Retro: TryHackMe Writeup
Executive Summary
Retro is a fairly challenging Windows machine. To pwn it, we will first exploit a weak password to gain an initial foothold, then escalate our privileges to SYSTEM. That being said, enjoy :)
Setup
Note: The target machine does not reply to ICMP echo requests. Therefore, we’ll use Nmap’s -Pn flag to skip the host discovery step; with -Pn, Nmap treats the host as up without probing it first.
Reconnaissance
Nmap
We have two open TCP ports: 80 (HTTP) and 3389 (RDP).
Let’s start our enumeration with the web server, shall we?
Enumeration
HTTP
This is the default IIS webpage.
It is not really helpful. However, let’s check whether the web server is running other technologies:
Here, we’ve been able to find the version of the IIS server. We can then check whether this version is vulnerable:
Unfortunately, no exploit was found.
Nevertheless, let’s perform a directory enumeration to check whether we can find other interesting files or directories. For that, I used feroxbuster, a recursive content discovery tool written in Rust:
As you can see, feroxbuster found the /retro directory.
Furthermore, you can notice directories like /wp-content and /wp-includes, which belong to WordPress. From that, we deduce that the website is running WordPress.
With that said, let’s take a look at /retro:
Interesting! We can see a name: Wade.
Let’s first check the technologies used by this webpage, as well as their possible versions:
As you can see, this webpage is using WordPress (5.25.1) and PHP (7.1.29).
With this information in mind, we can try to look for exploits:
We did not find any exploit related to these versions of WordPress and PHP.
After clicking on Wade, I got this page:
By scrolling down, I noticed a login link, which redirected me to the WordPress login page once I clicked on it:
Nevertheless, curious about the “Hello World!” link, I clicked on it to see what Wade wanted to tell us:
Then, I clicked on the “Ready Player One” link:
Here, the text “I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down” caught my eye.
That means that Wade’s password is probably the name of the avatar.
Now, we need to figure out the name of this avatar.
To get that, I just used Google:
Great! We can now test the credentials Wade:Parzival either on the RDP server or on the WordPress login page.
Initial Access
Here, I started with the RDP server. For that, I used xfreerdp.
After trying the password “Parzival”, I got a failed login attempt; I then replaced it with “parzival” in lowercase and it worked:
For the sake of it, I also tried the password on the WordPress login page and noticed that it was reused:
Now, let’s try to escalate our privileges in order to retrieve the root flag.
Privilege Escalation
Let’s first generate a reverse shell using msfvenom:
Once the payload is generated, let’s upload it to the target system, then execute it to get a shell.
Hmm, guess what? As soon as I uploaded the reverse shell to the target machine, Windows Defender AV removed it.
You’re probably wondering why I didn’t just disable the AV. I tried, but it was not possible, as you can see:
I also tried to run cmd with administrator privileges. However, it asked for the administrator’s password:
All of this pushed me to be more creative and explore other ways to escalate my privileges.
That is where I decided to use the Windows Exploit Suggester script. After you download the repository, here’s how to proceed:
1/ First of all, let’s execute the systeminfo command on the target system:
2/ Let’s copy the output of the systeminfo command into a file located on our attacker machine:
3/ Download the security bulletin database from Microsoft using the --update flag:
4/ Check for possible exploits using the Microsoft bulletin database and the system information:
Unfortunately, I got an error saying that the script was unable to determine the Windows version from the input file specified.
After looking for solutions, I found this amazing resource (linked in the Resources section below) that explained how to fix the issue.
Indeed, we need to add ["2016","2016"] to the osnamearray variable in the windows-exploit-suggester Python script at line 959. We do that because our target is running Windows Server 2016, which the script’s OS name table does not include.
Once done, save the script and run the command again:
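The fix works because the suggester identifies the target by matching the "OS Name" line of systeminfo against a table of name fragments, and Server 2016 was simply missing from that table. The script below is an added example written for this writeup; it is neither the author’s code nor part of the Windows-Exploit-Suggester project. It parses a constructed systeminfo capture (host name and KB numbers are placeholders), identifies the OS with a small table of the same shape as osnamearray, and lists the installed hotfixes so a defender can diff them against the updates their patch baseline requires. The OS table, the sample output and the required-KB list are assumptions for illustration.

```python
import re

# Constructed, abridged `systeminfo` output used as sample input. It is not a
# capture from the TryHackMe machine; host name and KB numbers are placeholders.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Network Adapter
"""

# Table of (fragment of the "OS Name" line, canonical name), in the spirit of the
# suggester's osnamearray. The first match wins, so the more specific "R2" rows
# sit before their base versions. The "2016" row is the one the writeup had to
# add by hand; remove it and identify_os() returns None for the sample above.
OS_NAME_TABLE = [
    ("windows server 2008 r2", "2008 R2"),
    ("windows server 2008", "2008"),
    ("windows server 2012 r2", "2012 R2"),
    ("windows server 2012", "2012"),
    ("windows server 2016", "2016"),
    ("windows 10", "10"),
    ("windows 7", "7"),
]

FIELD_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")     # "Key:   value" lines
ENTRY_RE = re.compile(r"^\s+\[\d+\]:\s*(\S.*)$")  # indented "[01]: ..." entries


def parse_systeminfo(text):
    """Return the OS name/version and the installed hotfix list from systeminfo output."""
    fields = {}
    hotfixes = []
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            # Indented "[NN]:" entries belong to the most recent key; only the
            # ones listed under "Hotfix(s)" are patches.
            if current_key == "Hotfix(s)":
                hotfixes.append(entry.group(1).strip().upper())
            continue
        field = FIELD_RE.match(line)
        if field:
            current_key = field.group(1).strip()
            fields[current_key] = field.group(2).strip()
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "hotfixes": hotfixes,
    }


def identify_os(os_name):
    """Map an 'OS Name' string to a canonical version, or None if it is unknown."""
    lowered = os_name.casefold()
    for fragment, canonical in OS_NAME_TABLE:
        if fragment in lowered:
            return canonical
    return None


def missing_updates(installed, required):
    """Return the required KB identifiers that are absent from the installed list."""
    have = {kb.upper() for kb in installed}
    return sorted(kb.upper() for kb in required if kb.upper() not in have)


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("OS:", info["os_name"], "->", identify_os(info["os_name"]) or "UNKNOWN")
    print("Installed hotfixes:", ", ".join(info["hotfixes"]))
    # Placeholder baseline: replace with the KBs your patch policy requires.
    print("Missing:", missing_updates(info["hotfixes"], ["KB0000002", "KB0000009"]))
```

Run it against a real `systeminfo > sysinfo.txt` capture by reading the file into `parse_systeminfo`; an `UNKNOWN` result is exactly the condition that produced the suggester’s error, and the remedy is the same: add the missing fragment to the table.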
Let’s go ahead and download the kernel exploit:
Once done, let’s upload it to the target machine:
As you can see, we don’t have access to the c:\windows\temp folder. Therefore, let’s use the echo $env:temp command to display the temporary directory, then check whether it’s writable:
As you can see, we have full control. Let’s now upload our exploit:
Once done, let’s execute it:
Hooray \o/, the exploit ran successfully and we’ve obtained NT AUTHORITY\SYSTEM privileges. Let’s now retrieve the root flag, shall we?
Remediations
To gain full control of the server, we exploited the following weaknesses:
1/ Usage of weak passwords
To gain initial access to the server, we used the password “parzival”, which is the name of the main character’s avatar in the Ready Player One film. According to password best practices, users should use complex, lengthy and unpredictable passwords; a password that can be guessed from the user’s publicly visible interests is none of these. Here are some useful resources that could help you when creating passwords:
- https://www.cisa.gov/secure-our-world/require-strong-passwords
- https://blog.netwrix.com/2023/11/15/password-best-practices/
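As an added illustration of this remediation (not part of the original writeup), the Python below shows the kind of screening a password-setting workflow can run before accepting a new password: it normalizes the candidate (case, common character substitutions, leading and trailing decoration) and rejects it when it is built from a word an attacker could read off the user’s public profile, which is exactly how the "Parzival" versus "parzival" guess succeeded here. The deny-list and the 12-character minimum are assumptions chosen for the example; a real deployment would also screen against a breached-password corpus.

```python
import re

# Constructed deny-list of words tied to the account owner: the names and titles a
# visitor to Wade's blog would see. Illustrative data, not taken from any wordlist.
CONTEXT_WORDS = ["parzival", "wade", "ready player one", "retro"]

# Assumed minimum length for this example; use the value your own policy sets.
MIN_LENGTH = 12

# Common single-character substitutions, reversed so "P@rz1val" reads "parzival".
_DELEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, undo leet substitutions and strip leading/trailing decoration."""
    norm = password.casefold().translate(_DELEET)
    norm = re.sub(r"^[^a-z]+|[^a-z]+$", "", norm)
    return norm.replace(" ", "")


def assess_password(password, denylist=CONTEXT_WORDS, min_length=MIN_LENGTH):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    for word in denylist:
        fragment = word.casefold().replace(" ", "")
        # Flag an exact match, or the word embedded in the password when the word
        # is long enough for a substring match to be meaningful.
        if norm == fragment or (len(fragment) >= 4 and fragment in norm):
            findings.append(f"derived from guessable word '{word}'")
            break
    return findings


if __name__ == "__main__":
    for candidate in ["parzival", "Parzival", "P@rz1val2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {assess_password(candidate) or 'no findings'}")
```

The substring rule deliberately errs on the side of flagging: a case change, a trailing year or a "1" for an "i" does not rescue a password whose core is a word the attacker already knows.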
2/ Missing security update for Windows kernel
To gain SYSTEM privileges, we exploited a vulnerable kernel.
Therefore, it’s essential to always install the latest security updates, especially when they are released for critical vulnerabilities.
Feel free to check the resources listed in the Resources section below for more information.
Wrapping Up
That’s it guys. Congrats on having made it so far 👏.
I hope you enjoyed the writeup.
If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.
Resources
https://github.com/AonCyberLabs/Windows-Exploit-Suggester/issues/34
https://github.com/epi052/feroxbuster
https://epi052.github.io/feroxbuster-docs/docs/overview/
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
https://github.com/SecWiki/windows-kernel-exploits
https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS16-135/MS16-135.ps1
https://www.cisa.gov/secure-our-world/require-strong-passwords
https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135
Contact
GitHub: https://github.com/0liverFlow