TryHackMe — Retro WalkThrough

Source

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge

There are two flags to collect to complete this room.

Enumeration

Nmap Result
Gobuster cmd
Gobuster result
gobuster cmd
gobuster result
wpscan cmd
Wpscan version
Wpscan user info
password
WP portal
Modify 404.php
netcat listener
reverse connection

“If you have SeAssignPrimaryToken or SeImpersonateprivilege, you are SYSTEM”. @decoder_it

These two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user.

systeminfo
no permission to access

History of Potato Attack

There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM.

Hot, Rotten, Lonely, Juicy and Rogue are family of potato exploits. To understand more about these attacks click on the type of attack and read the blog from the exploit devs.

TL;DR — Every potato attack has it’s own limitations
If the machine is >= Windows 10 1809 & Windows Server 2019 — Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 — Try Juicy Potato

msfvenom

Note: I know I said we won’t need Metasploit to complete this room, using this reverse shell we can receive remote connection using netcat (nc) from target.

HTTP server
netcat listener
download files

The Class ID, or CLSID, is a serial number that represents a unique ID for any application component in Windows.

JuicyPotato Execution
system privileges
user flag
root flag

Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store