ColddBox: Easy is an easy-difficulty room on TryHackMe. After a quick enumeration of the website we can get into the WordPress admin panel. Once logged in, we can insert a PHP reverse shell into a theme file to get initial access on the host. Then we need to escalate privileges, first to a normal user and then to root, to get both flags.
Note: I have added the IP address of the VM to /etc/hosts as colddbox.thm, so I don’t have to use the IP.
Results of nmap scan:
There are 2 open ports: an HTTP server is running on port 80, and SSH is open on port 4512. Since we don’t know any possible usernames yet, I started by enumerating the website.
I used gobuster to get a list of files/directories on the page.
gobuster dir --url http://colddbox.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32 -x txt,sql,php,html
We can see that this is a website built with WordPress. There is also a /hidden directory, which I checked first. It contains some text that gives us a few possible usernames.
Since I found 3 possible usernames, I started brute-forcing the WordPress login password. I went to the /login.php page and tried a few passwords for each user. I noticed that if I enter the username admin and try a password, I receive the following error message:
ERROR: Invalid username.
ERROR: The password you entered for the username hugo is incorrect.
The second message names the user, which indicates that those 3 users actually exist in WordPress (the login form behaves differently for valid and invalid usernames). I used hydra to brute-force the password. Eventually I found a valid password for c0ldd, who happened to be the WordPress administrator, so I did not need to continue with the other 2 users.
First, I captured a login request to login.php in Burp Suite. This helps to quickly find the POST body that has to be used in hydra for brute-forcing.
The data that has to be sent to the login page is:
where ^USER^ and ^PASS^ are special placeholders used by hydra. I know that the error message contains the word “incorrect” when a login attempt fails with a valid username but an incorrect password, so I can use that word in hydra to filter out the unsuccessful login attempts. The final command is:
hydra -l c0ldd -P /usr/share/wordlists/rockyou.txt colddbox.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1:incorrect"
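The brute force above is exactly the pattern a defender would want to catch in the web server's access log. The following is an added example (not from the room or the writeup): a small detector over constructed Apache combined-format log lines that flags any client IP with 10 or more failed POSTs to /wp-login.php inside a one-minute window, and records whether a redirect followed, on the assumption of default WordPress behaviour (a failed login re-renders the form with HTTP 200, a successful one redirects with 302).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): 12 failed POSTs from one IP in 13 s, then a 302;
# a normal user (10.0.0.9) fails once and then logs in successfully.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"'
     for s in range(1, 13)]
    + ['10.0.0.5 - - [10/Mar/2024:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '10.0.0.9 - - [10/Mar/2024:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
       '10.0.0.9 - - [10/Mar/2024:12:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def detect_wp_login_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside any window_seconds span.
    Assumes default WordPress behaviour: failure re-renders the form (200), success redirects (302)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        (successes if status == 302 else failures)[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # A 302 after the last failure means the guessing most likely succeeded.
            alerts[ip] = {"failed_in_window": best,
                          "success_after": any(t >= times[-1] for t in successes[ip])}
    return alerts
```

Calling detect_wp_login_bruteforce(SAMPLE_LOG) reports only 10.0.0.5, with success_after set, which is the case that should page someone rather than just be rate-limited.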
I logged in with the found credentials. Since c0ldd is an administrator, I can edit any of the theme's PHP files under Appearance -> Editor. I modified the Sidebar (sidebar.php) file to add a reverse shell.
I used the following reverse shell code: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php. I removed the opening and closing PHP tags (first and last row), then updated the IP address and port number in the file accordingly. Then I pasted the code into the sidebar.php file right after the opening PHP tag.
I started a listener in my Kali VM, then reloaded the home page of the colddbox website and received a shell as the www-data user.
There is only 1 user who has a home directory: c0ldd. It contains the user flag, but as www-data we cannot read the file. Somehow we need to switch to the c0ldd user.
While checking the files in the web root, I found the WordPress configuration file (/var/www/html/wp-config.php). It contained the credentials for the database user. I tried to switch to c0ldd using the same password, and it worked.
www-data@ColddBox-Easy:/home/c0ldd$ su - c0ldd
c0ldd@ColddBox-Easy:~$ cat user.txt
Then I had to escalate my privileges to root. I checked the sudo permissions of the user, and there are 3 commands that c0ldd can execute with sudo.
c0ldd@ColddBox-Easy:~$ sudo -l
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
The GTFOBins website lists a way to get a root shell from each of these commands. I used vim to spawn a root shell and read the root flag: https://gtfobins.github.io/gtfobins/vim/.
c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'
# cat /root/root.txt