Hacking, Misconfigured Permissions, Wordpress

TryHackMe — ColddBox: Easy Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
4 min read · Jan 23, 2024

Reconnaissance/Scanning:

Let's start with a network scan to see which ports are open and what service is running on each. Note that -A already enables OS detection, version detection and the default scripts, so -O, -sC and -sV are redundant here, and -p- scans all 65,535 TCP ports rather than nmap's default top 1,000.

$ nmap -A -O -sC -sV -p- <machine_IP>
Nmap scan results

Scanning for directories with Gobuster:

Gobuster scan results

When viewing the main webpage I’m taken to a WordPress site.

Main webpage.

Clicking the link C0ldd takes me to a Twitter page with a username that might be useful later.

Twitter redirection link.

Viewing the /hidden directory shows three potential usernames.

Content of /hidden directory.

Viewing /wp-trackback.php (a file, not a directory):

Content of /wp-trackback.php.

Viewing /xmlrpc.php (a file, not a directory):

Content of /xmlrpc.php. Its being reachable matters for the next step: wpscan can run its password attack through xmlrpc.php, and the system.multicall method lets a single request carry many login attempts.

Vulnerability assessment:

Since WordPress is in use, I'll use wpscan to enumerate users.

$ wpscan --url <machine_IP> -e u

The usernames found confirm the names from the /hidden directory. Now I'll try to brute-force their passwords.

$ wpscan --url <machine_IP> -U <username_list> -P <password_list>
Found password.

Awesome, I can log in to the site now!
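
The brute force above is loud on the server side: every guess is a POST to /wp-login.php, or to /xmlrpc.php when wpscan can use it. Added here as an example, not part of the original walkthrough, the script below counts those POSTs per client IP in a combined-format access log and prints the sources at or above a threshold. The log lines it builds are constructed for the demo, and the threshold of 5 is an arbitrary assumption; on a real host point count_login_posts at the actual access log.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): flag clients that hammer
# the WordPress login endpoints, using an access log in combined log format.
# Field layout per line: $1 client IP, $6 "METHOD, $7 request path.

# make_sample_log: write a few constructed access-log lines (not real traffic)
# to a temp file and print its path. 10.0.0.5 makes 9 login POSTs, 10.0.0.7
# makes one, and 192.168.1.10 only browses.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
10.0.0.5 - - [23/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 617 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 617 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [23/Jan/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 617 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.7 - - [23/Jan/2024:10:05:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.10 - - [23/Jan/2024:10:07:40 +0000] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.168.1.10 - - [23/Jan/2024:10:07:41 +0000] "GET /hidden/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# count_login_posts LOG: print "<count> <ip>" for each client's POST requests
# to wp-login.php or xmlrpc.php, busiest first. GETs (just loading the login
# form) are ignored.
count_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# brute_force_ips LOG THRESHOLD: print the IPs with at least THRESHOLD such
# POSTs, one per line. The threshold is an assumption; tune it per site.
brute_force_ips() {
    count_login_posts "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

# Stand-alone demo on the constructed log.
log=$(make_sample_log)
echo "login POSTs per IP:"
count_login_posts "$log"
echo "likely brute force (>= 5):"
brute_force_ips "$log" 5
rm -f "$log"
```

One caveat when reading the output: a single POST to xmlrpc.php can carry many login attempts through system.multicall, so a per-request count undercounts that path. A lower threshold for xmlrpc.php, or disabling it when nothing needs it, is the safer setting.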

Initial foothold:

I needed a way to get either a file or the code for a reverse shell onto the server. I tried uploading it as a profile image, adding the script as a new page and putting it in a comment, but none of those worked for me: post and comment content is never executed as PHP, and the media uploader does not accept .php files.

What did work was Appearance, then Editor (the theme file editor), which lets an administrator edit the active theme's PHP files from the dashboard using the file list on the right-hand side.

I pasted the code from Pentest Monkey's php-reverse-shell into the theme's index.php (with $ip and $port set to my listener), started a netcat listener, refreshed the main page and got a reverse shell!

Proof of reverse shell.
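
This foothold works because the theme file editor lets any administrator write PHP into the active theme. The standard fix is define('DISALLOW_FILE_EDIT', true) in wp-config.php, which removes the theme and plugin editor screens from the dashboard. Added as an example, not part of the original walkthrough: a script that checks a wp-config.php for that constant and inserts it above the "stop editing" marker when it is missing. The wp-config.php it builds is constructed for the demo; run harden_wp_config against the real file.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): make sure wp-config.php
# turns off the in-dashboard theme/plugin editor that gave the foothold above.
# WordPress reads this constant in wp-settings.php, so it must be defined
# before the "stop editing" marker, where wp-settings.php is required.

DEFINE_LINE="define( 'DISALLOW_FILE_EDIT', true );"

# has_file_edit_disabled FILE: succeed if FILE contains an uncommented
# define('DISALLOW_FILE_EDIT', true); spacing and quote style are tolerated.
has_file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\\)" "$1"
}

# harden_wp_config FILE: insert the define just above the "stop editing"
# marker (or append it if the marker is missing). Idempotent. Writes back
# through cat so FILE keeps its owner and mode.
harden_wp_config() {
    f="$1"
    if has_file_edit_disabled "$f"; then
        echo "already hardened: $f"
        return 0
    fi
    tmp="$f.tmp.$$"
    awk -v ins="$DEFINE_LINE" '
        /stop editing/ && !done { print ins; done = 1 }
        { print }
        END { if (!done) print ins }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    echo "hardened: $f"
}

# make_sample_wp_config: write a constructed, minimal wp-config.php (not a
# real site's) to a temp file and print its path.
make_sample_wp_config() {
    c=$(mktemp)
    cat > "$c" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'changeme' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
    echo "$c"
}

# Stand-alone demo on the constructed file.
cfg=$(make_sample_wp_config)
harden_wp_config "$cfg"
harden_wp_config "$cfg"      # second run is a no-op
grep -En 'DISALLOW_FILE_EDIT|stop editing' "$cfg"
rm -f "$cfg"
```

Note that this does not stop an administrator from installing a plugin or theme archive; DISALLOW_FILE_MODS closes that route as well, at the price of disabling plugin and theme updates from the dashboard.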

Checking /etc/passwd for accounts with a login shell returned only two.

Snippet of /etc/passwd file.

Exploit:

My next step was to look for binaries with the SUID bit set: these run with their owner's privileges (root, for root-owned files) no matter who executes them, so a SUID binary that can read files or run other commands is a privilege-escalation path. I'll use the find command for that.

$ find / -perm -u=s -type f 2>/dev/null
Result of command above for finding SUID bit files/executables.

find itself is SUID root, so any command it launches with -exec also runs as root. I'll use that to cat the user and root flags, matching each flag file by name and passing its path to cat with {}.

Using find to read the user flag.

$ find /home/c0ldd -name user.txt -exec cat {} \;
Proof of user flag.

Since the output was clearly base64 encoded, I copied it to a file and then decoded it on my local machine.

$ base64 -d <filename>

The decoded message reads:

Decoded user flag.

Now for the root flag!

$ find /root -name root.txt -exec cat {} \;
Proof of root flag.

The decoded message reads:

Decoded root flag.
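
The root path here is a SUID bit on find, which should never be set: anything find runs through -exec inherits root, so it is a full root primitive rather than just a file read. Added as an example, not part of the original walkthrough, the audit script below lists SUID files the same way the find command above does and compares them with an allowlist of binaries that are normally SUID on a stock Ubuntu system. The allowlist is an assumption to replace with your own baseline, and the directory tree the demo audits is constructed rather than a real root filesystem.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): find SUID files the same
# way the walkthrough does (-perm -4000 is the same test as -perm -u=s) and
# report any that are not on a baseline allowlist. A SUID find, as on this
# box, shows up as UNEXPECTED.

# Basenames that are normally SUID root on a stock Ubuntu install. This is an
# assumption for the example; build your own from a known-good host.
SUID_ALLOWLIST="su sudo passwd chsh chfn gpasswd newgrp mount umount fusermount3 pkexec"

# list_suid DIR: every regular file under DIR with the SUID bit set.
list_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# is_allowed NAME: succeed if NAME is on the allowlist.
is_allowed() {
    for allowed in $SUID_ALLOWLIST; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# audit_suid DIR: print one "ok <path>" or "UNEXPECTED <path>" line per SUID file.
audit_suid() {
    list_suid "$1" | while IFS= read -r path; do
        if is_allowed "$(basename "$path")"; then
            echo "ok         $path"
        else
            echo "UNEXPECTED $path"
        fi
    done
}

# count_unexpected DIR: number of SUID files not on the allowlist (0 = clean).
count_unexpected() {
    audit_suid "$1" | grep -c '^UNEXPECTED' || true
}

# make_sample_tree: build a constructed directory tree (not a real root
# filesystem) with a legitimate SUID passwd, a SUID find like the target's,
# and a normal ls; print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    for b in passwd find ls; do
        printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/$b"
    done
    chmod 4755 "$d/usr/bin/passwd" "$d/usr/bin/find"
    chmod 0755 "$d/usr/bin/ls"
    echo "$d"
}

# Stand-alone demo on the constructed tree. On a real host run: audit_suid /
tree=$(make_sample_tree)
audit_suid "$tree"
echo "unexpected: $(count_unexpected "$tree")"
rm -rf "$tree"
```

Anything reported as UNEXPECTED is either a packaging decision to confirm against the distribution's baseline or, as with find here, a bit to remove with chmod u-s.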

Reporting:

  • Use strong, unique passwords or passphrases for every WordPress account (a password manager helps generate and store them), and rate-limit or lock out repeated failed logins on wp-login.php and xmlrpc.php; disable xmlrpc.php if nothing needs it.
  • Disable the in-dashboard theme and plugin editor with define('DISALLOW_FILE_EDIT', true) in wp-config.php, so an administrator login cannot be turned into PHP execution on the server.
  • Make sure files containing sensitive information are readable only by the accounts that need them.
  • Ensure correct user/group permissions on all files, especially executables: audit SUID/SGID binaries regularly and clear the bit from anything that does not need it. find never needs SUID, and any SUID binary that can run other commands is a root shell for whoever can execute it.

Note from Publication: This story was uploaded at the permission of user “xocybersec” on 1/23/24. Please direct any feedback, comments, or citations to the original writer! Thank you — Infosec WatchTower

© [2024] Infosec WatchTower. All rights reserved. Unauthorized use or reproduction of content is prohibited. For inquiries, contact Infosec WatchTower.
