ColddBox — TryHackMe

Andy Gregg
5 min read · Apr 3, 2021

This is an easy machine with 2 flags to capture.

I like to start off with a full Nmap scan to see which ports are open.

Next I run a detailed Nmap scan against the open ports, in this case port 80 and port 4512.

We can see that SSH is running on port 4512. We can also see that WordPress is running; the homepage also reveals this.

I always like to inspect the page source (Ctrl+U) to see if there is anything interesting. Nothing interesting here though.

I ran a basic wpscan, but nothing useful shows up.

Using the ‘--enumerate u’ argument searches for usernames. This displays 4 possible users.

I attempt a password attack on the ‘c0ldd’ user.

This reveals a password.

If you find credentials and SSH is running, then it's good to attempt to log in. No luck here though.

Logging into WordPress was successful!

To get a shell, navigate to the Plugins page and press ‘Add New’.

Then choose ‘Upload Plugin’.

This is the shell I used:

As you can see, I used port 80 for the callback. I like to use a port that I know is already open on the target machine, since outbound traffic to it is less likely to be blocked.

I zipped the file, since WordPress expects a plugin to be uploaded as a ZIP archive.

Click on Browse.

‘myshell.zip’ is selected.

Then I installed it.

I then navigated to the plugin's directory in the browser and clicked on ‘shell.php’.

The shell works!
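From the defender's side, the stages above (username enumeration with wpscan, password guessing against wp-login.php, the plugin upload, and the direct request to the uploaded PHP file) all leave traces in the web server access log. The following Python script is an added example, not code from the original post; it parses constructed combined-format log lines (the IPs, timestamps and the guessing threshold are assumptions) and flags each stage per client IP.

```python
import re
from collections import Counter

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not from the original post): one client enumerates users, guesses passwords, uploads a plugin, then calls a PHP file inside it.
ATTACKER, BENIGN = "10.0.0.5", "192.168.1.9"
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [03/Apr/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [_line(ATTACKER, 1, "GET", "/?author=1", 301),
     _line(ATTACKER, 2, "GET", "/?author=2", 301),
     _line(ATTACKER, 3, "GET", "/wp-json/wp/v2/users", 200)]
    + [_line(ATTACKER, 10 + i, "POST", "/wp-login.php", 200) for i in range(6)]
    + [_line(ATTACKER, 30, "POST", "/wp-admin/update.php?action=upload-plugin", 200),
       _line(ATTACKER, 31, "GET", "/wp-content/plugins/myshell/shell.php", 200),
       _line(BENIGN, 40, "GET", "/wp-login.php", 200),
       _line(BENIGN, 41, "POST", "/wp-login.php", 302)])

def parse_line(line):
    m = LOG_RE.match(line)  # groups: ip, timestamp, method, path, status
    return (m[1], m[3], m[4], int(m[5])) if m else None

def analyze(log_text, login_threshold=5):
    """Flag each WordPress attack stage seen in the walkthrough, per client IP."""
    user_enum, login_posts = Counter(), Counter()
    plugin_uploads, plugin_php = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, path, _status = rec
        base = path.split("?", 1)[0]
        if re.search(r"[?&]author=\d+", path) or base.startswith("/wp-json/wp/v2/users"):
            user_enum[ip] += 1                      # username enumeration probes
        elif method == "POST" and base == "/wp-login.php":
            login_posts[ip] += 1                    # candidate password guessing
        elif base == "/wp-admin/update.php" and "action=upload-plugin" in path:
            plugin_uploads.append((ip, path))       # plugin ZIP upload via the admin UI
        elif base.startswith("/wp-content/plugins/") and base.endswith(".php"):
            plugin_php.append((ip, base))           # direct hit on a plugin's PHP file
    brute = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"user_enum": dict(user_enum), "login_bruteforce": brute,
            "plugin_upload": plugin_uploads, "plugin_php_access": plugin_php}
```

A single IP that trips all four checks in sequence is exactly the pattern of this walkthrough; on a real site, tune the login threshold to the normal rate of failed logins and baseline which plugin PHP files are legitimately requested directly.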

Using ‘which python3’ we can see that it is installed, so I'm going to use a Python3 one-liner to get a reverse shell.

I set up the listener on port 80.

Here is the link for a list of reverse shells, including the Python3 one-liner I used for this machine:

I enter the one-liner.

I get a reverse shell.

I upgraded the shell to a full TTY so that tab completion works and I can clear the terminal.

I also increased the row size to fit the input that I type. I did this with a single command:

The first thing I like to do is check the home directories. It looks like we have a ‘c0ldd’ user with a user.txt flag.

We don't have permission to view it though.

Since it has WordPress installed, I always like to check the wp-config.php file in the /var/www/html/wordpress directory, as it stores the database credentials in plain text and users often reuse them.

Sure enough, it reveals the user’s password.

Switching to that user with this password works!

user.txt is now readable.

Running ‘sudo -l’ reveals some interesting possibilities to PrivEsc.

I usually go to the GTFOBins website for SUID or sudo PrivEsc possibilities.

I used the ftp option and got a root shell.

Root flag easily captured.

Machine fully compromised!

Thank you for following this walkthrough and I hope you learned something. :)
