Raven1 VulnHub CTF Walkthrough - Boot-To-Root

Captions
Hey guys, HackerSploit here, back again with another video, and welcome back to the CTF series. In this video we're going to be looking at Raven 1. This is a new set of VMs, or CTF challenges, that were released on VulnHub, and we're going to be starting off with Raven 1. If I just navigate back right over here, you can see that there are quite a few that I want to cover, and one of the ones that also caught my attention is WebSploit, so we're going to be looking at that next; hopefully I can upload one. So we'll start off with Raven 1. I just finished solving it and it was really, really awesome, and hopefully I can explain a few things with it. Now, before we actually get started, I just want to let you know what you should expect when doing this CTF challenge, and again, if you have not done it, there are going to be a few spoilers. This VM really tested you in terms of password cracking and your WordPress skills, so it's all about enumerating as much information as possible from WordPress and also dealing with password cracking. Otherwise the rest of the stuff was pretty easy, even when you talk about the privilege escalation. Now, you can see that Raven is said to be a beginner or intermediate boot-to-root machine, and there are four flags that you have to find, with two intended ways of getting root. I do not know of the second way of getting root; the first way is pretty standard to get, but I'll still be experimenting on this, and as always you guys can let me know in the comments section. All right, so I have it set up on a virtual machine, and I'm currently on my laptop because I am doing a few projects on my main workstation, so I have to do it here. What I've done is a few things just to make this video as short as possible. When it comes down to the results, as I mentioned, we'll be using WebMap to essentially analyze our Nmap scan, which I have
saved, so we don't waste any time with that, and pretty much I'll be explaining everything as I go. All right, so without further ado, let's get started. Now, the IP address for this virtual machine on my local network is 192.168.1.116, just letting you know that. In terms of the Nmap scan, I ran a simple scan, as you can see right over here. What I'm going to do is zoom in. So we're using WebMap, and as you can see I initiated it... when did I initiate this scan? About 4:46, yeah, so 4:46 a.m., and I was able to complete it before now, and this is when I'm recording the video. All right, so you can see it is a TCP scan, and the scan type is a SYN scan, and these are my arguments: so Nmap, service or fingerprint banner grabbing sorry, and an aggressive scan, and that pretty much gave me all the information that I needed. Now, when it comes down to the ports, we can see that we have three open ports: we have an SSH port, we have a web server running Apache, and we have an RPC port. Now, I was not able to enumerate anything from the RPC port; I tried going through a null session, and if you can see, I also ran the CVE scan right over here, and hopefully you can also run that for yourself. This is if you plan to actually use WebMap; you don't need to. So hopefully that sums it all up in terms of the services. Now, if I'm to just open up the PDF report... actually, I should have generated the PDF report, so we're going to wait for that in a second. What I'm going to do is run the scan right now as well, so that we can also get an idea of the services running on it, for those of you who do not want to use WebMap. All right, so sudo bash, and I'll use Nmap, -sV, and I'll do an aggressive scan, 182.168.1.116. I'm going to hit enter and we're going to wait for that Nmap scan to complete. So when it comes down to the
PDF report right over here, you can see that it gives you a list of all the ports that are open in terms of their services. So here we have the service versions: we have OpenSSH 6.7p1, which is not vulnerable; you can also perform a searchsploit scan for that. We then have my web server, which is running Apache httpd 2.4.10, which is slightly old or outdated but not vulnerable to anything, and we have RPC. So again, I tried logging in with a null session and I wasn't able to enumerate much. You can also run your enum4linux if you want to, but again, as I mentioned, I was not able to find anything significant. So my next step was to essentially try and prod the web server, which I did gracefully right over here. So 192.168.1.116, all right, I'm going to hit enter, and immediately it's going to take you to a website called Raven Security, which supposedly offers security services. I have seen this theme before; this is actually a free WordPress theme that is supposed to be for a security company, not really a cyber security company, but yeah, anyway, it's a free theme, it is what it is. All right, so the first thing I like doing is robots.txt, and yeah, we don't get any of that. So what I'm going to do now is run a Nikto scan on this; I usually always do that. And here are the results, for those of you who are wondering about a normal Nmap scan: you can see that we have RPC, and this also has a UDP port opened, and I also tried connecting through the UDP and I was not able to get anything out of there. So what I'm going to do is run a Nikto scan, so nikto -h, and we'll put in that URL, and we're going to let that run as well. While we're on that, we can also launch a DirBuster session right over here just to enumerate as many directories as we can find. So I'll paste that URL in there, and we'll use, I'll say, 50 threads, and I will use a word list here, so /usr/share, and that is in wordlists right
over here, and we have the DirBuster directory-list-medium. Select that, and I'm going to hit start. All right, so we're going to let that run and we'll give that a second. Meanwhile we can analyze our Nikto results right over here. You can see that pretty much we get some directories; here we have an img directory, which we can also check out right now, so I'm going to do that as we speak. So /img, and pretty much that gives us an idea of what it's running, and you can go ahead and explore the images. These look like the template images. We have something interesting here: we click on blog, you can see that this does have a blog as well, and we can click on random files here with the slider, so these are just essentially resources that the template is using. If we look at t2.jpg we have a random image there of someone; don't know who it is, but yeah. All right, so let's go back into DirBuster and let's see what we're able to enumerate from DirBuster. All right, so interesting. So far we can see that it's gone through quite a bit of files, which is good. We can see the default manual files right over here, which again confirms to me that we are running Apache, but if we go up you can see something interesting here. So we have icons, img, blog, index.html, so simple template files, simple HTML files here for the template, and then we have something interesting here: we have a WordPress installation. Now, when I first saw this I was a little bit confused, because it's either running WordPress or it isn't. So what I decided to do is go back to the website right over here, and I was going to use Burp Suite to essentially intercept everything, to get an idea of how the site is structured, because I thought I was making a mistake. So I'll show you this in a second; I'm going to use the proxy, and I'm just going to launch Burp Suite
as you can see right over there, and I'm just going to enter my password here, and we're going to wait for Burp to launch, and I'll explain something in a second. So you can see that, given that there is a WordPress installation, my initial thought was that it was a WordPress installation and there were files outside, but what it happened to be was an Apache server with a web template and then a WordPress installation with the same theme. I'll show you that in a second. So I'm going to hit next and start, and what I'm going to do is just disable intercept, so we can actually get an idea of the files that we're dealing with here. So proxy, and intercept is off, and what we can do is reload the page here. What I started to do now is, essentially, I really didn't want to spider; I just wanted to click on all the pages here and get an idea of what page, if any, takes us to the WordPress installation. So immediately I thought register/log in, and you can see that that does not have any redirection to it, so it's not being rerouted anywhere. Click on service here, team; team is nothing so far, and we have the blog, which takes us to WordPress. Now, for some reason on my laptop, I think this is probably a JavaScript issue, the WordPress installation does not load, and essentially it is missing some JavaScript components, sorry about that, here, and yeah, I don't know what's causing it, but essentially this is the same website. Hopefully you guys can try it out for yourself; I do recommend it. So this takes us to WordPress, so if we go back we can see that the blog took us to the WordPress installation, and then we have the contact page here. So let's go back into Burp. Now, if you remember, we do know that this CTF challenge has four flags, so we have four flags to get. Now, mind you, when I first did this challenge I did not get, I would say, two of the four flags, and I'll explain why; it actually
took me a while to get them. So what I'm going to do is, as you can see, this confirmed my suspicion: you can see that we have the theme template here, so that has the about, the blog, contact HTML, and they're doing essentially all that they've been designed to do, except the blog, which sort of redirects us to WordPress, which is interesting. If we look at the other pages here, you can see we have the images, which I think we took a look at, you have your JavaScript files right over there, you have your service, your team.html and your WordPress. So what I wanted to explore was the blog, because that sort of redirected us to WordPress, but again, we didn't get anything from that. Now, when you talk about the about.html, which contained a bit of data, I was inspecting all the files right over here and the response that we got, and yeah, this is a basic template. Now, I wasn't able to find anything right over here, so I decided to start hitting WordPress, and that's exactly what I did. So what I'm going to do is just pause this, and if we look at the Nikto scan you can see that we weren't able to enumerate anything important apart from the JSON file, the WordPress JSON file right over here. So again, uncommon header link found with contents, and that is essentially raven.local, which is the IP. Now, I haven't added raven.local to my hosts file, so that can be simple to enumerate. So let me just copy that address and I'll show you what I found over here. So instead of running raven.local we can essentially just run 192.168.1.116, and I'm going to hit enter, and you can see that this is JSON data, and I wasn't able to get anything from this. Now, I'll explain my methodology here: so apparently there was a flag, and I'll explain where it is, hopefully when we reach the end of the video, which is really weird. Now, this is one of the
problems that I face when performing CTF challenges: I approach these CTF challenges from a point of weaknesses, because I work professionally in this industry, and usually what you're looking for in a real pen testing environment is weaknesses in services; you're not really looking for flags. So that kind of threw me off, but I'll get to that in a second. So next we're going to use WPScan. All right, so WPScan, and we know that the WordPress installation is found within the wordpress subdirectory. So wpscan --url, and we specify the URL here, so 192.168.1.116/wordpress, and then this will essentially generate or enumerate as much information as it can without specifying anything additional; I'll get to that in a second. So it's going to update the database, and now this is one of the good things that this CTF does cover in regards to a WordPress installation: it really shows you how to enumerate or how to get a lot of information from a WordPress installation. Nowadays you usually find WordPress installations behind firewalls, so it gets really difficult, but if you know what you're doing... You can see that it does tell us that we need to specify, sorry about that, let me just go back there, it does tell us that we need to specify the WordPress content directory, so it can actually look actively within there. All right, so to do that we specify the WordPress content directory, and we say we want to go through all the themes, all the plugins, and we want to enumerate usernames. All right, I'm going to hit enter, and for some reason it's telling me that I can't enumerate plugins, so we'll try all themes there; let's just see. What? That did work; I probably should have specified first. All right, so yeah, I probably should have specified plugins later, but there weren't any vulnerable plugins, so by
default this went through the default theme here. If we look at the results, we can see that, yeah, that went through WordPress and it told us we are running on an Apache server. We have the WordPress xmlrpc.php file there, which did not yield anything, the WordPress readme, which pretty much doesn't give us anything else, and the WordPress version, which we can see is 4.8.7. Now, it was able to enumerate usernames here, and we did find that we have two usernames: we have steven and michael. All right, and by default here what you can see is that this does give us usernames, sorry about that, it does give us usernames and passwords here. Now, no, not passwords, sorry about that; I was going to explain something. When it comes down to enumerating users on WordPress, this will usually come from various places, and by default you can see that this came in the form of author ID brute forcing. So now, if I'm to go back into my WebMap right over here, you can see that we are running an SSH port, so that was my next target. Given that we have two users, steven and michael, I decided to essentially try and brute force for both names, and I'll show you that in a second. So what I did first, what I actually did, is I went to my desktop here, or I should have actually just created the file, so nano, and I'm just going to say names.txt. We're going to create a user list here, so michael and steven, and I'm going to hit enter; I'm just going to save this file. And now I've brought up Hydra, all right, so Hydra, and we're using, so I'm just going to say home, lexis, desktop here, and we're just going to say names.txt, and for the password file I used /usr/share/wordlists/rockyou.txt, and ssh 182.168.1.116, and I'm going to hit enter, and that is going to start brute forcing the SSH. Now, of course, what happens here, or what I did find is, during my initial test, or as by default, you can
see we've already got the password for michael. What I did find is, sometimes with this virtual machine, you do have to reduce the amount of threads to four, or something less like two, which usually then does not give you the errors in terms of being disconnected automatically through your session. So SSH, we can see that we have the user michael and the password michael. So yeah, I really wasn't impressed with that, because it's very rare that you see an SSH user... I have seen it before, but it's very rare nowadays, where you are encouraged to change your passwords, even for your SSH accounts, regularly. So yeah, that was pretty simple. So what I'm going to do is use SSH, and michael, whoops, have I got the correct spelling there? Yeah, michael@192, sorry, 192.168.1.116. All right, so right over here we can see once we hit enter it's going to ask us to essentially continue connecting, there we are, and the password is michael. I'm going to hit enter and I'm just going to clear this up, and by default you can see that we are in the michael directory and we do not have any root privileges. So let us first get an idea of what operating system we are on: we can see that we are on Debian, Debian 8, and cat /etc/passwd just to get an idea of the users. Now, of course, you can use the LinEnum.sh tool, which I have right here; a lot of you guys have been asking me to go through that. Sorry, let me just turn off my proxy; I'll get to that in a second as to why I need that. Let me just reload the page here. So we're talking about LinEnum.sh, which is a local Linux enumeration tool, so I have it right over here. A lot of you guys have asked me to actually make a review of this, so hopefully this will cover how good it is. So I actually ran this tool, or actually ran the Linux Exploit Suggester, which yielded nothing; I thought that I had to escalate privileges, but given
that there was another user, I was always skeptical. So if I'm just to go back right over here, I used wget to get the LinEnum.sh file, which is good; it actually showed us that we have read/write permissions, so chmod 775 and the Linux enumeration tool here, LinEnum, and we're going to hit enter. So we're just going to wait for that to complete running. So we can see that the only superuser account is root, and I'll get to that in a second; we have a MySQL database running, something that I overlooked once more; I really forgot this, I can't believe I did this. So the scan is complete; let's look right over here. We can see, let me just go back here, if we can just start it off, for some reason my terminal does not display that, but in terms of what I was able to get from... yeah, so there we are. So MySQL version, this is using version 14.5.14. Now, what I wanted to essentially cover here, and it's something that I also forgot, is that by default every WordPress installation requires a database, a MySQL database, where you can store everything from user data to passwords to posts and all that information; I'll get to that in a second. So I was not able to do anything from this. Now, when I talk about the web directory, I'll get to that in a second. If I can just get down here, let me just clear that up. If I was to list the files in /var/www, and we list the files there, we can see something interesting. Now, this is where, supposedly, sorry, I actually should have changed my directory into that, so cd /var/www. I'll actually explain something: so this is where my Apache installation is, or this is how it is configured by default; if you ever have an Apache service running on your computer, this is where it's going to store all of its files. And as I clicked on it I got flag 2, so I was a bit confused, because I thought this is where I would get
flag 1. So again, I tried locating my flag 1, and by default it should have been in my michael@raven directory, but it wasn't there; I'll get to that in a second. So we got the second flag, so far so good, but I was still worried about not getting the first flag. In any case, my first priority was to get root access on this computer. So if I change my directory into the html folder, you can see that I was right about the WordPress configuration here: we can see that the WordPress installation is within the Apache installation, and we have other files outside it. By default, when configuring a web server, the WordPress files would be in here instead of being in a separate directory called wordpress, so interesting. Now, I knew something about the WordPress database, and the fact that all data in regards to the configuration of the database is found in the WordPress config file. So wordpress, and if we list the files you can see that we have the wp-config.php file, which, if you are a web server administrator, you should already change the read/write permissions on, because this can cause a lot of damage; I've seen many websites getting hacked this way. So I'll use nano and we're just going to look at the WordPress config, sorry, the wp-config.php file here. I'm going to hit enter, and you can see that the database name is called wordpress, the database user is root, and the database password is "raven security". So we were able to get the database right over here. Now, most of you will obviously be wondering, well, how do you know that the database is running? As I mentioned, if you're running a WordPress installation you need the database running. You can try it out for yourself: what I want you to do is run a local stack, you can try the LAMP stack on Windows or Linux, whatever you feel is comfortable for you, and run a default WordPress installation and then turn off MySQL; you will see what I'm talking about. So Ctrl+X, and you can
also use netstat -antp right over here, and you can see that we are running the MySQL WordPress database; the default port for MySQL is 3306, and it's open and listening, excellent. So now what we need to do is log into the WordPress database. So we know that the default username is root, and the name of the database is wordpress, interesting. So to actually log into a WordPress database, or a MySQL database, it's very simple: you type in mysql, and then you need to type in the username, which is root, and then the password, which we'll specify, or you can specify it later, and then the name of the database, and we hit enter. And hopefully I copied the password; I'm going to hit enter, and voilà. So what I'm going to do, hopefully you know the MySQL syntax, sorry, so I'll actually show you this: so show databases, and we'll essentially run that, and we have an information_schema, a performance_schema, and mysql. So what I'm going to do is... I actually went through all of them, and I'll show you what you can find in all of them so far. So what you can do is, if you want to use a table, or you want to use, well, yes, a table or the database that exists, you can actually pick the one that you want to use, so you can say use mysql, and "database changed". So show tables, we hit enter, you can see that in terms of mysql we have the database, help category, functions, plugin... So I actually took a look at the most interesting one, which was the user, right over here. So now, if you want to select content from a table, what you can use is the select query, so we're saying select, and then you use the asterisk there to specify where you want to begin from, and then from, well, in this case you're not doing any WordPress, so you're going user. So I'm going to hit enter, and yes, actually, I think I made a syntax
error there; I got a syntax error there, I'll get to that in a second. Did I actually copy the password there? So yes, I'll get to that in a second. So show databases, and yeah, I'm always forgetting to use the semicolon, and it's been a while since I've used WordPress, sorry, MySQL. And this is what I was talking about: it's very good to see a CTF challenge that incorporates a database; I have seen many, and I'll get to that in a second. So show databases, and I'm going to hit enter; oops, sorry, databases, there, and we're back in here. So what happens is I went through all of them and they did not contain anything interesting, so my next destination was the WordPress database. So what I'm going to do is, you can just type in use wordpress, and we're going to hit enter, "database changed", show tables, because we want to show the tables, and again, you can go through all of them. So I actually went through all of them, and this is where I found something interesting. So where I was looking at comments, I did not find anything there; I looked at links, options, but something interesting happened when I actually took a look at the WordPress posts. All right, so the wp_posts table, and I took a look at that, and we can see that we have flag 3 right over here, and we also have flag 4, for some reason; that's really weird, flag 3, flag 4.
That's really weird, man, because flag 4 is usually found after you essentially escalate your privileges, which is really weird. I did not find this in here, and I think this is a problem with Terminator; I apologize for this, it displays MySQL tables very weirdly, so apologies for that. But essentially what you would find in the posts is flag 3 and the URL for it, so you can see that, hopefully, I can actually just copy this URL here, copy the address, and let me just go back to my WordPress, sorry, I'll leave that open because we do tend to use it one more time during the CTF challenge. So if I go back, and yeah, we have to get rid of, oops, sorry about that, oops, and we just type that in, and let me just get rid of that. So that is a post, and 192.168.1.116, and we hit enter, and hopefully that brings us to Raven, and yeah, it does not give us anything, which, if we check the source, I was able to find it, and I apologize for the fact that my browser is not displaying the WordPress installation correctly; hopefully it's different for you. And where is it? If I can just locate it, so I'm just going to type in flag here, yeah, we have the flag right over here, well, that's not the one, so we're looking for flag 3 here, and we are unable to find it, which is really weird, because this is where I found the third flag. Anyway, again, this is something that I wanted to actually point out: I'm not really interested in the flags; my main goal is to actually get root access on this. So I'm just going to show tables once more, so show tables, and now I use the select, and we're going to select it from the wp_users table, which usually contains the WordPress users and their passwords, either in clear text or in their hash format. This is where things got really exciting. So select * from wp_users, and I will hit enter, and as you can see, hopefully, well, this
time it did display the tables correctly. We have michael and we have steven, and we have all the emails, which means we can actually log into the WordPress accounts once we're able to crack this password. So what happens here is we already have the password for michael; we'll hopefully want to crack it later for WordPress, but that does not give you any root access, so my first priority right over here is steven. So I'm just going to copy the hash right over here, and I'm just going to launch a new Terminator session; I know the video is actually getting quite long, but hopefully I'm explaining some important stuff here. So sudo bash, and I'm just going to launch that right now, and we're going to use the hash identifier, hash-identifier here, and if we paste this in here, you can see it's going to tell you this is using MD5 WordPress, and it's essentially using a PHP WordPress salt; I'll explain that in a second. So by default, I think after WordPress version 4.5, do not quote me on this, I'm not too sure, they moved from standard MD5 hashes to a salted hash, which, as you know, you can also crack with John. So I'm just going to go to my desktop right over here and I'm just going to use nano; I'm just going to call it hash.txt, I'm going to create a new file, hash.txt, paste that in there, and we just hit save, and we can now use John to crack this hash. So I'm going to use John, and this took a while, to be honest; it took, well, I'm running it on a laptop, and yeah, this really heated up my computer, so I'll also be working on creating a workstation where I can actually crack password hashes. This actually brought me back to the good old days. Now, when I hit enter with John, you can see that it's going to tell you that this is using a PHP password, and it's going to display the hashes and the security, so it's 128-bit, which is quite powerful, which also brings me, or leads me, to believe... I also did
this on my LAMP stack; I experimented with this on an Ubuntu server. This is by default the hash that WordPress does use, which is very interesting, because after 10 minutes I was able to get the password. I already have it saved on my desktop because I didn't want to go through the whole process. You can also use another resource if you don't want to use your computer and all the processing power it requires; I'll actually show you the website name, because they do offer quite an awesome service, although it did take a few hours with that as well, well, no, not a few hours, that was with another WordPress password. But what this actually showed me is that if you do ever get the WordPress hash, depending on the password complexity, it is possible to crack it with John, which is really awesome. Now, this is going to take a while and I'm not going to go through this; you can run it as well for yourself, and as I mentioned, let me just quit that session, I already have the cracked hash on my desktop here. So I'm just going to cut it here; I'm just going to get the correct hash.txt file, and you can see that for steven we got the password as pink84. And you can also crack your hashes on onlinehashcrack.com; let me just show you that right now. It's an awesome service; they're not sponsoring this video, for those of you wondering. Most of you guys think that whenever I feature a product on my channel, the ones that are sponsored I do mention, but if I'm not sponsored by anything, I also do mention that. So you paste in your hash right over here, and you select the hash type, and in my case it was a salted WordPress; it also provides you with the options of Joomla, etc. So you can also use this service; it's really awesome. It does take a while, or you can pay for the service and they essentially give you a better priority on the list, and that
means your password, or your hash, gets cracked quicker, but again, it all depends on the complexity. So the password here for the user steven is pink84. All right, so what I'm going to do here is exit from the WordPress, from the MySQL database right over here, and we can say su steven, or you can log in with SSH by default. I'm going to hit enter, and we are inside steven now. So there we are, we are logged in as steven, and now, sudo bash, let me just try and get, put that in there, yeah, so we cannot execute bash yet, which is interesting. So let me just go back to my default directory, which is, sorry, in /home/steven, so I'm just going to go back here, and we'll change back into michael here, michael, and we'll list the files in there, and I do want to run LinEnum; actually, I should have logged in directly with SSH, and I am going to do that. So after running the Linux enumeration script one more time, we can see that, by default, the shadow file can only be accessed by the root user, and also, of course, the /etc/passwd. In terms of the compilers, we do find that it has the GNU, the GCC compiler, sorry, the GNU C compiler. As I mentioned, I did try and run, what's it called, the Linux Exploit Suggester, which is right over here, and by default that gave me exploits; I tried all of the possible exploits, I'll show you that in a second here. Well, what I should have done is, if I just, sorry guys, let me actually just log in right now, it's here, sorry, so ssh steven@192.168.
uh 168 uh 0.1.116 uh 1.116 here i'm gonna hit enter and the password is pink 84 i'm gonna hit enter and voila all right so we're back in here so we can use wget here and just put that right over here and by default we can see that that this does not allow us well that's because uh if we just go back here sorry about that i should just stick to one of my sessions apologies for that what i was getting into is i tried to launch all um we can see uh you you just saw that i tried to to to wget and i did not i did not have any right permissions for the steven folder we do have right permissions i believe i think for the michael folder i'll test that right now um you can see that it tells us permission denied which means we can now work in the opt folder which if i just uh sorry about that um my keyboard is really messed up right now and permission denied so i'll get to that in a second so you run your sudo l command right over here and immediately that told me once we i clicked on sudo l is that uh uh as i mentioned i tried learning running the exploit suggest i don't know why it's not allowing me to write in my current working directory uh but we can see that we can use python which is very interesting which means we can also we can also escalate some privileges now when i talked about the flags as i mentioned i'm not really interested in the flags i'll get to that in a second all right when we talk about the flags uh we did find it within the post which is weird i have contacted the author or i will contact the author uh depending on when you watch this or off the ctf challenge because this was really weird and as i mentioned my main priority was to get root now this is the the the way of getting root that i know i haven't been able to to use any of the other exploits that's primarily because uh i do not have a g plus plus installed the g plus plus compiler the g the new c plus plus compiler which is actually for one of the exploits i'll get to that in a second um so 
what i was talking about here is uh well no no no not really in terms of enumeration so what was talking about when i ran the sudo l you can see that we can use the python which is interesting because that means we can actually spawn a shell in python i'll get to that in a second uh if i'm to just change my folder into the temp folder here which is i think the only place you can actually launch or you can actually execute files yeah there we are so i'll use wget right over here and if we list the files here let me just chmod this 775 uh let's not sh sorry about that uh damn sorry about that so uh chmod chmod 775 my typing is horrendous even though it's in the morning so yeah my typing is pretty pretty bad right now so less dot s8 i'm gonna hit enter and you can see that the possible exploits are quite a bit the one that did seem to work was again dirty cow uh i did try it but again you need uh you need the compiler uh which defeats the purpose because once you get root then you you really can't get any other exploit but as the developer said of this vulnerable machine we cannot use any other the only two ways of getting root which is interesting so uh what we can do now is we can actually use uh we can actually launch python so you know i can actually say python or we can actually go into the compiler itself which you can you can use uh the user bin python uh from the default directory so you know we can use we can import os and we can say os.system and this is to get a shell here so we'll say bin and this is bash right over here and once you specify that we can hit enter and if we hit id now and for some reason that takes us into bin bash oh yes sorry you have to launch this with sudo or super user so sudo because this does not require any password so sudo uh what am i talking about bin python sorry about that guys user bin python that is in the user bin python um i'll get to that in a second so user bin python and yeah now we are in python and we can execute now 
root privileges from this all right so let me just import os one more time hopefully this isn't as confusing as it is as it was for me so system and again we're launching bin bash one more time so uh bin uh bash and we close that up and we hit enter and we are root dot uh root at raven now and we do do have root access all right so i know i got a little bit confused and that's because i was trying to explain too many things once so let me just clarify there are two ways of rooting this i have only found one i'm still experimenting and i would love to hear what you guys think i did run the both the i did enumerate as much as i could locally from the linux as you just saw using the linux enum.sh script which you could run uh when you are logged in as michael uh the the only directories that you can uh that that you can use to to write to are is the temp folder i don't know i went to opt that was really confusing i did i did remember that i was able to execute but i did restart the vm so i don't know what whether that caused any issues so apologies for that so in in your temp folders where you can actually run all your scripts and exploits i did try and execute some exploits but they failed so again i'll be looking at the other way of getting root which is quite interesting now when it comes to getting the fourth uh flag which uh i i do not actually know where it is it's probably in the root directory um we're in temp so let me just go into my root directory list the files and indeed we have the fourth flag now when it comes to the first two flags i found flag 2 and flag 3 and for some reason i was able to get flag 4 in the wordpress posts this was really weird now when i talk about the the first flag i was not able to find it anywhere within the the vm which is really weird now when it comes down to why i have wordpress open uh once i started inspecting the files i was able to see that if you go to your services page right over here and if we look at the response or 
the html file and we scroll all the way to the bottom here you'll see something really interesting right over here in the footer we have flag one right in the footer over here which is really awesome because uh this is something that i never even thought of and i really don't inspect web pages anymore unless i'm doing lfi you know all that stuff in terms of web applications so uh this overall was a very good ctf challenge um was it the most realistic uh yes i would say i would say so in terms of wordpress and what i can essentially uh tell you that this will help you learn is it it had a bit of password cracking uh which is good it shows you how to use uh it teaches you about hashes uh but for those of you already know about hashes it's it's nothing new it also covered mysql which is awesome you really need to know how to navigate a mysql database i've come across many people who don't know even you know basic syntax like showing databases which is really weird now for those of you on the discord channel who are talking about um sql injection and i talked about the query that i was using so i was i was explaining to you a query now if i was dealing with uh a wordpress um database that or the wordpress users table uh that stores wordpress users and their respective password hashes you can see that the uh the query that they used in the uh the mysql database was very simple i simply selected from uh from the beginning of the of of of the table from the wordpress users table now what that did is essentially enumerate all the information we're talking about sql injection what you're trying to do is you're trying to essentially pass those queries through the uh through the text box on the website and of course this is done because uh the the the the forms or the input fields are unsanitized now of course i'm talking about web security web application security there but i just wanted to show you that so i did think i got all the flags at least and i was able to get root 
uh the write up for this will be on my website i'm working on all the write-ups for all the ctfs i've done so far i know i haven't uploaded any new articles on the site i'm working on that and they should be up this weekend so yeah that was uh very very interesting and the the the the main points that i wanted you guys to take away from this is wordpress it's very important to know how to use wordpress and how to use essentially perform a penetration test on wordpress and yeah it was quite interesting to see how this was structured uh i don't think there should have been four flags i think three flags was enough the initial flag is when you log in via ssh that's a simple basic flag uh the second flag is uh when you are able to log into stephen and the third flag when you're able to get into the root account or you're able to get root or administrator privileges on the machine all right so you guys can go ahead and log into the wordpress installation i'll also do that after the recording is complete and let me know what you guys think of this ctf i know uh this is a bit delayed it's probably on saturday right now when you're watching this and it was supposed to be on friday apologies a lot of work needed to complete but yeah that's pretty much all for this video hope you found value in this video if you did please leave a like down below if you have any questions or suggestions let me know in the comment section on my social networks on my website and i'll be seeing you in the next video peace guys [Music] you
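One way to catch the misconfiguration that gave root in this walkthrough, as an added example that is not code from the video or the Raven VM: a small Python audit of `sudo -l` output that flags rules pointing at interpreters and other shell-capable commands, ranking NOPASSWD entries highest. The sample rule lines, the hostname and the list of shell-capable commands are constructed for the example.

```python
"""Audit `sudo -l` output for rules that hand out a root shell via an interpreter.
Added example, not code from the video or the Raven VM: it parses the rule lines
sudo prints (e.g. "(ALL) NOPASSWD: /usr/bin/python") and flags commands that can
spawn a shell, which is how the python rule in the walkthrough led to root."""
import os
import re

# Commands from which a shell is trivially spawned (python via os.system is the
# walkthrough's case). Constructed starting list; extend it for your estate.
SHELL_CAPABLE = {"python", "perl", "ruby", "bash", "sh", "vi", "vim", "less", "find", "awk"}

# Shape of each sudo -l rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Yield (runas, tags, command) for every rule line in `sudo -l` output."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # header lines such as "User steven may run ..." are skipped
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in filter(None, map(str.strip, m.group("cmds").split(","))):
            yield m.group("runas").strip(), tags, cmd

def audit(text):
    """Return findings as (severity, runas, command, reason) tuples."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        if cmd == "ALL":
            findings.append(("HIGH", runas, cmd, "unrestricted sudo"))
            continue
        family = re.sub(r"[\d.]+$", "", os.path.basename(cmd.split()[0]))  # python3.5 -> python
        if family in SHELL_CAPABLE:
            sev = "HIGH" if "NOPASSWD" in tags else "MEDIUM"  # no password prompt at all
            findings.append((sev, runas, cmd, f"{family} can spawn a shell as {runas}"))
    return findings

# Constructed sample, modelled on the rule the walkthrough found for steven.
SAMPLE = """\
User steven may run the following commands on raven:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /usr/sbin/service apache2 restart
    (root) /usr/bin/vim /etc/hosts
    (ALL : ALL) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/python3.5
"""

if __name__ == "__main__":
    for sev, runas, cmd, why in audit(SAMPLE):
        print(f"[{sev}] ({runas}) {cmd}: {why}")
```

Feed it the real output of `sudo -l` on a host under review; anything reported HIGH is a rule that should be rewritten to a specific, non-interactive command or dropped.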
Info
Channel: HackerSploit
Views: 35,430
Keywords: how to hack, hacking, hacker, white hat hacker, exploit tutorial, hacking tutorial, vulnhub, vulnhub kioptrix, vulnhub walkthrough toppo, vulnhub stapler, vulnhub goldeneye walkthrough, vulnhub walkthrough easy, vulnhub lampiao, vulnhub walkthroughs, vulnhub lab setup, vulnhub tutorial, raven, vulnhub raven walkthrough, vulnhub raven
Id: Aha7JWSIfSI
Length: 45min 0sec (2700 seconds)
Published: Fri Nov 16 2018