Retro - TryHackMe Walkthrough

Retro - “New high score! Can you time travel? If not, you might want to think about the next best thing.” This is a TryHackMe box. To access it you must sign up at https://tryhackme.com/.

URL: Retro

Difficulty: Hard

Author: DarkStar7471

We are given the IP 10.10.120.163. Add it to /etc/hosts as retro.thm and run a port scan:

nmap -p- -A retro.thm -oN portscan
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2020-07-29T15:13:43+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-07-28T15:04:04
|_Not valid after:  2021-01-27T15:04:04
|_ssl-date: 2020-07-29T15:13:44+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Check out port 80

port 80

What is the hidden directory which the website lives on?

Let’s run a DirBuster scan. The default wordlist returned no results, so I used directory-list-2.3-medium.txt.

Wordlist:

/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Results:

results

We found a directory called Retro.

http://retro.thm/retro/

Retro directory

user.txt

We have more to enumerate. The DirBuster results included some WordPress-related directories, so let’s visit wp-admin to confirm.

The URL redirects us to

https://localhost/retro/wp-login.php?redirect_to=http%3A%2F%2Fretro.thm%2Fretro%2Fwp-admin%2F&reauth=1

The redirect is built from the WordPress site URL, which on this box is configured as localhost. The quick workaround is to point localhost at the target in our hosts file (remove the entry again afterwards, since it breaks anything that expects localhost to resolve to 127.0.0.1):

sudo nano /etc/hosts
10.10.120.163 retro.thm localhost

Revisit the wp-admin page:

wp-admin

Let’s run WPScan:

wpscan --url http://retro.thm/retro -e u

The -e u option enumerates usernames through the author archive pattern, the WP REST API users endpoint and the wording of login error messages.

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://retro.thm/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

We’ve found wade. The first result says the username was found through author posts, so I read through his posts.

One of his posts has a comment by Wade himself:

Comment side

Here is the comment:

Comment

Leaving myself a note here just in case I forget how to spell it: parzival

This turns out to be the password for his WordPress account. Log in:

wp admin login

I looked around for a bit, but this seems to be a dead end: I checked the installed plugins, the WordPress version and so on, but found no obvious vulnerabilities.

What else could we do with these credentials? The other open port is RDP, and passwords are often reused between a web application and a local Windows account. Let’s try to connect with the same credentials:

xfreerdp /u:wade /p:parzival /v:retro.thm

We successfully got an RDP session:

RDP

The user flag is on the desktop.

root.txt

The machine has Chrome installed, which is not part of a default Windows Server install, so I checked the browser for anything useful.

I saw this:

Bookmarked

https://nvd.nist.gov/vuln/detail/CVE-2019-1388

I found this exploit:

CVE-2019-1388 - Github

Let’s download the .exe to our local machine and serve it over an HTTP server on port 8080 so we can transfer it to the Windows machine.

For simplicity, I visited http://10.9.6.63:8080/ (the attacking machine) in Chrome on the target and downloaded the binary.

I followed the exploit’s steps, but it didn’t lead anywhere. Time for some further inspection of the Windows system:

C:\Users\Wade\Documents>systeminfo

Host Name:                 RETROWEB
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation

I researched build 14393 (Windows Server 2016, version 1607) and also ran Windows Exploit Suggester against the systeminfo output:

Windows Exploit Suggester - Github

And I found this exploit:

CVE-2017-0213 - Github

CVE-2017-0213 is a Windows COM elevation-of-privilege bug patched in May 2017, and this build is affected when that update is missing. So all we need to do is transfer CVE-2017-0213_x64.exe to the target the same way and run it. Treat a precompiled exploit binary from GitHub as untrusted: build it from source where you can, and at least hash and inspect it before running it anywhere outside a throwaway lab like this one.

Binary 2

Now run the executable by double-clicking it in Explorer rather than from a terminal, and a new command prompt opens with elevated privileges (confirm the user in the new prompt before going further).

rooted

The last flag is in the Administrator’s Desktop directory. Thank you for reading.

Written on July 30, 2020