CHALLENGE OVERVIEW

The goal of the challenge is to gain root access (Windows Server) to two text files, user.txt and root.txt, by manually invoking privilege escalation to root via RDP. There are two methods to achieve this. The first involves hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. The second uses RDP to gain initial access to the system. I use various tools such as nmap, dirb, windows privesc suggester, and vim to carry out enumeration and exploit the system.
- Link: https://tryhackme.com/room/retro
- Difficulty: hard
- Target: user.txt, root.txt
- Highlight: manually gaining privesc to root via rdp
- Tools used: nmap, dirb, rdp, vim, windows privesc suggester
- Tags: windows, ctf, privesc
BACKGROUND

There are two ways to solve this box. In this walkthrough, I’ll demonstrate method one of rooting the box using RDP (remote desktop protocol) and manually invoking privesc to root. In part II of this walkthrough, I’ll demonstrate the other way to solve the box, by hijacking a 404.php page on a WordPress site to spawn a reverse meterpreter shell. Let’s get started!
First, I’ll note down my IPs in export format to use later as bash variables.
export myIP=10.6.2.23
export targetIP=10.10.158.189
ENUMERATION/RECON

First, let’s kick it off with a standard nmap scan.
# Nmap 7.92 scan initiated Wed Feb 22 07:56:51 2023 as: nmap -A -oN nmap-initial.txt -p- -Pn 10.10.158.189
Nmap scan report for 10.10.158.189
Host is up (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2023-02-22T18:05:52+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2023-02-21T17:54:49
|_Not valid after: 2023-08-23T17:54:49
|_ssl-date: 2023-02-22T18:05:55+00:00; +5h00m00s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2016 (89%), Microsoft Windows Server 2012 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 11.12 ms 10.6.0.1
2 ... 3
4 82.93 ms 10.10.158.189
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Feb 22 08:05:55 2023 -- 1 IP address (1 host up) scanned in 544.32 seconds
It looks like we have a webserver running on port 80 and probably a windows rdp on port 3389. Let’s run dirb to see if we can sniff out any hidden directories on the web server.
I used dirbuster with the medium wordlist and discovered a curiously named directory: /retro. We will use this in the alternate solution in part II.
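Reading a full-port nmap report by eye works for one host, but the same scan output can be turned into structured findings. The following is an added example, not code from the original write-up: it parses nmap's normal (-oN) output format for the port table, the per-port script results (including the rdp-ntlm-info block that leaks hostname and build before any authentication), and the host clock-skew line, then produces the kind of triage notes a defender would want from the scan above. The sample text is a constructed, trimmed copy of the scan shown above, and all function names are my own.

```python
"""Parse nmap normal (-oN) output into port records and defender-facing findings.

Added example (not from the original post). SAMPLE_SCAN is a constructed,
trimmed copy of the nmap output shown in the write-up; real nmap output indents
nested script fields, but this parser does not rely on that indentation.
"""
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.10.158.189
Host is up (0.081s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| Product_Version: 10.0.14393
|_ System_Time: 2023-02-22T18:05:52+00:00
|_ssl-date: 2023-02-22T18:05:55+00:00; +5h00m00s from scanner time.
Host script results:
|_clock-skew: mean: 4h59m59s, deviation: 0s, median: 4h59m59s
"""

# "80/tcp open http Microsoft IIS httpd 10.0" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script lines start with "| " or "|_"
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?)(\d+)h(\d+)m(\d+)s")


def parse_nmap_normal(text):
    """Return a list of port dicts, each carrying the script lines printed under it."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": [],
            }
            ports.append(current)
            continue
        if line.startswith("Host script results"):
            current = None  # host-level scripts are not tied to a port
            continue
        sm = SCRIPT_RE.match(line)
        if sm and current is not None:
            current["scripts"].append(sm.group(1).strip())
    return ports


def rdp_ntlm_info(port):
    """Extract the Key: Value pairs from the rdp-ntlm-info block under an RDP port."""
    info = {}
    collecting = False
    for line in port["scripts"]:
        if line.startswith("rdp-ntlm-info:"):
            collecting = True
            continue
        if not collecting:
            continue
        key, sep, value = line.partition(":")
        # Nested keys look like Target_Name / Product_Version; a key with '-' (e.g. ssl-date)
        # is the next script, so the block ends there.
        if not sep or not re.fullmatch(r"[A-Za-z_]+", key):
            break
        info[key] = value.strip()
    return info


def triage(ports):
    """Turn parsed open ports into short findings worth acting on or monitoring."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["service"] == "http" and any("TRACE" in s for s in p["scripts"]):
            findings.append(f"{p['port']}/{p['proto']}: HTTP TRACE method enabled")
        if p["service"] == "ms-wbt-server":
            info = rdp_ntlm_info(p)
            host = info.get("NetBIOS_Computer_Name", "?")
            build = info.get("Product_Version", "?")
            findings.append(
                f"{p['port']}/{p['proto']}: RDP exposed, host {host}, Windows build {build} "
                "(NTLM info leaks hostname and build before authentication)"
            )
    return findings


def clock_skew_seconds(text):
    """Parse nmap's clock-skew line; needed when lining up target logs with scanner time."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign = -1 if m.group(1) == "-" else 1
    h, mi, s = (int(x) for x in m.groups()[1:])
    return sign * (h * 3600 + mi * 60 + s)


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_SCAN)
    for finding in triage(parsed):
        print(finding)
    print("clock skew (s):", clock_skew_seconds(SAMPLE_SCAN))
```

The clock-skew value matters more than it looks: the target's System_Time is five hours ahead of the scanner, so any event timestamps pulled from the box later (RDP logons, UAC prompts) need that offset applied before they are correlated with the attacker-side timeline.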
WALK THE WEBSITE

Next, we can walk the website and keep an eye out for any potential credentials revealed in the text.
The user Wade has posted everything, so it seems likely that wade might be a username. The avatar of the main character in Ready Player One is mentioned and even spelled out in one of the comments (Parzival).
Let’s test our hunch that parzival may be a password and proceed with wade:parzival as our login credentials. We know there is an rdp service so that may be a place to use them. Also, the blog is hosted by WordPress, so the credentials may also be used for the WordPress admin portal. Let’s move ahead first with RDP.
INITIAL FOOTHOLD

Let’s attempt to log in to rdp with our credentials above.
My normal attack box on parrot OS running rdesktop didn’t work to log into this box, presumably because windows defender was activated on the target windows machine. The software xfreerdp worked from my Kali attack box.
xfreerdp /u:wade /p:parzival /w:1367 /h:768 /v:10.10.158.189:3389
Now we are in with a foothold! Let’s get to our local recon.
LOCAL RECON

We found the user.txt flag on the desktop!

Right away, I noticed that the recycling bin had something inside.

I dragged the curious file back to the desktop. Checking the browser’s history and bookmarks (Chrome and Internet Explorer) led to discovering a bookmarked exploit.
A quick google search led me to a Github page with instructions for manually carrying out privesc to root.

EXPLOIT

After opening the mystery program from the recycling bin as Administrator and triggering the UAC prompt screen, we follow the rest of the instructions from GitHub and gain nt authority (the windows equivalent of root on Linux) on a shell!

POST-EXPLOITATION

Now that we are root, let’s grab the root.txt flag and finish off this box!

FINAL THOUGHTS

It is nice to see challenge boxes on THM that have multiple pathways toward success.
In the Retro Part II write-up and walkthrough I’ll demonstrate the other method using the WordPress 404.php file to spawn a reverse meterpreter shell and privesc to root via the terminal.
That’s all for now. See you next time!
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.