Today, we will be doing an easy box from TryHackMe called ColdBox which is labeled as a beginner-level room that aims at teaching WordPress authentication bypass, finding vulnerable plugins/themes, Privilege Escalation, and web misconfigurations. Without further ado, let’s connect to our THM OpenVPN network and start hacking!!!
From the above results, we can clearly see that only Port 80 is open. Let’s navigate to the web-page hosted by the machine at port 80. There is a WordPress blog running on this machine.
And there is no restriction for accessing the wp-login panel and I got a login portal for the WordPress blog.
Scanning and Enumeration
Out of our arsenal, we then took out dirsearch script to scan for the hidden directories inside the web-server.
After sometime, a suspicious directory is enumerated by the script. Lets check the “hidden” folder.
We found out a password change has occurred recently but there’s not enough clue for the solution. However, we can add these three usernames ‘C0ldd’, ‘Hugo’, and ‘Philip’ to our interesting findings.
Wp-scan has always been the big-boy for the WordPress enumeration. This wonderful tool can be used for pointing out vulnerable themes, plugins, username lists, and even brute-forcing the wp-login panel login.
At first, let’s enumerate all the users of the login portal.
Due to multiple repetitions of the name ‘c0ldd’ throughout our enumeration and also because the machine name is COLDBOX, this name(c0ldd) is under my strong suspect of being the admin. When testing for this name in the admin-panel with a random password, the error-thrown by the portal confirms that the user really exist.
Let’s brute force this wp-panel for the user ‘C0ldd’ with our favourite password-wordlist “rockyou.txt” using the command below:
wpscan –url 10.10.123.120 –passwords /usr/share/wordlists/rockyou.txt –usernames c0ldd
Using this password, we will be able to log into the ColdBox WordPress dashboard.
Popping a reverse shell !!!
Since we have the WordPress dashboard under our control, there can be numerous ways to upload the malicious php reverse shell script in the web-server. I will replace the author-bio page with this reverse shellcode and through local file inclusion, we would be able to execute the script which will give us a command-shell leading to Remote Code Execution on the box. The LFI is performed with the URL given below.
This simple shell was then upgraded to fully interactive TTY by spawning a bash and exporting TERM environment variable as xterm.
Reading user flag
We have got the shell of user ‘www-data’. But the file user.txt is owned by the user ‘c0ldd’ and we are not permitted to cat the file. Lets find a way to become the user ‘c0ldd’. Since the website is hosted in WordPress, there must be some user and database (MySQL) config files inside the default root folder of the webserver i.e. /var/www/html.
After dumping wp-config.php file, we got to obtain the MySQL database password for this user ‘c0ldd’. Lets try these credentials to switch the user with ‘su’ command. Voila! We are now logged in as the admin (c0ldd). This can be verified with the ‘whoami’ command. The user flag can be read without any problems.
Reading root flag
After checking for SUID binaries owned by root, nothing interesting was found. Now let’s check the sudo permissions for this user using ‘sudo -l’ which lists all the binaries that can be run with root privileges. Only three commands namely vim, chmod, and ftp_ were listed. vim looks somewhat fishy to me.
Escalation methods was searched for the vim binary in the GTFOBins. There we found the command which will elevate our user shell to the root shell.
Finally, we can read our system flag. Happy Hacking !!!
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Practitioner by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.