New high score! Can you time travel? If not, you might want to think about the next best thing.
Tags: windows, ctf, privesc
TryHackMe Difficulty: Hard
Link: https://tryhackme.com/room/retro
Retro is the original room by Dark, which was then remixed into Blaster. We’ll be taking a look at both rooms, but focusing on Retro for this post.
Note per Dark: There are two distinct paths that can be taken on Retro. One requires significantly less trial and error, however, both will work.
We’re tasked with 3 items:
- A web server is running on the target. What is the hidden directory which the website lives on?
- user.txt
- root.txt
We’re told the machine does not respond to pings, so we’ll modify our Nmap scan to reflect as such.
Nmap:
┌─[loki@parrot]─[~/TryHackMe/Retro]
└──╼ $nmap -A -p- -Pn 10.10.7.138 -oN retro.nmap
Host discovery disabled (-Pn). All addresses will be marked ‘up’ and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 13:32 EST
Nmap scan report for 10.10.7.138
Host is up (0.085s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2020-12-28T18:36:06+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2020-12-27T18:30:11
|_Not valid after: 2021-06-28T18:30:11
|_ssl-date: 2020-12-28T18:36:08+00:00; +22s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 21s, deviation: 0s, median: 20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.19 seconds
So we’ve got a web server on 80, and RDP on 3389. Visiting the web server directly, we’re met with the familiar ‘IIS Windows Server’ page. Let’s run gobuster to see if we can’t find the hidden directory referenced.
┌─[loki@parrot]─[~/TryHackMe/Retro]
└──╼ $gobuster dir -u http://10.10.7.138 -x .html,.php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o retro.gobuster
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.7.138
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2020/12/28 13:37:38 Starting gobuster
===============================================================
/r**** (Status: 301)
Now that we have our hidden directory, let’s navigate to it and see if we can find anything helpful. We find out shortly that our user’s name is ‘Wade’ and that he quite enjoys all things retro. However, Wade has made a critical mistake: “I keep mistyping the name of his avatar whenever I log in but I think I’ll eventually get it down”, so we can try combinations of Wade and the avatar name over RDP. I used xfreerdp, feel free to try alternatives. Eventually, you should be able to access the desktop.
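The foothold above is a handful of wrong guesses over RDP followed by one right one, which is exactly the pattern the Security log records. As an added defensive example (not part of the original post), this detection runs over a constructed export of Windows Security events: 4625 is a failed logon, 4624 a successful one, and LogonType 10 is RemoteInteractive (RDP). The event shapes follow the Security log’s EventData field names; the sample values are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: four failed RDP logons with differently spelled
# usernames from one source, then a success once the right name is found.
# A second source has a single unrelated failure and must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2020-12-28T18:40:01", "LogonType": 10,
     "TargetUserName": "wade", "IpAddress": "10.9.1.23"},
    {"EventID": 4625, "TimeCreated": "2020-12-28T18:40:09", "LogonType": 10,
     "TargetUserName": "Wade", "IpAddress": "10.9.1.23"},
    {"EventID": 4625, "TimeCreated": "2020-12-28T18:40:20", "LogonType": 10,
     "TargetUserName": "Wade", "IpAddress": "10.9.1.23"},
    {"EventID": 4625, "TimeCreated": "2020-12-28T18:40:33", "LogonType": 10,
     "TargetUserName": "Wade", "IpAddress": "10.9.1.23"},
    {"EventID": 4624, "TimeCreated": "2020-12-28T18:40:51", "LogonType": 10,
     "TargetUserName": "Wade", "IpAddress": "10.9.1.23"},
    {"EventID": 4625, "TimeCreated": "2020-12-28T18:41:00", "LogonType": 10,
     "TargetUserName": "svc_backup", "IpAddress": "10.9.1.77"},
]


def detect_rdp_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= `threshold` failed RDP logons
    inside `window`. If a successful RDP logon from the same source arrives
    while the window is still hot, the alert is upgraded to
    'success_after_failures' and names the account that got in."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 4625 events
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest
        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # expire failures that fell out of the window
        if ev["EventID"] == 4625:
            q.append(ts)
            if len(q) >= threshold:
                alerts.setdefault(ip, {"ip": ip, "kind": "guessing",
                                       "failures": 0, "account": None})
                alerts[ip]["failures"] = len(q)
        elif ev["EventID"] == 4624 and len(q) >= threshold:
            alerts[ip] = {"ip": ip, "kind": "success_after_failures",
                          "failures": len(q), "account": ev["TargetUserName"]}
    return list(alerts.values())
```

On the sample data the single alert is the upgraded one for 10.9.1.23, four failures then a success as Wade; the lone failure from 10.9.1.77 stays below threshold.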

Right away, we can see user.txt. Opening this should give us our first flag.
So now where is our root flag? Based on the users on the box, we’ll assume this is in C:\Users\Administrator\Desktop, but how do we get there as Wade?
If we look at the user’s browser history/bookmarks, we can see they’ve been doing some research on CVE-2019-1388. We should take a look at this. You can either host the exploit on your attacking machine (use something like python3 -m http.server) or…check the Recycle Bin.
Once we have the exploit, we’ll go ahead and perform the required steps. jas502n has a great visual aid on how to accomplish this. Under normal circumstances, this would work. However, there is a bug on this box, so the standard method doesn’t work because we are never offered a browser to launch.
To remedy this issue, we’ll need to pre-launch Internet Explorer and Chrome before doing our exploit. I’m not sure if this is due to Edge being the default and it not being installed, or something else. I wasn’t able to track down the bug for this, but reading through the forum afterwards indicated the bug.
Navigating to C:\Users\Administrator\Desktop, we can ‘more’ the flag file and complete our room.
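The bypass walked through above ends with an interactive browser running as SYSTEM, which is what a defender can hunt for. As an added example (not from the post or from the exploit author), this filter runs over constructed Sysmon-style process-creation records; the field names follow Sysmon Event ID 1, and the sample values, including the parent image, are made up.

```python
import ntpath

# Interactive browsers that have no business running as the machine account.
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon-style Event ID 1 records. The first mimics the outcome of
# a UAC-dialog bypass: a browser under SYSTEM. The second is Wade pre-launching
# Chrome as himself (benign). The third is a normal SYSTEM service host.
SAMPLE_PROCESSES = [
    {"UtcTime": "2020-12-28 18:52:10",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\System32\consent.exe"},
    {"UtcTime": "2020-12-28 18:50:02",
     "Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "User": r"RETROWEB\Wade", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2020-12-28 18:30:00",
     "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def flag_system_browsers(records):
    """Return an alert for every browser process that runs as SYSTEM or at
    System integrity. The parent image is included so the analyst can see
    which privileged process handed the browser its token."""
    alerts = []
    for r in records:
        image = ntpath.basename(r["Image"]).lower()
        if image not in BROWSERS:
            continue
        as_system = r.get("User", "").lower() == r"nt authority\system"
        system_il = r.get("IntegrityLevel", "").lower() == "system"
        if as_system or system_il:
            alerts.append({"time": r["UtcTime"], "image": image,
                           "parent": ntpath.basename(r["ParentImage"]).lower()})
    return alerts
```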

Now, reading the description “There are two distinct paths that can be taken on Retro“, it seems there is more than one way to skin a….an avatar. So what else could we have done? Which ‘paths’ do they mean? Let’s assume our friend Wade did not leave us the breadcrumbs that told us this machine was vulnerable to CVE-2019-1388. What can we do to figure out our next steps?
We can run ‘systeminfo’ as Wade to give us our OS information to see what additional exploits this could be vulnerable to. You can also go to the Windows Settings menu, navigate to ‘System’, and then ‘About’.

After a bit of Googling, we find that we could possibly utilize something such as CVE-2017-0213. Locate either a functional binary or a POC for this to work with. Our current permissions allow us to launch the file from the desktop (or from Wade’s user folder, your call) and initiate the exploit.

So now we have 2 different ways to exploit the machine once we have a foothold as Wade.
It appears there are other ways we can gain a foothold (such as credential stuffing with Wade’s credentials against WordPress). How did you manage to get root? Let me know.
