PENTESTING ON COLDBOX

Methods

* Information gathering
* Scanning and Enumeration
* Exploitation
* Maintaining acesses
* Covering tracks

First of all, I have to find the IP address of the target. So I used whatweb to
find it.
IP[104.21.67.182]

After this, I Identified my target IP. Now I begin the enumeration part of this.

I performed a nmap scan for the target IP to find out the open ports and versions
run on that ports.

From this nmap scan, I found there are four open ports.

Port : 80/tcp | Service : http | Version : Cloudflare http proxy

Port 443/tcp | Service : ssl/https | Version : cloudflare

Port 2053/tcp | Service : ssl/https | Version : ngnix

Port 2087/tcp | Service : ssl/https | Version : ngnix

From this point I identified port 80 is opened then it works with the browser. And
I enter the target IP into the browser.

The bottom of this has a login link.

Now I click that and browse to that link. Then I can identify this based on
WordPress. But I find this before from whatweb command.

So now I used wpscan tool to find out the usernames and passwords for them. First I
enumerate the usernames.

From this, I found there are several user names with this.

I chose the cold username and I perform a command to find the password of it with
wpscan.

From this, I found that password and it is 9876543210

Now, I used this username and password to log into the WordPress admin dashboard.

now I’m in the admin dashboard.

Uploading a Reverse Shell

The next step is to get a reverse shell. For this, we can add a reverse shell by
modifying the header.php.

I will be using the php-reverse-shell by the pentestmonkey. This is the GitHub repo
for that.
After taking this reverse-shell I copied it to the header.php file in the WordPress
dashboard.

In this reverse-shell, we have to change our IP and port. For it, I perform
ipconfig command to find my IP address.

After taking that I changed the header.php file which holds on the reverse-shell.

IP = [104.21.67.185]

PORT =4545

After change this I open my kali terminal and used the Netcat tool to listen the
port 4545

While listing that port we have to re-browse targeted IP addresses on the browser.
Then we can see a low privilege shell on our Kali terminal.

Now I opened the python spawned shell.

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Now here we can see php files. the most important one is the wp-config.php file
because it contains the user name and password for the database.

So I used more command to see that file to find username and password.

From this, I can obtain the credentials.

Now I used these credentials to log into that account.

now I’m in the cold account. But I didn’t get root privileges. Now I perform the ls
command to know what are the files in there.

Then I find a file called user.txt. Then I use the cat command to see the content
of the file. From that, I found some encoded text inside of the file. It looks like
base64 encoded text. So I used my Kali box to decode that text.

In the first step to getting root privileges, I perform sudo -l command to list
binary files which provide the root.

Now use GTFOBins to exploits the above binaries. I chose ftp to exploit. This is
the command to that. You can take them from here.

Now I’m going to exploit it.

now I’m on the root. Then I am going to find the next flag of this box.

I found this root.txt from ls command. Then I used cat command to see the content
of the file. It’s like the previous file (user.txt). Then I used my Kali box to
decode that text.