I quickly grabbed the open ports with threader6000 and ran the suggested nmap scan. There only seems to be two ports open: 80 for an apache webserver and 4512 for SSH. It’s a bit odd seeing SSH on port 4512 as it’s usually used with port 22.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 # Nmap 7.91 scan initiated Thu Jan 7 12:02:10 2021 as: nmap -p80,4512 -sV -sC -Pn -T4 -oN 10.10.38.227 10.10.38.227 Nmap scan report for 10.10.38.227 Host is up (0.070s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-generator: WordPress 4.1.31 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: ColddBox | One more machine 4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA) | 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA) |_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Jan 7 12:02:20 2021 -- 1 IP address (1 host up) scanned in 9.60 seconds
Navigating to the website on port 80 showed a common wordpress blog-type website with a single post and a comment.
I’ve ran feroxbuster, a content discovery tool written in rust to find hidden directories. I like this tool because it only takes a single command line argument and does an okay job of finding directories recursively.
After the scan finished, feroxbuster found a couple entries with one standing out, a “hidden” directory.
Going to that endpoint by entering
http://machine-ip/hidden displayed a simple message:
1 2 U-R-G-E-N-T C0ldd, you changed Hugo's password, when you can send it to him so he can continue uploading his articles. Philip
This message gives us 3 potential usernames for later use, so keeping a note of them is always a good idea.
Then, I’ve ran a
wpscan scan to check out more information about the underlying wordpress install.
wpscan –url http://machine-ip
This scan didn’t show much information so I’ve navigated to the wordpress login page to try some of the usernames from the previously found note. Trying to basic username-password combinations did not yield any successful results, so I went back to
wpscan to use it’s wordpress login attack functionality.
As the previously found note mentioned that the user
c0ldd changed Hugo’s password, I figured c0ldd might be the adminstrator of the site, so I ran a password attack against this user.
wpscan –url http://machine-ip -P /usr/share/wordlist/rockyou.txt -U c0ldd –max-threads 50
This attack was successful and gave me the password for c0ldd. After logging in, I was indeed an administrator, meaning I could add and edit users/pages/themes etc. in the wordpress install.
This kind of vector can allow an attacker to inject malicious payloads into the wordpress page to get code execution. In boot2root machines this vulnerability is often exploited to execute a reverse shell script in order to get command line access on the target machine. The exploitation is done by uploading a PHP reverse shell script to either the plugins or themes of the wordpress install.
In this case, after some trial and error, I’ve changed the landing page to pentesmonkey’s reverse shell PHP script. This is a very crude and unrealistic way to get the script on the page because in a live environment this will break the website completely, making it impossible for users to load the main page (index.php). So it’s a very bad idea to do it. However as this is a contained, learning environment with only me as a single user, it doesn’t really matter if the page breaks or not.
To upload the reverse shell, I navigated to themes -> editor and then replaced index.php with my script.
Then, after setting up a listener on kali with pwncat
pwncat -lp 4444, I’ve refreshed the main page of the website and got a shell on the box.
Finding user was pretty easy. Though, it took me way longer than it should have as I ignored the glaringly simple fact that I had access to the /var/www/ folder. In a wordpress install there is often a database configured as well.
Numerous configuration values, including database credentials are stored in the
wp-config.php file in the /var/www/ directory. Checking out this file, indeed revealed database credentials for the user c0ldd. Using the username and password, I could login to the database, however there didn’t seem to be any useful information in it.
So the next thing I tried was to
su (change user) to c0ldd with the same password and it worked.
Now I had access to user.txt
Root was probably the easiest part in this machine.
Checking sudo privileges with
sudo -l on the user c0ldd showed multiple interesting resulst.
This user could run vim, chmod and ftp as root. A quick GTFOBins search displays multiple results for all three of them on how to elevate privileges and get a root shell.
I decided to choose vim as I already knew how to get a shell from it. To get a root shell from vim, the only thing we need to do is run vim as root
sudo vim Then spawn a shell by entering
And now we have a root shell.
This was a pretty easy but refreshing machine where I got to practice some wordpress enumeration and password attacks as well as manual enumeration. This room also showed me (yet again) the importance of not ignoring little basic things after getting an initial shell.