Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "ColddBox" System

Purpose of the Report

This report outlines the penetration testing process conducted on the c0ldd Box machine, detailing the steps taken to identify and exploit vulnerabilities in order to obtain both user and root access.

Methodology

  1. Port scanning and service enumeration using Nmap.

  2. WordPress user enumeration and brute-force attack using WPScan.

  3. Plugin upload and reverse shell execution.

  4. Post-exploitation: credential discovery via configuration files.

  5. Privilege escalation using misconfigured sudo permissions.

Detailed Findings

  • Reconnaissance

    • A fast scan with Nmap (nmap -sCV -F -T5) revealed an HTTP service running WordPress version 4.1.31 on port 80.

  • Enumeration

    • WPScan was used to enumerate users: wpscan --url http://10.10.70.7 --enumerate u Result: hugo, c0ldd, phillip

    • A brute-force attack identified valid credentials for the user c0ldd using the rockyou.txt wordlist.

  • Exploitation

    • Using the c0ldd credentials, access to the WordPress admin panel was gained.

    • A reverse shell (PentestMonkey PHP script) was uploaded as a plugin and triggered via HTTP to obtain a shell.

    • A TTY shell was upgraded using Python.

  • Post-Exploitation

    • With a shell as www-data, access to /var/www/html/wp-config.php revealed the MySQL password, which also worked to access the c0ldd user via su.

    • User flag obtained after switching users.

  • Privilege Escalation

    • sudo -l showed that the user c0ldd could execute chmod, ftp, and vim as root.

    • Root access was gained using: sudo chmod 777 -R /root Flag extracted from /root/root.txt.

    • Additionally, root was achieved with: sudo vim -c ':!/bin/sh'

Recommendations

Short-Term:

  • Update WordPress to the latest stable version to avoid known exploits.

  • Disable plugin uploads or restrict to trusted administrators.

  • Avoid credential reuse between services (e.g., database and system accounts).

  • Configure strong password policies and lockout mechanisms.

Long-Term:

  • Implement role-based access controls in WordPress.

  • Monitor and audit sudo permissions regularly.

  • Disable unnecessary binary access via sudo.

  • Harden PHP upload handling and isolate web application from critical files.

Conclusion

The c0ldd Box machine was compromised via a vulnerable and outdated WordPress installation. Improper user permission configurations and password reuse allowed for lateral movement. Weak sudo policies enabled full system compromise. This scenario highlights the importance of patch management, access control, and system hardening.

PreviousWrite-upNextExecutive Report

Last updated