ColddBox — TryHackMe Walkthrough

Tejas Anerao
4 min read, Jan 7, 2021


ColddBox is a beginner-friendly machine. It is a free room on TryHackMe (no subscription needed).

Link: https://tryhackme.com/room/colddboxeasy

ColddBox Machine

Overview:

Nmap Scanning, WordPress Enumeration, Brute-forcing and multiple ways to escalate privileges.

Enumeration:

The first step, as always, is to carry out an Nmap scan:

nmap -sT -A -v <target-IP>

Nmap Scan

In the Nmap scan you will see that port 80 is open and is running Apache httpd 2.4.18. You can also see that there is a WordPress site running. Now have a look at the website in the browser.

Wordpress site

After looking through the whole website you can see a ‘login’ link in the bottom-left section. It is a WordPress login. Now scan the site with wpscan and enumerate users:

wpscan --url http://<target-IP>/ -e u

WP Users

You will see that there are 4 users. Now try to brute-force their passwords with wpscan. I personally used SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt for cracking the password.

The command syntax is:

wpscan --url http://<target-IP>/ --passwords wordlist.txt

WP Password

Great!! You have cracked the password for the user c0ldd. Log in to the WordPress dashboard.

Gaining Foothold:

Now navigate to Appearance -> Editor and select the 404 Template. You can see that the editor holds PHP code. Replace that code with the php-reverse-shell code from pentestmonkey and change the IP to your TryHackMe IP address. See the image below for reference.

404Template

Update the file, leave the dashboard and go to the blog site.

To trigger the 404 template, and with it the PHP shell, you need to request a blog post that does not exist on the site. Before that, start a listener on your attacking machine:

nc -nvlp 1234

nc Listener

To access the 404 error page, do the following:

Click on the first blog with title “The Colddbox is here”

Have a look at the URL now. You can see that there is a parameter p= which points to the current blog post. All you need to do is change the parameter to any random number and press enter. Make sure that your listener is running before doing this.

URL Param

You will get a shell, but it is not yet stable. Run the following commands to upgrade it to a stable shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Shell

More Enumeration:

Now enumerate more to find a way to escalate the privileges.

You know that there is a WordPress site running. Go to /var/www/html and have a look at the files. Check the ones you expect to contain important information. There is a file that holds credentials in plain text.

The file ‘wp-config.php’ is what you need. Read it and you will get the credentials for the MySQL database.

Credentials

You cannot access the MySQL database as the current user, but there is a high chance that the MySQL password and the user's login password are the same. Try to switch to the user c0ldd:

su c0ldd

Enter the password

User Shell

Cool!! You got it.

Now check for the user flag in user’s directory.

User Flag

Privilege Escalation:

Now it is time to escalate privileges. Check the sudo permissions for the user c0ldd:

sudo -l

SudoPerms

Awesome!! We can escalate privileges with multiple commands.

1. /usr/bin/vim

Run sudo vim in the terminal and enter the password for the user c0ldd.

You will get the vim interface. There, type ":!/bin/bash" and press enter.

Vim

2. /usr/bin/chmod

With "sudo chmod" you can change the permissions of any directory or file and then access it. That is a big hint. I guess you can get through this…

3. /usr/bin/ftp

All you need to do is this…

FTP

Now get the root flag…

RootFlag

That's it, although there may be more ways to escalate privileges; you can try to find them if you are curious.
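As an added hardening check, not part of the original walkthrough, the script below flags the two weaknesses this box relies on: the WordPress theme editor that let the 404 template be overwritten, and the sudo rules granting vim, chmod and ftp. The sudo rule lines and the wp-config.php fragments are constructed samples, and the list of risky binaries is an assumption you should extend to your own baseline.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the walkthrough): flags the two weaknesses this
# box relies on: sudo rules granting binaries with a shell escape (vim, chmod,
# ftp) and a wp-config.php that leaves the WordPress theme editor enabled.
# All inputs below are constructed samples so the script runs offline.

# Binaries from the box's "sudo -l" output plus a few other common escapes.
# Assumption: extend this list to match your own hardening baseline.
RISKY_BINS="vim vi nano chmod chown ftp less more"

# Constructed lines in the format "sudo -l" prints them (rsync is a control).
SAMPLE_SUDOERS='(root) /usr/bin/vim
(root) /usr/bin/chmod
(root) /usr/bin/ftp
(root) /usr/bin/rsync'

# Constructed wp-config.php fragments: editor left on vs. editor disabled.
WP_CONFIG_WEAK="define('DB_PASSWORD', 'placeholder-not-a-real-password');"
WP_CONFIG_HARDENED="${WP_CONFIG_WEAK}
define('DISALLOW_FILE_EDIT', true);"

# Build an ERE that matches "/<bin>" at end of line or before a space.
risky_pattern() {
    printf '/(%s)( |$)' "$(printf '%s' "$RISKY_BINS" | tr ' ' '|')"
}

# Print every rule line that grants a risky binary (nothing when none).
list_risky_sudo() {
    printf '%s\n' "$1" | grep -E -- "$(risky_pattern)" || true
}

# Print the number of such rules, 0 when none; never fails under set -e.
count_risky_sudo() {
    printf '%s\n' "$1" | grep -Ec -- "$(risky_pattern)" || true
}

# Print "yes" when DISALLOW_FILE_EDIT is defined as true, otherwise "no".
wp_editor_disabled() {
    if printf '%s\n' "$1" | grep -Eq "DISALLOW_FILE_EDIT['\"]?[[:space:]]*,[[:space:]]*true"
    then echo yes; else echo no; fi
}

echo "risky sudo rules: $(count_risky_sudo "$SAMPLE_SUDOERS")"
list_risky_sudo "$SAMPLE_SUDOERS"
echo "editor disabled (weak config):     $(wp_editor_disabled "$WP_CONFIG_WEAK")"
echo "editor disabled (hardened config): $(wp_editor_disabled "$WP_CONFIG_HARDENED")"
```

On a real host, feed it the output of `sudo -l -U <user>` and the contents of wp-config.php instead of the samples; any rule it lists is a direct path to root for that user.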

Thank you!!
