TryHackMe-Retro
Retro is a Hard-level CTF room on TryHackMe. It has a sister room called "Blaster", which is essentially the same machine but with more hints and questions, making it easier. In this room the initial shell is straightforward to get; the interesting part is that there are multiple ways to escalate privileges to Administrator, all of which are covered in this writeup along with links.
Enumeration
An Nmap scan shows us that ports 80 and 3389 (RDP) are open. Let's look for hidden directories using dirsearch.
Let's look at the /retro directory.
We find various blog posts about old-school retro games and nothing special in the page source. We also find that the target is running WordPress, under /retro/wp-content.
Honestly, after this I tried using wpscan to scan the WordPress install and to brute-force it for valid usernames, but that was a rabbit hole. After reading a writeup I learned that there is a user called Wade (who posted all the blogs) and that he has also left a note in one of the posts. So enumeration is really important!
This was a bit tricky to find, as there were a lot of bogus posts on the site.
Privilege Escalation
Now to the main part. There are multiple ways to escalate privileges.
METHOD-1 [WordPress]
We can log in as user Wade (notice that if you enter a wrong password, WordPress shows an error which confirms that Wade is a valid username and only the password is incorrect).
Credentials: Wade:parzival
After logging in, we can get a shell by uploading a reverse shell into the 404.php template of the WordPress theme. I have covered this method several times in other writeups; you can refer to this one:
After getting the shell, run Windows Exploit Suggester and then a Windows kernel exploit and you will be Admin. For reference, you can use this writeup: https://fr33s0ul.tech/ghostcat-write-up/
It is a Windows machine, so I ran Windows-Exploit-Suggester by Aon's Cyber Labs. It's a powerful and straightforward Python script: I saved the output of systeminfo from the machine, ran the script and got all the exploits usable against this specific version of Windows Server. I added -l at the end to tell the script to look for local exploits, since we want the Administrator user.
python windows-exploit-suggester.py --database <xls database of exploits provided with the script> --systeminfo <systeminfo saved in a txt file> --ostext <OS> -l
Let's use MS16-075. The bug is rated medium risk because you need access to the machine first and only then can you exploit it. If you want to read more about this vulnerability, see MS16-075.
Metasploit has the exploit: use it, look at the options (one of the requirements is an existing Metasploit session, which we already have), set the session number, run the exploit and we get a shell running as NT AUTHORITY\SYSTEM.
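As an added defensive example (not code from the original writeup), here is a detector for the theme-editor abuse this method relies on, run over constructed access-log lines. The /retro path comes from the writeup; the theme name, client IPs and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines (not from the Retro box; the
# /retro path is from the writeup, the theme name is an assumption). They
# model the sequence described above: a logged-in user saves the theme's
# 404.php through the WordPress theme editor, then the edited template is
# requested directly so the planted code executes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "POST /retro/wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2021:10:00:09 +0000] "GET /retro/wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 4312
10.0.0.5 - - [01/Jan/2021:10:00:40 +0000] "POST /retro/wp-admin/theme-editor.php HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2021:10:01:02 +0000] "GET /retro/wp-content/themes/twentytwenty/404.php HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2021:10:02:13 +0000] "GET /retro/?p=42 HTTP/1.1" 200 8813
"""

# Common Log Format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A direct request for a theme PHP file is suspicious right after an editor save.
THEME_FILE_RE = re.compile(r"/wp-content/themes/[^/]+/[^/?]+\.php")

def find_theme_editor_abuse(log_text):
    """Return (ip, path) pairs where an IP that saved a file via the theme
    editor (POST theme-editor.php) later fetched a theme PHP file directly."""
    saved_by_ip = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        if method == "POST" and "/wp-admin/theme-editor.php" in path:
            saved_by_ip[ip] += 1
        elif method == "GET" and saved_by_ip[ip] and THEME_FILE_RE.search(path):
            findings.append((ip, path))
    return findings
```

Newer WordPress versions submit editor saves through admin-ajax.php, whose action parameter sits in the POST body and never reaches the access log, so pair this with file-integrity monitoring of wp-content/themes. Defining DISALLOW_FILE_EDIT as true in wp-config.php removes the theme editor entirely.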
METHOD-2 [RDP & Exploiting hhupd (CVE-2019-1388)]
This part requires a bit of research on Google. First we connect to the target through RDP on port 3389. This can be done using Remmina or xfreerdp (which I used here) with the credentials Wade:parzival.
The file user.txt contains the user flag.
We also find a file (hhupd) in the Recycle Bin which we can restore to the desktop.
Also, when we look at the Internet Explorer history, we find searches about a CVE the user might be trying to patch (CVE-2019-1388).
Now we need to research how to exploit it. A Google search shows many results, but this YouTube video demonstrated the method more clearly than the blogs and GitHub pages.
The only error you may get is this one:
This is normal since the machine is not connected to the internet. Press Ctrl+C to continue. You can also take a look at this writeup by Muri, who explains it in depth.
If you followed the method, you will get an Admin shell (NT AUTHORITY\SYSTEM). The root flag can be found in C:\Users\Administrator\Desktop.
METHOD-3 [Kernel Exploit (CVE-2017-0213)]
RDP into the target machine and run systeminfo in cmd to enumerate the operating system, its version/build and any installed hotfixes:
This specific build of Windows 10 is affected by a kernel exploit that allows privilege escalation (CVE-2017-0213), as mentioned in PayloadsAllTheThings:
This GitHub repository contains an executable that can be used to exploit this vulnerability:
The “Affected Products” section of the repository also confirms that the build the box is running is vulnerable:
Downloading the archive containing the exploit and decompressing it, then setting up a Python Simple HTTP Server to host it:
Transferring the exploit to the target machine using the PowerShell Invoke-WebRequest cmdlet:
The request was received.
Executing the exploit on the target machine:
Upon execution, the exploit has spawned a new CMD shell as SYSTEM:
METHOD-4 [Juicy Potato Attack]
[Suggested writeups]
First we get information about the system using systeminfo to find the version and build of Windows it is running.
We also check the current user's privileges using whoami /priv.
As you can see, the current privileges are listed on the screen. SeImpersonatePrivilege is enabled for the current user.
SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege are very powerful and allow you to run code or even create a new process in the context of another user.
Usually, if the machine is Windows 10 version 1809 or higher, or Windows Server 2019, we can use something like the Rogue Potato attack to escalate privileges. Otherwise, we can try a Juicy Potato attack. I am not going into the details of this type of attack, but for it to be possible we need a low-privilege account with one of the following privileges:
- 'SeImpersonatePrivilege'
- 'SeAssignPrimaryTokenPrivilege'
So we conclude that the machine is running Windows Server 2016 and that the user doesn't have the privileges to leverage our access into SYSTEM using something like a Potato privilege escalation attack.
History of Potato Attacks
There are a lot of different potatoes used to escalate privileges from Windows service accounts to NT AUTHORITY\SYSTEM.
Hot, Rotten, Lonely, Juicy and Rogue are a family of potato exploits. To understand more about these attacks, click on the type of attack and read the blog from the exploit developers.
TL;DR: every potato attack has its own limitations.
If the machine is Windows 10 1809 or later, or Windows Server 2019: try Rogue Potato.
If the machine is older than Windows 10 1809 or older than Windows Server 2019: try Juicy Potato.
This can only be done if the current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts. In our case, we don't have the privilege to impersonate security tokens.
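The checks in METHOD-3 (systeminfo build and hotfixes) and the TL;DR above (token privilege plus OS build) can be turned into a small audit that flags accounts exposed to this class of attack. This is an added example, not the writeup's or any exploit's code; the systeminfo and whoami /priv samples are constructed in the layout Windows prints, with placeholder host name and KB numbers.

```python
import re

# Constructed sample output in the layout Windows prints (not captured from
# the Retro box; KB numbers are placeholders).
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
"""

SAMPLE_WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Disabled
"""

# The two privileges the writeup names as the precondition for a Potato attack.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

def parse_systeminfo(text):
    """Pull OS name, build number and the installed hotfix list out of systeminfo output."""
    info = {"os_name": None, "build": None, "hotfixes": []}
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            m = re.search(r"Build (\d+)", line)
            info["build"] = int(m.group(1)) if m else None
        else:
            m = re.match(r"\s*\[\d+\]:\s*(KB\d+)", line)
            if m:
                info["hotfixes"].append(m.group(1))
    return info

def enabled_privileges(text):
    """Return the privilege names that whoami /priv lists with State == Enabled."""
    return {m.group(1) for m in re.finditer(r"^(Se\w+Privilege)\s.*\sEnabled\s*$", text, re.M)}

def assess_token_risk(systeminfo_text, whoami_text):
    """Writeup's rule: an enabled token privilege plus the OS build decides exposure."""
    info = parse_systeminfo(systeminfo_text)
    privs = enabled_privileges(whoami_text) & TOKEN_PRIVS
    if not privs:
        return {"exposed": False, "family": None, "privileges": privs, **info}
    # Windows 10 1809 and Server 2019 are build 17763, the cut-off in the TL;DR above.
    family = "RoguePotato" if info["build"] and info["build"] >= 17763 else "JuicyPotato"
    return {"exposed": True, "family": family, "privileges": privs, **info}
```

Run against the real outputs of an account used by an internet-facing service (the WordPress web server here), an "exposed" result is the signal to review whether that account needs the privilege at all.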
How to use it?
Upload a Windows PHP reverse shell into the 404.php template of the WordPress theme and get a shell with a netcat listener (as discussed in METHOD-1).
Now when we try to create a directory using mkdir we get "Access Denied", so go to C:\ and make a directory called temp:
cd C:\
mkdir temp
cd temp
First we need to download the exploit (JuicyPotato.exe) from here: https://github.com/ohpe/juicy-potato/releases/tag/v0.1
On our machine we run this Python module in the directory where we have the exploit:
python3 -m http.server 80
And we should be able to access our web server using our IP address:
You also need to create your Windows reverse shell binary using msfvenom.
So we have our exploit and the reverse shell we created with msfvenom. Transfer both of these to the target machine into C:\temp; you can use certutil or Invoke-WebRequest to transfer files. We need one more thing, a CLSID (a GUID that uniquely identifies a COM class in Windows). Valid CLSIDs for Windows Server 2016 can be found here:
For CLSIDs of any other Windows version, visit https://github.com/ohpe/juicy-potato/tree/master/CLSID
and choose the one matching your target.
We are done. Run JuicyPotato.exe on the Windows target and it will print its usage. The usage is also shown on the Juicy Potato GitHub page.
Let's copy the first CLSID from the list and run the exploit, finally!
.\JuicyPotato.exe -l 9090 -p final.exe -t * -c "TYPE_YOUR_CLSID_HERE"
Here -l is the listening port and -p is the payload we want to execute, which must be a Windows reverse shell. This reverse shell can be created using msfvenom, which I found easier, or it can be a .bat file using PowerShell; to find out how, refer to https://medium.com/azkrath/tryhackme-walkthrough-retro-273f8b35a20d. Moving on: -t * must be set as it is, and -c is for our CLSID.
NOTE: not every CLSID will work and you might get an error, so try other ones from the list or refer to HackTricks (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/juicypotato#clsid-problems).
Also note that I could also use port 7777 for listening (-l 7777), which is the same port set in my msfvenom reverse shell (final.exe); however, in my case it was not working and I had to try multiple times to get a shell.
If everything worked fine, you will get a shell!
JuicyPotato was indeed a bit tricky but a good learning point. Feel free to drop your questions in the comment section, or you can also reach me on Instagram (sparsh_jaiswal_) with any queries regarding this room.
I hope you found this writeup helpful and learned something from this CTF. The room does require a bit of research and good enumeration. I have also covered all the possible ways to escalate privileges on this box. A room called Blaster is exactly the same as this one, except it has been made easier through hints and flags. Make sure to drop any queries in the comment section and follow me for more such CTF writeups. ZEUS