Coldbox Write-up

Description

This is a write-up for “Coldbox”. “Coldbox” is a boot2root machine on TryHackMe. While playing this box you have to collect 2 flags.

Enumeration

During enumeration we can see that WordPress is running on port 80.

Next we can use wpscan to enumerate the users. I have saved these users into a file called “users.txt”. With the user list we can start a brute-force attack. The following command uses the “rockyou.txt” wordlist to perform the brute force.

The brute-force attack was successful and gave us the password for the user “C0ldd”.

Initial access

Fortunately, the user “C0ldd” can edit pages. We will replace the 404 page template with a reverse shell. I have used the PHP reverse shell from Pentestmonkey. You have to change the IP field to your attacker machine’s tun0 IP. After that we have to start a Netcat listener on port 1234: nc -lvnp 1234.

After saving the file we can start the reverse shell by navigating to the following URL: http://10.10.45.254/?p=404.php.

Privilege escalation

After getting a reverse shell we are logged in as “www-data”. The next step is to find a way to escalate our privileges to “root”. For this purpose we can search for misconfigured SUID binaries. The following “find” command lists all binaries that have the SUID bit set. Interestingly, the “find” binary itself has the SUID bit set and is owned by “root”. This can be abused to gain a “root” shell, because a SUID “find” executes its -exec actions with the owner’s privileges.

The following find command will spawn a root shell:

Finally, we can read the root flag.

Mitigation

The password policy should prevent the use of common and easy-to-guess passwords. The user “C0ldd” should change the WordPress password to something more complex. Misconfigurations of the SUID bit should also be avoided: the “find” command should not have the SUID bit set.
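The SUID misconfiguration from the privilege escalation and mitigation sections can be caught with a simple audit. The following POSIX shell script is an added example, not part of the original write-up: it lists root-owned SUID files and flags any that are not on a constructed allowlist of binaries that normally carry the bit, so an entry like /usr/bin/find stands out; the allowlist and the function names are assumptions to adapt to your own baseline.

```shell
#!/bin/sh
# Added example: audit root-owned SUID binaries against an allowlist.

# Binaries that commonly carry the SUID bit on a stock Debian/Ubuntu system.
# Constructed allowlist; compare it with a known-good image before relying on it.
SUID_ALLOWLIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/bin/ping"

# Read one path per line from stdin and print every path not on the allowlist.
# Returns 0 when nothing unexpected was seen, 1 otherwise.
suid_audit_filter() {
    unexpected=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED SUID: %s\n' "$path"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Enumerate root-owned SUID files on the live system and run them through the filter.
# -xdev keeps the search on the root filesystem so /proc and network mounts are skipped.
suid_audit_system() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null | suid_audit_filter
}

# The fix the mitigation section asks for: drop the SUID bit from a given binary.
suid_remove() {
    chmod u-s -- "$1"
}

# Command-line entry points; nothing runs when the file is only sourced.
case "${1:-}" in
    audit) suid_audit_system ;;
    fix)   suid_remove "$2" ;;
esac
```

Run `sh suid_audit.sh audit` as root to list unexpected SUID files, and `sh suid_audit.sh fix /usr/bin/find` to remove the bit from a flagged binary.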
