![Walkthrough Walkthrough](https://www.hacknos.com/wp-content/uploads/2020/03/vulnhub-walkthruogh-6-290x220.png)
In this article, we will solve a capture the flag (CTF) challenge that was posted on the VulnHub website by an author named Dylan Barker. As per the description given by the author, this is an intermediate-level CTF and the target of the CTF is to get the root access of the machine and read the flag files. Raven Vulnhub CTF Walkthrough Lucideus. Unsubscribe from Lucideus? Mr-Robot: 1 CTF Walkthrough - Duration: 22:45. JackkTutorials 134,016 views. Matrix 1: Vulnhub CTF Walkthrough; Raven 2: Vulnhub CTF Walkthrough; Raven 1 - Vulnhub CTF Walkthrough March (2) 2017 (1) October (1) 2013 (6) July (1) March (4) January (1) 2012 (10) September (2) June (1) April (1).
- Zico2:1 vulnhub walkthrough. Hello friends. Today I will share with you another writeup for vulnhub walkthrough vulnerable machines. The selected target will be Zico2.
- The Kioptrix VM's offer simple challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
Description
Hello, today we are starting the Raven Vulnhub series. There are a total of 2 machines in this series. We will make the walkthrough to Raven 1, the first machine of the series. If you want to download the machine affected by the vulnerability, you can click here. In this article, we will see the solution to the Fowsniff machine.
Writeup
First of all, we are opening our vulnhub machine. This is the boot image we run on VirtualBox. As usual, we start by learning the IP address of our vulnhub machine.
Then we need to check the ports open on our vulnhub machine. For this, we will use the Nmap tool.
We saw that gate number 80 was open. However, when we manually check the site, we realize that it has many extensions, but we could not reach any tips. For this, we will search an extension with dirb.
When we examine the results of the dirb scan, we see the login panel of our WordPress site. After trying the default username and passwords first it did not work any. Harry potter free 123movies. Now we will scan the WordPress with wpscan.
As a result of our scan with the Wpscan tool, two users showed us. Using these users, we can provide an ssh connection with the open port 22 we found. For this, we will first try to crack our users’ passwords with a tool named Hydra.
We successfully achieved our password with the Hydra tool. It was a password that we could reach by trying. We have a username and password and we will make ssh connection with this information.
We have successfully provided our ssh connection. Now, after navigating through some files, we couldn’t get anything. For this, we will search the word flag with a search command.
Flag 2
In this way, we successfully found one of our flags. Now we will go to the directory of the flag we found and search for clues.
We see the wp-config.php file in the directory we entered to search for clues. When we want to view the related file, a user name and password appear.
We will log into the Mysql database with the username and password we find. After logging in, we need to search for usernames and passwords for us to be root users in WordPress. After doing a search for this, we find usernames and encrypted words. When we decode these encrypted words, we will successfully login as the root user.
Yes, we come across user information of Michael and Steven, and when I try to find passwords on the MD5 cracking site, I realized that they were not cracked, so we try a different way. We save the passwords in a .txt file, then start the cracking process with the tool named John The Ripper.
Soon after, john the ripper password cracking tool tells us that our password is pink84. Now, all we have to do is complete the login process and find our last flag.
We successfully solved the first machine of the Raven series.
Vulnhub Mr Robot
One part of penetration testing is re-testing companies to confirm that the vulnerabilities disclosed in the first round are now non-existent and properly secured. In this machine, Raven Security, a company that was breached in an earlier attempt, brings a new challenge to the pentesting team after securing their web application. The author says that this machine is an intermediate one. This is based on it containing a rabbit hole and understanding how an exploit runs and modify the code according to the application at hand. The machine can be found on VulnHub, so go pull down a copy and lets jump right in!
Information Gathering
Starting off,
netdiscover
allows us to find out the IP on the internal network of the virtual network. netdiscover -i eth0 -r 192.168.56.0/24
where -i
stands for the interface and -r
stands for the network range that we want to scan.After identifying its location, knowing what's running on it comes next. In addition to
NMAP
, unicornscan
will be used to confirm the results. Unicorn is super fast in scanning for the ports, whereas NMAP can be awesomely used to discover the services running on the ports and provide enough information. Following the generated results, 22, 80 and 111 are open. Knowing the services, port 22 can't be easily exploited, the only possibility is to brute force it. Port 80 is the hottest one to be tackled. Port 111 is the rpcbind service which tells that there is a RPC application program running. Not that interesting.
Web Busting
After prioritizing our services, web directory busting begins using
gobuster
:Looking at those findings, another
gobuster
process is ran on the wordpress
directory, which is in general, a juicy spot.Without noticing, I was slowly sliding down a rabbit hole. I ran 2-3 bruteforcing attacks on the login process for the users with different password lists. While doing the last attack, I stepped back, and remembered that there is way more to this than the
wordpress
section.![Vulnhub Vulnhub](https://pentesterhome.files.wordpress.com/2018/11/raven7.png?w=660)
Script debugger 6 0 – applescript authoring environment. Looking around in the web directories,
/vendor
came out to be crucial to this box.This was the vendor directory for
PHPMailer
. Looking closely into those files:Lookie there! Flag 1. This is a clear sign that we are on the right track. Looking at the VERSION next:
This could lead to something! Using the infamous
searchsploit
: This service is pretty vulnerable! Using the python exploit from exploit-db, a couple of parameters needed modification. That was identified by checking where the PHPMailer was being used, in comparison to where it was used in the PoC. In our scenario, it was under
/contact.php
as opposed to the PoC, /
.If it wasn't clear, the fields set are the POST parameters to be sent. Running the exploit, a reverse shell is received:
Privilege Escalation
In the normal privilege escalation process, the privilege checker is ran to try and identify issues in the installation and setup of the system. One crucial process shines out. Mysql is ran with the root user!
After checking its version, an exploit was found for it!
This exploit was missing a user and a password to access that DB. Nonetheless, a WordPress application exist, and with it comes to life the
wp-config.php
file which is always interesting to grab.After logging in, Steven and Michael credentials were gathered and stored locally in order to try and break them later on.
As for the exploit, we are ready to attack the vulnerable application. Following that exploit-db guide, and combining it with the following blog, we get a functioning shell.
One last step for us to wrap up. Get the flags!
Attempting to grab the passwords for steven and michael for later usage, neither the MySQL credentials nor the
/shadow
hashes were decrypted using multiple wordlists.Conclusion
The machine contained some known issues, such us having an application running as root, or using a vulnerable application version, and these are dangerous liabilities on the application owner! Being offensive while building an application can bring up to the table lots of benefits, from building up the application, to setting it up. The author can be found on the following: https://wjmccann.github.io/
Brainpan Vulnhub Walkthrough
If you enjoyed my writing you can find me on Twitter as @7hunderson.