https://tryhackme.com/room/colddboxeasy

  • Directory brute forcing exposes usernames
    • WPScan can also be used to enumerate WordPress usernames
  • Due to poor password strength, hydra can use rockyou.txt wordlist to perform a dictionary attack against the login form and determine a user’s credentials
  • The WordPress plugin editor can be used to run attacker-supplied PHP, which gives a remote interactive reverse shell
  • Low-privileged www-data user can be escalated to root user by exploiting poor permissions on a SUID binary

dirsearch.py was run with its default dicc.txt wordlist and found the /hidden directory.

Can also use wpscan to enumerate usernames:

wpscan --url <ip> -e u

We identified a couple usernames:

  • c0ldd
  • hugo
  • philip

I used hydra to perform a dictionary attack against the login form.  This could also be done with WPScan and Burp Suite Repeater. 

The intercepted login POST request supplies the path and form fields that hydra needs. Usage, followed by the command used against this box:

#usage
hydra -l <user> -P <wordlist> <ip> http-post-form "<login path>:<post content>:F=incorrect" -V
hydra -l C0ldd -P ~/wordlists/secLists/Passwords/Leaked-Databases/rockyou-50.txt 10.10.50.155 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1:F=incorrect" -V

We can successfully login as the C0ldd user.

Now we can login and have access to the admin dashboard.
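From the defender's side, the hydra run above leaves an obvious trace in the web server access log: a burst of POSTs to /wp-login.php from one source. The following is an added detection example, not part of the original writeup; the log lines are constructed, and treating a 302 from /wp-login.php as a successful login is an assumption based on WordPress redirecting to wp-admin after a valid login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log excerpt (not from the writeup): one host hammers
# /wp-login.php and eventually gets a 302; another host logs in normally once.
SAMPLE_LOG = """\
10.10.14.7 - - [10/Mar/2024:13:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:13:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:13:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:13:01:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:13:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:13:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:13:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2024:13:01:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:13:09:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not combined-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with at least `threshold` POSTs to /wp-login.php inside any sliding `window`.
    Returns {ip: {"peak": most POSTs seen in one window,
                  "succeeded": True if that IP ever got a 302 back (assumed valid login)}}."""
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            posts[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "succeeded": any(s == 302 for _, s in events)}
    return flagged
```

On the sample log only 10.10.14.7 is flagged (six POSTs in ten seconds, ending in a 302), which is the signal a login rate limit or fail2ban-style jail would act on.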

To get a shell on the machine, we can edit a plugin’s PHP in the WordPress plugin editor, then request the plugin file directly in the browser’s address bar; the server executes the code.

The plugin I will modify is ‘hello dolly’, and I will replace the contents with pentestmonkey’s php reverse shell (https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php).

Replace IP and PORT in the script.

Navigate to /wp-content/plugins/hello.php to execute the reverse shell; this should establish a connection to our listener.

We have an interactive shell as the www-data user.


As this user we can’t do much; we don’t even have permission to read /home/c0ldd/user.txt.

Maybe try to escalate to c0ldd or root user.

Search for binaries with the SUID bit set (a SUID binary owned by root runs with root’s effective UID regardless of who launches it, so no sudo is needed).

# locate all files with suid bit set
find / -perm -4000 2>/dev/null

Turns out the find program has the SUID bit set. GTFOBins documents how this is abused (https://gtfobins.github.io/gtfobins/find/#suid).


Once exploited, we have a shell as the root user!
