THM-Retro-Writeup

Can you time travel? If not, you might want to think about the next best thing.

Make every campaign better than the last with GetResponse! Track sign-ups, click-throughs, sales, and more!

GetResponse | Professional Email Marketing for Everyone

Retro CTF

Find This Room: Retro

Let’s Pwn Retro

Start

1- Recon

Nmap

Wow, look at The RDP, we will discuss it later

2- We will use gobuster to search for hidden directories

gobuster dir -u 10.10.69.12 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -q -t 105 -x php,asp,aspx,txt,html
/retro (Status: 301)

We found it /retro

Dentro de la pagina encontramos un post el cual contiene un comentario del usuario wade.

Username

Let’s Connect To RDP

RDP

use parzival for RDP connection

Windows Server

System Informations

Build 14393

Let’s Get The First Flag

User Flag

Now how can we escalate the privilege to open cmd as administrator?

following images so that you can obtain the root flag

Open Recycle Bin

1

2

3

4

5

6

7

8

Make sure you saved to System32

Search for cmd and open it normally, not as administrator

CMD

Now we can get root flag

Root Flag

Happy Hacking

Follow Me On Linkedin and Facebook