TryHackMe – Retro

This is my writeup for the TryHackMe room “Retro” at https://tryhackme.com/room/retro.

This room is labeled a “hard” room so I wasn’t quite sure what to expect. I still feel like there’s so much I still need to learn, but I’m definitely getting into the red team mindset and these rooms are getting easier. The description mentioned two ways to approach the room. The “hard” difficulty rating was intimidating so I decided to take whatever approach seemed the most plausible.

I started off with the nmap scan, as usual. There were two ports open: an IIS webserver running on 80 and RDP enabled on the default port 3389.

Accessing the IP in the browser just showed the default IIS landing page. Any website living there is on some unknown subdirectory.

Time to fire up gobuster and start running through some lists! Turns out I only needed two lists. The dirb\common list had no matches so I tried the dirbuster 1.0 list next and found a match. In hindsight, I probably should have been able to guess the directory without enumeration…

Viewing the page, it looks like a list of old video game articles. In the footer are a couple links including a link to a WordPress login page. Now we’re making progress! The target is starting to take shape and it looks like another WordPress blog exploitation.

Given the author on the blog is named “Wade”, that seemed a safe guess to start brute-forcing the login credentials with. While I started that running with wpscan for some additional enumeration, I browsed the posts on the blog. The “Welcome” post looked like the default WordPress post and there was nothing out of the ordinary so I moved on. “Ready Player One” stood out because it was the only post not about a video game. It also had no images. There was one cryptic comment by Wade himself. Surely, that couldn’t be the admin password. Could it be?

Well, turns out it was. Now I’m into the admin panel. I added PHP webshell code to the author page, fired up msf with a handler and… the shell dropped.

It took me a couple tries to find a webshell that would work. The ones that would directly spawn a reverse shell would connect and immediately drop. I wound up having to use a webshell where I could paste in my command and then let it execute on the server back end.

Using the base64 PowerShell reverse shell code from my favorite site https://www.revshells.com/ I was finally able to catch a stable shell on my Kali box.

I wound up with a PowerShell session under NT AUTHORITY\IUSR, the default user that IIS runs under. The iusr user doesn’t have many privileges, but it’s enough that I can see the light at the end of the cable pull!
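From the defender's side, the chain described above (PHP hosted by IIS spawning PowerShell with a base64-encoded command, running as IUSR) stands out in process-creation logs. The following is an added example, not part of the original writeup: it triages process-creation events and decodes the `-EncodedCommand` argument. The event field names, the list of web-server parent processes, and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumptions: parent names that can host PHP on IIS, and the event field names.
WEB_PARENTS = {"w3wp.exe", "php-cgi.exe", "php.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
FLAG = re.compile(r"\s-(e[a-z]*)\s+(\S+)", re.I)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument, or None if there is none."""
    for m in FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        # PowerShell accepts abbreviations of -EncodedCommand such as -e, -ec, -enc.
        if "encodedcommand".startswith(flag) or flag == "ec":
            try:
                # The argument is base64 over UTF-16LE text.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16LE
                return "<undecodable>"
    return None

def triage(events):
    """Flag shells whose parent is a web-server process; decode encoded commands."""
    findings = []
    for ev in events:
        if basename(ev["parent"]) in WEB_PARENTS and basename(ev["image"]) in SHELLS:
            decoded = decode_encoded_command(ev["cmdline"])
            findings.append({"user": ev["user"], "image": basename(ev["image"]),
                             "decoded": decoded,
                             "severity": "high" if decoded else "medium"})
    return findings

def _enc(text):
    return base64.b64encode(text.encode("utf-16-le")).decode()

# Constructed sample events (paths and command lines invented for illustration).
SAMPLE_EVENTS = [
    {"user": r"NT AUTHORITY\IUSR", "parent": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -ExecutionPolicy Bypass -e "
                + _enc("Write-Output 'constructed sample'")},
    {"user": r"RETRO\Wade", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"},
    {"user": r"NT AUTHORITY\IUSR", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]
```

A web-server process spawning any shell is rated medium; the same with a decodable encoded command is rated high, and the decoded text is kept for the analyst.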

I generated a meterpreter exe with msfvenom and shared it with a Python webserver from my Kali box. With the PowerShell session, I downloaded the exe to the target machine and executed it. I now have a stable meterpreter session under the IUSR, too.

I used the non-staged meterpreter payload because I was having trouble keeping a connection with the PHP webshell and wanted to eliminate the need to make multiple connections to my machine. The non-staged meterpreter payload contains all the code it needs to execute the reverse shell so it wouldn’t have to connect to me, download the rest of the payload, execute it, and then connect back to me again. I was fairly certain I wouldn’t have to deal with antivirus flagging the file in this room so I could send the whole payload at once and only have to make one connection that would (hopefully) persist.

As we see in meterpreter, the iusr user doesn’t have many privileges. But the getsystem command worked and I was able to elevate the session to full NT AUTHORITY\SYSTEM privileges.

Now that I’m SYSTEM, I own the machine and just have to type the flag files and log them in TryHackMe to finish pwnage.

Retro Revisit

I still had an hour left on my machine, and—not being one to leave well enough alone—I decided to try a second approach to see if I could get SYSTEM access again on this machine.

Having already taken the WordPress route, the other option was RDP. I figured the Administrator password would be prohibitively complex, so I would target the Wade account. Hydra can brute-force RDP passwords, but it’s a slow process. Who even has 9961 hours to test one wordlist?!

My other option was to try the password I found earlier. I’m operating on the assumption that I would have discovered that comment during enumeration anyway. Using Wade’s credentials I was able to remote onto the server desktop. Because, of course, Wade reused his Windows account password as his WordPress account password. His User.txt flag is right there on the desktop.

From here, it’s the same process to download my meterpreter payload, catch the shell, and getsystem. I ran the winPEAS enumeration script and it found a couple of vulnerabilities I could have tried to exploit to escalate to Administrator, but ran out of time to pursue these avenues. I would think there would have been an alternate method to gain system privileges through exploiting one of those vulnerabilities.

As a final comment, I will point out that Wade’s password is included in the rockyou.txt wordlist, so eventually hydra or another brute-force tool would have discovered it. But depending on attack speed and account lockout policies, this would have taken long enough to be dismissed as implausible. I doubled the recommended speed, and with no lockouts, it would have taken 125+ days to brute-force, assuming the password was at the very bottom of the list.