This is a practical walkthrough of room “Retro” from TryHackMe. Although this room is marked as hard level, but for me it felt like medium level.
Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.
First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.We won’t be using Metasploit for this challenge
There are two flags to collect to complete this room.
Enumeration
We will start our enumeration with Nmap.
Two ports are open, HTTP and Terminal Service (RDP). Upon visit to HTTP service, it’s just a default IIS page. Let’s run GoBuster and find any directories and/or pages.
We go one directory and it’s moved permanently, upon visit it look like a blog with retro gaming information. I tried gobuster on /retro/ directory for further more.
Got some pages and directories. Looks like WordPress is running. Let’s try WPscan on target to find any available users.
Target is running WP version 5.2.1 and there are two users. If we visit the blog post of “wade” user, then we’d get this.
If we try to authenticate using enumerated username and this keyword, then we’d login successfully.
At this stage we have two different approach to get initial access (as mentioned on THM room). Either we can upload our PHP webshell and get a reverse shell or we can login through RDP. The former would give us service account access privileges and the latter one gives us local user (Wade) privileges. Both approaches have different way exploiting further (in terms of PrivEsc).
I would like to cover php reverse shell approaches in this walkthrough.
First I we have to gain initial access through wordpress theme editor, where we upload any php shell to get reverse connection.
Get the php reverse shell code from here. It supports Linux, Windows and macOS. Initially I tried with msfvenom php payload, for some reason it disconnects frequently. I could have gone for Meterpreter session, but I wanted to try something else.
Copy the content of php and paste it in theme editor 404.php file and update it. Make sure to change the IP address and Port before updating, it’s at the end of PHP code.
Set up netcat listener on your kali machine.
That 404.php file is located at following path, “hxxp://10.10.64.153/retro/wp-content/themes/90s-retro/404.php”, we have to access it to trigger the reverse shell php code.
We got the reverse connection with service account privileges. As you can see, the current privileges are listed on the screen. The “SeImpersonatePrivilege” is enabled on this current user.
“If you have SeAssignPrimaryToken or SeImpersonateprivilege, you are SYSTEM”. @decoder_it
These two privileges are very powerful indeed. They allow you to run code or even create a new process in the context of another user.
If we run “systeminfo” cmd on target, then we’d get system information like OS version and likewise.
It’s “windows server 2016 standard” and we can try “juicy potato attack”.
But before we do that, if we try to access the Wade user then it gives you access denied message.
So, now we need to either get user privileges or system privileges. Why to get a user privilege, when we got the opportunity to get system privileges.
History of Potato Attack
There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM.
Hot, Rotten, Lonely, Juicy and Rogue are family of potato exploits. To understand more about these attacks click on the type of attack and read the blog from the exploit devs.
TL;DR — Every potato attack has it’s own limitations
If the machine is >= Windows 10 1809 & Windows Server 2019 — Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 — Try Juicy Potato
This can only be done if current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts. In our case, we don’t have Privilege to impersonate security tokens.
Get Juicy Potato Binary from here, you also need to create your reverse shell windows binary using msfvenom, set up a netcat listener and set up a http server on your kali machine.
Note: I know I said we won’t need Metasploit to complete this room, using this reverse shell we can receive remote connection using netcat (nc) from target.
Now we need to download both files to target windows machine.
As you can see, I have created a directory named “demo” to download both files.
Now we need to get a CLSID from here. CLSID’s are different from OS to OS.
The Class ID, or CLSID, is a serial number that represents a unique ID for any application component in Windows.
Execute JuciyPotato and with CLSID and you’d get a reverse connection on your kali netcat.
Aight, *hacker voice* we are in. Now we can retrieve user and root flags at once.
We got all the flags required to complete this rooms.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.
