ColddBox: Easy

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/ColddBox
cd ~/Documents/TryHackMe/eJPT/ColddBox
mkdir recon enumeration notes
touch {README.md,vulns,creds}

export IP=10.10.106.147
export URL=http://$IP

Enumeration

Once I have the target's IP address, my first step is a full port scan of the machine, using both rustscan and nmap.

# RUSTSCAN
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
# NMAP
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
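The grep/cut/tr/sed pipeline above turns the first nmap run's output into the port list for the second. The script below is an added example, not part of the original writeup: it does the same extraction as a function, keys on nmap's STATE column (so a closed port whose service name happens to contain "open", such as openvpn, is not swept in) and returns a non-zero status when nothing is open, instead of writing an empty ports file that the follow-up `nmap -p "$(cat recon/ports)"` would reject. The sample nmap output, host and ports are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: extract the comma-separated
# open-port list from an nmap -oN file, as the grep/cut/tr/sed pipeline does,
# but key on the STATE column and fail cleanly when nothing is open.

# Writes a constructed sample of nmap -oN output to a temp file and prints the
# path. The host and ports are made up for the example.
write_sample_nmap() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -p- -v -T4 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
1194/tcp closed   openvpn
4512/tcp open     unknown
8080/tcp filtered http-proxy
# Nmap done at Sun Mar 10 10:00:00 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
    printf '%s\n' "$f"
}

# open_ports_from_nmap FILE
#   prints e.g. "22,80,4512" and returns 0; prints nothing and returns 1 when
#   no line has state "open" (the "open|filtered" UDP state is excluded too).
open_ports_from_nmap() {
    # Match "<port>/<proto> <spaces> open <spaces>", then keep the port number;
    # paste -s joins the lines with commas (replacing the tr/sed pair).
    ports=$(grep -E '^[0-9]+/(tcp|udp) +open +' "$1" | cut -d '/' -f 1 | paste -sd ',' -)
    if [ -z "$ports" ]; then
        echo "no open ports found in $1" >&2
        return 1
    fi
    printf '%s\n' "$ports"
}

# Demo run. In the writeup's layout this would be:
#   open_ports_from_nmap recon/nmap.init > recon/ports || exit 1
sample=$(write_sample_nmap)
open_ports_from_nmap "$sample"
rm -f "$sample"
```

Using `|| exit 1` after the extraction step stops the chain before the second nmap runs with an empty `-p` argument, which is the failure mode the original one-liner silently hits when the first scan finds nothing.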

Subsequently, I focus on the HTTP port, seeking potential vulnerabilities in the system.

The site runs WordPress; once I complete the enumeration of its files and directories, I come across something noteworthy.

Exploitation

Upon attempting to log in as the user c0ldd, I receive an error that serves as confirmation of the user's existence. Interestingly, I encounter the same error when trying to log in as both hugo and philip.

I use wpscan to brute force these credentials.
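A password attack against the WordPress login leaves a clear trace on the server: a burst of POST requests to wp-login.php from one source. The script below is an added example, not part of the original writeup, showing how an administrator would pick that burst out of a combined-format access log. The log lines, addresses, user agent and the threshold of five are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the server-side view of a
# wpscan-style password attack. Counts POSTs to wp-login.php per source IP in
# a combined-format access log and reports sources at or above a threshold.

# Writes constructed access-log lines to a temp file and prints its path:
# one address hammering wp-login.php, one ordinary visitor logging in once.
write_sample_access_log() {
    f=$(mktemp)
    i=1
    while [ "$i" -le 6 ]; do
        printf '203.0.113.9 - - [10/Mar/2024:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1873 "-" "WPScan v3.8"\n' "$i" >> "$f"
        i=$((i + 1))
    done
    cat >> "$f" <<'EOF'
198.51.100.4 - - [10/Mar/2024:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:00:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 9402 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# wp_login_post_sources LOG THRESHOLD
#   prints "<count> <ip>" for every source with at least THRESHOLD POSTs to
#   wp-login.php, highest count first; prints nothing when none qualify.
wp_login_post_sources() {
    log=$1
    threshold=${2:-10}
    # In combined log format $1 is the client IP, $6 the quoted method and
    # $7 the request path; GETs of the login page are not counted.
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -rn
}

# Demo run against the constructed log with a threshold of 5.
sample=$(write_sample_access_log)
wp_login_post_sources "$sample" 5
rm -f "$sample"
```

The same count is what a rate limit on wp-login.php (or a fail2ban-style jail) keys on; the threshold should sit well above what a legitimate user mistyping a password produces in the same window.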

Following successful access to the website, I employ a reverse shell to establish control over the machine. Utilizing a text editor, I modify a file and insert a reverse shell obtained from the PentestMonkey GitHub repository.

Obtaining root access seems surprisingly straightforward in this case.
