boot2root, 4 flags, 2 ways to get root
This will be a brief walkthrough that will point you in the right direction, but leave enough for you to figure out on your own. This is a great CTF to do early on because you cover a lot of different things that are commonly encountered in CTFs and pentesting. I did this at one of my ethical hacking club meetings following a guide and wanted to come back to it to understand what was being done.
I usually do a quick check with netdiscover, fping, or something similar to make sure that I’ve got my VMs on the same network. Since I’ve usually got several labs that I’m working on, it’s a quick way to make sure that I have everything on the same host-only network for labs like this. Then I’ll use nmap to see what I’m dealing with.
Found target – 172.16.250.3 (it would be a good idea to add this to your /etc/hosts file as raven.local or similar). Remember your IP will differ depending on your VM settings.
- 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
- 80/tcp open http Apache httpd 2.4.10 ((Debian))
- 111/tcp open rpcbind 2-4 (RPC)
- Linux 3.x|4.x
The big targets from the port scan are SSH and the webpage. From doing other CTFs, I know the webpages are often great targets. So I would have likely started poking at that first had I just done this box on my own.
Pull up the website using the IP and click through it. Check the page source on each, specifically look for flags. Flag 1 can be found in the source code of one of the pages. Hint – it’s near the footer.
You should also use tools to enumerate the website – dirb, nikto, etc. These will give you some additional things to check out. Notice that there is some stuff related to wordpress, including an admin page.
Try using WPScan to see what’s there. It complained about not being able to find the wp-content dir, so I did have to supply that.
wpscan --url 172.28.128.4/wordpress --wp-content-dir /wp-admin -e
Found some info about potential vulnerabilities and 2 users – steven and michael.
Next step, try to brute force the WordPress login. Because the main site is not WordPress some of the typical WordPress approaches don’t work well. WPScan and the Metasploit WORDPRESS_LOGIN_ENUM module both fussed at me. Pull up your developer tools (F12 in most browsers) to check out how logins are handled so you can pull the info needed to run Hydra against the login page. This walkthrough on NULL BYTE does a great job explaining how to obtain this info. Do the digging, and you end up with…
hydra -vV -L <usernamefile> -P <passwordfile> raven.local http-post-form '/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
(Hat Tip to Scipher of my ethical hacking club for the Hydra example code)
While that’s running, I popped up Metasploit to work on brute forcing the SSH info.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set pass_file /usr/share/wordlists/rockyou.txt
msf auxiliary(scanner/ssh/ssh_login) > set user_file <pathtowhereyousavedusernames>
msf auxiliary(scanner/ssh/ssh_login) > set rhosts <targetIP>
msf auxiliary(scanner/ssh/ssh_login) > set user_as_pass true
msf auxiliary(scanner/ssh/ssh_login) > run
That turned up michael:michael as an SSH login, so while Hydra is still working on the WP login, I’ll do some poking around by using SSH.
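The credential guessing above (Hydra against wp-login.php, Metasploit’s ssh_login with user_as_pass) is exactly the kind of thing a defender wants to spot in the logs. As an added example that is not part of the original walkthrough, here is a small Python detector that parses sshd lines in the format Debian writes to /var/log/auth.log, raises an alert when one source address racks up a burst of failures inside a short window, and records whether a login from that address succeeded afterwards (which is what a michael:michael hit would look like). The log lines, hostname, addresses and year are constructed for the example; detect_bruteforce() and parse_events() are names I made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd uses on Debian; the host name,
# addresses and timestamps are made up for this example.
SAMPLE_AUTH_LOG = """\
Aug 12 10:01:01 raven sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40100 ssh2
Aug 12 10:01:02 raven sshd[2103]: Failed password for michael from 192.0.2.10 port 40102 ssh2
Aug 12 10:01:02 raven sshd[2105]: Failed password for steven from 192.0.2.10 port 40104 ssh2
Aug 12 10:01:03 raven sshd[2107]: Failed password for michael from 192.0.2.10 port 40106 ssh2
Aug 12 10:01:03 raven sshd[2109]: Failed password for steven from 192.0.2.10 port 40108 ssh2
Aug 12 10:01:04 raven sshd[2111]: Accepted password for michael from 192.0.2.10 port 40110 ssh2
Aug 12 10:30:00 raven sshd[2300]: Failed password for michael from 192.0.2.77 port 50000 ssh2
Aug 12 11:45:00 raven sshd[2400]: Accepted publickey for steven from 192.0.2.50 port 51000 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text, year=2024):
    """Turn raw sshd lines into dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Alert on any source with >= threshold failures inside a sliding window.

    Each alert records the peak failure count, the usernames tried, and the
    user of any later successful login from the same source (password reuse
    or a guessed credential)."""
    alerts = {}
    recent = defaultdict(deque)  # src -> recent failed events within the window
    for ev in parse_events(log_text):
        q = recent[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev)
            # Drop failures that fell out of the window.
            while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ev["src"], {"src": ev["src"], "failures": 0,
                                                  "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(e["user"] for e in q)
        elif ev["src"] in alerts:
            # A success from a source that was already brute forcing is the real alarm.
            alerts[ev["src"]]["success_after"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The same sliding-window logic works on Apache’s access log for POSTs to /wordpress/wp-login.php, which is how the Hydra run shows up on the web side. On the prevention side, user_as_pass only works because a password equal to the username was allowed in the first place; key-only SSH and a password policy close that off.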
Digging around as michael
Log in via SSH, and you get a message about new mail. I did locate mail to quickly find where mail would be since I couldn’t remember (/var/mail) and found the message for michael.
Cat the message to get an idea of what it is, and it was long. So pop open another terminal window to use scp to pull the file for analysis.
scp michael@<targetIP>:/var/mail/michael /whereyouwantthe/file
Since I’m already in /var, I decided to look into the /var/www directory since it often has website info, and there was flag2.
Now onto the /var/www/html directory. There is a wordpress directory, so let’s take a look there. There are quite a few items in the folder, but one of interest is the WordPress configuration file. Cat and examine the info or use scp to pull it onto your box.
Looking over the file, you can find the MySQL username and password (root:R@v3nSecurity).
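The reason michael could pick up those credentials is that wp-config.php was readable by a low-privileged account and WordPress was talking to MySQL as root. As an added example (my own code, not from the box or from WordPress), here is a Python check that reports both problems for a given wp-config.php: it inspects the file mode and pulls the define() values out of the PHP. It writes a constructed wp-config.php with placeholder credentials to a temp file so it can run anywhere; write_sample() and audit_wp_config() are names I made up for the example.

```python
import os
import re
import stat
import tempfile

# Constructed wp-config.php fragment; the password is a placeholder, not the box's value.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'EXAMPLE_PASSWORD_PLACEHOLDER');
define('DB_HOST', 'localhost');
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

# define('KEY', 'value') with optional whitespace, as WordPress writes it.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>\w+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)


def parse_defines(text):
    """Return the constants defined in a wp-config.php as a dict."""
    return {m["key"]: m["val"] for m in DEFINE_RE.finditer(text)}


def audit_wp_config(path):
    """Check who can read the file and whether the DB account is over-privileged."""
    mode = os.stat(path).st_mode
    with open(path) as fh:
        defines = parse_defines(fh.read())
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the database password")
    if mode & stat.S_IRGRP:
        findings.append("group-readable: every member of the file's group can read the database password")
    if defines.get("DB_USER") == "root":
        findings.append("DB_USER is root: WordPress should use a dedicated least-privilege MySQL account")
    if "put your unique phrase here" in defines.get("AUTH_KEY", ""):
        findings.append("AUTH_KEY still has the placeholder value")
    return {"mode": oct(mode & 0o777), "db_user": defines.get("DB_USER"), "findings": findings}


def write_sample(mode=0o644):
    """Write the constructed config to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for perms in (0o644, 0o600):
        print(audit_wp_config(write_sample(perms)))
```

On a real install the file should be owned by the web server account with mode 0600 (or 0640 if a separate deploy group needs it), and the MySQL user in DB_USER should only have rights on the WordPress database, so that a foothold as michael does not hand over the database root password.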
Now you can check out the MySQL databases available. While still using SSH as michael, start MySQL and see what’s there. This MySQL cheatsheet is a handy reference.
mysql -u root -p #Enter password when prompted
mysql> show databases;
mysql> use wordpress;
mysql> show tables;
mysql> select * from wp_users;
Take the hashes of the user passwords and save them in a file. Then use John to crack them.
You may also want to check out the tables to see what you can find.
It’s also a good idea to try sudo when you have an SSH shell. I think sudo is one of those commands that gets used a lot without anyone ever really digging into what it can do. So, I ended up doing some digging to understand what was recommended at hacking club. The man page is a good place to start. And this StackExchange had an answer that clarified a lot of things. Unfortunately, michael’s account was limited.
Digging around as steven
John came back with a password for steven. I tried that on the WordPress login and was able to get it. Do some digging around and you’ll find flag3 if you didn’t find it poking around the database earlier.
Then on to using SSH with steven. Log in and try sudo -l to see what steven can do. This shows that steven can execute /usr/bin/python. Hmmm…this made me think of the multiple times I’ve used Python to get an interactive shell.
sudo python -c 'import pty; pty.spawn("/bin/bash")' to get a shell as root. (Another HT to Scipher for providing the code so I didn’t have to dig it out). Now you’ve got a shell as root, so you need to do some poking around and find flag 4.
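That sudo rule is the whole privilege escalation: a bare interpreter in sudoers is the same as granting ALL, because it will happily run any code the user hands it. As an added example that is not part of the original walkthrough, here is a Python audit of sudoers-style rules that flags interpreters and shells (and ALL for non-root accounts) and distinguishes a bare /usr/bin/python from one pinned to a specific script. The rules in SAMPLE_SUDOERS are constructed; only the steven line mirrors what sudo -l showed on the box, and audit_sudoers() is a name I made up.

```python
import re

# Constructed sudoers-style rules for this example; not the box's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
steven          ALL=(ALL) NOPASSWD: /usr/bin/python
michael         ALL=(ALL) /usr/sbin/service apache2 restart
michael         ALL=(ALL) /usr/bin/python /opt/scripts/rotate-logs.py
www-data        ALL=(ALL) ALL
"""

# Interpreters and shells: a bare sudo rule for any of these is equivalent to ALL.
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "ruby", "sh", "bash", "dash", "zsh"}

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return a list of findings for rules that amount to a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            words = cmd.split()
            base = words[0].rsplit("/", 1)[-1]
            finding = {"user": m["who"], "command": cmd, "nopasswd": nopasswd}
            if cmd == "ALL" and m["who"] != "root":
                finding.update(severity="high",
                               reason="unrestricted sudo for a non-root account")
            elif base in SHELL_CAPABLE and len(words) == 1:
                # No arguments in the rule means sudo accepts any arguments.
                finding.update(severity="high",
                               reason="bare interpreter/shell: any arguments allowed, so it can spawn a root shell")
            elif base in SHELL_CAPABLE:
                finding.update(severity="review",
                               reason="interpreter pinned to fixed arguments; confirm the script and its directory are not writable by the user")
            else:
                continue
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:6} {f['user']:9} {f['command']}  ({f['reason']})")
```

Run this against the output of visudo -c -f or against /etc/sudoers.d fragments; the fix for the steven rule is to grant the specific script (with a non-writable path) rather than the interpreter.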
I liked this box a lot. It was a little different doing it as part of a club meeting because it was easy to follow the breadcrumbs. It used quite a few things I already know, reinforced some other things (like dealing with MySQL), and made me learn more about where WordPress puts things and what sudo really means. I think working through boxes like this with breadcrumbs or a walkthrough is really helpful when you are learning to pentest. There’s a certain point that you need to get to before you can really work through boxes on your own. Or at least that’s where I’m at since there are only so many hours in the day. I’ve found doing the walkthroughs has helped me learn how to think about the process. When I’m using a walkthrough my goals are different than when I’m attacking a box without one.
I like to see how other people approach things, so I checked out a few other walkthroughs. InfoSec Adventures had a nice one. I’m also a fan of Raj Chandel’s walkthroughs and he has a detailed walkthrough of this box if you need additional information. He also covers 2 methods of getting root. I found 2 detailed walkthroughs on YouTube if you learn better that way. Both are long (40+ minutes) but I think worth watching if you need to see a little more of what’s going on.
There is a Raven 2 box, so you may want to check that one out as well. It’s an intermediate level, but looks like fun. It’s on my never-ending list of CTFs to play with. If you want to keep working on beginner level challenges, there are a lot of those out there as well. For a more guided option, try something like OverTheWire.