By R3a50n
11-16-2018
Intro:
Raven 1 is listed as a beginner/intermediate CTF box on Vulnhub. I would classify it more as beginner but it always depends on the attacker’s skill set. I would recommend running it in VMWare because of the trouble I had trying to get it running with VirtualBox.
Quick warning about the commands in this post. The font on this site will make double dashes look like one long dash. If you’re getting syntax errors or other unexpected results, check the command’s help reference.
Ok on with the hacky stuff …
Step 1:
Identify the IP Address
netdiscover -r 192.168.2.0/24
In my lab it came out as 192.168.2.40 but yours may vary.
Step 2:
Nmap Scan
nmap -sC -sV -v 192.168.2.40 -oN map1
This will do version detection, run the default scripts, print verbose output and dump the results to a file. Keep in mind this will only scan the most popular 1000 ports unless otherwise specified.
Here we can see 22 (ssh), 80 (http) and 111 (rpc) are open. RPC gives us some information on some other ports but that’s not necessary. Let’s take a look at the web port.
Step 3:
Browse to site
Looks like WordPress, but let’s look around a little. In the source of the Service tab, the first flag becomes visible.
Navigating to the Blog tab confirms it’s WordPress, but it looks broken.
Looking at the source we can see it’s trying to locate raven.local.
By adding 192.168.2.40 raven.local to the /etc/hosts file, we can make things resolve properly.
Step 4:
Scan WordPress
Since this is WordPress, let’s run a wpscan and see if we can enumerate some users.
wpscan --url 192.168.2.40/wordpress --enumerate u
Going to the login page, I tried to guess the passwords, but nothing worked. I did find out that there are no lockouts. This makes it a perfect candidate for a brute force attempt.
Step 5:
Brute Force
Wpscan will do brute force attempts on enumerated users, however, it will only do one at a time. I wanted to do both users at the same time so I ran two different instances of wpscan each with one of the user names.
wpscan --url 192.168.2.40/wordpress -U steven -w /usr/share/wordlists/rockyou.txt --threads 25
After some time, the steven account displayed an error on one of the responses.
Let’s try it anyway … and it works!
Here you can also find flag3 within the posts.
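A defender-side counterpart to this step, added here as an example that is not part of the original post: a small Python script that parses Apache access-log lines and flags any source address that POSTs to wp-login.php at least a threshold number of times inside a sliding one-minute window, which is the footprint a wpscan run leaves on a site with no lockout policy. The log lines, the 192.168.2.77 source address and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_login_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for every source that POSTs to wp-login.php at
    least `threshold` times inside any sliding window of length `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # slide the window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample traffic (not a real capture): 12 login POSTs within one minute
# from 192.168.2.77 (hypothetical scanner address), plus two ordinary requests.
def make_line(ip, second, method, path, status):
    ts = (datetime(2018, 11, 16, 10, 0, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.61"'

SAMPLE_LOG = [make_line("192.168.2.77", 5 * i, "POST", "/wordpress/wp-login.php", 200) for i in range(12)]
SAMPLE_LOG += [make_line("192.168.2.15", 30, "GET", "/wordpress/", 200),
               make_line("192.168.2.15", 45, "POST", "/wordpress/wp-login.php", 302)]

if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG))  # {'192.168.2.77': 12}
```

The same check run against the real access log for raven.local would surface the steven brute force from Step 5; a single legitimate login from another address stays below the threshold.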
Step 6:
SSH
So now we could try to bypass WordPress file upload restrictions to get a shell, but first let’s try something else. Remember the SSH port? The user may have reused his credentials there.
Let’s try it!
Step 7:
Post Exploitation – Root – Final Flag
It worked! Now we have user access on the box. If you’re hunting for flags, our missing Flag2 can be found in the /var/www directory.
Ok, let’s get root. One of the first things to check is our sudo permissions.
This is great! We can run python as root, which means we can basically do whatever we want. Let’s get a bash shell. The command I’m using is normally used to upgrade shells that don’t have tty support, but it works perfectly fine in this situation as well.
Root Dance!
And now we can go for that final flag …
That was Raven 1. Another path to getting the initial shell would have been to brute force the SSH login. I didn’t do it initially because SSH brute forcing usually takes forever, but it does work. The wpscan brute force took over an hour, though I did have the threads split between two different accounts. With access to the WordPress directory you can get the root MySQL password and search the database. You could potentially crack the other user password using hashcat or john faster than the wpscan brute force. In the end that wasn’t needed.
Final Thoughts:
Raven 1 was more basic than intermediate, but decent for those just starting out. I don’t love brute force as a path on a CTF, but it is a good skill to learn. I thought flag2 was in a strange place and only found it by searching the file system after rooting the box. Putting it in one of the user directories (steven has access to both) would have made more sense. Anyway, it wasn’t a bad way to spend a few hours. I’ll have to try Raven 2 soon.
I also made a video with some extra content at the end. It shows SSH brute forcing with hydra and WordPress brute force with BurpSuite. You can find it here.
Happy Hacking
-R3a50n