# Technical Report

## <mark style="color:purple;">Technical Security Report: "ColddBox" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This report outlines the penetration testing process conducted on the *c0ldd Box* machine, detailing the steps taken to identify and exploit vulnerabilities in order to obtain both user and root access.

***

### <mark style="color:purple;">Methodology</mark>

1. Port scanning and service enumeration using Nmap.
2. WordPress user enumeration and brute-force attack using WPScan.
3. Plugin upload and reverse shell execution.
4. Post-exploitation: credential discovery via configuration files.
5. Privilege escalation using misconfigured sudo permissions.

***

### <mark style="color:purple;">Detailed Findings</mark>

* **Reconnaissance**
  * A fast scan with Nmap (`nmap -sCV -F -T5`) revealed an HTTP service running WordPress version 4.1.31 on port 80.
* **Enumeration**
  * WPScan was used to enumerate users:\
    `wpscan --url http://10.10.70.7 --enumerate u`\
    Result: `hugo`, `c0ldd`, `phillip`
  * A brute-force attack identified valid credentials for the user `c0ldd` using the `rockyou.txt` wordlist.
* **Exploitation**
  * Using the `c0ldd` credentials, access to the WordPress admin panel was gained.
  * A reverse shell (PentestMonkey PHP script) was uploaded as a plugin and triggered via HTTP to obtain a shell.
  * A TTY shell was upgraded using Python.
* **Post-Exploitation**
  * With a shell as `www-data`, access to `/var/www/html/wp-config.php` revealed the MySQL password, which also worked to access the `c0ldd` user via `su`.
  * User flag obtained after switching users.
* **Privilege Escalation**
  * `sudo -l` showed that the user `c0ldd` could execute `chmod`, `ftp`, and `vim` as root.
  * Root access was gained using:\
    `sudo chmod 777 -R /root`\
    Flag extracted from `/root/root.txt`.
  * Additionally, root was achieved with:\
    `sudo vim -c ':!/bin/sh'`

***

### <mark style="color:purple;">Recommendations</mark>

*Short-Term:*

* Update WordPress to the latest stable version to avoid known exploits.
* Disable plugin uploads or restrict to trusted administrators.
* Avoid credential reuse between services (e.g., database and system accounts).
* Configure strong password policies and lockout mechanisms.

*Long-Term:*

* Implement role-based access controls in WordPress.
* Monitor and audit `sudo` permissions regularly.
* Disable unnecessary binary access via `sudo`.
* Harden PHP upload handling and isolate web application from critical files.

***

### <mark style="color:purple;">Conclusion</mark>

The *c0ldd Box* machine was compromised via a vulnerable and outdated WordPress installation. Improper user permission configurations and password reuse allowed for lateral movement. Weak sudo policies enabled full system compromise. This scenario highlights the importance of patch management, access control, and system hardening.