ColddBox: Easy Walkthrough

As the name suggests, ColddBox: Easy is another easy machine that teaches us how to exploit a WordPress site to get access to the machine.

You can access the machine directly from here.

Let’s start with an Nmap scan to see which ports are open on the machine and what is running on them.

nmap -sC -sV IP
ColddBox Nmap Results

So we have one service running, which is Apache on port 80.

The only other thing we can see is that it runs WordPress 4.1.31.

Let’s open the site then and check whether there is any information before we enumerate it further.

ColddBox WordPress Site

While we check the site, I will run GoBuster to check whether there are any hidden directories.

gobuster dir --url http://IP --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

I didn’t see or get anything from the page source or inside the post on the site other than the default login URL “wp-login”, which GoBuster should detect anyway, so let’s check GoBuster.

Well, there we have an interesting one, so let’s check “hidden”.

So we have someone called Hugo, Philip, and we might have a username called C0ldd. Let’s run GoBuster again on “hidden”.

gobuster dir --url http://IP/hidden --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Well, I got nothing. Let’s open WPScan and see what we can get from it.

wpscan --url http://IP

We get a hint that the site is insecure and hasn’t been updated for a long time; nothing that important was found.

Now let’s enumerate wp-login and see the available users by using WPScan again.

wpscan --url http://IP -e u

And as we already expected, we have the following users available on the site.

So let’s search for an exploit that we might be able to run against the system.

searchsploit wordpress 4.1.31

Perfect, so we have a couple of core vulnerabilities. Let’s try the unauthorized password reset to reset one of the above users’ passwords. But first, this is a simple example of how the vulnerability works, so let’s send a post request t

So let’s open Burp Suite and edit the request so we can exploit the vulnerability.

So I tried the exploit and changed what I had to, but none of it worked, and I got the following error message, which I think stopped the exploit from running.

So we’ll go back to the traditional way, which is brute-forcing the password with the help of WPScan. I will use c0ldd since it looks like he’s the admin on the site.

wpscan --url http://IP -U c0ldd -P /usr/share/wordlists/rockyou.txt 

And voilà! We got it, so let’s log in to the site and see where we can go from there.

Since we’re in, what’s better than putting in a reverse shell to access the machine? We usually can’t upload PHP files in the media library, BUT we can have code running in theme files, so let’s open the theme editor and add our PHP reverse shell.

Don’t forget to change the IP and port to your machine’s.

One of the files we can add the code directly into is header.php, since it runs on every page we open on WordPress.

So you go to Appearance -> Editor, choose the header.php file, then paste the reverse shell.

After we update the file, we open a netcat listener on our machine to catch the shell.

nc -lvp 1234

And we got the shell.
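As an added defender-side example that is not part of the original walkthrough: a small Python script that scans Apache access-log lines for the three steps the post just walked through, the `?author=N` user enumeration that WPScan’s `-e u` relies on, the burst of POSTs to wp-login.php from password guessing, and a POST to the theme editor. The log lines are constructed, and the theme-editor path and the thresholds are assumptions, not values from the page.

```python
import re
from collections import Counter, defaultdict
# Apache combined-log format, reduced to the fields this check uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None when the line is not an access-log record

def detect(lines, login_threshold=10, author_threshold=3):
    """Map each source IP to the sorted list of suspicious behaviours seen from it."""
    findings = defaultdict(set)
    login_posts, author_probes = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        # 1. Username enumeration: /?author=N answered by a redirect to /author/<login>/
        if re.search(r"[?&]author=\d+", path) and status in ("301", "302"):
            author_probes[ip] += 1
            if author_probes[ip] >= author_threshold:
                findings[ip].add("author-enumeration")
        # 2. Password guessing: a burst of POSTs to wp-login.php from one address
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
            if login_posts[ip] >= login_threshold:
                findings[ip].add("wp-login-bruteforce")
        # 3. Theme file written through the admin editor (path assumed for WP 4.1-era sites)
        if method == "POST" and path.startswith("/wp-admin/theme-editor.php"):
            findings[ip].add("theme-editor-write")
    return {ip: sorted(tags) for ip, tags in findings.items()}

# Constructed sample log lines (not from the page): one noisy client and one benign one.
SAMPLE_LOG = [
    f'10.0.0.5 - - [01/Jan/2024:10:00:0{n} +0000] "GET /?author={n} HTTP/1.1" 301 0'
    for n in range(1, 4)
] + [
    f'10.0.0.5 - - [01/Jan/2024:10:01:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3500'
    for n in range(12)
] + [
    '10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:06:00 +0000] "GET /hidden/ HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, tags in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

On a real site, setting DISALLOW_FILE_EDIT in wp-config.php removes the theme editor that step 3 watches for, so the alert then only fires on an attacker who has found another way in.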

Now, let’s check whether we can access the user flag or whether we need to escalate our privileges first.

And apparently we can’t, so let’s first get a proper bash shell, then we’ll try to escalate our privileges.

For that we can use the famous Python command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Now it’s time to escalate our privileges. First, let’s try c0ldd’s password to see if we can execute cat as him.

And nothing works: the user www-data has a password set up, so we can’t launch sudo without www-data’s password.

We can go to wp-config.php and see what the database password is, since that’s where it is stored.

Let’s connect to the database and see what we can get.

Let’s try to switch to user c0ldd with the password we found above.

su - c0ldd

And voilà! It’s the same password.

So now we can go and get the user flag.

It’s base64-encoded, so let’s decode that first.

base64 -d user.txt

And we get the following, which I’m not sure was the flag, but if you click on the hint, apparently they want the flag in its base64-encoded format, so you can provide that.

Now it’s time to escalate our privileges to root. First, let’s see which sudo commands we can run.

sudo -l

And we have the following. I will use Vim as I am more familiar with its escalation; you can access the command from here or copy the following:

sudo vim -c ':!/bin/sh'

That easily, we get the root shell.

Now let’s just print the root flag.

Yay! We just need to pass the flag encoded, just like last time, and that’s all.


And that’s all for ColddBox. I hope you learned something new.