Vulnhub’s ColddBox CTF Write-Up
I recently completed the ColddBox VM from Vulnhub and I thought this would be a great box to do a write-up on.
Even though this is a beginner box, there are some tricky parts to it for a beginner.
The privilege escalation is also something that I wanted to put on here because it’s super simple, but it’s not widely talked about.
I am running this VM on VirtualBox, but I’m sure that it would work on VMware. Let’s get started!
Nmap Scan
user@kali:~$ nmap -sV -Pn -A -p- 192.168.1.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-28 11:09 EDT
Nmap scan report for ColddBox-Easy.attlocal.net (192.168.1.133)
Host is up (0.0013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds
An Nmap scan reveals that there are two ports open. I already know the web server is running WordPress because of the description from Vulnhub. I ran a Dirb scan anyway.
user@kali:~/Desktop$ dirb http://192.168.1.133
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Oct 28 11:14:18 2020
URL_BASE: http://192.168.1.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.133/ ----
==> DIRECTORY: http://192.168.1.133/hidden/
+ http://192.168.1.133/index.php (CODE:301|SIZE:0)
+ http://192.168.1.133/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.133/wp-admin/
==> DIRECTORY: http://192.168.1.133/wp-content/
==> DIRECTORY: http://192.168.1.133/wp-includes/
+ http://192.168.1.133/xmlrpc.php (CODE:200|SIZE:42)
---- Entering directory: http://192.168.1.133/hidden/ ----
+ http://192.168.1.133/hidden/index.html (CODE:200|SIZE:340)
---- Entering directory: http://192.168.1.133/wp-admin/ ----
+ http://192.168.1.133/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.133/wp-admin/css/
==> DIRECTORY: http://192.168.1.133/wp-admin/images/
==> DIRECTORY: http://192.168.1.133/wp-admin/includes/
+ http://192.168.1.133/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.133/wp-admin/js/
==> DIRECTORY: http://192.168.1.133/wp-admin/maint/
==> DIRECTORY: http://192.168.1.133/wp-admin/network/
==> DIRECTORY: http://192.168.1.133/wp-admin/user/
---- Entering directory: http://192.168.1.133/wp-content/ ----
+ http://192.168.1.133/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.133/wp-content/languages/
==> DIRECTORY: http://192.168.1.133/wp-content/plugins/
==> DIRECTORY: http://192.168.1.133/wp-content/themes/
==> DIRECTORY: http://192.168.1.133/wp-content/upgrade/
---- Entering directory: http://192.168.1.133/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.133/wp-admin/network/ ----
+ http://192.168.1.133/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://192.168.1.133/wp-admin/network/index.php (CODE:302|SIZE:0)
^C> Testing: http://192.168.1.133/wp-admin/network/outline
There is a hidden directory, and when I take a look, a few usernames are revealed.
Since the VM is running WordPress, I spun up WPScan to get a little more information and try to crack the passwords.
After a few minutes, I got a hit.
So I logged in.
I went to the Editor under Appearance and clicked on the 404.php template. I then inserted my PHP reverse shell. You can find this in /usr/share/webshells on your Kali box. This method is pretty standard for getting a reverse shell from WordPress sites.
I did try to use the Metasploit wp_admin module, but it didn’t work for some reason.
After uploading the PHP reverse shell, I browsed to the 404.php URL and received my reverse shell.
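From the defender's side, the two web steps just described (the WPScan password run against wp-login.php, then a theme-editor edit followed by a request to the modified 404.php) leave a recognisable trail in the Apache access log. The following is an added example, not code from the original write-up; the log lines, the IPs and the theme directory name are constructed.

```python
import re
from collections import defaultdict

# Apache combined-log fields this check needs (constructed example, not the write-up's code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# POSTs to wp-login.php from one IP before it is reported; a WPScan password run produces far more.
LOGIN_THRESHOLD = 5

def detect(lines):
    """Return (ip, finding) tuples for the web-side steps of this box's attack chain."""
    login_posts = defaultdict(int)
    theme_editors = set()          # IPs that have POSTed to the theme editor
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue               # not combined-log format; skip
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path.endswith("/wp-login.php"):
            login_posts[ip] += 1
            if login_posts[ip] == LOGIN_THRESHOLD:   # report once per IP
                findings.append((ip, "password-guessing burst against wp-login.php"))
        elif method == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            theme_editors.add(ip)
            findings.append((ip, "theme file modified via wp-admin/theme-editor.php"))
        elif ip in theme_editors and path.endswith("/404.php"):
            findings.append((ip, "edited 404.php requested directly after theme edit"))
    return findings

# Constructed sample log: the IPs and the theme directory name are assumptions.
SAMPLE_LOG = """\
192.168.1.10 - - [28/Oct/2020:11:20:01 -0400] "GET / HTTP/1.1" 200 9876
192.168.1.50 - - [28/Oct/2020:11:21:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3201
192.168.1.50 - - [28/Oct/2020:11:21:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3201
192.168.1.50 - - [28/Oct/2020:11:21:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3201
192.168.1.50 - - [28/Oct/2020:11:21:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3201
192.168.1.50 - - [28/Oct/2020:11:21:03 -0400] "POST /wp-login.php HTTP/1.1" 302 0
192.168.1.50 - - [28/Oct/2020:11:25:10 -0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0
192.168.1.50 - - [28/Oct/2020:11:26:00 -0400] "GET /wp-content/themes/example-theme/404.php HTTP/1.1" 200 0
"""

def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

On a real site the same logic would run over the live access log, with the threshold tuned to normal login volume.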
I transferred LinPEAS over to the target’s /tmp folder to look at privilege escalation. Going through the script’s output, I found a username and password stored in the wp-config.php file.
This file is pretty significant since it holds the MySQL database credentials. I decided to try this combination against the open SSH port, and it worked.
I went ahead and grabbed the user flag.
I reran the script as user c0ldd and found some interesting things. The first was that c0ldd was part of the lxd group. This is a well-known privilege escalation method. I ran sudo -l and found that c0ldd could run vim with sudo privileges.
So I ran sudo /usr/bin/vim and was presented with the vim screen.
There is a privilege escalation method that allows you to get a shell from vim.
I hit enter and I was presented with a root shell.
I navigated to the root folder and grabbed the root flag.
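The two host-side findings above, a sudo rule for vim and membership in the lxd group, are exactly what a sudoers and group audit should flag before an attacker does. The following is an added example, not the author's code; the sudoers and /etc/group samples are constructed, and only the user c0ldd, vim and the lxd group come from the write-up.

```python
import os
import re

# Constructed audit, not the write-up's code. Editors and pagers that can hand their caller a
# shell: a sudo rule for any of them is a root shell in disguise (vim is the one on this box).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man"}
# Groups whose members can reach root on a default install (lxd is the one on this box).
PRIVILEGED_GROUPS = {"lxd", "docker", "sudo", "wheel"}

# Matches "who host = (runas) [TAG:] cmd[, cmd...]"; Defaults lines and comments are skipped below.
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

def risky_sudo_rules(sudoers_text):
    """Return (who, command) pairs where the allowed command is ALL or can spawn a shell."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDO_RULE.match(line)
        if not m or line.startswith("Defaults") or m["who"] == "root":
            continue
        for spec in m["cmds"].split(","):
            words = [w for w in spec.split() if not w.endswith(":")]   # drop tags like NOPASSWD:
            if words and (words[0] == "ALL" or os.path.basename(words[0]) in SHELL_CAPABLE):
                findings.append((m["who"], words[0]))
    return findings

def privileged_group_members(group_text):
    """Return (user, group) pairs from /etc/group content for groups that amount to root."""
    findings = []
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in PRIVILEGED_GROUPS:
            findings.extend((user, parts[0]) for user in parts[3].split(",") if user)
    return findings

# Constructed samples; only the user c0ldd, vim and the lxd group come from the write-up.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
c0ldd   ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync, /usr/bin/less
"""
SAMPLE_GROUP = """\
sudo:x:27:
lxd:x:110:c0ldd
"""

def run_sample():
    return risky_sudo_rules(SAMPLE_SUDOERS) + privileged_group_members(SAMPLE_GROUP)
```

Feeding the real /etc/sudoers (plus /etc/sudoers.d) and /etc/group into these two functions gives the same list an attacker would assemble from sudo -l and id, which is the point of running it first.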
This was a great box for beginners, but there were a few rabbit holes. The vim privilege escalation method is a great one, and I’m sure that there are more ways to root, but I haven’t seen this in a CTF for a while, so I thought I would do a write-up for it.
For more CTF write-ups, follow me on here or on Twitter @assume_breach