Jacob the Boss
An easy level machine with multiple ways to escalate privileges.
This is ColddBox from THM.
Ports
HTTP on port 80 and SSH hiding away on port 4512. We won’t need it anyway.
HTTP
What’s that - did someone say Wordpress?
root@kali:/opt/tryhackme/colddbox# wpscan -e --url http://10.10.0.137
Gets 3 users; let’s run a password attack:
root@kali:/opt/tryhackme/colddbox# wpscan -U 'hugo,c0ldd,philip' -P /usr/share/wordlists/rockyou.txt --url http://10.10.0.137
Bingo. From there, it’s upload a plugin and get a shell.
c0ldd
This is our user; we can find the database password:
This is also the user password for c0ldd, so let’s run sudo -l:
Wow, we do have a few methods we can practice if we want. But let’s not; find has the SUID bit set as well:
Okey dokey. I’ve also got user on HTB Ready; I haven’t been on HTB for quite a while before now. I’m not allowed to write it up anyway.