ColddBox

ColddBox - TryHackMe

Overview

ColddBox is a beginner-friendly machine designed to test your skills in WordPress enumeration, brute-force attacks, reverse shell deployment, and privilege escalation. The target simulates a vulnerable WordPress instance where users must identify weak points to gain unauthorized access and retrieve two hidden flags.


Key Objectives

  1. Perform service enumeration to discover the CMS in use.

  2. Enumerate WordPress usernames.

  3. Brute-force a valid user password using a wordlist.

  4. Upload a reverse shell via the WordPress admin panel.

  5. Upgrade the shell to a more interactive environment.

  6. Extract user-level credentials and access the first flag.

  7. Enumerate privilege escalation vectors.

  8. Gain root access and retrieve the root flag.


Skills Demonstrated

  • Nmap scanning

  • WordPress enumeration with WPScan

  • Brute-force attacks using common wordlists

  • Manual reverse shell deployment via plugin upload

  • Basic Linux privilege escalation

  • Use of SUID binaries for privilege escalation

  • Post-exploitation enumeration


Relevance

This machine introduces essential web exploitation and post-exploitation techniques for beginner penetration testers. It highlights the risk posed by weak credentials, misconfigured CMS platforms, and improperly set SUID binaries, all of which are commonly found in real-world environments. ColddBox gives practical experience in identifying and chaining vulnerabilities for full system compromise.
