TryHackMe ColddBox: Easy (Beginner Friendly Write-up)

Hi, it’s me again! Today I’ll be writing a write-up for ColddBox: Easy from the TryHackMe Platform. This room is created by C0ldd. Without further ado, let’s start!

Link to TryHackMe ColddBox: Easy room: https://tryhackme.com/room/colddboxeasy

This is the page when we go to the IP address.

Nmap

Let’s start by running Nmap.

nmap -sC -sV -T4 -p- <Machine-IP>

We can see there are 3 open ports on this IP.

Enumeration

Let’s run gobuster.

gobuster dir -w <Wordlist-Path> -u http://<Machine-IP>

After the enumeration, we actually found something fishy.

After going to the directory, we can see:

From here, we can see that there are 3 people:
1. C0ldd
2. Hugo
3. Philip

These names might be useful later. Taking note of them doesn't do any harm. ;D

WPScan

Run up WPScan with the following command:

wpscan --url http://<MACHINE-IP> --passwords <Path-to-List>

And we have it. Now go to the login page, enter the credentials we obtained, and we are in.

Login Page for WordPress.
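The password attack above shows up clearly in the web server's access log: one source hammering wp-login.php with POSTs. As an added example (not part of the original write-up), this Python script parses Apache combined-format log lines, counts wp-login.php POSTs per source IP in a sliding window, and flags a burst followed by a 302 redirect as a likely successful guess. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; named groups pull out the fields the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_wp_login_bruteforce(lines, threshold=10, window_s=60):
    """Flag IPs that POST to /wp-login.php at least `threshold` times inside any
    `window_s`-second window. WordPress re-renders the form with HTTP 200 on a failed
    login and answers a successful one with a 302 redirect, so a 302 after the burst
    is reported as a likely successful guess."""
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    findings = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the sorted attempts
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = {"attempts": len(events),
                                "likely_success": any(st == 302 for _, st in events[start:])}
                break
    return findings

# Constructed sample log (not from the original post): 12 POSTs in 12 seconds from one
# source, the last answered with a 302, plus an ordinary visitor logging in once.
_FMT = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "{ua}"'
SAMPLE_LINES = [_FMT.format(ip="10.0.0.5", sec=i, m="POST", p="/wp-login.php",
                            st=302 if i == 11 else 200, ua="WPScan v3.8.22") for i in range(12)]
SAMPLE_LINES += [_FMT.format(ip="192.168.1.20", sec=30, m="GET", p="/index.php", st=200, ua="Mozilla/5.0"),
                 _FMT.format(ip="192.168.1.20", sec=45, m="POST", p="/wp-login.php", st=302, ua="Mozilla/5.0")]
```

Running `find_wp_login_bruteforce(SAMPLE_LINES)` reports only 10.0.0.5, with 12 attempts and likely_success set; the single legitimate login from 192.168.1.20 is not flagged.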

Inside WordPress

After logging in, we go to the plugin page to upload the reverse shell.

To find the script we uploaded, we can go to the /wp-content/uploads/ directory to find the path where the script is stored. We can then use the curl command to request the script, which activates it. Before running curl, remember to start netcat listening in another terminal.

We are in.

User.txt

I instantly cd'd to /home/c0ldd to get user.txt. But it failed: user.txt requires sudo permission to view it. So now we can try looking in other places. Suddenly I thought about the HTML page, so I searched for it and found it in the /var/www/html directory. With the cat command, we can look into wp-config.php for any information. And we found the password for the user c0ldd.

Now we can escalate our privileges to c0ldd.

Then we go to /home/c0ldd and retrieve the text.

Root.txt

Now the root.

Run sudo -l as the c0ldd user and we can see that vim can be run with sudo, which we can use to escalate.

Go to GTFOBins and search for vim, and we can look at the exploit as below.

After inputting the command, we have the root.

Use the command cat /root/root.txt and we finally retrieve the root flag.

And we are done again!

Thank you for reading my write-up for this room!

There are some other exploits, but I have not tried them yet. Nevertheless, the room is very fun and challenging for a beginner and very good practice for players of other levels.

Special thanks to the creator and TryHackMe for providing us such a great place to learn hacking.

############################################

Anyone willing to gift me any free vouchers is greatly appreciated XD

############################################
