Vulnhub: Raven 1 Walkthrough

dorian5
Dec 13, 2020

We mean business…

Today we are working on Raven: 1 from Vulnhub.com. This box is rated beginner/medium.

Initial Enumeration

We start with our nmap scans.

rabbit hole, I mean, RPC
aha

Since RPC is available, I’ll start with basic RPC enumeration.

what a letdown…

We don’t see anything obvious from RPC, so let’s move on to web enumeration. There is nothing obviously useful on the homepage, so we focus on the WordPress site. Add raven.local to your /etc/hosts if you want the site to show up as intended:

WordPress Enumeration

Any time you find a WordPress site, you should start with a wpscan.

wpscan finds two users, steven and michael. We next try to brute-force the passwords of these users.

And we get a hit from the password list rockyou.txt.

Foothold

I looked around the WordPress admin site and didn’t find anything obvious. I then thought I would try the same WordPress creds for SSH.

now we’re cooking with gas…

Privilege Escalation

My first privesc check is always for sudo privileges and this box didn’t disappoint.

we can work with this…

Python gives us the option of running shell commands. Let’s find the root flag and read it.
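
From the defender's side, the sudo rule this step relies on is easy to catch in an audit. The following is an added example, not part of the original walkthrough: a small parser that flags sudoers entries granting shell-capable programs. The sample rules, their user names and the SHELL_CAPABLE list are constructed, and aliases and includes are not expanded.

```python
import os
import re

# Programs that can spawn a shell or run arbitrary commands (constructed,
# non-exhaustive list). A sudo grant for one is a grant of the run-as user.
SHELL_CAPABLE = {"python", "perl", "ruby", "bash", "sh", "vi", "vim", "less",
                 "find", "awk", "env", "nmap"}
RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(.+)$")       # user host = specs
RUNAS = re.compile(r"^\(([^)]*)\)\s*")                   # (root) or (ALL:ALL)
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")


def audit_sudoers(text):
    """Return (user, runas, command, nopasswd) for each risky grant."""
    findings = []
    text = text.replace("\\\n", " ")                     # join continuations
    for line in (l.strip() for l in text.splitlines()):
        rule = RULE.match(line)
        if not line or SKIP.match(line) or not rule:
            continue                                     # aliases not expanded
        user, specs = rule.groups()
        runas, nopasswd = "root", False
        # Split the command list on commas that are outside a (runas) group.
        for spec in re.split(r",(?![^()]*\))", specs):
            spec = spec.strip()
            m = RUNAS.match(spec)
            if m:                                        # run-as persists
                runas, spec = m.group(1), spec[m.end():]
            m = TAG.match(spec)
            while m:                                     # tags persist too
                if m.group(1).endswith("PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                spec = spec[m.end():]
                m = TAG.match(spec)
            if not spec or spec.startswith("!"):
                continue                                 # negations ignored
            base = re.sub(r"[\d.]+$", "", os.path.basename(spec.split()[0]))
            if spec == "ALL" or base in SHELL_CAPABLE:
                findings.append((user, runas, spec, nopasswd))
    return findings

# Constructed sample, not taken from the Raven box.
SAMPLE = """\
Defaults secure_path="/usr/sbin:/usr/bin"
root    ALL=(ALL:ALL) ALL
webdev  ALL=(root) NOPASSWD: /usr/bin/python2.7, /usr/sbin/service apache2 reload
backup  ALL=(root) /usr/bin/du
"""
```

Entries that come back with nopasswd set to True for an interpreter are the ones to remove or replace with a narrowly scoped wrapper command.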

Sweet, but our goal is always to get a root shell. Pentestmonkey can help us with that. Don’t forget to launch your netcat listener before executing your shell command.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

And we get a root shell! Did this box give you any issues? Did you find another path to root? Drop me a comment and let me know. Thanks for reading!
