TryHackMe: Retro — Walkthrough

caesar
7 min readJun 22, 2021

--

Introduction

This article aims to walk you through Retro box produced by DarkStar7471 and hosted on TryHackMe. Anyone who has access to TryHackMe can try to pwn this Windows box, this is a hard box. Hope you enjoy reading the walkthrough!

Reconnaissance

First of all, we are going to start the box after accessing the relevant page.

Waiting for a while, we are provided with IP address of the box, so we will scan it via Nmap.

Scanning

We are going to scan the IP for all open ports by typing the following command on our terminal. -p- indicates that we want to check all open ports and -Pn tells nmap that the target box does not respond to ping (ICMP) (it is also stated by the creator of the box), so nmap will not ping ports, it will suppose all addresses are up.

nmap -p- -Pn 10.10.x.x

After waiting for a while, we have got our results as shown below:

From open ports found by nmap, we understand that it is a Windows box as port 3389 is open on the box and we know that it is for Remote Desktop Connection. To gather further information on ports found by nmap, we will add some more arguments specifying open ports. -sV will scan to show service versions of applications on open ports, and -sC will run default scripts on services in order to check whether there is a vulnerability. As the box does not respond to ping, we will again add -Pn argument.

nmap -Pn -p 80,3389 10.10.x.x -sV -sC

In a short while, we have got our results and more details regarding open ports. And we decide to enumerate port 80 since we do not have more options.

Enumeration

First of all, we type IP address on our browser.

We see that there is an IIS web server on the box and we do not come across any other information that shows us a way to go further.

In this case, we run gobuster to bruteforce directories to see if we have something useful. We will use -u argument to specify URL and -w argument to provide the wordlist we want to use for directory bruteforcing. And to make bruteforcing process fast, we will specify threads as 30 by -t argument.

gobuster dir -u http://10.10.x.x/ -w /usr/share/wordlists/dirbuster/directory-list-2.3.-medium.txt -t 30

After waiting for a while, we have a result that we will check to see what /retro directory includes.

We see that there is a blog related to retro arcade games.

To enumerate further, we will bruteforce /retro directory via gobuster again to see if there is useful or some information that we can go on further.

gobuster dir -u http://10.10.x.x/retro/ -w /usr/share/wordlists/dirb/common.txt -t 30

We discover that it is a WordPress site, which is a low hanging fruit for us to get a low shell on the box.

It redirects to localhost, so to prevent redirection and to be able to access the web server, we need to add the box IP to our /etc/hosts file.

Now, we will use wpscan to enumerate plugins, themes, and users.

wpscan --url http://retro.thm/retro -e

We discover that everything on the box is updated, which straitens our attack surface, but we have a username on the box which is wade.

Since we have a username and our attack possibilities are limited to just a couple of ways. We are going to create a custom wordlist from WordPress blog we came accross earlier. To do this, we will use CeWL tool. We scan to a depth of 3 (-d 3) and use a minimum word length of 7 (-m 7), then save the words to a file (-w retrowl.txt), targeting the URL (http://retro.thm/retro/).

cewl -d 3 -m 7 -w retrowl.txt http://retro.thm/retro/

After we create our custom wordlist, we will bruteforce WordPress admin login page to see if we can get a valid password to log in.

wpscan --url http://retro.thm/retro --passwords retrowl.txt --usernames Wade

We wait for a while, then results come out and we have got credentials to log in on WordPress admin panel.

We log in using credentials we found via wpscan bruteforce, we try to get a reverse shell through editing /404.php page and we get a reverse shell; however, the shell we get drops the connecting every minute and we are not able to download files such as nc.exe nor a reverse shell we create via msfvenom to get a stable shell.

While this is the case, we remember that there is another open port on the box which allows us to connect via RDP.

Exploitation

So, we use credentials we found to log in via xfeerdp to see if we are able to have a connection to the box.

xfreerdp /u:wade /p:p**** /v:10.10.x.x

And it works. We are able to RDP into the box.

We are now on the box and it is time to enumerate for privilege escalation after getting our low shell hash located on Desktop inside user.txt.

We get our low shell hash.

Privilege Escalation

We enumerate the machine to find weak services, permissions, and files on the server.

We see that we can leverage CVE-2019–1388 on the box.

However, after trying that exploit for a while, we understand that we are not able to get root privileges on the box (this is personal experience, it may work for someone else). We decide to enumerate box further to find another way to escalate our privilege.

Therefore, since the box is Microsoft Windows Server 2016 Standard and OS version is 10.0.14393 N/A Build 14393, we decide to google it to find another way for post-exploitation.

We find a CVE-2017–0213, and we decide to use this exploit to escalate our privilege on the box.

In order to download file to target box, we set up an Http server on our attacking box via python3 and we move .zip file to the location of the web server we set up.

python3 -m http.server 80

Then on the target box, Google Chrome is installed, we open it and type our attacking box IP on the web browser and download it.

After downloading is done, we extract files to a directory of our preference.

And we double click on the binary to run it.

Then we click on run button, and after two seconds, we see a new terminal welcomes us, when we check who we are on the box, we see that we are NT Authority, which means we are root on the target box.

Then, we change our directory to Administrator’s Desktop to get the root hash.

And we get the root hash.

Now we have full authority on the box. Enjoy!

References

--

--