#tryhackme #windows #hard

I honestly didn't enjoy this machine -- not just because the privilege escalation part wasn't working properly, but also because it was not a traditional and not so "Offsec-ish" type of machine. Don't get me wrong -- I enjoy exploring different methods for enumeration, exploitation, and privilege escalation. But right now, my main goal is to obtain the OSCP, so I prefer content that aligns more closely with that path. I don't know. I'm just throwing a bit of a tantrum because this machine took up a lot of my time and left me feeling frustrated haha.

![[Pasted image 20250709000133.png]]

---

# Information Gathering - Nmap

An Nmap TCP scan against all ports reveals 2 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 20:04 CDT
Nmap scan report for 10.10.131.207
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 43.97 seconds
```

A more detailed scan reveals the versions and configurations of the services running on those two ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,3389 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 20:11 CDT
Nmap scan report for 10.10.131.207
Host is up (0.13s latency).
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2025-07-08T00:48:03
|_Not valid after:  2026-01-07T00:48:03
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2025-07-09T01:11:52+00:00
|_ssl-date: 2025-07-09T01:11:56+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.60 seconds
```

A UDP scan against the top 10 ports discovered the following:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 20:15 CDT
Nmap scan report for 10.10.131.207
Host is up.

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 3.18 seconds
```

# Footprinting

##### Port 80

The landing page of the service on port 80 is just the default Microsoft IIS Server page.

![[Pasted image 20250708202138.png]]

The `gobuster` tool discovered the `/retro` directory.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.131.207
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/retro                (Status: 301) [Size: 150] [--> http://10.10.131.207/retro/]
```

Then I ran another `gobuster` scan on `/retro`, and it found that the CMS running behind the server is WordPress.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP/retro -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.131.207/retro
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 161] [--> http://10.10.131.207/retro/wp-content/]
/wp-includes          (Status: 301) [Size: 162] [--> http://10.10.131.207/retro/wp-includes/]
/wp-admin             (Status: 301) [Size: 159] [--> http://10.10.131.207/retro/wp-admin/]
```

Unfortunately, we haven't found any set of credentials yet.
However, on the `/retro` page, the name `Wade` appears everywhere. I could probably try using that as the `username` when attempting a brute-force attack.

![[Pasted image 20250708204619.png]]

This is the error message I get when I attempt to log in with the credentials `wook:abcd`:

![[Pasted image 20250708205620.png]]

And this is the error message I get when I attempt to log in with the credentials `wade:abcd`. It's telling us there actually is a user with the username `wade`.

![[Pasted image 20250708205659.png]]

Before we move on to a brute-force attack, I thought it would be a good idea to make a custom wordlist using `cewl`, since there are quite a few words on the `/retro` page.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cewl http://$IP/retro -w retro_wordlist.txt
CeWL 6.2.1 (More Fixes) Robin Wood ([email protected]) (https://digi.ninja/)
```

`retro_wordlist.txt`

![[Pasted image 20250708210255.png]]

Looks like we got the password :) I am not a big fan of brute-force attacks because they are noisy and time-consuming.

![[Pasted image 20250708215642.png]]

Wade left a comment including his password `parzival` at `/retro/index.php/2019/12/09/ready-player-one/#comment-2`.

![[Pasted image 20250708215546.png]]

Successfully logged in, and we are taken to `/wp-admin`.

![[Pasted image 20250708220124.png]]

# Exploit - Initial Access

The WordPress CMS instances I have dealt with in the past usually allowed me to get a reverse shell by modifying a file in `Appearance` > `Theme Editor`. However, I was not able to get a connection.

![[Pasted image 20250708221237.png]]

However, we have an even easier way to get initial access. I remembered the system had port 3389 open. The command `xfreerdp /v:$IP /u:wade /p:parzival /dynamic-resolution` was executed successfully. On the Desktop, I found the `user.txt` flag!
![[Pasted image 20250708221758.png]]

![[Pasted image 20250708221910.png]]

# Privilege Escalation

`systeminfo`

![[Pasted image 20250708222840.png]]

`whoami /all`

![[Pasted image 20250708222909.png]]

The Google Chrome browser on the RDP server has an NVD page bookmarked. The path points to the vulnerability `CVE-2019-1388`.

![[Pasted image 20250708233236.png]]

I searched for `CVE-2019-1388 exploit` and found this. The first step of the exploit is to "find a program that can trigger the UAC prompt screen".

![[Pasted image 20250708233507.png]]

I found a suspicious program in the Recycle Bin.

![[Pasted image 20250708233252.png]]

The first step was to run the program. The second step is to select `Show more details`.

![[Pasted image 20250708233711.png]]

Step #3 is to select `Show information about the publisher's certificate`.

![[Pasted image 20250708233936.png]]

Step #4 - Click on the `Issued by` URL link; it will prompt a browser interface.

![[Pasted image 20250708234044.png]]

For some reason, I was stuck here for a long time. Then I saw that other people were having the same issue and couldn't exploit the machine with this method either.

![[Pasted image 20250708234925.png]]

The other method people came up with was to exploit `CVE-2017-0213` using this payload: https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213. I downloaded the payload above to my local Kali and successfully transferred the file over to the remote victim server.

![[Pasted image 20250708235831.png]]

As soon as I executed the payload, `cmd` popped up as `administrator`.

![[Pasted image 20250708235859.png]]

Found the `root.txt`!

![[Pasted image 20250709000001.png]]
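Looking back at the Footprinting section, the `wp-login.php` error messages told us which usernames exist, and a brute-force attempt against the login would have been the next step. As an added example (not part of this writeup), here is how a defender would spot that activity in the IIS logs of a server like this one: a sliding-window count of POSTs to `/retro/wp-login.php` per client, flagging clients that also receive the 302 that WordPress sends on a successful login. The log excerpt is constructed (the client IPs 10.10.14.5 and 10.10.14.9 are made up); the field layout follows the IIS W3C format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the writeup): one normal visitor
# (10.10.14.5) and one client (10.10.14.9) hammering /retro/wp-login.php.
# WordPress answers a failed login with 200 (error page) and a success with 302.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-08 21:05:01 10.10.131.207 GET /retro/ - 80 - 10.10.14.5 Mozilla/5.0 200
2025-07-08 21:05:20 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.5 Mozilla/5.0 302
2025-07-08 21:06:01 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 200
2025-07-08 21:06:02 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 200
2025-07-08 21:06:03 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 200
2025-07-08 21:06:04 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 200
2025-07-08 21:06:05 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 200
2025-07-08 21:06:06 10.10.131.207 POST /retro/wp-login.php - 80 - 10.10.14.9 Mozilla/5.0 302
"""


def parse_w3c(text):
    """Yield one dict per request, using the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip rows that don't match the layout
                yield dict(zip(fields, parts))


def find_wp_login_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: (peak POSTs to wp-login.php inside `window`, got a 302)}
    for clients crossing `threshold`; a 302 means a password was accepted."""
    posts = defaultdict(list)
    for row in parse_w3c(text):
        if row["cs-method"] == "POST" and row["cs-uri-stem"].endswith("/wp-login.php"):
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            posts[row["c-ip"]].append((ts, row["sc-status"]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = (peak, any(status == "302" for _, status in events))
    return alerts
```

A flagged client whose burst ends in a 302 is the case that matters most: the account that logged in right after the burst should be reviewed, and the wp-login.php endpoint is the natural place for rate limiting or lockout.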