The goal of the challenge is to gain root access to a Windows Server and read two flag files, user.txt and root.txt, by manually invoking privilege escalation to root via RDP. There are two methods to achieve this. The first involves hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. The second uses RDP to gain initial access to the system. I use various tools such as dirb, windows privesc suggester, and vim to carry out enumeration and exploit the system.
- Link: https://tryhackme.com/room/retro
- Difficulty: hard
- Highlight: manually gaining privesc to root via RDP
- Tools used: vim, windows privesc suggester
- Tags: windows, ctf, privesc
There are two ways to solve this box. In this walkthrough, I’ll demonstrate method one of rooting the box using RDP (Remote Desktop Protocol) and manually invoking privesc to root. In part II of this walkthrough, I’ll demonstrate the other way to solve the box, by hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. Let’s get started!
First, I’ll note down my IPs in export format to use later as bash variables.

```bash
export myIP=10.6.2.23
export targetIP=10.10.158.189
```
First, let’s kick it off with a standard nmap scan:

```
# Nmap 7.92 scan initiated Wed Feb 22 07:56:51 2023 as: nmap -A -oN nmap-initial.txt -p- -Pn 10.10.158.189
Nmap scan report for 10.10.158.189
Host is up (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2023-02-22T18:05:52+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2023-02-21T17:54:49
|_Not valid after:  2023-08-23T17:54:49
|_ssl-date: 2023-02-22T18:05:55+00:00; +5h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2016 (89%), Microsoft Windows Server 2012 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s

TRACEROUTE (using port 3389/tcp)
HOP RTT      ADDRESS
1   11.12 ms 10.6.0.1
2   ... 3
4   82.93 ms 10.10.158.189

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 22 08:05:55 2023 -- 1 IP address (1 host up) scanned in 544.32 seconds
```
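Reading a full `-A` scan by eye is fine for one box, but a defender reviewing scans of their own servers wants the open ports and host-script findings pulled out into a structured summary (RDP reachable from the scanning network, the risky TRACE method, the five-hour clock skew). The following Python is an added example and not code from the original walkthrough: it parses Nmap's normal (`-oN`) output format, as shown above, using a constructed excerpt of that scan as input. The review-item wording and the list of services to flag are my own assumptions.

```python
"""Added example: parse Nmap normal (-oN) output into a structured summary and
derive review items a defender would act on. SAMPLE_NMAP is a constructed
excerpt of the scan in the walkthrough, trimmed to the lines the parser uses."""
import re

# Constructed sample in Nmap -oN format (excerpt of the scan above).
SAMPLE_NMAP = """\
# Nmap 7.92 scan initiated Wed Feb 22 07:56:51 2023 as: nmap -A -oN nmap-initial.txt -p- -Pn 10.10.158.189
Nmap scan report for 10.10.158.189
Host is up (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Product_Version: 10.0.14393
|_ssl-date: 2023-02-22T18:05:55+00:00; +5h00m00s from scanner time.
Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
"""

# "80/tcp   open  http   Microsoft IIS httpd 10.0" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (\S+),")

# Assumption: services that should not be reachable from the scanning network.
REVIEW_SERVICES = {
    "ms-wbt-server": "RDP exposed; restrict to VPN/jump host and enforce NLA + MFA",
}


def parse_nmap(text):
    """Return {'host', 'ports': [port dicts with NSE script lines], 'clock_skew'}."""
    result = {"host": None, "ports": [], "clock_skew": None}
    current = None  # port entry that following "|" script lines belong to
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            result["host"] = line.split()[-1].strip("()")
            continue
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            }
            result["ports"].append(current)
            continue
        if line.startswith("Host script results"):
            current = None  # host-level scripts follow; stop attributing to a port
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").rstrip())
            continue
        m = SKEW_RE.search(line)
        if m:
            result["clock_skew"] = m.group(1)
    return result


def findings(parsed):
    """Turn the parsed scan into review items, in port order then host-level."""
    items = []
    for p in parsed["ports"]:
        if p["state"] != "open":
            continue
        if p["service"] in REVIEW_SERVICES:
            items.append(f"{p['port']}/{p['proto']}: {REVIEW_SERVICES[p['service']]}")
        if any("risky methods" in s and "TRACE" in s for s in p["scripts"]):
            items.append(f"{p['port']}/{p['proto']}: HTTP TRACE enabled; disable it on IIS")
    if parsed["clock_skew"]:
        items.append(f"clock skew {parsed['clock_skew']}; check NTP (breaks log correlation)")
    return items


if __name__ == "__main__":
    for item in findings(parse_nmap(SAMPLE_NMAP)):
        print(item)
```

The parser keys on the `PORT/proto` column layout and on the `|`/`|_` prefixes Nmap uses for NSE script output, which is stable across versions; anything more elaborate is better done from `-oX` XML output with a real XML parser.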
It looks like we have a web server running on port 80 and probably Windows RDP on port 3389. Let’s run dirb to see if we can sniff out any hidden directories on the web server. Running dirbuster with the medium wordlist discovered a curiously named directory: /retro. We will use this in the alternate solution in part II.
WALK THE WEBSITE
Next, we can walk the website and keep an eye out for any potential credentials revealed in the text. The user Wade has posted everything, so it seems likely that wade might be a username. The avatar of the main character in Ready Player One is mentioned and even spelled out in one of the comments (Parzival).

Let’s test our hunch that parzival may be a password and proceed with wade:parzival as our login credentials. We know there is an RDP service, so that may be a place to use them. Also, the blog is hosted by WordPress, so the credentials may also work for the WordPress admin portal. Let’s move ahead first with RDP.
Let’s attempt to log in to RDP with our credentials above. My normal attack box on Parrot OS running rdesktop didn’t work to log into this box, presumably because Windows Defender was activated on the target Windows machine. xfreerdp worked from my Kali attack box.

```bash
xfreerdp /u:wade /p:parzival /w:1367 /h:768 /v:10.10.158.189:3389
```
Now we are in with a foothold! Let’s get to our local recon.
We found the user.txt flag on the desktop! Right away, I noticed that the recycle bin had something inside. I dragged the curious file back to the desktop. Checking the browser’s history and bookmarks (Chrome and Internet Explorer) led to discovering a bookmarked exploit. A quick Google search led me to a GitHub page with instructions for manually carrying out privesc to root.
After opening the mystery program from the recycle bin as Administrator and triggering the UAC prompt, we follow the rest of the instructions from GitHub and gain an NT AUTHORITY\SYSTEM shell (the Windows equivalent of root on Linux)! Now that we are root, let’s grab the root.txt flag and finish off this box!
It is nice to see challenge boxes on THM that have multiple pathways toward success. In the Retro Part II write-up and walkthrough I’ll demonstrate the other method, using the WordPress 404.php file to spawn a reverse meterpreter shell and privesc to root via the terminal. That’s all for now. See you next time!
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.