Hello there! Another beginner/intermediate machine named Raven:1 by William McCann. Download from VulnHub.
I run nmap ping scan and discover the target at 192,168.43.252
Then I run nmap aggressive scan on the ip.
I find apache server running on port 80. Let’s look at it.
So, just looking around I find a wordpress blog. Looking at the source code of the pages I find the first flag:
Now the blog. I need to add raven.local domain into my hosts file to see the pages. After looking at it I discover the first user michael.
I find that the ssh password for user michael is michael and I login into the system
I start looking around and I find the second flag inside /var/www/
I look at wp-config.php inside wordpress blog and I find the password for mysql
Looking inside the DB I find the 3rd flag in the wp_posts table
I look at wp_users table and get the hashes for the passwords of michael and steven
Now I crack these hashes and I find the password pink84
That turns to be steven’s password and now I can login into ssh as steven
Now it looks like steven can sudo the python binary
Now I execute python and start a root shell and read the final flag
There should be another way to get root, but I am happy with this one.