Here is the walkthrough of the Raven1 CTF from VulnHub, with a step-by-step analysis. Here you will get to know how to think while doing such CTF challenges and which tools can be used in the penetration testing process.
Firstly, we should always focus on gathering as much information as we can and then analyze it to gain insight. In this walkthrough, tools like Nmap are used to collect all the network-related information, and WebMap is used to analyze that information and generate a well-structured report.
Nmap command used:
nmap -sV -A <ip address of vulnhub machine>
After enumerating the services and open ports, we went on to enumerate the web server. We checked for a robots.txt file, which in this case was absent, then we performed a Nikto scan for information such as exposed files and outdated server software.
nikto -h http://<ip address>/
Along with Nikto, DirBuster was used to enumerate directories; we used the graphical user interface of DirBuster, where we gave the URL of the target machine as input.
These scans revealed many directories, and the information from them was useful because it gave us our next checkpoint. We also used the Burp Suite proxy to learn more about the structure of the web server.
Next, we used WPScan:
wpscan --url http://<ipaddress>/wordpress --wp-content-dir -at -eu
After running this command, we found some usernames. We then tried to brute-force the passwords for those usernames, because a valid password would let us SSH into the machine (we know from Nmap that the SSH service is running on it). So we used Hydra with the default wordlist at /usr/share/wordlists/rockyou.txt.gz to brute-force the password.
hydra -L <path to username text file> -P /usr/share/wordlists/rockyou.txt.gz ssh://<ip address>
(Hydra reads plain-text wordlists, so decompress rockyou.txt.gz with gunzip first and point -P at the resulting rockyou.txt.)
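The SSH brute-force step has a defender-side counterpart: the same burst of failed logins is visible in the target's auth log. The following added example (not from the original walkthrough) parses constructed sshd log lines, flags any source address with four or more failures inside a 60-second window, and notes whether that source later logged in successfully, which is the pattern a password-spraying tool leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (sample data, not from the original page).
SAMPLE_AUTH_LOG = """\
Aug 10 14:02:01 raven sshd[2001]: Failed password for michael from 192.0.2.10 port 40001 ssh2
Aug 10 14:02:02 raven sshd[2002]: Failed password for michael from 192.0.2.10 port 40002 ssh2
Aug 10 14:02:02 raven sshd[2003]: Failed password for invalid user steven from 192.0.2.10 port 40003 ssh2
Aug 10 14:02:03 raven sshd[2004]: Failed password for michael from 192.0.2.10 port 40004 ssh2
Aug 10 14:02:04 raven sshd[2005]: Failed password for michael from 192.0.2.10 port 40005 ssh2
Aug 10 14:02:05 raven sshd[2006]: Accepted password for michael from 192.0.2.10 port 40006 ssh2
Aug 10 14:30:00 raven sshd[2100]: Failed password for admin from 198.51.100.7 port 51000 ssh2
Aug 10 15:10:00 raven sshd[2200]: Accepted publickey for ops from 203.0.113.5 port 52000 ssh2
"""

# Matches both "Failed password" and "Accepted password/publickey" sshd lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, source) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_brute_force(events, threshold=4, window_s=60):
    """Map each source that hit >= threshold failures within window_s seconds to a small report."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        start, burst_end = 0, None
        for i, (ts, _, _, _) in enumerate(fails):      # sliding window over failure timestamps
            while (ts - fails[start][0]).total_seconds() > window_s:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = ts
        if burst_end is not None:
            alerts[src] = {
                "failures": len(fails),
                "users": sorted({e[2] for e in fails}),
                "success_after_burst": any(e[1] == "Accepted" and e[0] >= burst_end for e in evs),
            }
    return alerts
```

A single failure from 198.51.100.7 stays below the threshold, while 192.0.2.10 is reported with the usernames tried and the successful login that followed the burst.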
We found the password for one of the users and used it to SSH into the VulnHub machine. We then installed the LinEnum tool to enumerate privilege-escalation paths; our whole purpose is to get root access.
We found flag2 first, in /var/www/. In /var/www/html we found the WordPress config file (wp-config.php), which contains the password of the MySQL database, and with those credentials we logged into MySQL.
mysql -u <username> -p wordpress
Commands used inside MySQL are
In the table wp_posts we got flag3. From another table, wp_users, we got usernames and passwords for the WordPress user logins; the passwords were hashed, so to identify the hashes we used hash-identifier, which in this case reported a salted WordPress hash. You can use John or other tools to recover the password, which in our case was pink84, so we SSHed into the machine as the user Steven with the password pink84. After that we tried the Linux Exploit Suggester tool, which we were able to run from the temp folder; it suggested a bunch of exploits, although we did not use them to get root access.
We used Python to get root access.
We got root access and eventually found flag4 in the root folder. Interestingly, we did not find flag1 anywhere at first; it was actually in the service.html page, in the footer section. That is how we completed the CTF challenge.
To know exactly how each tool is used in this CTF challenge, you should watch the video, where each and every step is explained together with the logic behind it. Keep learning, keep hacking.