New high score!
Created by DarkStar7471
There are two distinct paths that can be taken on Retro. One requires significantly less trial and error, however, both will work.
OK Then…
1.0 scanning
As always, we discover open ports and running services with the “NMAP”
You can review the man page to explore the different parameters for nmap scans. I usually use this but of course you don’t have to scan 65535 ports (“-p-”)
nmap -A -T4 -p- -vvv <ip addr>
Here we see that the port 80 and the 3389 port is open. 3389 is used by windows remote desktop or windows terminal server. 80 is default http port.
As we can see from the output, we will hack windows lol. Anyway, naturally we open the 80 port to examine and the default windows server greets us.
At this point, we will explore the hidden directories by scanning the folder. I will use “gobuster” for this. I usually use this wordlist first old habit. “directory-list-2.3-medium.txt”
gobuster dir -u http://<ip addr> -w directory-list-2.3-medium.txt
I got this output while the process was running and i believe this is the one.
When we go to /retro, a blog welcomes us. here are retro fanatic “Wade”. Tron, Zelda etc. He seems to have written blog posts about it. I’m examining.
While reviewing wade’s profile after discovering the blog, I noticed a detail that was overlooked. 1 comment from Ready Player One blog post.
Also, as you can see from here, our blog is made with wordpress.
And this is the comment.
The first thing that came to my mind here was of course it’s a password so let’s try. “parzival”
1.1 exploitation
Hooray we are in the Dashboard!
After this point, it can use plugins or themes to access the system. because we know that the wordpress version used is an old version and contains such vulnerabilities. Here you can examine the vulnerabilities of the working version 5.2.1.
Anyway, here we come to the crossroads mentioned at the beginning. here I am trying to use RDP with the credentials we have obtained before. (wade:parzival)
When we log in, we succeed and we encounter user.txt also recycle bin is full and google chrome is installed. hmm
These are the recycle bin and chrome, here we see that the hhupd.exe file has been deleted. When we search the internet, we discover that it is used for windows privelege escalation. Also, the CVE we see in chrome bookmarks points to the same vulnerability.
When I looked in the browser history, I couldn’t find anything.
So, starting from the information we have, let’s start PrivEsc!
1.2 PrivEsc
At this point I searched for hhupd.exe and realized there are thousands of resources but I used a video solution and it’s not work. Actually nothing works about hhupd.exe. Totally stuck here ;
I started looking for a different way and I found a python tool called Windows Exploit Suggester. It needs the “systeminfo” output of the target system to use it.
We take the output with the terminal and save the sysinfo.txt file in the attacker system.
I tried that too and since the script is old and needs editing (I think), I kept encountering various errors and it didn’t work… (⌣́_⌣̀)
Finally, I researched the OS build version with the system info file I had previously and found an exploit that allows PrivEsc.
For the magic to happen, we download the exploit to the attacker machine and send it to the other side with the python server.
python3 -m http.server
We find an exe in the zip file we downloaded.
All we have to do is run the exe!
Hooray!! We are in the system with the highest authority! So we take our flag rn.
Good challenge despite the difficulties! Thanks for reading and Thanks to DarkStar7471 for this challenge.
Keep Hacking!!
