ColddBox — TryHackMe
This is an easy machine with 2 flags to capture.
I like to start off with a full Nmap scan to see which ports are open.
Next, a detailed Nmap scan of the open ports, in this case port 80 and port 4512.
We can see that SSH is running on port 4512. We can also see that WordPress is running; the homepage reveals this as well.
I always like to inspect the page source (Ctrl+U) to see if there is anything interesting. Nothing interesting here though.
I ran a basic wpscan, but nothing useful shows up.
Using the ‘--enumerate u’ argument will search for usernames. This displays 4 possible users.
I attempt a password attack on the ‘c0ldd’ user.
This reveals a password.
If you find credentials and SSH is running, then it's good to attempt to log in. No luck here though.
Logging into Wordpress was successful!
To get a shell, navigate to the plugins page and press ‘Add New’.
Then choose ‘Upload Plugin’.
This is the shell I used:
As you can see, I used port 80. I like to use a port that I know is already open on the target machine.
I zipped the file.
Click on Browse.
‘myshell.zip’ is selected.
Then I installed it.
I then navigated to the directory and clicked on ‘shell.php’.
The shell works!
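From the defender's side, the whole chain so far (wpscan enumeration, password guessing against wp-login.php, a plugin ZIP upload and then a direct request to the new plugin's PHP file) leaves a clear trail in the web server's access log. The following is an added detection example, not part of the original writeup; the log lines, IPs, timestamps and user agent are constructed, and the site is assumed to be served from the web root (the matching uses suffix/substring checks, so a /wordpress/ prefix works too).

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines; nothing here is from the target machine.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [01/Jan/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:01:30 +0000] "GET /wp-content/plugins/myshell/shell.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# WordPress answers a failed wp-login.php POST with 200 and a successful one with a 302 redirect.
FAILED_LOGIN_THRESHOLD = 3  # low for the sample; tune for production traffic

def analyse(log_text):
    """Return {ip: [finding, ...]} for IPs showing the wpscan -> guessing -> plugin shell pattern."""
    findings = defaultdict(list)
    failed = defaultdict(int)
    uploaded = set()  # IPs that posted a plugin ZIP via the admin uploader
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, ua = m.group("ip", "method", "path", "status", "ua")
        if "WPScan" in ua and "scanner user agent" not in findings[ip]:
            findings[ip].append("scanner user agent")
        if method == "POST" and path.endswith("/wp-login.php"):
            if status == "200":
                failed[ip] += 1
                if failed[ip] == FAILED_LOGIN_THRESHOLD:
                    findings[ip].append("password guessing against wp-login.php")
            elif status == "302" and failed[ip] >= FAILED_LOGIN_THRESHOLD:
                findings[ip].append("successful login after password guessing")
        if method == "POST" and "action=upload-plugin" in path:
            uploaded.add(ip)
        # Direct hits on a PHP file inside a plugin uploaded by the same IP are the web-shell tell.
        if method == "GET" and re.search(r"/wp-content/plugins/[^?]*\.php", path) and ip in uploaded:
            findings[ip].append("direct request to PHP file in a freshly uploaded plugin")
    return {ip: hits for ip, hits in findings.items() if hits}

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```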
Using ‘which python3’ we can see that it is installed, so I'm going to use a Python3 one-liner to get a reverse shell.
I set up the listener on port 80.
Here is the link for a list of reverse shells, including the Python3 one-liner I used for this machine:
I enter the one-liner.
I get a reverse shell.
I upgraded the shell to allow tab completion and so I can clear the terminal.
I also increased the row size to fit the input that I type. I did this using this one line:
The first thing I like to do is check the home directory. It looks like there is a ‘c0ldd’ user with the user.txt flag.
We don't have permission to view this though.
Since WordPress is installed, I always like to check the wp-config.php file in the /var/www/html/wordpress directory.
Sure enough, it reveals the user’s password.
Reusing this password for the ‘c0ldd’ user works!
user.txt is now readable.
‘sudo -l’ reveals some interesting PrivEsc possibilities.
I used the ftp option and got a root shell.
I usually go to the gtfobins website for SUID or sudo PrivEsc possibilities.
Root flag easily captured.
Machine fully compromised!
Thank you for following this walkthrough and I hope you learned something. :)