RETRO TryHackMe WriteUp 2023
OK, this is my first machine on TryHackMe. I usually use HTB, but now I have a project to finish. The project is “Search for one of the CTF engines on TryHackMe. Finish it and make the writeup!”, and so I chose the Retro machine.
This machine was a little bit tricky for me, because I had to focus on small details. I finished this machine in 1 and a half hours. This machine has CVE-2019-1388.
OK, let's go...
Information Gathering — NMAP
The first thing I always do when I'm doing a pentest is run nmap.
Scanning with -p- -sV was blocked, so I'm using -Pn as well.
After that, I found that port 80 is open: there is a website on a Windows server.
Now I'm trying to brute-force the website directories using gobuster, and I found an interesting directory called “retro”.
Information Gathering — GOBUSTER
When I opened the homepage I found a post uploaded by Wade, and I clicked the link (Wade).
While exploring the page posted by Wade, I looked at the recent comments section and clicked it.
Look at the comment “Ready Player One”: I think parzival is a hint for a username or password.
Now I'm trying to connect to the server via RDP.
Exploitation
I'm using Remmina for the RDP.
I try to fill in the password using “parzival”,
and now I'm logged in as wade.
user.txt is the first flag I found.
Privilege Escalation — CVE-2019-1388
When I checked Chrome, I found this.
And in the Recycle Bin I found hhupd; maybe the administrator wanted to fix CVE-2019-1388.
After searching on Google for how to exploit CVE-2019-1388,
I restore the file.
The restored file will appear on the Desktop.
And I clicked hhupd.exe.
The file asks for the password, but we don't use a password; instead we click on “Show more details”.
Then click on “Show information about the publisher's certificate”.
Now click on “VeriSign Commercial Software Publisher CA”.
And choose Internet Explorer, because we are using it for the exploitation.
Wait for the website to finish loading, then follow the method above.
After we click Save As, the website will open File Explorer.
We can save the file in C:\Windows\System32.
And save as *.* so that all the files in System32 are listed, not just files with the .mht format, because we need cmd to exploit this vulnerability.
After entering the folder we must scroll until we find a file called 12520437.cpx,
and then scroll again until cmd.exe, and click Open.
After that, I explored the existing directory.
Boom!! We are logged in as Administrator without a password, and I found the flag root.txt.txt at C:\Users\Administrator\Desktop.
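From the defender's side, the chain above (a browser started from the UAC certificate dialog, then cmd.exe started from that browser, all running as SYSTEM) is what to look for in process-creation logs. This is an added example, not part of the original writeup: it assumes Sysmon-style event fields, constructs the sample events itself, and the parent/child relationships and the hostname RETRO are assumptions.

```python
import ntpath
from dataclasses import dataclass

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# consent.exe (the UAC prompt) only shows a dialog; it should never launch these.
UNEXPECTED_CONSENT_CHILDREN = BROWSERS | SHELLS | {"explorer.exe"}

@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields (assumed layout)."""
    pid: int
    ppid: int
    image: str  # full path of the new process
    user: str   # account the process runs as

def _name(path):
    return ntpath.basename(path).lower()

def detect_cve_2019_1388_chain(events):
    """Return (pid, reason) pairs for events that match the exploit chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = _name(e.image)
        parent_name = _name(parent.image) if parent else ""
        is_system = e.user.upper() == SYSTEM_USER.upper()
        # Step 1 of the chain: the certificate dialog under consent.exe opens a browser.
        if parent_name == "consent.exe" and child in UNEXPECTED_CONSENT_CHILDREN:
            findings.append((e.pid, f"consent.exe spawned {child}"))
        # A browser should never run as SYSTEM, whatever its parent.
        if child in BROWSERS and is_system:
            findings.append((e.pid, f"{child} running as SYSTEM"))
        # Step 2: Save As -> cmd.exe, giving a SYSTEM shell under the browser.
        if child in SHELLS and parent_name in BROWSERS and is_system:
            findings.append((e.pid, f"{parent_name} (SYSTEM) spawned {child}"))
    return findings

# Constructed sample events (hostname RETRO is assumed): a normal consent.exe
# prompt, then the hhupd.exe -> iexplore.exe -> cmd.exe chain from the writeup.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", r"RETRO\wade"),
    ProcEvent(150, 1, r"C:\Windows\System32\svchost.exe", SYSTEM_USER),
    ProcEvent(200, 150, r"C:\Windows\System32\consent.exe", SYSTEM_USER),
    ProcEvent(300, 200, r"C:\Program Files\Internet Explorer\iexplore.exe", SYSTEM_USER),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", SYSTEM_USER),
]
```

Running detect_cve_2019_1388_chain(SAMPLE_EVENTS) flags pid 300 twice (spawned by consent.exe, and a browser running as SYSTEM) and pid 400 once; the first three events alone produce no findings.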
Summary
Alright, after trying this machine I feel like Easy level on HTB is much more difficult than TryHackMe; I don't know why, even though this is a machine with a Hard level.
For me the hard part when playing this machine was exploring the website, because I didn't realize “parzival” is the password for the server.
Okay, that's all from me, thank you for reading my writeup :)