TryHackMe Retro Walkthrough – How I Gained “NT Authority” on a Windows Server

5/5 - (1 vote)


The goal of the challenge is to gain root access (Windows Server) to two text files, user.txt and root.txt, by manually invoking privilege escalation to root via RDP. There are two methods to achieve this. The first involves hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. The second uses RDP to gain initial access to the system. I use various tools such as nmap, dirb, windows privesc suggester, and vim to carry out enumeration and exploit the system.

TryHackMe Retro Walkthrough - How I Gained "NT Authority" on a Windows Server
  • Link:
  • Difficulty: hard
  • Target: user.txt, root.txt
  • Highlight: manually gaining privesc to root via rdp
  • Tools used: nmap, dirb, rdp, vim, windows privesc suggester
  • Tags: windows, ctf, privesc


There are two ways to solve this box.

In this walkthrough, I’ll demonstrate method one of rooting the box using RDP (remote desktop protocol) and manually invoking privesc to root.

In part II of this walkthrough, I’ll demonstrate the other way to solve the box, by hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. Let’s get started!

First, I’ll note down my IPs in export format to use later as bash variables.

export myIP=
export targetIP=


First, let’s kick it off with a standard nmap scan.

# Nmap 7.92 scan initiated Wed Feb 22 07:56:51 2023 as: nmap -A -oN nmap-initial.txt -p- -Pn
Nmap scan report for
Host is up (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
80/tcp   open  http      	Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2023-02-22T18:05:52+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2023-02-21T17:54:49
|_Not valid after:  2023-08-23T17:54:49
|_ssl-date: 2023-02-22T18:05:55+00:00; +5h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2016 (89%), Microsoft Windows Server 2012 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s

TRACEROUTE (using port 3389/tcp)
1   11.12 ms
2   ... 3
4   82.93 ms

OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Wed Feb 22 08:05:55 2023 -- 1 IP address (1 host up) scanned in 544.32 seconds

It looks like we have a webserver running on port 80 and probably a windows rdp on port 3389. Let’s run dirb to see if we can sniff out any hidden directories on the web server.

I used dirbuster with the medium wordlist and discovered a curiously named directory: /retro. We will use this in the alternate solution in part II.


Next, we can walk the website and keep an eye out for any potential credentials revealed in the text.

The user Wade has posted everything, so it seems likely that wade might be a username.

The avatar of the main character in Ready Player One is mentioned and even spelled out in one of the comments (Parzival).

Let’s test our hunch that parzival may be a password and proceed with wade:parzival as our login credentials. We know there is an rdp service so that may be a place to use them.

Also, the blog is hosted by WordPress, so the credentials may also be used for the WordPress admin portal. Let’s move ahead first with RDP.


Let’s attempt to log in to rdp with our credentials above.

My normal attack box on parrot OS running rdesktop didn’t work to log into this box, presumably because windows defender was activated on the target windows machine.

The software xfreerdp worked from my Kali attack box.

xfreerdp /u:wade /p:parzival /w:1367 /h:768 /v:

Now we are in with a foothold! Let’s get to our local recon.


We found the user.txt flag on the desktop!

Right away, I noticed that the recycling bin had something inside. 

I dragged the curious file back to the desktop. Checking the browser’s history and bookmarks (Chrome and Internet Explorer) led to discovering a bookmarked exploit. 

A quick google search led me to a Github page with instructions for manually carrying out privesc to root.


After opening the mystery program from the recycling bin as Administrator and triggering the UAC prompt screen, we follow the rest of the instructions from GitHub and gain nt authority (the windows equivalent of root on Linux) on a shell!


Now that we are root, let’s grab the root.txt flag and finish off this box!


It is nice to see challenge boxes on THM that have multiple pathways toward success.

In the Retro Part II write-up and walkthrough I’ll demonstrate the other method using the WordPress 404.php file to spawn a reverse meterpreter shell and privesc to root via the terminal.

That’s all for now. See you next time!

👉 Recommended: TryHackMe – DogCat Walkthrough