ColddBox: Easy TryHackMe Writeup

Hey guys, I'm Ayush Bagde (aka Overide), and in this writeup we're going to learn how to solve the ColddBox: Easy TryHackMe machine.

You can access the machine from here

Machine Name: ColddBox
Level: easy
About: An easy level machine with multiple ways to escalate privileges.

Let’s Start,

Task 1: boot2Root

Can you get access and get both flags?
Good Luck!

Doubts and / or help in twitter: @C0ldd__ or @ColddSecurity

Thumbnail box image credits, designed by Freepik from www.flaticon.es

First of all, deploy the machine and wait for the IP address. Once you have the IP, open a new terminal and type

sudo nano /etc/hosts

and add a line that maps the machine's IP to a hostname, like this (10.10.48.215 is the IP my instance got; yours will differ):

10.10.48.215 colddbox.thm

Now we will start with basic enumeration.

INFORMATION GATHERING

sudo nmap -sS -sCV -T4 10.10.48.215 -vvv -oA basic_agg_scan

We can clearly see that port number 80 is open with Apache 2.4.18 running. Let’s visit this website and see what we can find there.

In the browser, type http://colddbox.thm instead of the IP address, because we edited the hosts file earlier. We no longer have to reach the machine by IP; we can use the domain we set.

This is what showed up when I visited the page:

I used the Wappalyzer browser extension for some information; from it I learned that the website is built on WordPress.

The website is running WordPress 4.1.31. Let's use the wpscan tool to find more information.

WPScan is a tool for gathering information about websites built on WordPress.

This is the output of the wpscan:

Found nothing. Then I thought: why not brute-force directories? I used gobuster to find hidden directories.

gobuster dir -u http://colddbox.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py

We can see some directories that are quite interesting. Let's visit them one by one.

Note: Search and visit every directory. Interesting things often sit under uninteresting-looking directories.

Found some interesting directories

I visited /wp-content/, but nothing showed up. Then I visited /wp-login.php:

We'll look into this after visiting all the directories and files.

After that I visited /wp-trackback.php:

Found nothing important.

Then I visited /wp-admin

Note: wp-admin/ and wp-login.php lead to the same login form; wp-admin/ redirects to wp-login.php, as you can see from the URL.

Then I visited /hidden. I found a note there.

From this you can guess that C0ldd may be the username for the admin page. We could simply try it on the login form, but let's go further and check the remaining things first.

/xmlrpc.php showed me:

I thought there was nothing interesting here, so I came back to the login form and tried C0ldd as the username with a random password. This showed me an error that basically proved C0ldd is the admin user.

Note: The error said that the password for username C0ldd is incorrect, which means C0ldd is a valid username that exists. Now we will brute-force the admin login form.

You can use hydra as well. Here I'm using wpscan to brute-force it, with rockyou.txt as the password list. The command is

wpscan --url http://colddbox.thm/wp-login.php -U C0ldd -P <file path to rockyou.txt>

After some time I got the password.

Now login using the credentials. Congrats!!!
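Because this box falls to a guessed admin password, it is worth seeing what that step leaves behind on the server. The following is an added example, not part of the original writeup: a small Python detector run over constructed Apache access-log lines (the addresses, timestamps and user agents are made up for the example). It flags any client that POSTs to the WordPress login endpoints more than a few times inside a short window, and notes whether the burst ended in a redirect, which is how WordPress answers a successful login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines for illustration only; they are not logs
# from the ColddBox machine. 10.10.14.5 hammers wp-login.php with WPScan and its
# last POST is answered with a redirect; 10.10.14.9 is a normal user who
# mistypes a password once before logging in.
SAMPLE_LOG = "\n".join(
    ['10.10.14.5 - - [12/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"']
    + [
        f'10.10.14.5 - - [12/Jan/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "WPScan v3.8.22"'
        for s in range(2, 9)
    ]
    + [
        '10.10.14.5 - - [12/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22"',
        '10.10.14.9 - - [12/Jan/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
        '10.10.14.9 - - [12/Jan/2024:10:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
)

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Both endpoints accept credentials: wp-login.php is the form, and xmlrpc.php
# (which the enumeration above also visited) takes a username and password too.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for clients with at least `threshold` login POSTs inside any `window`."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: find the densest run of attempts that fits inside `window`.
        start, densest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            findings[ip] = {
                "attempts_in_window": densest,
                "total_attempts": len(events),
                # WordPress re-renders the form with a 200 on a failed login and
                # redirects (302) to wp-admin on success, so a burst of 200s that
                # ends in a 302 means one of the guesses worked.
                "succeeded": any(status in (301, 302) for _, status in events),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The 200, 200, ..., 302 shape is the tell: a failed WordPress login is a 200 with the form re-rendered, a success is a redirect. The earlier username check (the "incorrect password for C0ldd" error) is invisible in the access log, since both a bad username and a bad password come back as a 200; catching that needs either the application log or a login form that returns the same generic error for both cases.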

ATTACKING:

Now we'll upload a PHP reverse shell and execute it for remote code execution. I'm using the PentestMonkey PHP reverse shell.

Go to Appearance -> Editor.

Then, from the templates on the right-hand side, choose header.php and replace the file's contents with the reverse shell.

Change the IP address in the script to your own machine's IP (the one your listener will run on); the port can be anything, I kept 1234. Once done, update the file.
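Appearance -> Editor is available only because WordPress ships with dashboard file editing enabled. As an added example (not from the writeup, and not the box's own wp-config.php; the database values are placeholders), here is a Python audit that reads two constructed wp-config.php fragments, the weak one next to a hardened one, and reports which hardening constants are missing or set wrong. DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are standard WordPress constants; the check table and the consequence wording are my own.

```python
import re

# Constructed wp-config.php fragments for illustration; neither is the file from
# the ColddBox box, and the DB values are placeholders. The weak one is the
# state that lets Appearance -> Editor save PHP into a theme file.
WEAK_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
define('WP_DEBUG', false);
// Removes the theme and plugin editors from the dashboard, so a stolen admin
// login can no longer turn into PHP in the webroot through header.php.
define('DISALLOW_FILE_EDIT', true);
// Also blocks installing or updating plugins and themes from the dashboard.
define('DISALLOW_FILE_MODS', true);
$table_prefix = 'wp_';
"""

# Matches define('NAME', value); where value is a quoted string, true/false or a number.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)

# constant -> (required value, value WordPress assumes when it is missing, consequence)
CHECKS = {
    "DISALLOW_FILE_EDIT": (True, False, "dashboard editors can write PHP into themes and plugins"),
    "DISALLOW_FILE_MODS": (True, False, "dashboard can install and update plugins and themes"),
    "WP_DEBUG": (False, False, "debug output leaks paths and query details to visitors"),
}


def parse_defines(php_text):
    """Map each define()d constant to its value (true/false become bools, strings lose their quotes)."""
    defines = {}
    for m in DEFINE_RE.finditer(php_text):
        raw = m.group("value").strip()
        if raw.lower() in ("true", "false"):
            defines[m.group("name")] = raw.lower() == "true"
        else:
            defines[m.group("name")] = raw.strip("'\"")
    return defines


def audit_wp_config(php_text):
    """Return (constant, expected, actual, consequence) for every hardening check that fails."""
    defines = parse_defines(php_text)
    failures = []
    for name, (expected, default, consequence) in CHECKS.items():
        actual = defines.get(name, default)  # a missing define behaves like its default
        if actual != expected:
            failures.append((name, expected, actual, consequence))
    return failures


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "all checks pass")
```

What the audit cannot see is whether DB_PASSWORD is also some system account's password; that reuse is the second thing this box turns on, and it stays a manual check.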

Now we have to run our payload. But before that start your netcat listener by typing command

nc -nvlp 1234

Now we'll request header.php to execute our payload. You can do this by entering the following URL:

http://colddbox.thm/wp-content/themes/twentyfifteen/header.php

As you can see, we got the shell. But it's unstable; to make it stable, enter the following commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'   # spawn a proper pty
Ctrl+Z                                            # background the shell
stty raw -echo && fg                              # stop the local terminal interpreting keystrokes, then foreground the shell
reset
Ctrl+D
export TERM=xterm-256color
stty columns 149

Now we have a stable shell. Go to the /home directory, then /c0ldd, and cat user.txt.

As you can see, we get an error, because we are a normal user and a normal user does not have permission to read the flag. Let's get the password we need to su.

After taking some time and searching through directories, I found something interesting in /var/www/html.

After searching every file there, I found the su password in wp-config.php.

Log in with su, using the username and password you found.

Now go to /home -> /c0ldd and cat the user.txt flag.

PRIVILEGE ESCALATION

Enter the command :

sudo -l

Notice: We can escalate our privileges in three ways.

By /bin/chmod

Just enter the following command

sudo chmod 777 /root/

and then go to the /root directory and cat the root flag.

By /usr/bin/vim

By /usr/bin/ftp
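All three routes come from the same misconfiguration: the sudoers rule hands c0ldd binaries that are as good as root. The following is an added Python example, not from the writeup, that parses sudoers-style rules (the sample rules are constructed to mimic `sudo -l` output and are not the box's real output) and reports every root-equivalent rule naming one of a short list of binaries that can write arbitrary files, change permissions or run other commands. It is the kind of check a defender runs over /etc/sudoers and /etc/sudoers.d before a host ships.

```python
import re

# Constructed sudoers-style rules for the audit, mimicking what `sudo -l` would
# report; they are not the real output from the ColddBox box. The c0ldd line is
# the shape of rule this writeup's three escalation routes rely on.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
c0ldd   ALL=(ALL) NOPASSWD: /bin/chmod, /usr/bin/vim, /usr/bin/ftp
backup  ALL=(root) /usr/bin/rsync --archive /var/backups/ /mnt/offsite/
www-data ALL=(www-data) /usr/sbin/service apache2 reload
"""

# Binaries that should never be delegated as root through sudo, with the reason:
# each one, run as root, gives its caller capabilities equivalent to root.
RISKY_BINARIES = {
    "ALL": "unrestricted command execution as root",
    "/bin/chmod": "changes the permissions of any file or directory as root",
    "/bin/chown": "changes the ownership of any file or directory as root",
    "/usr/bin/vim": "editor that reads and writes arbitrary files as root",
    "/usr/bin/vi": "editor that reads and writes arbitrary files as root",
    "/usr/bin/nano": "editor that reads and writes arbitrary files as root",
    "/usr/bin/ftp": "interactive client that can run local commands as root",
    "/bin/bash": "interactive shell as root",
    "/bin/sh": "interactive shell as root",
}

# user  host=(runas[:group])  [TAG:]...  cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rule(line):
    """Parse one user-specification line; returns None for comments, Defaults lines and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if m is None:
        return None
    # "(ALL:ALL)" or "(root)"; an empty runas list means root in sudoers.
    runas_user = m.group("runas").split(":", 1)[0].strip() or "root"
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    # Keep only the executable of each command; the arguments do not change
    # which binary runs, and for the risky set above arguments do not contain it.
    binaries = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return {
        "user": m.group("user"),
        "runas_user": runas_user,
        "nopasswd": "NOPASSWD" in tags,
        "binaries": binaries,
    }


def audit_sudoers(text):
    """Report root-equivalent sudo rules that delegate a risky binary (root's own rule is skipped)."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root":
            continue
        if rule["runas_user"] not in ("ALL", "root"):
            continue  # runs as an unprivileged account, so not a path to root
        for binary in rule["binaries"]:
            reason = RISKY_BINARIES.get(binary)
            if reason:
                findings.append({
                    "user": rule["user"],
                    "binary": binary,
                    "nopasswd": rule["nopasswd"],
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']}: {f['binary']} (NOPASSWD={f['nopasswd']}) - {f['reason']}")
```

On a real host, feed it the contents of /etc/sudoers and /etc/sudoers.d/*. The fix for a rule like c0ldd's is not a longer deny list but narrowing the grant: a wrapper script with fixed arguments for the one task the user needs, or dropping the rule altogether.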

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

CyberSecurity Expert | Hacker | Trainer and mentor | CTF Player | Writeups writer