft Access prompts for a password; with office2john we can extract the hash of the Access database file

The hash can be cracked with john using the rockyou.txt wordlist

With the password we can now open the file and retrieve the password of ldapreader

Enumerating the shares again as this user to see whether we have write access anywhere

Enumerating the domain with BloodHound, using the bloodhound-python collector

BloodHound didn't show any path leading to other domain users; however, there is a group Pre-Windows 2000 Compatible Access, indicating that a computer account may have been created as a pre-Windows 2000 account, which means its password is the machine account name in lowercase (the part before the $ symbol)

Verifying this with nxc

The status STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT shows that the password is correct, but the account has not been used yet, so its password needs to be changed before it can be used
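From the defender's side, the same status is the signal to watch for: a computer account only ever authenticates through its host's secure channel, so a failed logon for a $ account that gets past the password check and fails on the trust-account check means someone else supplied that account's password. The script below is an added example, not part of the original write-up. The log lines are constructed in a simplified key=value form (not verbatim Windows event text); the field names mirror the 4625 logon-failure event, but that layout, the source addresses 10.10.14.5 and 10.10.90.70, and the assumption that the NTSTATUS surfaces in the SubStatus field are all assumptions made here.

```python
"""Flag failed logons that look like a probe of a computer account's password.

Added example for this write-up, not code from the original. The log format
below is constructed and simplified; it is not verbatim Windows event output.
"""
from dataclasses import dataclass
from typing import List

# NTSTATUS value behind the status nxc printed in the write-up.
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT = 0xC0000199

# Constructed sample: a wrong-password failure against a user account, a
# wrong-password failure against FS02$ (0xC000006A = STATUS_WRONG_PASSWORD),
# the probe with the correct password (0xC0000199), and one ordinary
# successful logon (4624). 10.10.14.5 and 10.10.90.70 are constructed.
SAMPLE_LOG = """\
EventID=4625 TargetUserName=ldapreader IpAddress=10.10.14.5 SubStatus=0xC000006A
EventID=4625 TargetUserName=FS02$ IpAddress=10.10.14.5 SubStatus=0xC000006A
EventID=4625 TargetUserName=FS02$ IpAddress=10.10.14.5 SubStatus=0xC0000199
EventID=4624 TargetUserName=FS02$ IpAddress=10.10.90.70 SubStatus=0x0
"""


@dataclass
class LogonEvent:
    event_id: int
    target_user: str
    source_ip: str
    sub_status: int


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed key=value lines into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        events.append(LogonEvent(
            event_id=int(fields["EventID"]),
            target_user=fields["TargetUserName"],
            source_ip=fields["IpAddress"],
            sub_status=int(fields["SubStatus"], 16),
        ))
    return events


def is_machine_account(name: str) -> bool:
    """Computer accounts have sAMAccountNames ending in '$'."""
    return name.endswith("$")


def trust_account_probes(events: List[LogonEvent]) -> List[LogonEvent]:
    """Return failed logons where a computer account hit 0xC0000199.

    The password check runs before the trust-account check, so a 4625 with
    this sub-status means the supplied password for the computer account was
    correct and only the logon type was refused. A wrong password would have
    produced 0xC000006A instead, as in the second sample line.
    """
    return [e for e in events
            if e.event_id == 4625
            and is_machine_account(e.target_user)
            and e.sub_status == STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT]


if __name__ == "__main__":
    for hit in trust_account_probes(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {hit.target_user} password accepted from {hit.source_ip} "
              f"(sub-status {hit.sub_status:#010x})")
```

Only the third sample line is reported: the wrong-password attempts against FS02$ and the failure against ldapreader carry a different sub-status, and the 4624 is a success rather than a failure.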

The password can be changed with kpasswd, but prior to that /etc/krb5.conf needs to be modified to add RETRO2.VL as the realm

[libdefaults]
        default_realm = RETRO2.VL
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        RETRO2.VL = {
                kdc = BLN01.RETRO2.VL
                admin_server = BLN01.RETRO2.VL
        }
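A quick consistency check on the file saves a round of confusing kpasswd errors: the realm name is case-sensitive and conventionally upper-case, it must have its own block under [realms], and kpasswd needs an admin_server (it falls back to port 464 on that host when no kpasswd_server is set). The parser below is an added example, not part of the original write-up; it only understands the subset of krb5.conf syntax used above (section headers, key = value lines, and REALM = { ... } blocks), and the sample config it checks is the one from this page.

```python
"""Parse a minimal krb5.conf and check it is usable for kpasswd against RETRO2.VL.

Added example for this write-up, not code from the original. Handles only
[section] headers, key = value lines, and NAME = { ... } blocks.
"""
import re
from typing import Any, Dict, List

# Same content as the /etc/krb5.conf shown in the write-up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = RETRO2.VL
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        rdns = false
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        RETRO2.VL = {
                kdc = BLN01.RETRO2.VL
                admin_server = BLN01.RETRO2.VL
        }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {section: {key: value or {subkey: value}}}."""
    sections: Dict[str, Dict[str, Any]] = {}
    current = None   # dict of the section being filled
    block = None     # name of the open NAME = { ... } block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError(f"setting outside of any section: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("unexpected '}'")
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = key
            current[key] = {}
        elif block is not None:
            current[block][key] = value
        else:
            current[key] = value
    if block is not None:
        raise ValueError("unterminated '{' block")
    return sections


def check_realm_config(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of problems; an empty list means kpasswd should find its way."""
    problems: List[str] = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} should be upper-case")
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        problems.append(f"no [realms] block for {realm}")
        return problems
    # kpasswd uses kpasswd_server if set, otherwise port 464 on admin_server.
    if "kpasswd_server" not in entry and "admin_server" not in entry:
        problems.append(f"[realms] {realm} has neither kpasswd_server nor admin_server")
    if "kdc" not in entry:
        problems.append(f"[realms] {realm} has no kdc")
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(check_realm_config(conf) or "krb5.conf looks usable for kpasswd")
```

Running it against the page's config reports no problems; feeding it a file whose default_realm is written as retro2.vl with no matching [realms] block reports both issues, which is the typical cause of a "Cannot find KDC for realm" style failure.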

Checking BloodHound again, this time for FS02

To abuse this, we can use net rpc to change the password of ADMWS01 (authenticating as fs02$) and then, through ADMWS01, add ldapreader to the Services group, again with net rpc

net rpc password "ADMWS01$" -U "retro2.vl"/"fs02$" -S 10.10.90.65

Adding the user to the Services group

We can verify that the user has been added to the Services group

Attempting to log in through xfreerdp shows a TLS connection error because of how old the system is

Specifying /tls-seclevel:0 lets us log in

xfreerdp /u:ldapreader /p:password /v:10.10.90.65 /tls-seclevel:0

References

ldapreader:ppYaVcB5R
fs02:fs02