Vulnhub Raven 1 Walkthrough

By R3a50n
11-16-2018

Raven

Intro:

Raven 1 is listed as a beginner/intermediate CTF box on Vulnhub. I would classify it more as beginner but it always depends on the attacker’s skill set. I would recommend running it in VMWare because of the trouble I had trying to get it running with VirtualBox.

Quick warning about the commands in this post. The font on this site will make double dashes look like one long dash. If you’re getting syntax errors or other unexpected results, check the command’s help reference.

Ok on with the hacky stuff …

Step 1:

Identify the IP Address

netdiscover -r 192.168.2.0/24

In my lab it came out as 192.168.2.40 but yours may vary.

Step 2:

Nmap Scan

nmap -sC -sV -v 192.168.2.40 -oN map1

This runs version detection (-sV), the default NSE scripts (-sC) and verbose output (-v), and writes the results to a file (-oN map1). Keep in mind this only scans the 1000 most popular ports unless otherwise specified.

[screenshot: raven1]

Here we can see 22 (ssh), 80 (http) and 111 (rpc) are open. RPC lists some other ports as well, but we don’t need them. Let’s take a look at the web port.

Step 3:

Browse to the site

[screenshot: raven2]

Looks like WordPress, but let’s look around a little. In the page source of the Service tab, the first flag becomes visible.

[screenshot: raven3]

Navigating to the Blog tab confirms it’s WordPress, but it looks broken.

[screenshot: raven4]

Looking at the source we can see it’s trying to locate raven.local.

[screenshot: raven5]

By adding the line 192.168.2.40 raven.local to the /etc/hosts file, we can make the hostname resolve properly.

[screenshot: raven6]

Step 4:

Scan WordPress

Since this is WordPress, let’s run a wpscan and see if we can enumerate some users.

wpscan --url 192.168.2.40/wordpress --enumerate u

[screenshot: raven7]

Going to the login page, I tried to guess the passwords, but nothing worked. I did find out that there are no lockouts. This makes it a perfect candidate for a brute force attempt.

[screenshot: raven8]

Step 5:

Brute Force

Wpscan will run brute force attempts against the enumerated users; however, it only handles one user at a time. I wanted to attack both users at once, so I ran two separate instances of wpscan, each with one of the user names.

wpscan --url 192.168.2.40/wordpress -U steven -w /usr/share/wordlists/rockyou.txt --threads 25
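As an added, defender-side example (not from the original post), here is how a wpscan login run like the one above would stand out in the target’s Apache access log: it parses constructed combined-format log lines, flags any client that POSTs to wp-login.php more than 20 times inside a sliding 60-second window, and reports whether that client later received the 302 that WordPress sends on a successful login (a failed login re-renders the form with 200). The log lines, client IPs and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format; only the fields the detection needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))

def find_login_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag clients that POST to wp-login.php more than `threshold` times inside any
    sliding `window`. A 302 from the same client means WordPress accepted a password
    (a failed login re-renders the form with 200)."""
    per_ip = defaultdict(list)
    for ip, ts, method, path, status in filter(None, map(parse_line, lines)):
        if method == "POST" and path.endswith("/wp-login.php"):
            per_ip[ip].append((ts, status))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {"attempts": len(events),
                               "got_302": any(s == 302 for _, s in events)}
                break
    return flagged

def sample_log():
    """Constructed sample (not captured from the Raven box): one client firing 25
    login POSTs in ten seconds and then getting a 302, beside a benign visitor."""
    base = datetime(2018, 11, 16, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {code} 3127 "-" "Mozilla/5.0"'
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    login = "/wordpress/wp-login.php"
    lines = [fmt.format(ip="192.168.2.15", ts=stamp(0), m="GET", p="/wordpress/", code=200),
             fmt.format(ip="192.168.2.15", ts=stamp(5), m="POST", p=login, code=200)]
    lines += [fmt.format(ip="192.168.2.20", ts=stamp(0.4 * i), m="POST", p=login, code=200)
              for i in range(25)]
    lines.append(fmt.format(ip="192.168.2.20", ts=stamp(11), m="POST", p=login, code=302))
    return lines
```

Running find_login_bursts(sample_log()) flags only 192.168.2.20, with 26 attempts and got_302 set, which is exactly the pattern a lockout or rate-limit plugin would have cut short.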

After some time, the steven account displayed an error on one of the responses.

[screenshot: raven9]

Let’s try it anyway … and it works!

[screenshot: raven10]

Here you can also find flag3 within the posts.

[screenshot: raven11]

Step 6:

SSH

So now we could try to bypass WordPress file upload restrictions to get a shell, but first let’s try something else. Remember the SSH port? The user may have reused his credentials there.

Let’s try it!

[screenshot: raven12]

Step 7:

Post Exploitation – Root – Final Flag

It worked! Now we have user access on the box. If you’re hunting for flags, the missing flag2 can be found in the /var/www directory.

[screenshot: raven13]

Ok, let’s get root. One of the first things to check is our sudo permissions.

[screenshot: raven14]

This is great! We can run python as root, which means we can basically do whatever we want. Let’s get a bash shell. The command I’m using is normally used to upgrade shells that don’t have tty support, but it works perfectly fine in this situation as well.

[screenshot: raven15]

Root Dance!
And now we can go for that final flag …

[screenshot: raven16]

That was Raven 1. Another path to the initial shell would have been to brute force the SSH login. I didn’t do it initially because SSH brute forcing usually takes forever, but it does work. The wpscan brute force took over an hour, even with the threads split between two different accounts. With access to the WordPress directory you can get the root MySQL password and search the database. You could potentially crack the other user’s password hash with hashcat or john faster than the wpscan brute force. In the end that wasn’t needed.

Final Thoughts:

Raven 1 was more basic than intermediate, but decent for those just starting out. I don’t love brute force as a path on a CTF, but it is a good skill to learn. I thought flag2 was in a strange place and only found it by searching the file system after rooting the box. Putting it in one of the user directories (steven has access to both) would have made more sense. Anyway, it wasn’t a bad way to spend a few hours. I’ll have to try Raven 2 soon.

I also made a video with some extra content at the end. It shows SSH brute forcing with hydra and WordPress brute force with BurpSuite. You can find it here.

Happy Hacking

-R3a50n
