Coldbox Write-up

Description

This is a writeup for “Coldbox”, a boot2root machine on TryHackMe. While working through this box you have to collect two flags: a user flag and the root flag.

Enumeration

During enumeration we can see that a WordPress site is running on port 80.

Landing page of the web server

Next we can use wpscan to enumerate the WordPress users. I have saved these users into a file called “users.txt”. With this user list we can start a password brute-force attack against the login form. The following command uses the “rockyou.txt” wordlist to perform the brute force:

wpscan --url http://10.10.45.254/ -U users.txt -P /usr/share/wordlists/rockyou.txt
Brute forcing passwords of Wordpress users

The brute force was successful and recovered the password for the user “C0ldd”.

Initial access

Fortunately, the user “C0ldd” is allowed to edit theme files from the WordPress dashboard. We will replace the theme’s 404 page (404.php in the theme editor) with a reverse shell. I have used the PHP reverse shell from Pentestmonkey. You have to change the IP field to your attacker machine’s tun0 IP; the script’s default port is 1234, so we start a Netcat listener on that port: nc -lvnp 1234.

Changing the 404 page with a reverse shell

After saving the file we can trigger the reverse shell by requesting any page that makes WordPress render the 404 template, for example: http://10.10.45.254/?p=404.php.

Privilege escalation

After getting a reverse shell we are running as “www-data”. The next step is to find a way to escalate our privileges to “root”. For this purpose we can search for misconfigured SUID binaries: programs that run with the privileges of their owner rather than the invoking user. The following “find” command lists all files that have the SUID bit set. Interestingly, the “find” binary itself has the SUID bit set and is owned by “root”. Because find can execute arbitrary commands through its -exec action, this can be abused to gain a “root” shell.

Misconfigured SUID binary

The following find command will spawn a root shell:

Elevating our privileges to root with the find command

Finally, we can read the root flag.

Mitigation

The password policy should prevent the use of common and easily guessed passwords, and the login form should lock out or rate-limit repeated failed attempts so that a wordlist attack like the one above does not succeed. The user C0ldd should change the WordPress password to something more complex. Editing theme files from the dashboard should be disabled (WordPress supports this with define('DISALLOW_FILE_EDIT', true); in wp-config.php), so that a compromised editor account cannot be turned into code execution. Also, misconfigurations with the SUID bit should be avoided: the find command should not have the SUID bit set, and the set of SUID binaries on a host should be reviewed against the ones the distribution actually ships.
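The SUID enumeration from the privilege escalation section and the review described in this mitigation section, as one added shell example that is not part of the original write-up: it lists SUID files, narrows them to the ones owned by a given user (root is the interesting case), reports any that are not on an allowlist, and clears the bit from a binary that should not have it. The allowlist contents and the scanned directory are assumptions for the demo; on a real host you would scan / and build the allowlist from your distribution’s package manifests.

```shell
#!/bin/sh
# Added example, not from the original write-up. The allowlist file and
# the directory passed to these functions are assumptions for the demo.

# Print every regular file below $1 with the SUID bit set (-perm -4000).
# -xdev keeps the search on one filesystem so /proc and network mounts are
# skipped; errors for unreadable directories are discarded.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Same as list_suid, but only files owned by user $2. For privilege
# escalation only SUID files owned by root matter: a SUID binary owned by
# an unprivileged user just runs as that user.
list_suid_owned_by() {
    find "$1" -xdev -type f -perm -4000 -user "$2" 2>/dev/null | sort
}

# Print SUID files below $1 whose basename is not listed (one per line) in
# the allowlist file $2. A hit such as .../find is exactly the
# misconfiguration abused in the write-up: any SUID-root binary that can
# run other commands (find -exec, vim, bash, ...) hands out a root shell.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        grep -qxF -e "$name" "$2" || printf '%s\n' "$path"
    done
}

# Mitigation: clear the SUID bit so the binary runs as the invoking user.
strip_suid() {
    chmod u-s "$1"
}

# Usage when run directly:  ./suid_check.sh / allowlist.txt
if [ $# -eq 2 ]; then
    unexpected_suid "$1" "$2"
fi
```

For reference, the abuse of a SUID-root find that the write-up relies on is `find . -exec /bin/sh -p \; -quit`: -exec runs /bin/sh as the file owner, sh’s -p flag keeps the effective UID instead of dropping it, and -quit stops after the first match so only one shell is spawned. After `strip_suid /usr/bin/find` that same command only gives you a shell as www-data.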

Rabbit

Passionate about Cyber Security. I am publishing CTF Writeups and Cybersecurity Content!