ColddBox TryHackMe Walkthrough
Hello guys, back again with another walkthrough. This time we’ll be tackling ColddBox from TryHackMe. The box is an easy one except for the initial part, which is brute forcing a user’s WordPress password, a concept commonly known as “spraying and praying”. I know brute force actually works sometimes, but I am really never a fan of it. Nonetheless, the box starts off with us finding a WordPress site; running wpscan we are able to enumerate the WordPress users, and we then perform a password spraying attack using the rockyou wordlist and get one user whose credentials were weak. Logging into WordPress with those credentials we see that this specific user can edit PHP files, and we use that to get a shell on the box. Looking at the WordPress database config file we get a password, and there’s password reuse going on, so we use that password to escalate our privileges to another user on the box. We then find that this user can run certain binaries as the root user and exploit that misconfiguration to get root on the box. It was a really simple box, so without much to say, let’s jump in.
As always we’ll start off with an nmap scan of the box.
Looking at the result below you can see that only one port is open on the box, and it’s an HTTP server.
And the http-generator script from nmap tells us that the website is running WordPress.
On opening the website using Mozilla we get a standard WordPress site.
The first thing that I always do whenever I find a WordPress site is run wpscan, which automatically enumerates the site.
While wpscan was running I decided to also run gobuster in the background in case it came up with any interesting directories and files.
Going back to wpscan, it had finished its enumeration process and the most useful information it gave us was a bunch of usernames.
What I did was save those usernames in a text file, because I wanted to start a brute force attack and leave it running in the background.
After saving the usernames in the text file I started a brute force attack using wpscan’s inbuilt brute force module.
While the brute force was running in the background I decided to run cewl against the site, since I saw some content on it that wasn’t standard WordPress content.
This will give us some words that might be a user’s password.
I also looked at the source code while the brute force was running but found nothing interesting.
Going back to the wpscan brute force, we had a valid credential for the user c0ldd.
Turns out that we did not need that cewl wordlist after all, but it took probably 20 minutes to find the valid password, so be patient while running the brute force.
Next let’s login to WordPress.
And voila, looking at the screenshot below, the password works.
WordPress, just like any other content management system (CMS), always has a way to execute code so long as you are authenticated as a user with enough privileges. In our case we’ll edit the 404.php template and use it to get a shell on the box.
Navigating to Appearance → Editor
Clicking the editor directs us to theme-editor.php, which we can use to edit PHP files; in our case we’ll edit the 404.php template.
In the 404 template we are going to add a PHP one-liner that runs a system command taken from a request parameter.
Update the file and then navigate to the 404 template in a different tab.
We get a blank page, but adding the parameter cmd to the request and running a system command, you can see in the screenshot below that we have command execution on the box.
Sweet. The next step is getting a proper shell on the box, so I intercepted the request using Burp Suite and sent it to the Repeater tab.
Next I used a one-liner bash reverse shell payload to get a shell on the box.
Next I set up a netcat listener to catch the shell.
Next I went back to Burp Suite, URL-encoded the payload and sent the request. Going back to the netcat listener we had a shell on the box.
Sweet. Next I upgraded my shell and started by looking at the WordPress config file (wp-config.php), because it always contains a password.
And looking at the screenshot below we get the password for the user c0ldd.
c0ldd is also a user on the box, looking at the passwd file.
Next I decided to try password reuse and see if the password he used to connect to MySQL is the same as his user password.
And voila, that was an easy win: the c0ldd user had reused his SQL password.
Running sudo -l we see that we can run certain binaries as the root user without knowing his password, which automatically gives us a shot at getting root on the box.
For the first example I’ll use chmod, which changes the permissions of a file or executable.
I will add the SUID bit to bash and get a root shell that way.
Now executing bash with the argument -p.
The -p argument tells bash not to drop the effective user ID that the SUID bit gives it.
We become root on the box. Sweet, now we can submit the flag on TryHackMe and increase our points.
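The theme-editor edit above is exactly what a defender wants to catch. As an added example (not code from the original post), this small audit scans a theme directory for PHP files that pass request parameters straight into a command-execution sink, and checks whether wp-config.php disables the built-in editor with DISALLOW_FILE_EDIT; the sample theme files it builds are constructed here, not taken from the box.

```python
import re
import tempfile
from pathlib import Path

# Command-execution sinks fed straight from request data, the shape of the
# one-liner dropped into 404.php in this walkthrough.
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
                     r"\$_(GET|POST|REQUEST|COOKIE)\b")
EVAL_RE = re.compile(r"\beval\s*\(")
# The wp-config.php setting that removes Appearance -> Editor entirely.
DISALLOW_RE = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)


def scan_php_source(src: str) -> list[str]:
    """Return one finding per suspicious line of PHP source."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if SINK_RE.search(line):
            findings.append(f"line {lineno}: command sink fed by request parameter")
        elif EVAL_RE.search(line):
            findings.append(f"line {lineno}: eval() call")
    return findings


def scan_theme_dir(theme_dir: Path) -> dict[str, list[str]]:
    """Scan every .php file under a theme directory; keys are relative paths."""
    results = {}
    for php in sorted(theme_dir.rglob("*.php")):
        findings = scan_php_source(php.read_text(errors="replace"))
        if findings:
            results[php.relative_to(theme_dir).as_posix()] = findings
    return results


def file_edit_disabled(wp_config_src: str) -> bool:
    """True if wp-config.php disables the built-in theme/plugin editor."""
    return DISALLOW_RE.search(wp_config_src) is not None


def demo() -> dict[str, list[str]]:
    """Constructed sample theme: a clean index.php and a tampered 404.php."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp)
        (theme / "index.php").write_text("<?php get_header(); ?>\n")
        (theme / "404.php").write_text("<?php get_header(); ?>\n<?php system($_GET['cmd']); ?>\n")
        return scan_theme_dir(theme)


if __name__ == "__main__":
    print(demo())
    print("editor disabled:", file_edit_disabled("define('DISALLOW_FILE_EDIT', true);"))
```

Point scan_theme_dir at wp-content/themes on a real install; pairing it with file-integrity monitoring on the theme directory catches edits made through the editor as soon as they land.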
The second method I’ll use to get a root shell is vim, using the command
sudo -u root vim -c ':!/bin/bash'
The third method I’ll use to get root on the box is ftp, using the command
sudo -u root ftp
ftp> !/bin/bash
The fourth way we can privesc is by using the lxd group, which we are a part of.
I’ve shown this method of privilege escalation four times already on the blog, so I am not going to show it again, but you can check my previous articles if you want to see the method.
The fifth way we could privesc is by using the find binary, which from the linpeas results appears to have the SUID bit set.
Using the command
find . -exec /bin/sh -p \; -quit
We get a root shell on the box.
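All five escalations above come from the same small set of misconfigurations: sudo rules on binaries that can spawn a shell, a SUID bit on such a binary, and membership of the lxd group. As an added example (not code from the original post), this audit parses `sudo -l` output, a list of SUID paths and `id` output and flags exactly those conditions; the sample inputs are constructed here, not captured from the box, and the hostname is a placeholder.

```python
import re

# Binaries that yield a root shell or root file write when a rule lets them run
# as root: the four abused above (chmod, vim, ftp, find) plus common others.
SHELL_ESCAPE = {"chmod", "chown", "vim", "vi", "ftp", "find", "bash", "sh",
                "env", "less", "more", "awk", "python3", "perl", "nano", "tar"}
# Group memberships that are equivalent to root on most hosts (lxd is method four).
PRIVILEGED_GROUPS = {"lxd", "docker", "disk", "sudo", "wheel"}
# One rule line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Turn the rule lines of `sudo -l` output into one dict per command."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").split(":")[0].strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": cmd.strip()})
    return rules


def _basename(cmd: str) -> str:
    return cmd.split()[0].rsplit("/", 1)[-1]


def risky_sudo_rules(rules: list[dict]) -> list[str]:
    """Commands whose rule runs as root and is a known shell escape (or ALL)."""
    return [r["cmd"] for r in rules if r["runas"] in ("root", "ALL")
            and (r["cmd"] == "ALL" or _basename(r["cmd"]) in SHELL_ESCAPE)]


def risky_suid(paths: list[str]) -> list[str]:
    """SUID binaries (e.g. from `find / -perm -4000`) that can spawn a shell."""
    return [p for p in paths if _basename(p) in SHELL_ESCAPE]


def risky_groups(id_output: str) -> list[str]:
    """Privileged groups present in `id` output."""
    return sorted(set(re.findall(r"\d+\((\w+)\)", id_output)) & PRIVILEGED_GROUPS)


# Constructed sample inputs for the audit, not captured from the box.
SAMPLE_SUDO_L = """\
User c0ldd may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /bin/chmod, /usr/bin/ftp
    (root) /usr/bin/passwd
"""
SAMPLE_SUID = ["/usr/bin/find", "/usr/bin/passwd", "/bin/ping"]
SAMPLE_ID = "uid=1000(c0ldd) gid=1000(c0ldd) groups=1000(c0ldd),108(lxd)"
```

Anything the three functions return is a finding to fix: drop the sudo rule or restrict it to a wrapper script, clear the SUID bit, and remove the user from the group.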
And there you go, five ways of privilege escalation. I hope you enjoyed the walkthrough; if so, clap for me down below and make sure to follow me so that you don’t miss any upcoming articles. The cheat sheet for all those commands can be found here