Raven 2: Vulnhub Walkthrough

Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be getting our hands on Raven 2, the sequel to the previously solved Raven. Raven 2 is a Beginner/Intermediate boot2root machine. The goal is to snag 4 flags and get root on the target VM.

Table of contents:

  1. Port scanning and IP discovery.
  2. Hitting port 80 and discovering the WordPress CMS.
  3. Directory enumeration to find a directory named “vendor”.
  4. Discovering a file named PATH to snag flag 1.
  5. Discovering a file named VERSION to snag the PHPMailer version.
  6. Exploiting an RCE in PHPMailer version 5.2.6.
  7. Making local changes to the exploit code for successful delivery of the payload.
  8. Getting a netcat shell using the uploaded payload.
  9. Snagging flag 2 in /var/www.
  10. Reading the database password from the wp-config file.
  11. Running LinEnum.sh to enumerate processes.
  12. Exploiting the MySQL UDF dynamic library vulnerability using exploit 1518.c from Exploit-DB.
  13. Setting the SUID bit on find.
  14. Getting root access.
  15. Snagging flag 4 in /root.
  16. Manually traversing the system to find flag 3.

Let’s get started then!

We discovered the active devices on the network using netdiscover and got the IP address of our victim machine. In this case the victim’s IP address is 192.168.1.101.

Running nmap against the victim machine, we found three open ports: 22, 80 and 111.

So we went straight to port 80 and found the Raven Security website.

We thought it wise to run a directory brute-force before scanning anything else. Running a directory buster against the victim machine turned up a “vendor” directory.

Browsing to /vendor listed the following files and folders.

Among them a file called PATH caught our attention, since that is no ordinary name. We opened it in the browser, only to find flag 1!

There was yet another file worth noting, called VERSION. On opening it we found a version number, 5.2.6, but it was unclear which software it belonged to. Look at the previous screen again, though: a file called PHPMailerAutoload.php sits in the same directory, so it is fairly certain that version 5.2.6 is the version of PHPMailer. A bit of internet surfing turned up an RCE exploit for that version!
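From the defender’s side, the whole chain above starts with a Composer vendor directory being readable over HTTP: a directory listing, a PATH file and a VERSION file gave away the flag and the exact library version. The following web server configuration is an added example (it is not part of the walkthrough or the Raven 2 VM) and assumes Apache 2.4 with a DocumentRoot of /var/www/html, both of which are assumptions; it blocks HTTP access to the vendor directory and turns off directory indexes for the rest of the site.

```apache
# Added example (not from the walkthrough): deny web access to the Composer
# vendor directory so files such as VERSION and PATH cannot be read remotely.
# Assumes Apache 2.4 and a DocumentRoot of /var/www/html (both assumptions).
<Directory "/var/www/html/vendor">
    Require all denied
</Directory>

# Disable directory listings under the document root, so guessing a folder
# name with a directory brute-force does not hand out a file index.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

Blocking HTTP access to vendor does not break the application: PHP loads PHPMailer and the other vendor files from the local filesystem through require/include, not over HTTP, so only the remote read is removed. Keeping dependencies updated is the actual fix for the RCE itself; the deny rule just stops the version from being advertised to anyone running a directory scan.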

Now we downloaded this Python file, but don’t run it yet! There are some changes to be made, which are highlighted in the screen below.

  1. Add a coding: utf-8 declaration at the top of the file.
  2. Set the target to 192.168.1.101/contact.php, the page where the vulnerable PHPMailer function is used.
  3. Set the backdoor’s file name. Let it be backdoor.php for now.
  4. Set the local IP address in the subprocess call.
  5. And finally, set the location on the target where the backdoor will be uploaded.