Retro
Room Info
Name
đ Retro
Description
đ There are two distinct paths that can be taken on Retro. One requires significantly less trial and error, however, both will work. An alternative version of this room is available in it's remixed version Blaster.
Target IP
đ¯
10.10.181.110
Recon
Perform Web Server directories enumeration.
The enumeration found a folder named /retro
.
Use a browser to navigate to:
http://10.10.181.110/retro/index.php/2019/12/09/ready-player-one/
đ Wade user left a comment with his password
Use the credentials to login to the target via the open RDP Port 3389
Wade
:parzival
I suggest to set the
Remmina
RDP resolution to a higher one,e.g
Open Remmina,
+
to create a Quick RDP Connect, select the resolution andSave as Default
Open the user.txt
file on Wade's user desktop to get the first flag.
Exploitation
Open Internet Explorer
to initialize it.
Open Google Chrome
and set it as Default web browser in Windows.
The bookmarked link refers to the CVE-2019-1388 - Windows Certificate Dialog Elevation of Privilege Vulnerability.
Check the Recycle Bin and restore the hhupd
file.
Exploit the privesc vulnerability present in the Windows Certificate Dialog Box and run cmd
with Administrator privileges.
Even after the initialization of both the IE and Chrome browsers, there might not be any option for selecting the browser in the opened window.
Meterpreter
Generate a manual payload to get a Metasploit Meterpreter session on the target.
Download the payload on the target browser from this link
http://10.18.65.48/unprivileged-payload.exe
Open Metasploit and set up a handler to listen on the 4444
port
Run the unprivileged-payload.exe
file on the target machine
Get systeminfo
from the target and save the output to a file.
Privilege Escalation
Exploit the CVE-2017-0213 - Windows COM Elevation of Privilege Vulnerability
Download the
CVE-2017-0213_x64.zip
package, unzip it and upload theCVE-2017-0213_x86.exe
to the target.
Run the CVE-2017-0213_x86.exe
file from the Meterpreter session or using the RDP connection on the target.
Check the
CMD
as Administrator session on the target.
Remember that there can be other attack vectors to exploit target's vulnerabilities.
Last updated