Summary
Very similar to Raven: 1, as I had already discovered all the vulnerabilities on the previous machine but went for the low-hanging fruits there. This time I had to take the harder path and exploit PHPMailer to get remote code execution. While on the machine, I saw that the MySQL database is still running as root. I was also able to use user defined functions, which gave me root.
Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in.
Identifying the host
As always with vulnhub machines, let's start with finding out the IP address of our victim. This time, we will use plain bash instead of nmap.
As .4 is our Kali box and .1 is the gateway, .3 is our vulnerable machine. I added the IP address to /etc/hosts as raven.local.
Port Scan
As with Raven: 1, the same ports are open, except for the last one. Again, I will enumerate port 80 first using gobuster.
I've also run wpscan, but besides the same usernames as in Raven: 1 there was again nothing interesting, except for the upload folder, in which I found flag3, which I had missed on the previous machine.
Inspecting the files under /vendor, I found the file PATH, which revealed another flag:
There was another file with the name VERSION, which gave me the PHP version 5.2.16. With this information, we can now search for an exploit.
We know from the /vendor folder that PHPMailer is being used. So we copy the Python script locally and modify it accordingly. All we have to do is modify the following and write # coding: utf-8 on the first line.
And execute!
Reverse Shell
After finally executing the exploit successfully by visiting /backdoor.php, I managed to get a reverse shell. But prior to this, we have to set up the nc listener on port 4444.
After getting a full tty shell with Python, I can work much better. I know from Raven: 1 that MySQL is running as root, so I just have to check whether the credentials are still the same. We can find this out by inspecting wp-config.php in the wordpress folder.
To be sure, just recheck that mysql is running as root:
Yes, still the same! So, I just have to connect to the database and try whether I can execute user defined functions there in order to escalate privileges.
We can see from the welcome message that the MySQL version is 5.5.60. Searchsploit reveals a description of how a UDF can be used to escalate privileges:
All we have to do now is replicate the exploit, set up the listener and press enter – and we are root!
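The UDF path only works because of the configuration state seen above: mysqld running as root and a writable plugin directory with no secure_file_priv restriction. Below is an added audit script (not part of the walkthrough) that parses captures a defender would take from the host with `ps -eo user,comm`, `mysql -e "SHOW VARIABLES LIKE 'secure_file_priv'"` and `mysql -e "SELECT name, dl FROM mysql.func"`, and reports which preconditions are present; the sample captures are constructed and the UDF name in them is a placeholder.

```python
# Added example, not from the walkthrough: audit a MySQL host for the
# preconditions behind the UDF privilege escalation. Inputs are the raw
# text of three commands a defender can run; sample captures are constructed.

def mysqld_users(ps_output):
    """Users owning a mysqld/mariadbd process (from `ps -eo user,comm`)."""
    users = set()
    for line in ps_output.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) == 2 and fields[1] in ("mysqld", "mariadbd"):
            users.add(fields[0])
    return users

def variables(show_output):
    """Tab-separated 'Variable_name<TAB>Value' rows -> dict (empty value kept)."""
    result = {}
    for line in show_output.splitlines()[1:]:
        if line:
            name, _, value = line.partition("\t")
            result[name] = value
    return result

def registered_udfs(func_output):
    """Rows of mysql.func (name<TAB>dl); a stock WordPress host has none."""
    return [tuple(l.split("\t")) for l in func_output.splitlines()[1:] if l]

def audit(ps_output, show_output, func_output):
    """Return findings; an empty list means the UDF route is closed off."""
    findings = []
    if "root" in mysqld_users(ps_output):
        findings.append("mysqld runs as root: a UDF would execute as uid 0")
    if variables(show_output).get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE may write to plugin_dir")
    for name, dl in registered_udfs(func_output):
        findings.append(f"unexpected UDF registered: {name} ({dl})")
    return findings

# Constructed captures: the vulnerable state described on Raven 2 ...
PS_VULN = "USER     COMMAND\nroot     mysqld\nwww-data apache2\n"
VARS_VULN = "Variable_name\tValue\nsecure_file_priv\t\n"
FUNC_VULN = "name\tdl\nexample_udf\texample_udf.so\n"      # placeholder names
# ... and a hardened one (user=mysql, secure_file_priv set, no UDFs registered)
PS_HARD = "USER     COMMAND\nmysql    mysqld\nwww-data apache2\n"
VARS_HARD = "Variable_name\tValue\nsecure_file_priv\t/var/lib/mysql-files/\n"
FUNC_HARD = "name\tdl\n"

if __name__ == "__main__":
    for label, args in (("vulnerable", (PS_VULN, VARS_VULN, FUNC_VULN)),
                        ("hardened", (PS_HARD, VARS_HARD, FUNC_HARD))):
        print(label, audit(*args) or ["no findings"])
```

The fix for the vulnerable state is `user=mysql` and a non-empty `secure_file_priv` in my.cnf, and dropping any UDF that nobody can account for.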
Btw, for the sake of completeness: flag2 was under /var/www/