🔗 ColdBox
🎯 Target IP: 10.10.100.105
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
Of course, start to check information scanning open ports:
command | result |
---|---|
sudo | run as root |
sC | run default scripts |
sV | enumerate versions |
A | aggressive mode |
T4 | run a bit faster |
oN | output to file with nmap formatting |
It looks like there are 2 open ports on the machine: 80, 4512
Now, we need to search which services are running on open ports:
Then we can start to see website (port 80):
we can see that's a wordpress web site, then we can try to see page source for checking information disclosure.
but we don't find precious info.
Another good thing to do, is find hidden paths on website using gobuster
Very good, we can start to check these web dir:
/hidden/
Very good, there're precious info about usernames: C0ldd, Hugo and Philip.
We can confirm it watching error message at login in a default login path for wordpress: /wp-admin/
Finally the's another good info
If we don't waste time, we can use wpscan to find user list, but we'll take it if we take results with our three users, then try to login with C0ldd/Hugo/Philip:password123 (what we've see in the hidden path).
Nothing to do, we need to use brute force attack.
Then, we save them in a file called users.txt, and run hydra with a password wordlist to take a brute force attack:
C0ldd:9876543210
Now we can use this credentials to log in wordpress and ssh.
Check user list, to see them and theirs role/permissions:
Very good, C0ldd is administrator.
Now, we need to access at machine using web shell, find it on our kali web-shells folder or use pentester monkey website:
We need to edit it using our credentials (LHOST and LPORT):
and upload it on media library page:
But, trying to change extension, upload doesn't work.
Then, we can try to use wordpress themes or plugins how vector to inject our web-shell.
Starting with themes, we edit header.php page in the twentyfifteen theme using the same php web-shell:
Update file, run netcat listener on the same port '1234':
Go to: http://coldbox.thm/wp-content/themes/twentyfifteen/header.php
We can upgrade this to a fully interactive shell by running:
and retrieve credentials inside wp-config.php file.
we know credential for access how c0ldd user and read user.txt flag
We can do sudo -l command to discover user's permissions.
We see that c0ldd user has root permissions for these commands, we can use gtfobins to find them.
https://gtfobins.github.io/gtfobins/vim/ using vim sudo command below, we obtain a root permission:
spawn /bin/sh to use shell:
Well done! Root flag found!