Hack the Raven: Walkthrough (CTF Challenge)

Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven. Raven is a Beginner/Intermediate boot2root machine. There are two intended ways of getting root and we demonstrate both of the ways in this article.

Table of contents: (Method 1)

  1. Port scanning and IP discovery.
  2. Hitting on port 80 and discovery of WordPress CMS.
  3. WPScanning the website to discover two users.
  4. Hitting and bruteforcing port 22.
  5. Enumerating the active processes using LinEnum script.
  6. Discovery of MySQL.
  7. Fetching the database username and password from wp-config.php.
  8. Using MySQL to create a UDF (user-defined function) dynamic library.
  9. Compiling UDF exploit to a shared library program.
  10. Running UDF library program into the victim’s machine.
  11. Setting sticky bit on “find.”
  12. Getting root access.
  13. Reading the flags.

Table of contents: (Method 2)

  1. Getting shell to the victim and accessing MySQL the same way till step 7 in method 1.
  2. In MySQL shell, discovering all the databases and tables.
  3. Reading table wp_users from the database wordpress.
  4. Fetching hashes from the table wp_users.
  5. Cracking the hash to get shell to the other user.
  6. Discovering python has no root required to run.
  7. Spawning root TTY using python one liner.
  8. Reading the flags.

Let’s get started then!

Discovering the active devices on a network using netdiscover and getting the IP address of our victim machine. In this case the IP address holds 192.168.1.102

Using nmap on the victim machine we got three ports open 22,80 and 111

So we instantly moved to the port 80 and discovered a website of Raven Security.

On the top right we found a tab saying “blog” and moved to the webpage only to discover that the victim’s machine had WordPress CMS installed!

So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.

The results returned 2 valuable users made on the victim’s machine:

Michael and steven.