  • sprinklesomecyba
  • Dec 8, 2018
  • 5 min read

Updated: Dec 9, 2018

Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven?

Author: William McCann. Series: Raven.



This post documents the complete walkthrough of Raven: 2, a boot2root VM created by William McCann and hosted at VulnHub. If you are uncomfortable with spoilers, please stop reading now.

Gathering information on Raven using Nmap



So here, we run an nmap scan and save the output in the current directory. The output below is what we captured from the scan. Let's take a look and see which ports or services we find open.




Performing a Nikto scan to enumerate web services/directories


To do this, you can run it from the command line. The Nikto scan we ran is:

nikto -C all -h 10.20.0.14


We can edit our /etc/hosts file so that when we put http://raven.local in the address bar it will load the web page hosted on our target machine.


Based on the output, it looks like this is a WordPress website. Keep that in mind for later.

Our next step is to use a directory buster to get an idea of the website structure. Below, I have posted a few screenshots of running gobuster with DirBuster's wordlist, and then of running DirBuster with the same wordlist, just to show you that you can do this more than one way.


gobuster output:

gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -u http://raven.local

Dirbuster output:

If you run it as root or via sudo, it may give you an X11 display error.

So after we ran the scans, you can see the many directories and files found. I was scrolling through and found the http://raven.local/vendor directory to have some items of interest, such as Callback_function_notes.txt. With that being said, let us go explore this directory with our browser.


I went straight to the docs folder to take a peek at the text file, which I am definitely going to note. See below.




So, maybe we have some PHP goodies we can look up, but for now we note it and go back to the parent directory, vendor, to see if we missed anything. This time, we notice something. See if you notice it too.



I think you see it too? The date is different from every other file in the directory. Let's click on it and take a look, shall we?
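The "odd date out" that gives this file away can be checked automatically. The following is an added example, not code from the original post: a small Python parser for an Apache autoindex listing that flags entries whose modification date differs from the rest of the directory. The listing it runs on is constructed sample input, not the real Raven 2 /vendor page.

```python
import re
from collections import Counter

# Constructed Apache autoindex rows (sample data, not the real Raven 2 /vendor listing).
SAMPLE_LISTING = """
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td></tr>
<tr><td><a href="docs/">docs/</a></td><td align="right">2018-11-09 22:10  </td><td align="right">  - </td></tr>
<tr><td><a href="LICENSE">LICENSE</a></td><td align="right">2018-11-09 22:10  </td><td align="right">1.1K</td></tr>
<tr><td><a href="README.md">README.md</a></td><td align="right">2018-11-09 22:10  </td><td align="right"> 11K</td></tr>
<tr><td><a href="VERSION">VERSION</a></td><td align="right">2018-11-09 22:10  </td><td align="right">  7 </td></tr>
<tr><td><a href="added-later.txt">added-later.txt</a></td><td align="right">2018-11-13 14:52  </td><td align="right"> 60 </td></tr>
"""

# One autoindex row: the entry link followed by its "Last modified" cell.
# Header links (?C=...) and the parent-directory link (/) have no date cell
# and are excluded by the first character class, so they never match.
ROW_RE = re.compile(r'<a href="([^"?/][^"]*)">[^<]*</a></td><td align="right">'
                    r'(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})')


def parse_listing(html):
    """Return [(name, 'YYYY-MM-DD', 'HH:MM'), ...] for every dated entry."""
    return ROW_RE.findall(html)


def find_outliers(entries):
    """Names whose modification date differs from the directory's most common date.

    A vendor drop (composer, a zip unpack) lands with one timestamp; anything
    dated differently was touched afterwards and deserves a look."""
    days = Counter(day for _, day, _ in entries)
    if not days:
        return []
    modal_day, count = days.most_common(1)[0]
    if count < 2:  # every entry has its own date: no baseline to compare against
        return []
    return [name for name, day, _ in entries if day != modal_day]
```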



Flag 1 is Found!

/var/www/html/vendor/

flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}


PHPMailer Vulnerability - Running Version 5.2.16

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

After getting the first flag, while just browsing around in the directory, I clicked on the README file to see if I could find anything interesting; it shows PHPMailer information. So we navigate back to the raven.local/vendor directory in our browser and click on the VERSION link.

README file below:

VERSION info below:


As you can see, the PHPMailer version is 5.2.16, and according to the CVE, 5.2.17 and below are vulnerable to remote code execution. The picture below shows where on the website this would occur.
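The version comparison above is the kind of check a vulnerability scan should make against an exposed vendor/VERSION file. As an added example (not from the original post), here is a Python check that parses the VERSION text and reports whether it falls in the CVE-2016-10033 range; it compares numerically so that 5.10.x is not mistaken for an old release. The assess_url helper is a hypothetical convenience that reads the same /vendor/VERSION path the post found exposed.

```python
import re
import urllib.request

# CVE-2016-10033 affects PHPMailer 5.2.17 and earlier; 5.2.18 is the first fixed release.
FIXED_VERSION = (5, 2, 18)
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    """Pull an x.y.z version out of PHPMailer's VERSION file (e.g. '5.2.16\\n')
    or out of a "public $Version = '5.2.16';" line and return it as an int tuple."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version string in %r" % text[:40])
    return tuple(int(part) for part in m.groups())


def assess(text):
    """Return a finding dict for the given version text.

    Tuple comparison is numeric per component, so (5, 10, 0) correctly sorts
    after (5, 2, 18); a plain string compare would get that wrong."""
    version = parse_version(text)
    return {
        "version": ".".join(str(p) for p in version),
        "cve": "CVE-2016-10033",
        "affected": version < FIXED_VERSION,
    }


def assess_url(base_url, timeout=5):
    """Hypothetical helper: fetch <base_url>/vendor/VERSION and assess it."""
    url = base_url.rstrip("/") + "/vendor/VERSION"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8", "replace"))
```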


We can now go to our machine and look in searchsploit to see if any exploits are available or can help move us in the right direction.


We are going to use the Python script.

I grabbed a copy of the exploit from the path shown above, which is:

/usr/share/exploitdb/exploits/php/webapps/40974.php (For Remote Code Execution)


I copied the file and renamed it raven2.py.


Usage:

1. Add a #coding: utf-8 tag at the very top of the script.

2. Set the target of the vulnerability to <ip address>/contact.php, where this vulnerability exists (discussed earlier above).

3. Set the backdoor's name. Example: shell.php

4. Set the local IP of your box and the port you want to use in the subprocess call.

5. Lastly, set the location to upload the backdoor to. Example: /var/www/html/shell.php


Script Settings below:

I actually named it shell, but I didn't feel like making a screenshot of it again; you get the point.

Start a Netcat Listener

Now you want to start your listener on the port you chose and set in the Python script.


Example: root#nc -lvnp <port>


Once your listener is running, go to the URL in the picture below (whatever the IP of the server is in your situation or setup).



If done correctly, you will have a low-privilege shell. From here you can upgrade to a proper TTY shell by typing the following command:


root#python -c 'import pty;pty.spawn("/bin/bash")'


This will put you in the /var/www/html directory, from which you can navigate to the /var/www directory; the flag is in there. Type ls and you will see it. All you have to do now is cat flag2.txt, and that is murder she wrote.



Now that we have flag 2, moving on to flag 3.


WordPress

Now that we are on the remote server: we mentioned WordPress earlier on and said to keep that in mind. Well, we are going back to the root directory of the web server, which is /var/www/html, to see if we can find the WordPress configuration.


We changed directory back to /var/www/html and ran ls. There we see wordpress.

I went into the wordpress directory and ran ls -la to see what was in there, and found a wp-config file. I am always happy to see a config file. Let us see what it contains.



I am going to keep note of this: since we are dealing with MySQL, we will look for vulnerabilities we can use, if need be, to track down this flag. So, we can just go back to the wordpress directory and try our luck with a recursive find and see if we get lucky.


We got lucky, there it is, but it is a PNG file and not a text file, so now we have to view it as a picture. One option we have is to copy it into the root directory of the web page, which is /var/www/html, and navigate to it with our browser.


We have successfully copied flag3 to the /var/www/html directory.

Flag 3:

Now that we have flag 3, we are on the final flag, which is flag 4. Not sure how that will show up, but I assume it will be some sort of privilege escalation.


MySQL 5.5 Running as root


Since we were able to get the MySQL credentials, I figured we might as well poke around and see what processes were running and with what privileges. It would also be good to verify what version is running, to see what direction we need to go in.


From the picture above, you can see that MySQL is running as root and it is version 5.5.

From here, I just did a Google search to see what I could find. Here is a link I found with some information:

https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html


This will get you pointed in the right direction. I will post a link for using a UDF; I had to do a lot of figuring out to compile the C code. None of it was my own writing, as in I did not come up with the code. This was script kiddie central. I did figure it out though, with the help of good sources!! Even reading what someone has already done doesn't always go smoothly; this was one of those times. This is the direction I started in when looking for the exploit:

This will help: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

https://github.com/mysqludf/lib_mysqludf_sys
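Loading a UDF such as lib_mysqludf_sys into a MySQL server that runs as root is exactly what the general query log makes visible. As an added example (not from the original post or from either linked project), here is a Python detector that scans MySQL 5.5 general-log lines for CREATE FUNCTION ... SONAME statements, calls to the lib_mysqludf_sys functions, and SQL-driven file writes; the log excerpt is constructed sample data.

```python
import re

# Constructed MySQL 5.5 general-query-log excerpt (sample data, not from the Raven 2 VM).
SAMPLE_LOG = """\
181208 20:15:01\t   35 Connect\troot@localhost on
181208 20:15:05\t   35 Query\tselect version()
181208 20:16:10\t   35 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'lib_mysqludf_sys.so'
181208 20:16:12\t   35 Query\tselect sys_exec('id')
181208 20:17:00\t   36 Query\tselect option_value from wp_options where option_id = 1
"""

# MySQL 5.5 general log: "<yymmdd hh:mm:ss> <thread id> <command> <argument>".
# The timestamp is omitted on lines that share it with the previous one, so it is optional.
LINE_RE = re.compile(r'^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\t(.*)$')

# Detection rules applied to Query events only: (rule name, pattern).
RULES = [
    # Loading a shared object as a UDF; the step that turns a root-owned mysqld into code execution.
    ("udf_load", re.compile(r'\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b', re.I)),
    # The functions exported by lib_mysqludf_sys.
    ("udf_call", re.compile(r'\bsys_(?:exec|eval|get|set)\s*\(', re.I)),
    # Writing files from SQL (how a library would be staged into plugin_dir).
    ("file_write", re.compile(r'\bINTO\s+(?:DUMPFILE|OUTFILE)\b', re.I)),
]


def scan_general_log(text):
    """Return one hit dict per (line, rule) match: line number, thread id, rule, query."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None or m.group(2) != "Query":
            continue
        thread, query = int(m.group(1)), m.group(3)
        for rule, pattern in RULES:
            if pattern.search(query):
                hits.append({"line": number, "thread": thread, "rule": rule, "query": query})
    return hits
```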



The END!

May Cyba be with you!!

© 2018 Sprinklesomecyba
