sec👨‍💻fortress:~#

Defensive By Offensive!.


ColddBox


Difficulty = Easy


Running our nmap scan, we have:

# Nmap 7.94 scan initiated Wed Oct 25 23:53:54 2023 as: nmap -p80,4512 -sCV -T4 -v --min-rate=1000 -oN nmap.txt 10.10.44.62
Nmap scan report for 10.10.44.62
Host is up (0.14s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
|   256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_  256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 25 23:54:13 2023 -- 1 IP address (1 host up) scanned in 18.58 seconds

Navigating to port 80 (HTTP), we find a WordPress website.

Running a WordPress scanner called wpscan, I was able to find some valid usernames that we can try to brute-force under /wp-login.php:

$ wpscan --url http://10.10.44.62/ -e u,cb --verbose

Nice, so we have hugo, c0ldd and philip. We can also navigate to /wp-login.php and try these usernames with a wrong password to confirm that they are valid.

We can therefore save these usernames into a text file and brute-force them with wpscan:

$ wpscan --url http://10.10.44.62/ -U users.txt -P /usr/share/wordlists/rockyou.txt

We found only one password, which belongs to user c0ldd.

We can therefore upload our shell by changing the content of the plugin files and navigating to the URL

The URL :

We got our shell back as user www-data

Navigating to the /var/www/html directory we have the wp-config.php file

Reading it gives us the password for user c0ldd.

We can therefore su to user c0ldd.

Running sudo -l, we see that we have permission to run vim, chmod and ftp with superuser privileges.

I will be using /usr/bin/vim to gain root. On the command line, run:

$ sudo /usr/bin/vim

Hit Enter and you should then be given a prompt like this

Then just type :shell and you should be root.
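
From the defender's side, the sudo -l result above is the misconfiguration to catch before an attacker does. The following is an added example, not part of the original write-up: it audits sudo -l output for the three binaries named there. The sample output, the host name and the chmod/ftp paths are constructed.

```python
import os
import re

# Binaries the write-up lists in `sudo -l`, with the reason each one is
# unsafe to delegate. A starting point, not a complete list.
RISKY = {
    "vim": "editor can spawn a shell (the :shell step above)",
    "chmod": "can change the mode of any file, including root-owned ones",
    "ftp": "interactive client can run local commands",
}

# Constructed sample of `sudo -l` output. The host name and the chmod/ftp
# paths are placeholders; only /usr/bin/vim appears in the write-up.
SAMPLE = """\
Matching Defaults entries for c0ldd on host:
    env_reset, mail_badpass

User c0ldd may run the following commands on host:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# An indented rule line: "(run-as) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")


def audit(sudo_l_output):
    """Return (run_as, command, reason) for every risky delegated command."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries and header lines carry no "(run-as)"
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, "unrestricted sudo"))
                continue
            name = os.path.basename(cmd.split()[0])
            if name in RISKY:
                findings.append((m.group("runas"), cmd, RISKY[name]))
    return findings


if __name__ == "__main__":
    for run_as, cmd, reason in audit(SAMPLE):
        print(f"[!] ({run_as}) {cmd}: {reason}")
```

Each flagged entry should be removed from sudoers or replaced with a narrowly scoped command that offers no interactive escape.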

GG 😃