Hey everyone, here is my walkthrough of the VulnHub machine ColddBox: Easy, created by Martin Frias aka C0ldd. This walkthrough consists of:
- Enumeration
- Password brute forcing
- Reverse shell
- Privilege escalation
- Threat impacts
Let's get started.
Enumeration
Step 1: Make sure the VulnHub machine is up and running on the same network adapter as your work machine. Open the terminal and run the command:
sudo netdiscover

We can identify the IP address of the target machine, as it comes with the MAC vendor/hostname PCS Systemtechnik GmbH.
Step 2: Now that we have the IP address of the target machine, let's run an nmap scan to find out about the open ports and the services behind them.
nmap 192.168.0.104 -A

Here I am running an aggressive scan (-A), which outputs the most information available (OS detection, version detection, script scanning and traceroute). You can see that port 80 is open, which means you can access the HTTP website through the browser. Let's go and see what is there.
Step 3: Now we are at the target's website.

It looks like a normal website. By going through the introduction message, we get to know that it was designed by C0ldd and that there are several ways to escalate the user's privileges. That is cool, let's try out all the ways.

We can see that this is a WordPress site and there is an option to log in. Let's click on Log in and see where it takes us.

It takes us to a WordPress login page. Now we need to find a way to figure out the credentials. Before we do that, let's enumerate this website further by searching for any hidden directories.
Step 4: We can search for hidden directories using a tool called gobuster. To do that I run the command:
gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dir : The mode used to perform directory brute forcing.
-u : Selects the URL for the attack.
-w : Selects the wordlist for the attack.

We can see the hidden directories of the website; let's go check the one called /hidden.

We got a message stating that the user called C0ldd has permission to change Hugo's password. This was told by Philips. These could be the names of the people operating this website. Speaking of websites, since it is a WordPress site, we can run wpscan to enumerate more information about it, and we may even find vulnerabilities and the usernames that we are looking for.
Step 5: We can run wpscan to enumerate the target website by using the command:
wpscan --url http://192.168.0.104/ -e
--url : Selects the target's URL
-e : Enumerate (with no argument, wpscan runs its default enumeration, which includes users)

We can see that this version of WordPress (4.1.31) is insecure and outdated. This means that the website might be vulnerable, and we can find exploits for those vulnerabilities online on websites like Exploit-DB and WPScan.

Here, we can see the usernames of the target website.

Since it is an insecure and outdated version of WordPress, we can confirm the legitimacy of a username by typing in the username and random text for the password. When we hit enter, it shows us that the password for said user is wrong, confirming that the user exists.
Password brute forcing
Step 6: We know the user called c0ldd is one of the main users of the website. Let's do a password brute forcing attack on this WordPress login portal using wpscan. To do that, I run the command:
wpscan --url http://192.168.0.104/ -U c0ldd -P /usr/share/wordlists/rockyou.txt
-U : Selects the username
-P : Selects the wordlist/password list

We found the password! Now, let's log in.
Reverse shell
Step 7: After logging in, we are at the dashboard page. Now our primary objective is to get a reverse shell into the server. For that, we need to find a place to inject our malicious code in this website.

We can do that by clicking on Appearance > Editor.

Here we can find the template files and we can modify them to our liking. When we are trying to get the reverse shell using this method, usually we modify the 404 Template (404.php), but in this case that didn't work. So we are going to modify the Footer (footer.php).
Step 8: There is a reverse shell template available online for this specific scenario involving .php files. We can access that by going to this GitHub page.

Click on the highlighted .php file.

Make sure to copy the entire code.
Step 8: Come back to the Editor page and select the Footer template.

Replace the original code with the code we copied from GitHub.

Replace the default IP address with your own IP address and change the port number to your liking (I am going to use port 1337). You can find your IP address by running the command ifconfig in your terminal (ipconfig for Windows).
Step 9: After replacing the values, click on the Update File button and you will get a message saying "File edited successfully", which confirms our action.
Step 10: Now, let's get back to the terminal and use the Netcat tool to listen on the port that we have specified in our malicious code. We can do that by running the command:
nc -lvnp 1337
nc : netcat
-l : Listening mode
-v : Verbose
-n : Disables DNS resolution to increase the speed
-p : Port number
Step 11: To make the website run the malicious code that we stored in the footer.php file, we need to refresh our target website.

Now that we refreshed the target website, let's go check our Netcat listener that is running in our terminal.

Awesome! We have successfully performed the reverse shell and got the shell running in our terminal. You are doing great so far, let's keep going!
Privilege Escalation
Step 12: Let's start by changing our shell to the bash shell, because it is more comfortable. We can do that by running the command:
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 : Runs the Python 3 interpreter.
-c : Provides a Python command as a string to be executed by the interpreter.
import pty : Imports the pty module ("pseudo-terminal"), which provides functions to control terminal emulation.
pty.spawn("/bin/bash") : Uses the pty.spawn function to spawn a new interactive Bash shell (/bin/bash). Essentially, it starts a new Bash shell process within the current shell session, giving you access to a full command prompt.
Step 13: Let's see what files we have in here by running the command:
ls

Now that we are inside the server, let's look for files that contain important information. In a WordPress website, there is a core file that consists of the base configuration details of the website, and that file is called wp-config.php. We can find that file in the directory /var/www/html.

Step 14: Let's open the wp-config.php file by using the cat command:
cat wp-config.php
Step 15: Now that we found the password for the user c0ldd, let's switch over to that account by using the su command and entering the password.
su c0ldd
su : switch user

Step 16: Let's go to c0ldd's home folder and check if we can find anything interesting. We can navigate there by using the command:
cd /home/c0ldd
Inside the home folder of the current user, we found user.txt, which we opened by using the cat command. The text inside looks like it is encoded with base64. Let's decode it and see.
Step 17: We can decode the text using the command:
echo "RmVsaWNpZGFKZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==" | base64 -d
echo : Prints the string inside the quotes
| : Acts as a pipe, transferring the output to the command that comes after it
base64 -d : Decodes the base64 string

Which translates into our first flag.
Step 18: Now that we got our first flag, it is time to escalate our privileges to the root user. Let's see what our current user's sudo permissions are. We can do that by using the command:
sudo -l

From this, we can see that our user (c0ldd) can run the following commands:
- chmod
- vim
- ftp
with the same permissions as the root user. We can escalate our privileges to root by using any of these three commands, and we will try out all three ways. Before we begin, there is a website called GTFOBins, which has all kinds of tricks to bypass security restrictions, and we are going to use that website to help us during our tasks.
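On the defensive side, the `sudo -l` output above is exactly what a sudoers audit should catch: vim and ftp both offer a shell escape, and chmod run as root can strip the protection from /root, so each entry is equivalent to handing out a root shell. Below is an added example, not from the original walkthrough, that parses `sudo -l` output and flags such entries; the sample output and host name are constructed, and the set of shell-escape binaries is a small subset of the GTFOBins catalogue.

```python
import re

# Small subset of GTFOBins entries: programs that spawn a shell (or read/write arbitrary
# files) when run as root, so a sudo rule for them is equivalent to a root shell.
SHELL_ESCAPE = {'vim', 'vi', 'ftp', 'less', 'more', 'man', 'awk', 'find', 'python3', 'perl'}
# Programs that do not spawn a shell but can strip protection from root-owned files.
PERMISSION_CHANGERS = {'chmod', 'chown'}

# One command entry in `sudo -l` output, e.g. "    (root) NOPASSWD: /usr/bin/vim, /bin/chmod".
ENTRY_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$')

def audit_sudo_l(output):
    """Return [(binary, reason)] for every root-level command a user may run via sudo
    that is known to give a shell or to defeat file permissions."""
    findings = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue            # skips "User x may run ..." and "Matching Defaults" lines
        runas_user = m['runas'].split(':')[0].strip()   # "(root)" or "(root : root)"
        if runas_user not in ('root', 'ALL'):
            continue
        for cmd in m['cmds'].split(','):
            path = cmd.strip().split()[0]
            name = path.rsplit('/', 1)[-1]
            if path == 'ALL':
                findings.append((path, 'unrestricted root'))
            elif name in SHELL_ESCAPE:
                findings.append((name, 'shell escape'))
            elif name in PERMISSION_CHANGERS:
                findings.append((name, 'can make root-owned files world-accessible'))
    return findings

# Constructed sample modelled on the rule set found on this machine (host name made up).
SAMPLE_SUDO_L = """\
Matching Defaults entries for c0ldd on target-host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User c0ldd may run the following commands on target-host:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""
```

The usual fix for a flagged entry is to remove it, or to replace the bare binary with a wrapper script that performs the one privileged action the user actually needs.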
Using chmod
Step 19: Go to the GTFOBins website and search for chmod. Come to the sudo section.

We can use this method to change the permissions of a file that is restricted to the low-privilege user and turn it into an accessible file for every user.
In our case, the file that we want to access is the root directory. We can set that by using the command:
LFILE=root
Then execute this command:
sudo chmod 6777 $LFILE
sudo : Runs the command as root (super user do)
chmod 6777 :
6 = Gives read, write and execute access to the owner of the file
777 = Gives read, write and execute access to every user.

Now, we can access the root directory and find root.txt.

We can see the file permissions that have been modified after using the chmod command. Ok, now let's go and open that root.txt.
Step 20: We can open the root.txt file using the cat command:
cat root.txt
and decode the base64 string using the command:
echo "wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=" | base64 -d

Which translates into our final flag.

Congratulations for coming this far and completing the machine! You guys are awesome! You can turn it off now or try out the other ways of escalating privileges on this machine with me. Alright then, let's go!
Using vim:

As you can see, when we use the id command, it shows that we are still the user called c0ldd, not root. Using the vim command, we can access the terminal as root. Let's do that now!
Step 21: Go to the GTFOBins website and search for vim. Come to the sudo section.

Let's use option (a):
sudo vim -c ':!/bin/sh'
sudo : super user do
vim : Opens vim
-c : Passes the command into vim
':!/bin/sh' : ":" enters the command "!/bin/sh" inside vim and executes it, which creates a shell session inside vim with root privileges.

Now, we have good news and bad news. The good news is, we are root. The bad news is, we are inside vim. I have struggled many times without knowing a way to exit vim. Now, let's see how to do it.
Step 22: Here I have changed the shell into the bash shell using the python command that I mentioned above, but there is no need to do that. This method works fine with the (/bin/sh) shell too. Type "exit" and hit enter.

Hit enter again and you will see this screen.

Shift + ZZ and hit enter. We are free. ("Shift + ZQ" to quit without saving the changes)
Using ftp:
Step 23: Go to the GTFOBins website and search for ftp. Come to the sudo section.

Step 24: We run the command:
sudo ftp
sudo : super user do
ftp : Runs an interactive ftp session
Combined, the command opens an interactive ftp session with root privileges.
Inside the ftp session, we run the command:
!/bin/sh
It creates a /bin/sh shell with root privileges.

Threat impacts:
1. Having root privileges allows the attacker to change the passwords of the users.

2. Having root privileges allows the attacker to modify the sudoers file, which is used to allow and restrict the permissions of the users.

Thank you so much for following along with this walkthrough and I hope you find it helpful. All the best with your cyber security journey and keep up the good work!