This is a practical walkthrough of the room “Retro” from TryHackMe. Although this room is rated hard, for me it felt more like medium.

Passwords, hashes and flags are redacted to encourage you to solve these challenges on your own.

First Things First

Deploy the target machine (it may take up to 3–5 minutes to boot and become accessible).
There are two ways to access the deployed target machine.
1) Use the attack box — provided by TryHackMe, it comes with all the tools required for attacking.
2) Use the OpenVPN configuration file to connect your own machine (Kali Linux) to their network.
For the sake of demonstration I am using the OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge.

There are two flags to collect to complete this room.

Enumeration

We will start our enumeration with Nmap.

[Image: Nmap result]

Two ports are open, HTTP and Terminal Services (RDP). Visiting the HTTP service shows only the default IIS page. Let’s run GoBuster to find any directories and/or pages.

[Image: Gobuster cmd]
[Image: Gobuster result]

We got one directory, returned as moved permanently; on visiting it, it looks like a blog with retro gaming information. I ran gobuster against the /retro/ directory to enumerate further.

[Image: gobuster cmd]
[Image: gobuster result]

Got some pages and directories. It looks like WordPress is running. Let’s try WPScan against the target to find any available users.

[Image: wpscan cmd]
[Image: Wpscan version]
[Image: Wpscan user info]

The target is running WordPress version 5.2.1 and there are two users. If we visit the blog post of the “wade” user, we see this.

[Image: password]

If we try to authenticate using the enumerated username and this keyword, we log in successfully.

[Image: WP portal]

At this stage we have two different approaches to get initial access (as mentioned in the THM room). Either we upload a PHP webshell and get a reverse shell, or we log in through RDP. The former gives us service account privileges and the latter gives us local user (Wade) privileges. Each approach leads to a different privilege escalation path.

I would like to cover the PHP reverse shell approach in this walkthrough.

First we have to gain initial access through the WordPress theme editor, where we upload a PHP shell to get a reverse connection.

Get the PHP reverse shell code from here. It supports Linux, Windows and macOS. Initially I tried the msfvenom PHP payload, but for some reason it disconnected frequently. I could have gone for a Meterpreter session, but I wanted to try something else.

Copy the content of the PHP file, paste it into the theme editor’s 404.php file and update it. Make sure to change the IP address and port before updating; they are at the end of the PHP code.

[Image: Modify 404.php]

Set up a netcat listener on your Kali machine.

[Image: netcat listener]

That 404.php file is located at the following path, “hxxp://10.10.64.153/retro/wp-content/themes/90s-retro/404.php”; we have to request it to trigger the reverse shell PHP code.

[Image: reverse connection]

We got the reverse connection with service account privileges. As you can see, the current privileges are listed on the screen. “SeImpersonatePrivilege” is enabled for this user.
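A defender-side counterpart to the steps above, added here as an example and not part of the original walkthrough: the theme-editor modification of 404.php leaves a trace in the web server access log, namely a POST to wp-admin/theme-editor.php followed shortly by a direct request to a theme .php file from the same client. The log lines below are constructed in Apache combined format for illustration; the correlation window is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log lines (Apache combined format), not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2020:14:01:10 +0000] "GET /retro/wp-login.php HTTP/1.1" 200 4102
10.0.0.5 - - [12/Sep/2020:14:01:15 +0000] "POST /retro/wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [12/Sep/2020:14:02:30 +0000] "POST /retro/wp-admin/theme-editor.php HTTP/1.1" 302 0
10.0.0.5 - - [12/Sep/2020:14:03:05 +0000] "GET /retro/wp-content/themes/90s-retro/404.php HTTP/1.1" 200 0
10.0.0.9 - - [12/Sep/2020:14:05:00 +0000] "GET /retro/wp-content/themes/90s-retro/404.php HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct hits on a theme template file; WordPress normally includes these
# server-side, so a browser requesting one directly is itself unusual.
THEME_FILE_RE = re.compile(r'/wp-content/themes/[^/]+/[^/?]+\.php$')
EDITOR_PATH = 'theme-editor.php'


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def find_theme_editor_abuse(log_text, window=timedelta(minutes=10)):
    """Alert on theme-file requests that follow a theme-editor save by the same IP."""
    last_edit = {}  # ip -> time of the most recent theme-editor POST
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        path_only = path.split('?', 1)[0]
        if method == 'POST' and path_only.endswith(EDITOR_PATH):
            last_edit[ip] = ts
        elif THEME_FILE_RE.search(path_only):
            edited_at = last_edit.get(ip)
            if edited_at is not None and ts - edited_at <= window:
                alerts.append({'ip': ip, 'file': path_only,
                               'seconds_after_edit': int((ts - edited_at).total_seconds())})
    return alerts
```

Setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the theme and plugin editors entirely, which closes this path regardless of credential compromise.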

“If you have SeAssignPrimaryToken or SeImpersonatePrivilege, you are SYSTEM”. @decoder_it

These two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user.

If we run the “systeminfo” command on the target, we get system information such as the OS version.

[Image: systeminfo]

It’s “Windows Server 2016 Standard”, so we can try the “Juicy Potato attack”.

But before we do that, note that if we try to access the Wade user’s files, we get an access denied message.

[Image: no permission to access]

So now we need either user privileges or system privileges. Why settle for user privileges when we have the opportunity to get system privileges?

History of Potato Attack

There are a lot of different potatoes used to escalate privileges from Windows service accounts to NT AUTHORITY\SYSTEM.

Hot, Rotten, Lonely, Juicy and Rogue are the family of potato exploits. To understand more about these attacks, click on the type of attack and read the blog from the exploit developers.

TL;DR — Every potato attack has its own limitations
If the machine is Windows 10 1809 / Windows Server 2019 or newer — Try Rogue Potato
If the machine is older than Windows 10 1809 / Windows Server 2019 — Try Juicy Potato

This can only be done if the current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts. In our case, we do have the privilege to impersonate security tokens.

Get the Juicy Potato binary from here. You also need to create a Windows reverse shell binary using msfvenom, set up a netcat listener and set up an HTTP server on your Kali machine.

[Image: msfvenom]

Note: I know I said we won’t be using Metasploit to complete this room; msfvenom is only used to build the reverse shell binary, and the connection from the target is received with netcat (nc).

[Image: HTTP server]
[Image: netcat listener]

Now we need to download both files to the target Windows machine.

[Image: download files]

As you can see, I have created a directory named “demo” to download both files into.

Now we need to get a CLSID from here. CLSIDs differ from one OS version to another.

The Class ID, or CLSID, is a serial number that represents a unique ID for an application component in Windows.

[Image: JuicyPotato Execution]

Execute JuicyPotato with the CLSID and you get a reverse connection on your Kali netcat listener.

[Image: system privileges]

Aight, *hacker voice* we are in. Now we can retrieve both the user and root flags at once.

[Image: user flag]
[Image: root flag]

We got all the flags required to complete this room.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.
