As the name suggests, ColddBox: Easy is another easy machine that teaches us how to exploit a WordPress site to gain access to the machine.
You can access the machine directly from here.
Let’s start with an Nmap scan to see which ports are open on the machine and what services they run.
nmap -sC -sV IP
So we have one service running, which is Apache on port 80.
We can only see that it runs WordPress 4.1.31.
Let’s open the site and check whether there is any useful information before we enumerate it further.
While we look at the site, I will run GoBuster to check for hidden directories.
gobuster dir --url http://10.10.228.122 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I didn’t see or get anything from the page source or from the post on the site other than the default login URL “wp-login”, which GoBuster should detect anyway, so let’s check GoBuster’s results.
Well, there we have an interesting one, so let’s check “hidden”.
So we have someone called Hugo, Philip, and we might have a username called C0ldd; let’s run GoBuster again on “hidden”.
gobuster dir --url http://10.10.228.122/hidden --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Well, I got nothing, so let’s run WPScan and see what we can get from it.
wpscan --url http://IP
We get a hint that the site is insecure and hasn’t been updated for a long time; nothing that important was found.
Now let’s enumerate wp-login and list the available users, again using WPScan.
wpscan --url http://IP -e u
And as we expected, we have the following users available on the site.
So let’s search for an exploit that we might be able to run against the system.
searchsploit wordpress 4.1.31
Perfect, so we have a couple of core vulnerabilities; let’s try the unauthorized password reset to reset the password of one of the users above. But first, this is a simple example of how the vulnerability works, so let’s send a post request t
So let’s open Burp Suite and edit the request so we can exploit the vulnerability.
So I tried the exploit and changed what I had to, but none of it worked, and I got the following error message, which I think stopped the exploit from running.
We’ll go back to the traditional way, which is brute-forcing the password with the help of WPScan; I will use c0ldd since he looks like the admin of the site.
wpscan --url http://IP -U c0ldd -P /usr/share/wordlists/rockyou.txt
And voilà! We got it, so let’s log in to the site and see where we can go from there.
Since we’re in, what’s better than planting a reverse shell to access the machine? We usually can’t upload PHP files to the media library, BUT we can get code to run from theme files, so let’s open the theme editor and add our PHP reverse shell.
Don’t forget to change the IP and port to your machine’s.
One of the files we can add the code directly into is header.php, since it runs on every page we open on the WordPress site.
So you go to Appearance -> Editor, choose the header.php file, then paste in the reverse shell.
After we update the file, we open a netcat listener on our machine to catch the shell.
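The user enumeration and password brute force above leave a very recognisable trail in the web server’s access log. The following is an added example, not part of the original write-up, of a small detector over constructed Apache combined-format log lines: it flags `?author=N` and REST user enumeration, the WPScan user agent, and bursts of failed logins (WordPress re-renders the form with HTTP 200 on failure and redirects with 302 on success). The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format (assumes the default layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def detect(lines, window_s=60, login_threshold=10):
    """Return {ip: sorted list of finding tags} for suspicious WordPress activity."""
    findings = defaultdict(set)
    login_times = defaultdict(list)   # per-IP timestamps of failed logins
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if "?author=" in e["path"] or "/wp-json/wp/v2/users" in e["path"]:
            findings[e["ip"]].add("user-enumeration")
        if "wpscan" in e["ua"].lower():
            findings[e["ip"]].add("wpscan-user-agent")
        # Failed login: POST to wp-login.php answered with 200 (form shown again).
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == "200":
            t = login_times[e["ip"]]
            t.append(e["ts"])
            while (t[-1] - t[0]).total_seconds() > window_s:   # slide the window
                t.pop(0)
            if len(t) >= login_threshold:
                findings[e["ip"]].add("login-bruteforce")
    return {ip: sorted(tags) for ip, tags in findings.items()}

# Constructed sample log: one scanning host and one ordinary visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"',
    '10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8"',
] + [
    f'10.0.0.5 - - [10/Jan/2024:12:00:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v3.8"'
    for i in range(12)
] + [
    '10.0.0.9 - - [10/Jan/2024:12:01:00 +0000] "GET /hidden/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```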
nc -lvp 1234
And we got the shell.
Now let’s check whether we can read the user flag or whether we need to escalate our privileges first.
And apparently we can’t, so let’s first get a proper bash shell and then try to escalate our privileges;
for that we can use the well-known Python command:
python3 -c "import pty; pty.spawn('/bin/bash')"
Now it’s time to escalate our privileges. First, let’s try c0ldd’s password to see if we can run cat as him.
And nothing works; the user www-data has a password set, so we can’t use sudo without www-data’s password.
We can look in wp-config.php for the database password, since that’s where it is stored.
Let’s connect to the database and see what we can get.
Let’s try switching to user c0ldd with the password we found above.
su - c0ldd
And voilà! It’s the same password.
So now we can go and get the user flag.
And it’s base64 encoded, so let’s decode it first.
base64 -d user.txt
And we get the following, which I’m not sure is the flag, but if you click on the hint, apparently they want the flag in its base64-encoded format, so you can submit that.
Now it’s time to escalate our privileges to root; first let’s see which sudo commands we can run.
And we have the following; I will use Vim as I am more familiar with its escalation. You can access the command from here or copy the following:
sudo vim -c ':!/bin/sh'
That easily, we get the root shell.
Now let’s just print the root flag.
Yay! We just need to submit the flag encoded just like last time, and that’s all.
And that’s all for ColddBox; I hope you learned something new.