narancs's blog

TryHackMe – ColddBox: Easy walkthrough



ColddBox: Easy is an easy difficulty room on TryHackMe. We can get into a WordPress admin panel after a quick enumeration of the website. Once we are logged in, we can insert a PHP reverse shell into the page to get initial access on the host. Then we need to escalate privileges to a normal user, then root user to get both flags.


Note: I have added the IP address of the VM to /etc/hosts as colddbox.thm, so I don’t have to type the IP address in every command.


Results of nmap scan:

There are 2 open ports: an HTTP server is running on port 80, and SSH is listening on port 4512. Since we don’t know any possible usernames yet, I started by enumerating the website.


I used gobuster to get a list of files/directories on the page.

    gobuster dir --url http://colddbox.thm -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 32 -x txt,sql,php,html

We can see that this is a website built with WordPress. There is also a /hidden directory, which I checked first. It contains some text that gives us a few possible usernames:

  • c0ldd
  • hugo
  • philip


Since I found 3 possible usernames, I started brute-forcing the WordPress login password. I went to the /login.php page and tried entering some passwords for each user. I noticed that if I enter the username admin and try a password, I receive the following error message:

ERROR: Invalid username.

However, if I enter one of the 3 usernames I listed above, I receive a different error. For example:

ERROR: The password you entered for the username hugo is incorrect.

This indicates that those 3 users actually exist in WordPress. I used hydra to brute-force the password. Eventually I found a valid password for c0ldd, who happened to be the WordPress administrator, so I did not need to continue with the other 2 users.

First, I sent a login request to login.php and captured it in Burp Suite. This helps to quickly find the payload that has to be used in hydra for brute-forcing.

The data that has to be sent to the login page is

    log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

where ^USER^ and ^PASS^ are special placeholders used by hydra. I know that the error message will contain the word “incorrect” if the login attempt fails with a valid username but an incorrect password, so I can use that word in hydra to filter out the unsuccessful login attempts. The final command is:

    hydra -l c0ldd -P /usr/share/wordlists/rockyou.txt colddbox.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1:incorrect"
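The brute-force above leaves a distinctive trace on the server side, which is what a defender should look for. The following Python script is an added example and not part of this walkthrough: it scans Apache combined-format access log lines for bursts of POST requests to /wp-login.php from a single client and reports whether one of those POSTs got the 302 redirect that WordPress sends on a successful login (a failed login re-renders the form with a 200). The log lines, client addresses and thresholds are constructed for the example.

```python
"""Spot WordPress login brute-force bursts in Apache access logs.

Added example for this walkthrough. A failed WordPress login re-renders the form
with HTTP 200, while a successful one answers 302 to /wp-admin/, so a dense run
of POST /wp-login.php with 200s from one client, ending in a 302, is the trace
a hydra run like the one above leaves behind."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_login_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: {"attempts": n, "success": bool}} for every client that sent
    at least `threshold` POSTs to /wp-login.php within any `window_seconds` span.
    `success` is True when one of that client's POSTs got a 302 redirect."""
    posts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            posts[ev["ip"]].append(ev)

    findings = {}
    for ip, events in posts.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {
                    "attempts": len(events),
                    "success": any(e["status"] == 302 for e in events),
                }
                break
    return findings


def build_sample_log():
    """Constructed combined-format lines (not real traffic): 10.0.0.5 fires 15
    login POSTs one second apart and the last one succeeds; 10.0.0.9 is a normal
    visitor who logs in once."""
    base = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = ['10.0.0.9 - - [10/Oct/2023:11:58:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    for i in range(15):
        stamp = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 302 if i == 14 else 200
        lines.append(f'10.0.0.5 - - [{stamp}] "POST /wp-login.php HTTP/1.1" {status} 3100 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [10/Oct/2023:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bursts(build_sample_log()).items():
        print(f"{ip}: {info['attempts']} login POSTs in a burst, successful login seen: {info['success']}")
```

Rate limiting wp-login.php (fail2ban on exactly this pattern, or limits in the web server) stops the burst itself, and replacing WordPress's two distinct error messages with one generic message through its `login_errors` filter removes the user-enumeration step that made the wordlist attack cheap in the first place.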


I logged in with the found credentials. Since the c0ldd user is the administrator, I can edit any of the theme's PHP files in the Appearance -> Editor menu. I modified the Sidebar file (sidebar.php) to add a reverse shell.

I used the following reverse shell code: I removed the opening and closing PHP tags (the first and last lines), then updated the IP address and port number in the file accordingly. Then, I pasted the code into the sidebar.php file right after the opening PHP tag.

I started a listener in my Kali VM, then reloaded the home page of the colddbox website and I received a shell as www-data user.


There is only 1 user with a home directory: c0ldd. It contains the user flag, but as the www-data user we cannot read the file. Somehow we need to switch to the c0ldd user.

I was checking the files in the web root when I found the configuration file for WordPress (/var/www/html/wp-config.php). It contained the credentials for the database user. I tried to switch to the c0ldd user with the same password, and it worked.

    www-data@ColddBox-Easy:/home/c0ldd$ su - c0ldd
    c0ldd@ColddBox-Easy:~$ cat user.txt


Then I had to escalate my privileges to root. I checked the sudo permissions of the user, and there are 3 commands that the c0ldd user can execute with sudo.

    c0ldd@ColddBox-Easy:~$ sudo -l
    Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
        env_reset, mail_badpass,
    El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
        (root) /usr/bin/vim
        (root) /bin/chmod
        (root) /usr/bin/ftp

The GTFOBins website lists a sudo escape for each of these commands. I used vim to spawn a root shell and read the root flag:

    c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'
    # cat /root/root.txt
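Before handing out sudo rights like these, an administrator can audit the rule set for commands that GTFOBins documents as escapes. The Python script below is an added example, not from the walkthrough: it parses `sudo -l` output of the form shown above, flags binaries from a small catalogue of known escapes and rates each rule by whether sudo's NOEXEC tag or pinned arguments limit the damage. The catalogue and the "hardened" rule set are assumptions made for the example; the first sample is the room's output as quoted above.

```python
"""Audit `sudo -l` output for rules that give an unprivileged user a known path to
root. Added example for this walkthrough; the catalogue below is illustrative,
not a complete list of GTFOBins entries."""
import re

# Why each binary is risky under sudo and what a tighter rule looks like
# (assumption: a hand-picked subset, starting with the three from the room).
ESCAPE_CATALOGUE = {
    "vim":   ("spawns a shell and can write any file as root", "use sudoedit on the specific files instead"),
    "vi":    ("spawns a shell and can write any file as root", "use sudoedit on the specific files instead"),
    "less":  ("spawns a shell from the pager", "page a fixed file through a wrapper script"),
    "find":  ("executes arbitrary commands as root", "replace with a script that takes no user-controlled arguments"),
    "ftp":   ("spawns a shell from the interactive client", "do not expose interactive clients via sudo"),
    "chmod": ("can make any binary setuid root", "pin the mode and path in the rule"),
    "chown": ("can hand any file to the user", "pin the owner and path in the rule"),
}
# Escapes that need execve(), which sudo's NOEXEC tag blocks for dynamically linked binaries.
NOEXEC_BLOCKS = {"vim", "vi", "less", "find", "ftp"}
# Abuse that is purely argument-driven; fixing the arguments in the rule neutralises it.
ARGUMENT_DRIVEN = {"chmod", "chown"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(output):
    """Extract (runas, tags, command) entries from `sudo -l` output; header and
    Defaults lines (in any locale) do not start with '(' and are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            if cmd.strip():
                rules.append({"runas": m["runas"], "tags": tags, "command": cmd.strip()})
    return rules


def audit(rules):
    """Rate each rule: high = direct path to root, medium = shell escape blocked by
    NOEXEC but file-level abuse remains, low = arguments pinned for an argument-driven binary."""
    findings = []
    for r in rules:
        argv = r["command"].split()
        name = argv[0].rsplit("/", 1)[-1]
        if name not in ESCAPE_CATALOGUE:
            continue
        risk, fix = ESCAPE_CATALOGUE[name]
        if name in ARGUMENT_DRIVEN and len(argv) > 1:
            severity = "low"
        elif name in NOEXEC_BLOCKS and "NOEXEC" in r["tags"]:
            severity = "medium"
        else:
            severity = "high"
        findings.append({"runas": r["runas"], "command": r["command"],
                         "severity": severity, "risk": risk, "fix": fix})
    return findings


# The room's sudo -l output as quoted in the walkthrough (Spanish locale).
SAMPLE_SUDO_L = """\
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

# Constructed hardened rule set for comparison (assumption, not from the room).
HARDENED_SUDO_L = """\
User c0ldd may run the following commands on ColddBox-Easy:
    (root) NOEXEC: /usr/bin/vim
    (root) /bin/chmod 640 /var/log/app.log
    (root) NOEXEC: /usr/bin/ftp
"""

if __name__ == "__main__":
    for label, text in (("room", SAMPLE_SUDO_L), ("hardened", HARDENED_SUDO_L)):
        print(f"[{label}]")
        for f in audit(parse_sudo_l(text)):
            print(f"  {f['severity']:6} ({f['runas']}) {f['command']}: {f['risk']}; fix: {f['fix']}")
```

The NOEXEC tag stops the `:!/bin/sh` escape used above because vim has to exec a shell for it, but a root vim can still write any file on the system, which is why the rule is only downgraded to medium and sudoedit on the specific files is the proper replacement. chmod needs no shell at all to be dangerous, so it stays high until the mode and target are fixed in the rule.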
