c0lddbox : Walkthrough
This is a write-up for the VulnHub CTF machine COLDDBOX: EASY (download here). I recently had a project to solve this machine, and here's how I obtained the two flags. This machine works best with VirtualBox, but I have a secret sauce at the end to make it work on VMware too ;)
Methodology I used:
• Reconnaissance
• Scanning
• Enumerating Users
• Uploading Payload
• Gaining Access
• Privilege Escalation
Download the machine from the above link, import the .ova file, and spin up both the attacker machine (Kali Linux here) and the target machine (i.e. the c0lddbox).
> Reconnaissance
This machine has DHCP enabled, so an IP address should be assigned to it automatically. Here, I did an ARP scan using the 'netdiscover' tool to find our target machine's IP.
Netdiscover is an active/passive address reconnaissance tool, mainly developed for wireless networks without a DHCP server. It can passively detect online hosts, or search for them by actively sending ARP requests.
> Scanning
I followed up with an 'nmap' scan using the -T4 -p- -A flags: faster timing, all 65535 TCP ports, and the aggressive option set (OS and version detection, default scripts, traceroute).
Nmap, short for Network Mapper, is a free and open-source tool used for vulnerability checking, port scanning and, of course, network mapping.
The scan results reveal two open ports on our target:
Port: 80/tcp open | Service: http | Version: Apache httpd 2.4.18 ((Ubuntu))
Port: 4512/tcp open | Service: ssh | Version: OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
We can SSH into the target machine, but we need a valid user to log in as, so I visited the site hosted on port 80 of the target IP.
Clicking the 'Log in' option in the left corner under Meta in the above photo takes us to a WordPress login page, so the site runs the WordPress CMS (Content Management System).
> Enumerating Users
For enumerating valid credentials, we can use Burp Suite, the Metasploit Framework or WPScan.
I used WPScan here to find the usernames first.
WPScan can detect the versions of the WordPress core, plugins and themes, as well as publicly accessible sensitive data: it checks for exposed wp-config.php backups and other database exports.
Upon running WPScan, 4 users were found. I tried 'c0ldd' first, since it's the obvious choice: the machine itself is named after it.
I went for brute-forcing the password of the user c0ldd using the same tool, WPScan, with the rockyou.txt wordlist that ships with Kali.
Soon a valid password was found for the user c0ldd!
Password: 9876543210
Now that we have valid credentials, I logged in with them on the WordPress login page, and voila! It took me to the WordPress Admin Dashboard!
> Uploading Payload
Since we can modify any theme template under 'Appearance', I went ahead and edited the 404.php template to upload our payload, i.e. the php-reverse-shell from pentestmonkey (link here).
A reverse shell, also known as a remote shell or 'connect-back shell', takes advantage of the target system's vulnerabilities to initiate a shell session and then access the victim's computer.
Here we need to modify a couple of parameters to successfully receive the incoming reverse-shell connection from our victim.
We need to change $ip and $port accordingly, and so I did: put your attacker machine's IP there and a port to listen on.
> Exploiting & Gaining Access
After uploading our payload, we first need to set up our 'netcat' (nc) listener to catch any connect-back shell, and then trigger the payload by visiting the 404.php page.
netcat is a feature-rich networking utility which reads and writes data across network connections using the TCP/IP protocol.
To set up the netcat listener: nc -nlvp 4444
URL path to the 404.php page :
http://<your_target_ip>/wp-content/themes/twentyfifteen/404.php
As soon as I hit the 404.php page, we get a reverse shell on our listener.
I checked whether python3 is installed there and found that it is, so we upgrade the basic shell to a Python tty shell using the following command:
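From the defender's side, everything in the last three sections leaves a trail in the web server's access log: the user enumeration, the burst of POSTs to wp-login.php, the save through the theme editor and the first request to the edited 404.php. The following Python is an added example, not part of the original write-up and not WPScan's or WordPress's code, that runs those three detections over a constructed Apache combined-format log sample. The log-format regex, the thresholds, and the sample IPs, user agents and timestamps are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat. Assumption: adjust the pattern if the vhost
# logs differently (extra fields, different time format, etc.).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def _line(ip, ts, method, path, status, ua):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample: one client enumerates users, hammers wp-login.php, saves a
# theme file through the editor and then requests that file directly. A second
# client is ordinary browsing noise with a single failed login.
SAMPLE_LOG = [
    _line("10.0.2.15", "10/Mar/2024:14:01:02 +0000", "GET", "/?author=1", 301, "WPScan v3.8.22"),
    _line("10.0.2.15", "10/Mar/2024:14:01:03 +0000", "GET", "/wp-json/wp/v2/users", 200, "WPScan v3.8.22"),
] + [
    _line("10.0.2.15", f"10/Mar/2024:14:02:{sec:02d} +0000", "POST", "/wp-login.php", 200, "WPScan v3.8.22")
    for sec in range(0, 36, 3)  # twelve login POSTs within 36 seconds
] + [
    _line("10.0.2.15", "10/Mar/2024:14:05:30 +0000", "POST", "/wp-admin/theme-editor.php", 302, "Mozilla/5.0"),
    _line("10.0.2.15", "10/Mar/2024:14:06:01 +0000", "GET", "/wp-content/themes/twentyfifteen/404.php", 200, "Mozilla/5.0"),
    _line("10.0.2.7", "10/Mar/2024:14:03:00 +0000", "GET", "/index.php", 200, "Mozilla/5.0"),
    _line("10.0.2.7", "10/Mar/2024:14:03:05 +0000", "POST", "/wp-login.php", 302, "Mozilla/5.0"),
]

def parse_log(lines):
    """Parse combined-format lines into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_login_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map IP -> largest number of POSTs to wp-login.php inside any sliding window, for IPs at or over threshold."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].startswith("/wp-login.php"):
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def detect_user_enumeration(events):
    """IPs that probe author archives or the REST users endpoint, or announce a scanner user agent."""
    hits = set()
    for ev in events:
        if ("author=" in ev["path"] or ev["path"].startswith("/wp-json/wp/v2/users")
                or "wpscan" in ev["ua"].lower()):
            hits.add(ev["ip"])
    return hits

THEME_PHP = re.compile(r"^/wp-content/themes/[^/]+/.+\.php$")

def detect_theme_edit_then_hit(events, within=timedelta(minutes=15)):
    """(editor IP, requesting IP, path) for a theme-editor POST followed by a direct request to a theme .php file."""
    edits = [ev for ev in events
             if ev["method"] == "POST" and ev["path"].startswith("/wp-admin/theme-editor.php")]
    findings = []
    for ev in events:
        if not THEME_PHP.match(ev["path"].split("?")[0]):
            continue
        for edit in edits:
            if timedelta(0) <= ev["ts"] - edit["ts"] <= within:
                findings.append((edit["ip"], ev["ip"], ev["path"]))
                break
    return findings

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("login brute force:", detect_login_bruteforce(events))
    print("user enumeration:", detect_user_enumeration(events))
    print("theme edit then hit:", detect_theme_edit_then_hit(events))
```

The sliding window matters more than the raw count: a legitimate admin may fail to log in a dozen times over a week, but not within five minutes. The theme-editor correlation is the higher-confidence signal here, since saving a template and then requesting it directly by its /wp-content/themes/ path is not how normal WordPress traffic looks; disabling the file editor with DISALLOW_FILE_EDIT in wp-config.php removes that path entirely.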
python3 -c 'import pty;pty.spawn ("/bin/bash")'
Now we need to find the WordPress config file, as in most scenarios it contains valid database credentials. I found the wp-config.php file in the /var/www/html directory, and a username and password combo in it.
At this point, if there is password reuse, we can try SSH-ing into the machine with those credentials and get a successful login, or we can just su (switch user) into c0ldd. I logged in via SSH on port 4512, since SSH was running on that port and there was password reuse.
And here I got the first flag! Let's go! It's base64 encoded, so after decoding and translation we get: 'Congratulations, first level achieved!'
> Privilege Escalation
We need to get root access on this machine since there's one more flag left for the root user, so here we have to do privilege escalation.
Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
To do so, we need to check which binaries we are allowed to run as root without the root password. I used sudo -l to list the binaries that can be used for elevated access to root and do a priv-esc.
Here we take help from the very popular GTFOBins, and can easily escalate through those three binaries, i.e. vim, chmod & ftp.
I'll be showing the three methods to escalate privileges here:
a) Using vim:
sudo vim -c ':!/bin/sh'
b) Using chmod:
sudo -u root chmod 6777 /bin/bash
bash -p
c) Using ftp:
sudo ftp
!/bin/bash
And here I got the second flag! Let's go! It's also base64 encoded, so after decoding and translation we get: 'Congratulations, machine completed!'
So that was the solution for this CTF machine; it was a pretty easy one. I hope you find this write-up useful.
Now it's time for the secret sauce to make it work on VMware [although this method is a bypass without solving the machine]:
Since we have the valid credentials of the user 'c0ldd', you can directly log into the machine using username: c0ldd & password: cybersecurity.
After this, you need to do privilege escalation using any of the above three methods to get into the root account and execute the 'dhclient' command.
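The sudo -l output that made the escalation above trivial is exactly what a hardening review should flag first. The Python below is an added example, not part of the original write-up and not GTFOBins' code, that audits a constructed /etc/sudoers fragment: it reports NOPASSWD grants, wildcards in command arguments, and grants of the three binaries the page escalates through. The sudoers sample, the rule regex and the deliberately small binary set are assumptions; a real audit would extend the set from GTFOBins and also resolve aliases and #include directives, which this parser ignores.

```python
import os
import re
from dataclasses import dataclass

# Constructed /etc/sudoers fragment used as input; not taken from the machine.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
c0ldd   ALL=(root) NOPASSWD: /usr/bin/vim, /bin/chmod, /usr/bin/ftp
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/* /backup/
deploy  ALL=(root) /usr/sbin/service apache2 restart
"""

# The three binaries the write-up escalated through; GTFOBins documents the
# shell escapes. Assumption: the set is limited to what the page names and
# should be extended from GTFOBins for a real audit.
SHELL_ESCAPE_BINARIES = {"vim", "chmod", "ftp"}

REASON_ESCAPE = "binary with a documented shell escape runs as root"
REASON_NOPASSWD = "NOPASSWD: no authentication required"
REASON_WILDCARD = "wildcard in command arguments"

# user  host=(runas) TAG: cmd1, cmd2 ...   (aliases and includes are ignored here)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    reason: str

def parse_rules(text):
    """Return (user, tags, [commands]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("user"), tags, cmds))
    return rules

def audit(text):
    """Return one Finding per (command, reason) that deserves review."""
    findings = []
    for user, tags, cmds in parse_rules(text):
        if user == "root":
            continue  # root's own grant is not an escalation path
        for cmd in cmds:
            name = os.path.basename(cmd.split()[0])
            if name in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(user, cmd, REASON_ESCAPE))
            if "NOPASSWD" in tags:
                findings.append(Finding(user, cmd, REASON_NOPASSWD))
            if "*" in cmd:
                findings.append(Finding(user, cmd, REASON_WILDCARD))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.user:8} {f.command:40} {f.reason}")
```

Run against the constructed fragment, every c0ldd entry is reported twice (shell escape plus NOPASSWD), the backup rule is reported for NOPASSWD and for its wildcard, and the deploy rule, a fixed service restart that still asks for a password, produces nothing. On a real host, feed it the output of `visudo -c -f` validated files or `sudo -l -U <user>` rather than reading /etc/sudoers directly.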
This will let the Dynamic Host Configuration Protocol Client fetch and assign an IP address to the c0lddbox itself.
Although I've already solved some CTF machines in the past, this is my first write-up. Let me know your thoughts on this!
Cheers!
~WhiteFight18
The Gray Area is a collection of great cybersecurity and computer science posts. The best articles are highlighted in a weekly newsletter, sent out every Wednesday. To get updates whenever The Gray Area publishes an article, check out our Twitter page, @TGAonMedium.