Retro is a typical blackbox CTF. The initial nmap scan shows 2 open ports:
Another scan shows that Remote Desktop is enabled on port 3389.
A Gobuster scan showed the /retro directory.
It is a WordPress site, so I went to the login page and made a few login attempts. There was an output indicating whether the username is correct or not. I took the username from a post author.
I ran a brute-force attack with rockyou against this username, but it wasn't successful. I decided to try a few SQL injections, but that also had no outcome.
After going through the posts on the webpage I noticed an interesting one:
I used these credentials to log in to the WordPress account and RDP.
Unfortunately I couldn't download any malware as this user; maybe I should have tried another directory. Even so, I could proceed with this box.
I went back to WordPress and opened the theme editor. 404.php is a good file for a PHP reverse shell, because you don't destroy the whole site. The reverse shell will start if you try to open a non-existent page.
I edited the IP and port in the lower part of this shell code.
Remember to start the listener before opening a "wrong" directory of the site. There is an example of such a directory below:
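From the defender's side, the step above leaves a clear trace: a theme template that suddenly calls socket or process functions. The following scanner is an added example (not code from the original write-up) that flags such calls in WordPress theme files so the tampered 404.php stands out during triage. The file paths, the sample theme contents and the indicator list are constructed for this demo.

```python
"""Scan WordPress theme files for web-shell indicators.

Added example, not part of the original write-up. It checks theme templates
(such as 404.php) for PHP calls that rarely belong in a template but are
typical of a dropped shell. Sample contents below are constructed.
"""
import re
from dataclasses import dataclass

# PHP calls that almost never appear in a legitimate theme template.
SUSPICIOUS_CALLS = (
    "fsockopen", "proc_open", "popen", "shell_exec", "exec", "system",
    "passthru", "pcntl_exec", "base64_decode", "eval", "assert",
)
# Call name followed by optional whitespace and an opening parenthesis.
# \b keeps "exec(" from matching inside "shell_exec(" twice.
CALL_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\s*\(",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    line_no: int
    call: str
    line: str


def scan_php_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per suspicious call, with line numbers for triage."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append(Finding(path, line_no, m.group(1).lower(), line.strip()))
    return findings


def scan_theme(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a mapping of theme file path -> contents; keep only files with hits."""
    results = {}
    for path, source in files.items():
        hits = scan_php_source(path, source)
        if hits:
            results[path] = hits
    return results


# Constructed sample theme: a stock-looking 404.php and a tampered copy.
# (Paths and contents are made up for this example.)
SAMPLE_THEME = {
    "wp-content/themes/demo/404.php": """<?php
get_header();
?>
<h1><?php esc_html_e( 'Page not found', 'demo' ); ?></h1>
<?php get_footer(); ?>
""",
    "wp-content/themes/demo-tampered/404.php": """<?php
// template body replaced; constructed, non-functional connect-back stub
$sock = fsockopen($ip, $port);
$proc = proc_open($cmd, $desc, $pipes);
get_header();
""",
}


def main() -> None:
    for path, hits in scan_theme(SAMPLE_THEME).items():
        print(f"[!] {path}")
        for f in hits:
            print(f"    line {f.line_no}: {f.call}()  ->  {f.line}")


if __name__ == "__main__":
    main()
```

In a real deployment, run the scan over the theme directory and compare results against a known-good copy of the theme; the hardening that removes this attack path entirely is `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which disables the theme and plugin editors for every wp-admin user.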
To use this vulnerability you need to use e.g. Juicy Potato. I downloaded some other files to this machine. I also wanted to find another way to escalate privileges to administrator.
You need to download an extra .bat shell to run Juicy Potato. Remember to edit this shell and choose a port which is not in use.
Remember to run a listener before running JuicyPotato.
Box is rooted 🙂