ColddBox: Easy Vulnhub Write-up
Hey there! Today we will try a beginner-level boot2root challenge called ColddBox, created by ‘c0ldd’. You can download this machine from the link: https://www.vulnhub.com/entry/colddbox-easy,586/.
1.) Target Discovery
# netdiscover -i wlan0

This command gave me the target’s IP address, which is 192.168.1.9.
2.) Port Scanning and Service Detection
# nmap -sT -sV -p- 192.168.1.9

With the help of nmap I found two services running on this VM: HTTP on port 80 and SSH on port 4512.
3.) Web Enumeration

After some manual enumeration I found a WordPress installation. Whenever we find WordPress, our first approach is to use WPScan.
# wpscan --url http://192.168.1.9/ --enumerate u


We got the users c0ldd, hugo and philip. With these users in hand, I tried to brute-force the password with WPScan.
# wpscan --url http://192.168.1.9/ --usernames c0ldd --passwords /opt/wordlist/rockyou.txt --password-attack wp-login


We got valid credentials for the user c0ldd: 9876543210.

Login successful. After that I tried to install a plugin called “WP File Manager”.
It’s a plugin which lets you download and upload files on the remote server. Uploading a reverse shell would not give us a shell as the user ‘c0ldd’, so I tried to install the plugin and then download the ‘wp-config.php’ file to get an SSH connection as the user ‘c0ldd’.


After downloading the ‘wp-config.php’ file I got the correct password for the user ‘c0ldd’, which is ‘cybersecurity’.
4.) SSH Connection
# ssh c0ldd@192.168.1.9 -p 4512

Yehhh..! Got the SSH connection and the user.txt user flag. Time for privilege escalation.
5.) Privilege Escalation

# sudo -l
The above command tells us that we can run a set of commands with sudo rights, such as vim, ftp and chmod.
So I used the ftp command to get root privileges.
# sudo ftp
ftp>!/bin/bash

Got root privileges and the root.txt final flag. Finally, the boot2root challenge is completed.
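Seen from the defender's side, the sudo rules found in step 5 are what turn a low-privileged login into root. The Python check below is an added example, not part of the original write-up: it audits `sudo -l` output for the three binaries named above, and the sample listing, its paths and the host name `target` are constructed.

```python
import os
import re

# Binaries the write-up found in `sudo -l`. The reasons are general properties
# of each tool; the list is an assumption and should be extended for real audits.
RISKY = {
    "ftp": "interactive client that can start a local shell",
    "vim": "editor that can run shell commands and write any file",
    "chmod": "can change permissions on any file when run as root",
}

# One rule line of `sudo -l`, e.g. "    (root) NOPASSWD: /usr/bin/ftp, /bin/chmod"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (command, reason) for rules that run a risky binary as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append(("ALL", "unrestricted sudo"))
            elif os.path.basename(cmd.split()[0]) in RISKY:
                findings.append((cmd, RISKY[os.path.basename(cmd.split()[0])]))
    return findings


# Constructed sample in the layout `sudo -l` prints; not output from the VM.
SAMPLE = """\
User c0ldd may run the following commands on target:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) /usr/bin/lsb_release -a
"""

if __name__ == "__main__":
    for cmd, why in audit_sudo_listing(SAMPLE):
        print(f"RISKY sudo rule: {cmd}: {why}")
```

Any rule it reports should be removed from sudoers or replaced with a narrowly scoped wrapper that cannot spawn a shell.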