ColddBox - Easy is a beginner-level room on TryHackMe. The final objective is to get the user and root flags.
Author: C0ldd
Description: An easy-level machine with multiple ways to escalate privileges.
Deploy the VM and let's go.
Enumeration
Let's start with the usual nmap scan.
The scan showed two open ports: 80/http and 4512/ssh. I thought it was unusual for ssh to be listening on port 4512... but that's fine, let's do this.
The first thing I noticed after checking the http service is that it runs WordPress. Moreover, a username can be found in the introduction comment.
I tried common credentials on the /wp-admin page, but my effort was of no use. So I used gobuster to find hidden directories.
gobuster dir -u http://machine-i-addr/ -w /usr/share/dirb/wordlists/common.txt
After visiting the /hidden directory on the web page, I found this message. This further backed up the fact that c0ldd is the username.
I used wpscan to brute-force the password for that username with the rockyou.txt wordlist.
wpscan -U c0ldd -P path-to-rockyou.txt --url http://machine-ip-addr/
By the way, you can also use hydra to brute-force the password.
Reverse shell
A common way to get a reverse shell when the web page runs WordPress is to edit a theme template file. So I replaced the contents of the twentyfifteen/404.php file with a PHP reverse shell. Remember to change the ip and port fields in the file.
Click "Update File" on the page. Before requesting the page, remember to start a netcat listener on your local machine. Then go to...
http://machine-ip-addr/?p=404.php
The reverse shell popped up successfully. Stabilize the shell using Python's pty module.
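Both techniques used so far, the wpscan/hydra password guessing against wp-login.php and the theme-editor edit followed by a direct request to the modified 404.php, leave a clear trail in the web server's access log. The script below is an added example, not part of the original walkthrough: it parses Apache combined-format lines and flags per-IP login-POST bursts, theme-editor saves and direct requests to PHP files under a theme directory. The log lines are constructed sample data, and the assumption that a theme-editor save appears as a POST to /wp-admin/theme-editor.php is noted in the code.

```python
import re
from collections import Counter

# Apache "combined" log format; captures client IP, method, path, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/?]+/.+\.php(\?.*)?$")

def _line(ip, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Mar/2024:12:00:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample: a wordlist attack on wp-login.php, a theme-editor save, a direct
# request to the edited template, and ordinary traffic from a second client.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "POST", "/wp-login.php", 200, "WPScan v3.8.22")] * 25
    + [_line("10.0.0.5", "POST", "/wp-login.php", 302, "WPScan v3.8.22")]
    + [_line("10.0.0.5", "POST", "/wp-admin/theme-editor.php", 302)]
    + [_line("10.0.0.5", "GET", "/wp-content/themes/twentyfifteen/404.php", 200)]
    + [_line("192.168.1.7", "GET", "/index.php", 200)]
    + [_line("192.168.1.7", "POST", "/wp-login.php", 302)]
)

def analyse(log_text, login_threshold=10):
    """Flag per-IP wp-login.php POST bursts, theme-editor saves (assumed here to be a
    POST to /wp-admin/theme-editor.php; newer WordPress routes the save through
    admin-ajax.php) and direct requests to PHP files inside a theme directory."""
    login_posts = Counter()
    editor_saves = []
    theme_php_hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, method, path = m.group("ip", "method", "path")
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            login_posts[ip] += 1
        elif method == "POST" and path.split("?")[0] == "/wp-admin/theme-editor.php":
            editor_saves.append(ip)
        elif THEME_PHP_RE.match(path):
            theme_php_hits.append((ip, path))
    return {
        "login_bruteforce": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
        "theme_editor_saves": editor_saves,
        "theme_php_direct": theme_php_hits,
    }
```

Run `analyse(SAMPLE_LOG)` to see the three findings; in a real deployment, setting `DISALLOW_FILE_EDIT` in wp-config.php removes the theme editor that the second finding relies on.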
User flag
I searched around a bit and found that the wp-config.php file contains the password for the user c0ldd. It can be found in the /var/www/ directory.
We can switch to the user c0ldd and get the user flag.
We got the user flag... let's also get the root flag.
Root flag
After messing around for a while to find a way for privilege escalation, I finally ended up using sudo -l.
I searched for ftp on GTFOBins and found the commands to spawn a root shell.
sudo ftp
!/bin/bash
Going into the /root directory, we can get the root flag.
I tried and found other ways for privilege escalation, but for this post this should do. I also encourage you to try out the other ways of escalating privileges. Good luck!!!
That’s it folks. Happy hacking!!!