Raven: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

4 flags / root

Download

https://www.vulnhub.com/entry/raven-1,256/

Walkthrough

nmap

detailed nmap

tested rpc but nothing there

dirb shows wordpress

found this out after the fact, had to add raven.local to hosts file for wp

default wp

wpscan enum finds two users
wpscan brute finds nothing; huge rabbit hole

only port left is ssh; tried hydra and creds found

ssh as michael

check /etc/passwd; another user steven

check wp-config; find mysql root creds

grab hash for steven

run against john; find pass

elevate to steven; see that sudo python available; i am root
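
The weak points this chain relied on (WordPress connecting to MySQL as root, and a sudo rule for python) can be audited on your own hosts. The script below is an added example, not part of the original walkthrough; the sample inputs, function names, the world-readable check and the binary list beyond python are constructed assumptions.

```python
import re

# Binaries that hand out a root shell when permitted through sudo. The page
# only mentions python; the other names are assumptions added for the example.
RISKY_SUDO_BINARIES = {"python", "python2", "python3", "perl", "ruby", "bash", "sh"}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_USER|DB_PASSWORD)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
SUDO_RULE_RE = re.compile(r"\s*\(([^)]*)\)\s*(NOPASSWD:\s*)?(.+)")

# Constructed sample inputs, not copied from the Raven VM.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example-password');
"""
SAMPLE_SUDO_L = """Matching Defaults entries for steven on raven:
    env_reset, mail_badpass
User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
"""

def audit_wp_config(text, mode):
    """Return findings for a wp-config.php body and its permission bits."""
    findings = []
    settings = dict(DEFINE_RE.findall(text))
    if settings.get("DB_USER") == "root":
        findings.append("wp-config: WordPress connects to MySQL as root")
    if mode & 0o004:  # "other" read bit: any local account can read the creds
        findings.append("wp-config: file is world-readable")
    return findings

def audit_sudo_l(output):
    """Return findings for the text printed by `sudo -l`."""
    findings = []
    for line in output.splitlines():
        rule = SUDO_RULE_RE.match(line)
        if not rule:
            continue  # header and Defaults lines do not start with "(runas)"
        runas, nopasswd, commands = rule.groups()
        for cmd in (c.strip() for c in commands.split(",") if c.strip()):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in RISKY_SUDO_BINARIES or binary == "ALL":
                suffix = " without a password" if nopasswd else ""
                findings.append(f"sudo: {cmd} runs as {runas}{suffix}")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, 0o644) + audit_sudo_l(SAMPLE_SUDO_L):
        print(finding)
```

On a real host, pass the contents of wp-config.php with `os.stat(path).st_mode` and the output of `sudo -l -U <user>` for each account.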

root errr flag 4; lolz forgot i was looking for flags :P

searched for remaining 3 flags and found
flag 1 was in service.html

flag 2 was in /var/www

flag 3 was in mysql or maybe a post?

Written on November 9, 2018