ColddBox: Easy

So, I noticed a new room appeared on TryHackMe, called ColddBox: Easy. The description says it’s an easy level machine with multiple ways to escalate privileges. Since I’m relatively new to this, I consider this a good challenge, as well as an opportunity to learn something new. So I booted it up and started cracking.

External analysis

Let’s start off with a port scan. Looks like port 80 is open and it leads to a website. Powered by WordPress, interesting. And it allows HTML in comments, so maybe we can just drop a reverse shell in there?

Let’s try this one. Drop it in the comment, replace the IP address, start netcat with nc -lvnp 1234 and… Nothing! The reverse shell didn’t come up and the comment needs admin approval. I guess I could try using XSS, but it wouldn’t help much since I’m the only user on this instance.

Gaining access to WordPress

Let’s try busting that WordPress. First of all, the login screen has different error messages for wrong usernames and wrong passwords, allowing for username enumeration. Don’t do that! We can enumerate users using wpscan, available in Kali Linux or on GitHub. Running wpscan --url http://$IP --enumerate u gives us a bunch of info and 3 usernames: c0ldd, hugo and phillip!

Alright, the next step is busting their passwords. I’m not sure if there’s a better way and I haven’t found one, so I’ll try a dictionary attack using the rockyou password list.

wpscan --url http://10.10.160.78 --usernames c0ldd,hugo,phillip --passwords /usr/share/wordlists/rockyou.txt --max-threads 50

A while later, we get a hit, user c0ldd has a password from the list. Finally, we can log in. And the account has admin access, score!
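The two weaknesses used above (an error message that reveals whether the username exists, and a login form that will happily accept thousands of guesses) are both fixable on the application side. The following is an added example, not code from the room or from WordPress: a minimal login handler in Python that returns one generic message for every failure, hashes a password even for unknown usernames so timing does not leak their existence, and locks an account after repeated failures. The user store, credentials and thresholds are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor, kept low for the demo


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed user store: {username: (salt, hash)}; a real app would persist this.
USERS = {"c0ldd": _make_user("correct horse battery staple")}

# Fixed dummy record so an unknown username still costs exactly one hash.
_DUMMY_SALT, _DUMMY_HASH = _make_user("dummy-password-never-valid")

GENERIC_FAILURE = "Invalid username or password."  # same text for every failure
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300
_failures = {}  # username -> (failure count, time of first failure in window)


def login(username, password, now=None):
    """Return (ok, message). The message never says which part was wrong,
    and every code path performs one PBKDF2 computation."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if count >= MAX_FAILURES and now - since < LOCKOUT_SECONDS:
        _hash_password(password, _DUMMY_SALT)  # keep timing uniform while locked
        return False, GENERIC_FAILURE
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest avoids an early-exit comparison that could leak the hash.
    if username in USERS and hmac.compare_digest(candidate, stored):
        _failures.pop(username, None)
        return True, "Welcome."
    if count == 0 or now - since >= LOCKOUT_SECONDS:
        _failures[username] = (1, now)  # start a new failure window
    else:
        _failures[username] = (count + 1, since)
    return False, GENERIC_FAILURE
```

Locking by username alone can be abused to keep a legitimate user out; production systems usually combine it with per-IP rate limiting and alerting on the failure counter.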

Gaining access to host

Now to see how we can get access to the host. Media upload seems good, but basic attempts to get a php script through don’t work. There’s apparently a metasploit exploit to get a reverse shell uploaded (unix/webapp/wp_admin_shell_upload), but I couldn’t get it to authenticate. However, we can edit the theme and just drop a reverse shell into the header. That one works just fine! Now, let’s stabilize the shell real quick. First of all, let’s start a bash shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# press Ctrl + Z to background the shell
stty raw -echo; fg

Ok, we’re in as www-data user. The first flag is located in /home/c0ldd/user.txt, let’s work our way around to that. The password is not the same as for the WordPress user, it’s not that simple.

Going for root access

Let’s see if we can find a way to get root access, then. /etc/passwd is read-only, we cannot read /etc/shadow, there are no easily exploitable cronjobs. Let’s try an enumeration script, like linpeas. After getting the script to the machine and running it, I see a very interesting bit in the output: find has the SUID bit set! That one is easily exploitable, as GTFOBins quickly shows.

bash-4.3$ find . -exec /bin/sh -p \; -quit
# echo "We have root access!"

At this point, both flags, located in /home/c0ldd/user.txt and /root/root.txt, are accessible.

Wrapping up

All in all, a pretty interesting machine. Also my first time exploiting a WordPress site! I’ll admit, hitting that admin account password was probably very lucky on my side, especially since the dictionary attack seemed like it would take ages to finish. But I had fun and learned something new. Thanks a lot to @C0ldd__ for creating the machine, as well as TryHackMe for hosting it!