Retro is a Hard Level CTF on TryHackMe.It has a similar room called “Blaster” which is basically the same room except it has more hints and questions which makes it easier.In this room, the initial part of getting a shell is pretty straightforward however there are multiple ways to Privilege Escalate to become Admin which will be covered in this writeup along with links.

Nmap scan shows us that port 80 and 3389(which is used for RDP) is open….lets find hidden directories using dirsearch.

Lets look at the /retro directory

We find various blogs in the webpage related to old school retro games and nothing special in source code.we also find that the target is using Wordpress in /retro/wp-content.

Now Honestly after this i tried using wpscan to scan wordpress and also tried to bruteforce wordpress using wpscan in order to find valid usernames however it was a rabbit hole.After looking at a writeup i got to know that there is a user called Wade (who has pasted all the blogs ) moreover he has also left a Note in one of the blogs.So Enumeration is really important!

all posts are from a a person called “Wade” who can be a user in wordpress
There was also a Note left by Wade which might contain a potential password !

This was a bit tricky to find as there were a lot of Bogus blogs on the webpage.

Privilege Escalation

Now coming to the main part…There are multiple ways to Privilege Escalate

We can log in as user Wade (Do notice that if you enter a wrong password in wordpress it shows an ERROR which confirms that we indeed have a valid username called Wade but the password is incorrect)

Credentials- Wade:parzival

After loggin in, we can get a shell by uploading a reverse shell in 404.php template in the wordpress theme.I have covered this method multiple times in other writeups.You can refer this one-

After getting the shell, you can run Windows Exploit Suggester and Run a Kernel Exploit for windows and You will be Admin! For Reference,you can use this writeup-(

It is a windows machine so i ran Windows-Exploit-Suggester made by Aon’s Cyber Labs it’s a very powerful python script and straight forward so I saved the systeminfo of the machine, ran the command and got all the exploits that can be used for this specific version of window server, in the command I added at the end -l to tell our script to find local exploits, because we want Administrator user

python --database <xls database  of exploits provided with the script> --systeminfor <systeminfo saved in a txt file> --ostext <Os> -l

Let’s use MS16–075, as we can see the bug is considered a medium risk because you need to have access first to the machine and then exploit it if you want to read more about this vulnerability click MS16–075

metasploit does have the exploit there, all you have to do is use the exploit look at the options, one of the requirements is a session in metasploit that we already have you set the number of the session, run the exploit and we have a shell running NT AUTHORITY\SYSTEM.

This part requires a bit of research through google,First we connect to the target through RDP running on port 3389.This can be done using Remmina or xfreerdp(which i have used here) using the credentials Wade:parzival

The file user.txt contains the user flag.

We also find a file in Recycle Bin(hhupd) which we can restore on our desktop

Also when we look at the History of Internet Explorer,we find some searches regarding a CVE which the user might be trying to patch(CVE-1019–1388)

Now we need to research on how to exploit it.A google search shows us many results however this YouTube video demonstrated the method easily compared to blogs and github.

The only error you can get it is this one:

This is normal since we are not connected to the internet.Press Ctrl+C to continue the attack method.You can also take a look at this writeup by Muri who has explained it in depth.

If you followed the method, you will get a Admin shell(nt authority).The root flag can be found in C:\Users\Administrator\Desktop

we are ROOT !!!

RDP into the target machine and run the systeminfo command in cmd for Enumerating system information to find out more information about the operating system, its version/build and any hotfixes installed:

This specific build of Windows 10 is affected by a kernel exploit that allows for privilege escalation (2017–0213), as mentioned in PayloadAllTheThings:

This GitHub repository contains an executable that can be used to exploit this vulnerability:

The “Affected Products” section of the repository also confirms that the build the box is running is vulnerable:

Downloading the archive containing the exploit and decompressing it, then setting up a Python Simple HTTP Server to host it:

Transferring the exploit to the target machine using the Powershell Invoke-WebRequest CMDLet:

The request was received

Executing the exploit on the target machine:

Upon execution, the exploit has spawned a new CMD shell as SYSTEM:

[Suggested writeups]

Firstly we get info about the system using “systeminfo” to find the version of the system running and also the build.

We also check the users and their privileges using “whoami /privs”

As you can see, the current privileges are listed on the screen. The “SeImpersonatePrivilege” is enabled on this current user.

SeAssignPrimaryToken or SeImpersonateprivilege are very powerful and allow you to run code or even create a new process in the context of another user.

Usually if the machine is a Windows 10 with version 1809 or higher, or a Windows Server 2019, we can use something like Rogue Potato attack to escalate privileges. Otherwise, we can try a Juicy Potato attack. I am not going to enter into details regarding this type of attack, but in order for it to be possible, we need a low privilege account with one of the following privileges:

  • ‘SeImpersonatePrivilege’
  • ‘SeAssignPrimaryTokenPrivilege’.

So we conclude that the machine is running Windows Server 2016 and the user doesn’t have privileges to leverage our access to SYSTEM using something like a Potato privilege escalation attack.

History of Potato Attack

There are a lot of different potatoes used to escalate privileges from Windows Service Accounts to NT AUTHORITY/SYSTEM.

Hot, Rotten, Lonely, Juicy and Rogue are family of potato exploits. To understand more about these attacks click on the type of attack and read the blog from the exploit devs.

TL;DR — Every potato attack has it’s own limitations
If the machine is >= Windows 10 1809 & Windows Server 2019 — Try Rogue Potato
If the machine is < Windows 10 1809 < Windows Server 2019 — Try Juicy Potato

This can only be done if current account has the privilege to impersonate security tokens. This is usually true of most service accounts and not true of most user-level accounts. In our case, we don’t have Privilege to impersonate security tokens.

Upload a windows PHP reverse shell on the 404.php theme of wordpress and get a shell using netcat listener(as discussed in METHOD-1)

Now when we try to create a directory using “mkdir” we get “Access Denied”.So go to /C: and make a directory called “temp”

cd C:\
mkdir temp
cd temp

Firstly we need to download the exploit(JuicyPotato.exe) from here-

On our machine we run this Python module on the directory where we have our exploit:

Python3 -m http.server 80

And we should be able to access our web server using our IP address:

You also need to create your reverse shell windows binary using msfvenom,

We use x64 as our target architecture is 64 bit.This was found by systeminfo command

SO we have our exploit and our reverse shell which we created using msfvenom.Transfer both of these to the target machine in C:/temp directory.You can use certutil or Invoke-Webrequest to transfer files.We need one more thing called CLSID (which is a serial number that represents a unique ID for any application component in Windows.).Valid CLSID for windows server 2016 can be found here-

For any other windows version CLSID, visit-

and choose the correct version according to your target accordingly.

We are Done.Run the JuicyPotato.exe on windows target and it will show the usage.The usage is also shown in the github page of Juicy Potato

Lets copy the First CLSID from the list and run the exploit FINALLY!!

.\JuicyPotato.exe -l 9090 -p final.exe -t * -c “TYPE_YOUR_CLSID_HERE”

Here -l is the listening port, -p is the payload we wanna execute which must be a windows reverse shell.Now this reverse shell can be created using msfvenom which i found easier or can also be a .bat file using Powershell.To find out how, refer( MOVING ON….. -t * must be set as it is and -c is for our CLSID.

NOTE: Not all CLSID will work and you might get an error so try some other ones too from the list or refer hacktricks(

Also NOTE that i can also use port 777 for listening (-l 7777) which is the same port set for my msfvenom reverse shell(final.exe) However in my case it was not working and i had to try multiple times to get a shell.

If everything worked find, you will get a shell !

We are ADMIN !!!

JuicePotato indeed was a bit tricy but a learning point.Feel free to drop your questions in the comment section or you can also reach me on instagram(sparsh_jaiswal_) in case of any queries regarding this room.

I hope you found this writeup helpful and learned from this CTF.The room does require a bit of research and good enumeration as well.I have also covered ALL the possible ways to privilege escalate this room.A room called Blaster is exactly same as this one except, it has been made easy through hints and flags.Make sure to drop any queries in the comment section and follow me for more such ctf writeups-ZEUS

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python.I Share my Knowledge on YouTube

I am a Penetration Tester, Currently pursuing OSCP. Skilled in Network Pen-testing and Developing Hacking Tools using Python.I Share my Knowledge on YouTube