This is the write-up for TryHackMe’s room named ColddBox: Easy
Room’s URL: https://tryhackme.com/room/colddboxeasy
It is an easy boot2root box, and the task is to get the user and root flags.
Enumeration:
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.128.156
# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p80,4512 10.10.128.156
So we have a WordPress site and SSH running on a non-standard port.
WordPress Enumeration
Browse the website
And find the WordPress login portal at: http://10.10.128.156/wp-login.php
The next step is to run WPScan to enumerate plugins and users and check whether users’ passwords can be brute forced:
wpscan --url http://10.10.128.156 --enumerate ap,u
[+] XML-RPC seems to be enabled: http://10.10.128.156/xmlrpc.php ==> This indicates that users’ passwords can be brute forced.
Put the above users in a file named user.txt and let’s brute force the password:
wpscan --url…