
ColddBox: Easy


Last updated 1 year ago

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/ColddBox
cd ~/Documents/TryHackMe/eJPT/ColddBox
mkdir recon enumeration notes
touch {README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

Once I have the target's IP address, my first step is a full scan of the machine for open ports, using both rustscan and nmap.

# RUSTSCAN: fast port discovery, then nmap default scripts and version detection on what it finds
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
# NMAP: full TCP port sweep, extract the open ports as a comma-separated list, then a deeper scan of just those ports
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init
grep -E '^[0-9]+/tcp +open' recon/nmap.init | cut -d '/' -f 1 | paste -sd, - > recon/ports
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
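The port-list step above (turning the first nmap run into a `-p` argument for the second) is the part of this pipeline that most often goes wrong, for instance when an `open|filtered` or `filtered` line is swept in. As an added example that is not part of the writeup, here is a small POSIX shell function that does the same extraction with awk and only accepts lines whose state is exactly `open`; the nmap normal-output file it parses is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the writeup): extract open TCP/UDP ports from an
# "nmap -oN" normal-output file as a comma-separated list suitable for "-p".

# Write a constructed sample of nmap normal output to a temp file and print its path.
make_sample_nmap() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample for the example)
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
443/tcp   filtered      https
4445/tcp  open          upnotifyp
5353/udp  open|filtered zeroconf
# Nmap done
EOF
  printf '%s' "$f"
}

# Print the ports whose state is exactly "open", joined with commas and no
# trailing comma. Lines like "443/tcp filtered" and "5353/udp open|filtered"
# are ignored, which the original "grep '/.*open'" would not guarantee.
open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         split($1, p, "/")
         if (ports != "") ports = ports ","
         ports = ports p[1]
       }
       END { print ports }' "$1"
}

# Stand-alone usage: build the sample, print "22,80,4445", clean up.
if [ "${1:-}" = "demo" ]; then
  sample=$(make_sample_nmap)
  open_ports "$sample"
  rm -f "$sample"
fi
```

In the writeup's flow the result would replace `recon/ports`: `open_ports recon/nmap.init > recon/ports`. Matching on the exact state string is the check worth keeping even if you stay with the one-liner.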

Subsequently, I focus on the HTTP port, seeking potential vulnerabilities in the system.

┌──(kali㉿kali)-[~/Documents/TryHackMe/ColddBox]
└─$ whatweb $URL                                                            
http://10.10.140.126 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.140.126], JQuery[1.11.1], MetaGenerator[WordPress 4.1.31], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[ColddBox | One more machine], WordPress[4.1.31], x-pingback[/xmlrpc.php]

Since the site runs WordPress, I enumerate its files and directories, and something noteworthy turns up.

Exploitation

When I try to log in as the user c0ldd, the error message confirms that the user exists. Interestingly, I get the same error when trying to log in as hugo and as philip.

I use wpscan to brute-force these credentials.

Once I have access to the website, I take control of the machine with a reverse shell: using a text editor, I modify a file and insert the reverse shell from the PentestMonkey GitHub repository.
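Each step of this path leaves a trace in the web server's access log: the username check and the wpscan run produce a burst of POSTs to `wp-login.php` from one address, and editing a file through the WordPress admin UI produces a POST to the theme editor. As an added example that is not part of the writeup, the shell script below runs two awk checks over an Apache combined-format access log to surface exactly those two patterns; the log lines, the addresses and the threshold of 20 attempts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the writeup): defender-side checks over an Apache
# "combined" access log for the two things this attack path leaves behind:
#  1. many POSTs to /wp-login.php from one source (password brute-forcing)
#  2. any POST to /wp-admin/theme-editor.php (a file changed through the admin UI)
# All log lines below are constructed; the addresses are documentation ranges.

make_sample_log() {
  f=$(mktemp)
  # Normal traffic: a page view and one legitimate login.
  cat > "$f" <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 31200 "-" "Mozilla/5.0"
EOF
  # Brute-force burst: 25 login POSTs from a single address inside one minute.
  i=1
  while [ "$i" -le 25 ]; do
    printf '203.0.113.9 - - [10/Oct/2023:13:56:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"\n' "$i" >> "$f"
    i=$((i + 1))
  done
  # Post-compromise write through the theme editor from the same address.
  printf '203.0.113.9 - - [10/Oct/2023:13:58:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$f"
  printf '%s' "$f"
}

# Print "<ip> <count>" for every source address with at least $2 POSTs to
# wp-login.php. In the combined format, field 6 is the quoted method and
# field 7 the request path.
login_bruteforce_sources() {
  awk -v threshold="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= threshold) print ip, n[ip] }' "$1" | sort
}

# Print each source address that POSTed to the theme editor. Any such write
# outside a planned change deserves a look at wp-content/themes on disk.
theme_editor_writes() {
  awk '$6 == "\"POST" && $7 == "/wp-admin/theme-editor.php" { print $1 }' "$1" | sort -u
}

# Stand-alone usage: prints "203.0.113.9 25" and then "203.0.113.9".
if [ "${1:-}" = "demo" ]; then
  log=$(make_sample_log)
  login_bruteforce_sources "$log" 20
  theme_editor_writes "$log"
  rm -f "$log"
fi
```

The second check is the cheaper control to act on: if nobody is expected to edit theme files from the dashboard, the theme editor can be disabled outright (WordPress reads the `DISALLOW_FILE_EDIT` constant from `wp-config.php` for this), which removes the write path this writeup relies on even when a password is guessed.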

Obtaining root access seems surprisingly straightforward in this case.

sudo vim -c ':!/bin/sh'
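The reason this works is that vim (like most interactive editors and pagers) can run arbitrary commands, so a sudo rule that grants it grants everything the rule's runas user can do. As an added example that is not part of the writeup, the script below audits a sudoers file for rules of that kind and skips rules carrying sudo's `NOEXEC` tag, which stops the granted program from executing other programs; the sudoers content and the account names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the writeup): flag sudoers rules that hand out an
# interactive editor or pager without the NOEXEC tag. The remedy is usually to
# grant "sudoedit <file>" for editing tasks, or to add NOEXEC: to the rule.
# The sudoers file below is constructed; "webadmin" etc. are hypothetical accounts.

make_sample_sudoers() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed /etc/sudoers for the example
Defaults env_reset
root ALL=(ALL:ALL) ALL
webadmin ALL=(ALL) NOPASSWD: /usr/bin/vim
auditor ALL=(ALL) NOEXEC: /usr/bin/less /var/log/syslog
editor ALL=(ALL) sudoedit /etc/hosts
ops ALL=(ALL) /usr/bin/systemctl restart apache2, /usr/bin/systemctl status apache2
EOF
  printf '%s' "$f"
}

# Print each rule whose command list contains an editor or pager and that has
# no NOEXEC tag. Simplification: a NOEXEC tag anywhere in the rule is taken to
# cover the whole rule, although sudo applies it only to the commands after it.
flag_editor_grants() {
  awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    /^[ \t]*Defaults/ { next }                  # option lines, not rules
    index($0, "=") == 0 { next }                # aliases and other non-rule lines
    {
      spec = substr($0, index($0, "=") + 1)     # text after the host list
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (runas) part
      if (spec ~ /NOEXEC:/) next
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        sub(/^[ \t]*([A-Z]+:[ \t]*)*/, "", c)   # strip tags such as NOPASSWD:
        sub(/[ \t].*$/, "", c)                  # keep only the program path
        nb = split(c, parts, "/")
        if (parts[nb] ~ /^(vim|vi|view|nvim|nano|emacs|less|more|man)$/) {
          print $0
          break
        }
      }
    }' "$1"
}

# Stand-alone usage: prints the one risky rule, the webadmin vim grant.
if [ "${1:-}" = "demo" ]; then
  s=$(make_sample_sudoers)
  flag_editor_grants "$s"
  rm -f "$s"
fi
```

Run against a real system with `sudo cat /etc/sudoers /etc/sudoers.d/* | flag_editor_grants /dev/stdin` (it needs the file contents, not `sudo -l` output). The list of program names is deliberately short; extend it with whatever editors and pagers your fleet installs.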