Hey Guys, I’m Ayush bagde aka Overide and in this writeup we’re gonna learn how to solve ColddBox: Easy TryHackMe Machine.
You can access the machine from here
Machine Name: ColddBox
About: An easy level machine with multiple ways to escalate privileges.
Task 1: boot2Root
Can you get access and get both flags?
Doubts and/or help on Twitter: @C0ldd__ or @ColddSecurity
First of all, deploy the machine and wait for the IP address. Once you have the IP, open a new terminal and type
sudo nano /etc/hosts
and edit it in this way.
Now we will start with basic enumeration
sudo nmap -sS -sCV -T4 10.10.48.215 -vvv -oA basic_agg_scan
We can clearly see that port 80 is open, running Apache 2.4.18. Let's visit the website and see what we can find there.
In the browser, type http://colddbox.thm instead of the IP address, because we edited the hosts file earlier. We no longer have to reach the machine through its IP address; we can use the domain we set.
This is what showed up when I visited the page:
I used the Wappalyzer tool for some information, and from there I got to know that the website is built using WordPress.
The website is using WordPress 4.1.31. Let's use the wpscan tool to find more information.
WPScan is a tool used to gather information about websites built on WordPress.
This is the output of wpscan:
Found nothing. Then I thought, why not brute-force directories? I used gobuster to find some hidden directories.
gobuster dir -u http://colddbox.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py
We can see some directories which are quite interesting. Let's visit them one by one.
Note: Search and visit every directory, because interesting things are under non-interesting directories.
Found some interesting directories.
I visited /wp-content/ but nothing showed. Then I visited /wp-login.php
We’ll look into this after visiting all directories or files.
After that I visited /wp-trackback.php :
Found nothing important.
Then I visited /wp-admin
Note: wp-admin/ and wp-login.php are the same. You can tell by looking at the URL.
Then I visited /hidden. I found a note there.
From here you can guess that C0ldd may be the username for the admin page. We could just use trial and error on the form, but let's go further and check the remaining things first.
/xmlrpc.php showed me:
I thought nothing was interesting here, so I came back to the login form and tried entering C0ldd as the username and a random password. This showed me an error which basically proved to me that C0ldd is the admin.
Note: Here the ERROR says that the password for username C0ldd is incorrect, which means C0ldd is a valid username that exists. Now we will brute-force the admin login form.
You can also use hydra. Here I'm using wpscan to brute-force it, with rockyou.txt as the password list. The command is
wpscan --url http://colddbox.thm/wp-login.php -U C0ldd -P <file path to rockyou.txt>
After some time I got the password.
Now login using the credentials. Congrats!!!
Now we'll upload a PHP reverse shell and execute it for remote code execution. I'm using the Pentest Monkey PHP reverse shell.
Go to Appearance -> Editor
Then from the templates on the right-hand side choose header.php. Edit the file with the reverse shell.
Change the IP address to your machine's IP; the port can be anything. I kept 1234. Once done, update the file.
Now we have to run our payload, but before that start your netcat listener by typing the command
nc -nvlp 1234
Now we'll go to header.php to execute our payload. You can do this by entering the following URL.
As you can see, we got the shell, but it's unstable. To make it stable, enter the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo && fg
stty columns 149
Now we have a stable shell. Go to the /home directory, then /c0ldd, and cat user.txt.
As you can see, we got an error because we are a normal user, and a normal user doesn't have permission to read the flag. Let's get the su password.
After taking some time searching the directories, I found something interesting in the /var/www/html directory.
After searching every file, I found the su password in wp-config.php.
Log in as that user with the username and password.
Now go to /home -> /c0ldd and cat the user.txt flag.
Enter the command :
Notice: We can escalate our privileges in three ways.
Just enter the following command
sudo chmod 777 /root/
and then go to the root directory and cat the root flag.
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!